
Module Documentation

Ryan edited this page Mar 4, 2026 · 5 revisions


Detailed documentation for each security audit module.

module-acsc.ps1

Purpose: Australian Cyber Security Centre Essential Eight Maturity Model assessment
Checks: 123
Execution Time: ~15-25 seconds
Severity Coverage: 123/123 (100%)
Best For: Australian government agencies, organizations adopting Essential Eight

Categories (8)

| # | Category | Checks | Focus |
|---|----------|--------|-------|
| 1 | E1 App Control | ~15 | AppLocker service, executable rules, WDAC enforcement, SRP policies, constrained language mode |
| 2 | E2 Patch Apps | ~12 | Office version currency, .NET Framework, Java detection, Flash EOL |
| 3 | E3 Office Macros | ~12 | VBA warnings for Word/Excel, internet macro blocking, VBA object model access |
| 4 | E4 App Hardening | ~15 | Flash COM killbit, OLE package blocking, SmartScreen, Windows Script Host |
| 5 | E5 Admin Privs | ~20 | Admin group size, UAC, consent prompt, token filtering, LSA protection |
| 6 | E6 Patch OS | ~15 | Windows Update service, hotfix recency, OS EOL detection, auto-update |
| 7 | E7 MFA | ~15 | Credential Guard, Windows Hello, smart card removal, screen lock timeout |
| 8 | E8 Backups | ~19 | VSS service, System Restore, BitLocker recovery, Controlled Folder Access |

Standalone Usage

.\modules\module-acsc.ps1

module-cmmc.ps1

Purpose: Cybersecurity Maturity Model Certification Level 2 compliance assessment
Checks: 103
Execution Time: ~15-20 seconds
Severity Coverage: 103/103 (100%)
Best For: DoD contractors, organizations handling CUI, NIST SP 800-171 alignment

Categories (7)

| # | Category | Checks | Focus |
|---|----------|--------|-------|
| 1 | AC Access Control | ~18 | Least privilege, session management, remote access, account lockout |
| 2 | AU Audit | ~15 | Logging, audit trail protection, event correlation, log retention |
| 3 | CM Config Mgmt | ~15 | Baseline configuration, change control, software restrictions |
| 4 | IA Authentication | ~18 | Password policy, multi-factor, credential protection, session lock |
| 5 | MP Media | ~10 | Media protection, sanitization, removable media controls |
| 6 | SC Comms | ~15 | Encryption, boundary protection, session integrity, TLS |
| 7 | SI Integrity | ~12 | Malware protection, monitoring, software integrity, patching |

Standalone Usage

.\modules\module-cmmc.ps1

module-enisa.ps1

Purpose: ENISA Cybersecurity Good Practices for SMEs and organizations
Checks: 198
Execution Time: ~20-30 seconds
Severity Coverage: 198/198 (100%)
Best For: EU-based organizations, ENISA compliance, European cybersecurity standards

Categories (10)

| # | Category | Checks | Focus |
|---|----------|--------|-------|
| 1 | GP.1 Network Security | ~22 | Firewall profiles, SMBv1, SMB signing, LLMNR, NetBIOS, NLA |
| 2 | GP.2 IAM | ~22 | Guest account, admin rename, password policy, UAC, Credential Guard |
| 3 | GP.3 Patch Mgmt | ~12 | Windows Update, hotfix recency, auto-update, PowerShell version |
| 4 | GP.4 Cryptography | ~18 | BitLocker, TLS 1.0/1.1 disabled, SSL 3.0, NULL cipher, RC4 |
| 5 | GP.5 Logging | ~22 | Security log size, audit logon/privilege, PowerShell logging |
| 6 | GP.6 Data Protection | ~15 | VSS, System Restore, Recycle Bin, Controlled Folder Access |
| 7 | GP.7 Incident Response | ~12 | WEF service, Windows Error Reporting, crash dump config |
| 8 | GP.8 Hardening | ~22 | Secure Boot, DEP, AutoPlay, Remote Registry, cached logons |
| 9 | GP.9 Web Security | ~12 | SmartScreen, IE Enhanced Security, attachment zone info |
| 10 | GP.10 Endpoint | ~21 | Defender real-time, signatures, cloud protection, ASLR |

Standalone Usage

.\modules\module-enisa.ps1

module-gdpr.ps1

Purpose: GDPR technical controls assessment for data protection compliance
Checks: 133
Execution Time: ~15-25 seconds
Severity Coverage: 133/133 (100%)
Best For: EU data protection compliance, organizations processing EU personal data

Categories (7)

| # | Category | Checks | Focus |
|---|----------|--------|-------|
| 1 | Art.5 Principles | ~18 | Data processing principles, storage limitation, integrity |
| 2 | Art.25 Privacy by Design | ~20 | Default privacy settings, data minimization, access controls |
| 3 | Art.32 Confidentiality | ~22 | Access control, authentication, privilege management |
| 4 | Art.32 Encryption | ~18 | BitLocker, TLS, cipher strength, certificate management |
| 5 | Art.32 Availability | ~18 | Backup, recovery, system resilience, service continuity |
| 6 | Art.32 Testing | ~18 | Monitoring, audit logging, vulnerability assessment |
| 7 | Art.33-34 Breach | ~19 | Incident detection, logging, notification readiness |

Standalone Usage

.\modules\module-gdpr.ps1

module-hipaa.ps1

Purpose: HIPAA Security Rule technical safeguard assessment
Checks: 184
Execution Time: ~20-30 seconds
Severity Coverage: 184/184 (100%)
Best For: Healthcare organizations, business associates handling ePHI

Categories (8)

| # | Category | Checks | Focus |
|---|----------|--------|-------|
| 1 | Access Control | ~28 | Unique user ID, emergency access, automatic logoff, encryption |
| 2 | Administrative | ~22 | Security management, workforce security, information access |
| 3 | Audit Controls | ~25 | Audit logging, log review, log protection, event correlation |
| 4 | Authentication | ~22 | Password policy, multi-factor, credential management |
| 5 | Integrity | ~20 | Data integrity mechanisms, electronic signatures |
| 6 | Physical Safeguards | ~18 | Workstation security, device controls, media disposal |
| 7 | Transmission Security | ~25 | Encryption in transit, TLS, network monitoring |
| 8 | ePHI Protection | ~24 | Data at rest encryption, backup, access audit trails |

Standalone Usage

.\modules\module-hipaa.ps1

module-iso27001.ps1

Purpose: ISO/IEC 27001:2022 Annex A control assessment
Checks: 244
Execution Time: ~25-40 seconds
Severity Coverage: 244/244 (100%)
Best For: ISO 27001 certification, ISMS implementation, international compliance

Categories (13)

| # | Category | Checks | Focus |
|---|----------|--------|-------|
| 1 | A.5 Organizational | ~15 | Policies, roles, responsibilities, contact with authorities |
| 2 | A.6 People | ~12 | Screening, terms of employment, security awareness |
| 3 | A.7 Physical | ~12 | Security perimeters, office security, equipment protection |
| 4 | A.8 Authentication | ~22 | Password policy, MFA, credential management, session control |
| 5 | A.8 Backup | ~18 | Backup procedures, recovery testing, data retention |
| 6 | A.8 Configuration | ~22 | Baseline configs, change management, capacity planning |
| 7 | A.8 Cryptography | ~20 | Encryption standards, key management, certificate handling |
| 8 | A.8 Endpoint Devices | ~18 | Device management, removable media, screen lock |
| 9 | A.8 Hardening | ~22 | System hardening, unnecessary services, secure defaults |
| 10 | A.8 Logging | ~22 | Log generation, protection, analysis, clock synchronization |
| 11 | A.8 Network Security | ~25 | Segmentation, filtering, remote access, wireless security |
| 12 | A.8 Privileged Access | ~20 | Admin account management, privilege escalation controls |
| 13 | A.8 Vulnerabilities | ~16 | Vulnerability management, patch management, scanning |

Standalone Usage

.\modules\module-iso27001.ps1

module-pcidss.ps1

Purpose: PCI DSS v4.0 compliance assessment for cardholder data environments
Checks: 227
Execution Time: ~25-35 seconds
Severity Coverage: 227/227 (100%)
Best For: Payment card processing, merchant compliance, service provider assessment

Categories (11)

| # | Category | Checks | Focus |
|---|----------|--------|-------|
| 1 | Req 1 Network Security | ~22 | Firewall configuration, network segmentation, DMZ controls |
| 2 | Req 2 Secure Config | ~22 | Default passwords, unnecessary services, hardening standards |
| 3 | Req 3 Stored Data | ~18 | Data retention, encryption at rest, key management |
| 4 | Req 4 Crypto Transit | ~20 | TLS configuration, cipher strength, certificate validation |
| 5 | Req 5 Malware | ~18 | Anti-malware deployment, signature updates, scanning |
| 6 | Req 6 Secure Systems | ~22 | Patch management, change control, application security |
| 7 | Req 7 Access Control | ~22 | Need-to-know, RBAC, least privilege, access reviews |
| 8 | Req 8 Authentication | ~25 | Password complexity, MFA, session management, lockout |
| 9 | Req 10 Logging | ~25 | Audit trail, log review, time synchronization, log retention |
| 10 | Req 11 Testing | ~18 | Vulnerability scanning, penetration testing, IDS/IPS |
| 11 | Req 12 Policies | ~15 | Security policies, risk assessment, incident response |

Standalone Usage

.\modules\module-pcidss.ps1

module-soc2.ps1

Purpose: SOC 2 Type II Trust Service Criteria assessment
Checks: 124
Execution Time: ~15-20 seconds
Severity Coverage: 124/124 (100%)
Best For: Service organizations, SaaS providers, cloud service compliance

Categories (6)

| # | Category | Checks | Focus |
|---|----------|--------|-------|
| 1 | CC5 Control Activities | ~22 | Security configurations, policy enforcement, change management |
| 2 | CC6 Logical Access | ~25 | Authentication, authorization, access controls, session mgmt |
| 3 | CC7 Operations | ~22 | Monitoring, incident detection, response procedures |
| 4 | CC8 Change Mgmt | ~18 | Configuration baselines, change control, testing |
| 5 | A1 Availability | ~20 | Backup, recovery, resilience, capacity monitoring |
| 6 | C1 Confidentiality | ~17 | Encryption, data classification, access restrictions |

Standalone Usage

.\modules\module-soc2.ps1

module-core.ps1

Purpose: Essential Windows security baseline checks
Checks: 177
Execution Time: ~30-60 seconds
Severity Coverage: 176/176 (100%)
Cross-References: 127 mappings
Best For: Quick security assessments, workstation baselines

Overview

The Core module contains fundamental security checks that every Windows system should pass regardless of industry or compliance requirements. These represent the "must-have" security configurations.

Check Categories

| Category | Checks | Description |
|----------|--------|-------------|
| User Accounts | 6 | Local user enumeration, built-in account status |
| Account Policy | 5 | Password and lockout policies |
| Windows Defender | 5 | Antivirus status, signatures, scans |
| Windows Firewall | 3 | Firewall status across profiles |
| Windows Update | 4 | Update service, configuration, recent updates |
| System Security | 8 | UAC, SMB, RDP, audit policies |
| Services | 5 | Critical service status |
| Network Security | 4 | SMB protocols, signing |

Key Checks

User Account Security

  • Lists all enabled local accounts
  • Checks Administrator account status (should be disabled)
  • Checks Guest account status (must be disabled)
  • Enumerates local administrators group
  • Detects accounts with never-expiring passwords
  • Identifies inactive accounts (>90 days)

Authentication & Access Control

  • Minimum password length (≥14 characters)
  • Password complexity requirements
  • Password history (≥24 passwords)
  • Account lockout threshold (≤5 attempts)
  • Lockout duration (≥15 minutes)

Endpoint Protection

  • Windows Defender real-time protection enabled
  • Antivirus signatures age (<7 days)
  • Last scan status and age
  • Cloud-delivered protection enabled
  • Behavior monitoring enabled

Network Protection

  • Firewall enabled on Domain, Private, Public profiles
  • Default inbound action (should be Block)
  • SMBv1 protocol disabled
  • SMB signing enabled
  • Network Level Authentication for RDP
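The Network Protection items above can be evaluated with built-in cmdlets and one registry read. The following is an added example written for this page, not code from the Windows-Security-Audit project: the pass criteria are the ones stated on this page, while the Test-CoreNetworkProtection name and the Check/Status/Details result shape are assumptions made here.

```powershell
# Added example (not project code): evaluates the Core module's Network Protection
# items. Pass criteria follow this page; the function name and the result shape
# are assumptions made for this example.
function Test-CoreNetworkProtection {
    $findings = New-Object System.Collections.Generic.List[object]

    function Add-Finding([string]$Check, [bool]$Passed, [string]$Details) {
        $findings.Add([pscustomobject]@{
            Check   = $Check
            Status  = $(if ($Passed) { 'Pass' } else { 'Fail' })
            Details = $Details
        })
    }

    # Firewall: enabled on Domain, Private and Public, inbound traffic blocked by default
    foreach ($fwProfile in Get-NetFirewallProfile) {
        Add-Finding "Firewall enabled ($($fwProfile.Name))" ($fwProfile.Enabled -eq 'True') `
            "Enabled=$($fwProfile.Enabled)"
        Add-Finding "Default inbound action ($($fwProfile.Name))" ($fwProfile.DefaultInboundAction -eq 'Block') `
            "DefaultInboundAction=$($fwProfile.DefaultInboundAction)"
    }

    # SMB: v1 disabled on the server side, signing required by both server and client
    $server = Get-SmbServerConfiguration
    $client = Get-SmbClientConfiguration
    Add-Finding 'SMBv1 protocol disabled' (-not $server.EnableSMB1Protocol) `
        "EnableSMB1Protocol=$($server.EnableSMB1Protocol)"
    Add-Finding 'SMB signing required (server)' ([bool]$server.RequireSecuritySignature) `
        "RequireSecuritySignature=$($server.RequireSecuritySignature)"
    Add-Finding 'SMB signing required (client)' ([bool]$client.RequireSecuritySignature) `
        "RequireSecuritySignature=$($client.RequireSecuritySignature)"

    # RDP: UserAuthentication = 1 means Network Level Authentication is required
    $rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    Add-Finding 'Network Level Authentication for RDP' ($nla -eq 1) "UserAuthentication=$nla"

    return $findings
}

# Usage: run from an elevated session; every non-Pass row is a remediation item
Test-CoreNetworkProtection | Format-Table -AutoSize
```

Client-side SMB signing is checked alongside the server-side setting because a server that requires signing still talks unsigned to other hosts when the local client does not; the page lists "SMB signing enabled" once, so both sides are reported separately here.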

Usage

# Run Core module only
.\Windows-Security-Audit.ps1 -Modules Core

# Core module as baseline + another framework
.\Windows-Security-Audit.ps1 -Modules Core,STIG

When to Use

  • Daily/frequent checks - Fast execution suitable for regular audits
  • User workstations - Covers essential endpoint security
  • Quick triage - Rapid assessment of unknown system
  • Baseline validation - Verify fundamental security before deeper audit

module-stig.ps1

Purpose: DISA STIG (Security Technical Implementation Guide) compliance
Checks: 185
Execution Time: ~2-3 minutes
Best For: DoD, Federal contractors, high-security environments

Overview

DISA STIGs provide prescriptive security guidance for Department of Defense information systems. This module checks configuration against Windows 10/11 and Server STIGs with proper V-ID references and CAT severity ratings.

STIG Categories

| Severity | Description | Risk Level | Count |
|----------|-------------|------------|-------|
| CAT I | High severity vulnerabilities | Immediate threat | ~10 |
| CAT II | Medium severity vulnerabilities | Significant risk | ~75 |
| CAT III | Low severity vulnerabilities | Minor risk | ~5 |

Check Categories

| V-ID Range | Category | Focus Area |
|------------|----------|------------|
| V-220718-726 | Account Policies | Password requirements, lockout |
| V-220729-734 | Windows Firewall | All profiles, inbound/outbound rules |
| V-220755-772 | Audit Policy | 18 audit subcategories |
| V-220858-860 | Event Logs | Application, Security, System log sizes |
| V-220908-928 | Security Options | LM auth, UAC, anonymous restrictions |
| V-220929-931 | User Rights | Built-in accounts (Administrator, Guest) |
| V-220964-970 | Remote Access | RDP security, NLA, encryption |
| V-220968-970 | SMB Security | SMBv1, signing, client/server |
| V-220971-972 | PowerShell | PSv2 removal, Script Block Logging |
| V-220973-984 | Miscellaneous | AutoPlay, Secure Boot, VBS, services |

Example V-IDs

CAT I (Critical):

  • V-220929 - Guest account must be disabled
  • V-220926 - User Account Control must be enabled
  • V-220729/730/731 - Windows Firewall must be enabled (all profiles)

CAT II (Important):

  • V-220718 - Minimum password length: 14 characters
  • V-220726 - Password history: 24 passwords
  • V-220968 - SMBv1 must be disabled
  • V-220967 - RDP must require Network Level Authentication

Log Size Requirements

Per STIG requirements:

  • Application Log: ≥32 MB
  • Security Log: ≥1024 MB (1 GB)
  • System Log: ≥32 MB

Audit Subcategories

All 18 required audit subcategories with Success/Failure requirements:

  • Credential Validation
  • Security Group Management
  • User Account Management
  • Plug and Play Events
  • Process Creation
  • Account Lockout
  • Logon/Logoff/Special Logon
  • Removable Storage
  • Policy Changes (Audit, Authentication, Authorization)
  • Sensitive Privilege Use
  • IPsec Driver
  • Security State/System Changes
  • System Integrity
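The log size minimums and the audit subcategory requirements above are both things a script can verify directly: log sizes through Get-WinEvent -ListLog and subcategories through auditpol. The following is an added example written for this page, not the project's module-stig.ps1. The log minimums are the page's figures; the Success/Failure value assumed for each subcategory, the function names, and English-language auditpol output are assumptions made here, so check the V-ID text for the exact setting before relying on a Fail.

```powershell
# Added example (not project code): compares event log maximum sizes with the
# STIG minimums quoted on the page and reads audit subcategory state from auditpol.
# The per-subcategory requirements below are assumed values for this example.
$StigLogMinimumMB = @{ Application = 32; Security = 1024; System = 32 }

function Test-StigLogSizes {
    foreach ($logName in $StigLogMinimumMB.Keys) {
        $log = Get-WinEvent -ListLog $logName
        $actualMB = [math]::Floor($log.MaximumSizeInBytes / 1MB)
        [pscustomobject]@{
            Log        = $logName
            ActualMB   = $actualMB
            RequiredMB = $StigLogMinimumMB[$logName]
            Status     = $(if ($actualMB -ge $StigLogMinimumMB[$logName]) { 'Pass' } else { 'Fail' })
        }
    }
}

# Subcategory name => required setting (assumed for this example; confirm against the V-ID)
$RequiredAuditSubcategories = [ordered]@{
    'Credential Validation'     = 'Success and Failure'
    'Security Group Management' = 'Success'
    'User Account Management'   = 'Success and Failure'
    'Process Creation'          = 'Success'
    'Account Lockout'           = 'Failure'
    'Logon'                     = 'Success and Failure'
    'Sensitive Privilege Use'   = 'Success and Failure'
}

function Test-StigAuditPolicy {
    # Each auditpol line looks like "  Credential Validation        Success and Failure"
    $lines = auditpol /get /category:* 2>$null
    foreach ($name in $RequiredAuditSubcategories.Keys) {
        # two or more spaces separate the name from its setting, so "Logon" does not match "Logon/Logoff"
        $pattern = '^\s*' + [regex]::Escape($name) + '\s{2,}(.+?)\s*$'
        $actual = 'Not found'
        foreach ($line in $lines) {
            if ($line -match $pattern) { $actual = $Matches[1]; break }
        }
        $required = $RequiredAuditSubcategories[$name]
        # auditing both outcomes satisfies a requirement for either one alone
        $ok = ($actual -eq $required) -or ($actual -eq 'Success and Failure')
        [pscustomobject]@{
            Subcategory = $name
            Required    = $required
            Actual      = $actual
            Status      = $(if ($ok) { 'Pass' } else { 'Fail' })
        }
    }
}

# Usage (elevated session: auditpol /get requires it)
Test-StigLogSizes | Format-Table -AutoSize
Test-StigAuditPolicy | Format-Table -AutoSize
```

MaximumSizeInBytes is the configured cap, not the current size, which is the value the STIG constrains; a log that is small on disk today still passes if its cap meets the minimum.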

Usage

# Full STIG assessment
.\Windows-Security-Audit.ps1 -Modules STIG

# STIG + related frameworks
.\Windows-Security-Audit.ps1 -Modules STIG,NIST

Output Interpretation

Results include:

  • V-ID - STIG vulnerability ID
  • CAT Level - Severity (I/II/III)
  • Status - Pass/Fail/Warning/Info/Error
  • Remediation - Exact commands or GPO paths

When to Use

  • DoD systems - Required for DoD information systems
  • Federal contractors - Handling CUI (Controlled Unclassified Information)
  • High-security environments - Most rigorous publicly available baseline
  • Compliance audits - Evidence for RMF/ATO processes

module-nist.ps1

Purpose: NIST 800-53 and Cybersecurity Framework compliance
Checks: 474
Execution Time: ~1-2 minutes
Best For: Federal agencies (FISMA), FedRAMP, risk-based frameworks

Overview

Implements NIST SP 800-53 Revision 5 security controls and aligns with NIST Cybersecurity Framework core functions. Provides control family mappings for compliance documentation.

NIST 800-53 Control Families

| Family | Code | Focus Area | Checks |
|--------|------|------------|--------|
| Access Control | AC | Account management, remote access, device lock | 5 |
| Audit & Accountability | AU | Audit events, storage, protection, generation | 4 |
| Identification & Authentication | IA | User ID, passwords, authenticators | 3 |
| System & Communications Protection | SC | Boundary, transmission, cryptographic protection | 4 |
| Configuration Management | CM | Baseline config, settings, least functionality | 4 |
| Incident Response | IR | Incident handling, monitoring | 2 |
| Media Protection | MP | Removable media controls | 1 |
| System & Information Integrity | SI | Flaw remediation, malware, monitoring, integrity | 5 |

Control Examples

AC-2: Account Management

  • Active local account enumeration
  • Inactive account detection (>90 days)
  • Account review procedures

AU-2: Audit Events

  • Critical audit categories configured
  • Comprehensive logging of security events
  • Event correlation capabilities

IA-5: Authenticator Management

  • Password length (≥14 characters)
  • Password history (≥24 passwords)
  • Password age/expiration policies

SC-13: Cryptographic Protection

  • BitLocker encryption status
  • Encryption methods and algorithms
  • Data-at-rest protection

SI-2: Flaw Remediation

  • Windows Update status and configuration
  • Recent update history (last 30 days)
  • Pending critical updates

NIST Cybersecurity Framework (CSF)

| Function | Description | Module Coverage |
|----------|-------------|-----------------|
| Identify | Asset management, risk assessment | Asset inventory, system enumeration |
| Protect | Access control, data security | Authentication, encryption, firewalls |
| Detect | Anomaly detection, monitoring | Audit logging, Defender monitoring |
| Respond | Response planning, analysis | Incident handling capabilities |
| Recover | Recovery planning | System Restore, backup verification |

NIST 800-171 Overlap

Many NIST 800-171 requirements (for CUI protection) overlap with 800-53 controls checked by this module:

  • 3.1.x - Access Control
  • 3.3.x - Audit and Accountability
  • 3.5.x - Identification and Authentication
  • 3.13.x - System and Communications Protection
  • 3.14.x - System and Information Integrity

Usage

# NIST assessment
.\Windows-Security-Audit.ps1 -Modules NIST

# NIST + FISMA-related frameworks
.\Windows-Security-Audit.ps1 -Modules NIST,CISA

Control Mapping

Each finding maps to specific NIST control(s):

Category: NIST - AC-7
Message: Account lockout threshold: 3 attempts
Details: NIST 800-53 AC-7: Account lockout protects against brute force attacks
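A finding in that shape is straightforward to produce from a single check. The following is an added example written for this page, not the project's module-nist.ps1: it reads the lockout threshold from `net accounts` and emits a Category / Message / Details record for AC-7. The New-NistFinding helper, the pass threshold of at most 5 attempts (taken from the Core module's lockout check on this page; AC-7 itself leaves the number organization-defined), and English-language `net accounts` output are assumptions made here.

```powershell
# Added example (not project code): builds a NIST-mapped finding for the AC-7
# lockout threshold check. Helper name, pass threshold and English "net accounts"
# output are assumptions for this example.
function New-NistFinding([string]$Control, [string]$Status, [string]$Message, [string]$Details) {
    [pscustomobject]@{
        Category = "NIST - $Control"
        Status   = $Status
        Message  = $Message
        Details  = "NIST 800-53 ${Control}: $Details"
    }
}

function Get-LockoutThreshold {
    # "net accounts" prints a line such as "Lockout threshold:    5" ("Never" when lockout is off)
    foreach ($line in (net accounts)) {
        if ($line -match '^Lockout threshold:\s+(.+)$') {
            $value = $Matches[1].Trim()
            if ($value -eq 'Never') { return 0 }
            return [int]$value
        }
    }
    return $null
}

function Test-AccountLockoutThreshold([int]$MaxAttempts = 5) {
    $threshold = Get-LockoutThreshold
    if ($null -eq $threshold) {
        return New-NistFinding 'AC-7' 'Error' 'Could not read lockout threshold' 'net accounts output not recognized'
    }
    # 0 means lockout is disabled, which fails regardless of $MaxAttempts
    $status  = if ($threshold -ge 1 -and $threshold -le $MaxAttempts) { 'Pass' } else { 'Fail' }
    $message = if ($threshold -eq 0) { 'Account lockout threshold: Never (lockout disabled)' }
               else { "Account lockout threshold: $threshold attempts" }
    New-NistFinding 'AC-7' $status $message 'Account lockout protects against brute force attacks'
}

# Usage
Test-AccountLockoutThreshold | Format-List
```

Keeping the control identifier in a single helper means the finding text, the Category value, and the Details prefix cannot drift apart when more controls are added, which matters when the output is later filtered by control family for evidence collection.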

When to Use

  • Federal agencies - FISMA compliance (required)
  • FedRAMP - Cloud service provider authorization
  • DoD contractors - NIST 800-171 assessment
  • Risk-based approach - Flexible framework implementation
  • Audit preparation - Control evidence collection

module-cis.ps1

Purpose: CIS (Center for Internet Security) Benchmarks compliance
Checks: 223
Execution Time: ~2-3 minutes
Best For: Industry best practices, all organizations

Overview

CIS Benchmarks represent consensus-based security configuration guidance developed by cybersecurity professionals worldwide. This module implements Windows 10/11 and Server CIS Benchmarks.

CIS Benchmark Sections

| Section | Category | Checks |
|---------|----------|--------|
| 1 | Account Policies | Password, lockout, Kerberos |
| 2 | Local Policies | Audit, user rights, security options |
| 5 | System Services | Service configuration and hardening |
| 9 | Windows Firewall | Domain, Private, Public profiles |
| 17 | Advanced Audit Policy | Granular audit subcategories |
| 18 | Administrative Templates | System, network, Windows components |
| 19 | Credential Protection | WDigest, LSASS, Credential Guard |
| 19 | BitLocker | Disk encryption configuration |

Recommendation Levels

Level 1:

  • Basic security requirements
  • Minimal functionality impact
  • Recommended for all environments
  • Most checks in this module

Level 2:

  • Defense-in-depth measures
  • May reduce functionality or usability
  • High-security environments
  • Marked in check details

Key Coverage Areas

Account Policies (Section 1)

  • Minimum password length: ≥14 characters
  • Password history: ≥24 passwords
  • Maximum password age: ≤365 days
  • Minimum password age: ≥1 day
  • Account lockout: ≤5 attempts, ≥15 minute duration
  • Password complexity enabled
  • Reversible encryption disabled

Audit Policy (Section 2 & 17)

  • Basic audit policy vs Advanced Audit Policy
  • Critical audit categories enabled
  • 18+ audit subcategories configured
  • Success and/or Failure auditing per category

Security Options (Section 2.3)

  • LAN Manager authentication level: NTLMv2 only
  • Anonymous SAM/share enumeration restricted
  • NTLM SSP minimum security configured
  • Machine inactivity limit: ≤15 minutes
  • UAC configuration (multiple settings)
  • Interactive logon messages

Event Logs (Section 5)

  • Application log: ≥32 MB
  • Security log: ≥196 MB (recommended ≥1 GB)
  • System log: ≥32 MB
  • Log retention policies

Windows Firewall (Section 9)

  • All profiles enabled (Domain, Private, Public)
  • Default inbound action: Block
  • Default outbound action: Allow (or Block for Level 2)
  • Logging enabled for blocked connections
  • Log file sizes adequate (≥16 MB)
  • Notifications configured appropriately

Administrative Templates (Section 18)

  • AutoPlay/Autorun disabled
  • Always Install Elevated disabled
  • Printer driver installation restricted
  • Windows Update configuration
  • Windows Error Reporting settings
  • Remote Assistance configuration

Credential Protection (Section 19)

  • WDigest authentication disabled
  • LSASS running as Protected Process (PPL)
  • Credential Guard enabled (if supported)

BitLocker (Section 19)

  • System drive encryption enabled
  • Recovery keys configured
  • Encryption methods appropriate

Scored vs Not Scored

CIS Benchmarks include:

  • Scored - Recommendations that count toward the CIS Benchmark compliance score
  • Not Scored - Recommendations that may not apply universally and do not affect the score

This module primarily implements Scored recommendations.

Usage

# CIS assessment
.\Windows-Security-Audit.ps1 -Modules CIS

# CIS + related standards
.\Windows-Security-Audit.ps1 -Modules CIS,MS

CIS-CAT Integration

For official CIS scoring:

  • Use CIS-CAT Pro tool (paid)
  • This module provides similar checks
  • Results can guide CIS-CAT remediation

When to Use

  • All organizations - Industry-recognized baseline
  • No formal compliance requirement - Best practice guide
  • Audit preparation - Pre-assessment before formal CIS-CAT
  • Security baseline - Well-balanced security vs usability
  • Cyber insurance - Often referenced in requirements

module-nsa.ps1

Purpose: NSA Cybersecurity guidance and best practices
Checks: 173
Execution Time: ~1-2 minutes
Best For: Nation-state threat mitigation, critical infrastructure

Overview

Implements NSA Cybersecurity Information Sheets and guidance documents focused on defending against sophisticated nation-state adversaries. The emphasis is on advanced persistent threats (APTs) and zero-trust principles.

NSA Focus Areas

| Area | Purpose | Checks |
|------|---------|--------|
| Boot Security | Prevent bootkits/rootkits | Secure Boot, BitLocker, TPM |
| Application Control | Block unauthorized software | AppLocker, WDAC/Device Guard |
| Credential Protection | Defeat credential theft | Credential Guard, LSASS PPL, WDigest |
| Remote Access Security | Secure remote connections | RDP NLA, encryption levels |
| PowerShell Security | Prevent PowerShell abuse | PSv2 removal, logging, transcription |
| SMB Security | Stop lateral movement | SMBv1 removal, signing, encryption |
| Endpoint Protection | Malware defense | Defender comprehensive config |
| Audit & Logging | Enable threat detection | Advanced audit policies |
| Network Hardening | Reduce attack surface | Firewall, LLMNR/NetBIOS |

Key Security Controls

Boot Integrity:

  • Secure Boot status (UEFI required)
  • BitLocker on system drive
  • TPM chip utilization
  • Boot configuration protection

Application Whitelisting:

  • AppLocker service running
  • AppLocker policies configured
  • WDAC/Device Guard status
  • Code Integrity Policy enforcement

Credential Theft Prevention:

  • Credential Guard running (VBS-based)
  • LSASS as Protected Process Light (PPL)
  • WDigest disabled (prevents plaintext credentials from being kept in LSASS memory)
  • Cached credential limit reduced

Remote Desktop Hardening:

  • RDP disabled if not needed
  • Network Level Authentication (NLA) required
  • High encryption level enforced
  • RDP session timeout configured

PowerShell Attack Surface Reduction:

  • PowerShell v2 removed (lacks Script Block Logging and can be used to bypass newer PowerShell security controls)
  • Script Block Logging enabled
  • Module Logging enabled
  • Transcription enabled (optional but recommended)

SMB Protocol Security:

  • SMBv1 completely disabled
  • SMB signing required (client and server)
  • SMB encryption enabled
  • Anonymous SMB access blocked

Windows Defender Configuration:

  • Real-time protection active
  • Cloud-delivered protection (MAPS) enabled
  • Behavior monitoring active
  • IOAV (download/attachment scanning) enabled
  • Signatures current (<1 day old)
  • Exploit Protection configured

Advanced Logging:

  • Advanced Audit Policy in use
  • Critical audit subcategories enabled
  • PowerShell logging comprehensive
  • Process creation auditing with command line

Network Protocol Hardening:

  • All firewall profiles enabled
  • LLMNR disabled (prevents name resolution poisoning)
  • NetBIOS over TCP/IP disabled
  • IPv6 configured or disabled
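The Credential Theft Prevention and Network Protocol Hardening items above all reduce to a handful of registry values plus one WMI class. The following is an added example written for this page, not the project's module-nsa.ps1. The registry paths and the Win32_DeviceGuard class are documented Windows locations; the Test-CredentialTheftControls name, the result shape, and the cached-logon limit of 4 are assumptions made here.

```powershell
# Added example (not project code): reads the settings behind the NSA module's
# credential theft and LLMNR items. Function name and the cached-logon limit are
# assumptions for this example.
function Get-RegValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function New-Check([string]$Check, [bool]$Passed, [string]$Details) {
    [pscustomobject]@{ Check = $Check; Status = $(if ($Passed) { 'Pass' } else { 'Fail' }); Details = $Details }
}

function Test-CredentialTheftControls([int]$MaxCachedLogons = 4) {
    # Credential Guard appears as service 1 in SecurityServicesRunning (2 is HVCI)
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $running = @($dg.SecurityServicesRunning)
    New-Check 'Credential Guard running' ($running -contains 1) "SecurityServicesRunning=$($running -join ',')"

    # RunAsPPL of 1 or 2 runs LSASS as a Protected Process Light; absent or 0 means unprotected
    $ppl = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'RunAsPPL'
    New-Check 'LSASS as Protected Process Light' ($ppl -ge 1) "RunAsPPL=$ppl"

    # WDigest keeps plaintext credentials in memory only when UseLogonCredential = 1
    $wd = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential'
    New-Check 'WDigest disabled' ($wd -ne 1) `
        "UseLogonCredential=$(if ($null -eq $wd) { 'absent (defaults to 0)' } else { $wd })"

    # CachedLogonsCount is a REG_SZ; Windows defaults to 10 cached domain logons
    $cached = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'CachedLogonsCount'
    $cachedCount = if ($null -eq $cached) { 10 } else { [int]$cached }
    New-Check "Cached logons <= $MaxCachedLogons" ($cachedCount -le $MaxCachedLogons) "CachedLogonsCount=$cachedCount"

    # LLMNR is on by default; EnableMulticast = 0 under the DNSClient policy key turns it off
    $llmnr = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast'
    New-Check 'LLMNR disabled' ($llmnr -eq 0) `
        "EnableMulticast=$(if ($null -eq $llmnr) { 'not configured (enabled by default)' } else { $llmnr })"
}

# Usage
Test-CredentialTheftControls | Format-Table -AutoSize
```

Two of these values fail "safe" when absent and two do not: a missing UseLogonCredential means WDigest caching is off on current Windows, whereas a missing RunAsPPL or EnableMulticast means the protection is simply not in place, so each absent value is interpreted according to the documented default rather than treated uniformly as a failure.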

NSA Guidance Documents Referenced

  • Mitigating Cloud Vulnerabilities
  • Securing Wireless Devices in Public Settings
  • Defensive Best Practices for Destructive Malware
  • Mitigating Recent VPN Vulnerabilities
  • Adopting Encrypted DNS
  • Selecting and Hardening Remote Access VPNs

Usage

# NSA assessment
.\Windows-Security-Audit.ps1 -Modules NSA

# NSA + critical infrastructure frameworks
.\Windows-Security-Audit.ps1 -Modules NSA,CISA

Threat Focus

NSA guidance specifically addresses:

  • Advanced Persistent Threats (APTs)
  • Nation-state actors
  • Sophisticated malware (NotPetya, WannaCry, etc.)
  • Supply chain attacks
  • Lateral movement techniques
  • Credential theft and reuse
  • Living-off-the-land attacks

When to Use

  • National Security Systems - NSS information (required)
  • Critical infrastructure - High-value targets
  • Defense Industrial Base - DoD contractors
  • Advanced threat environment - Facing nation-state actors
  • Zero trust architecture - Implementing ZTA principles

module-cisa.ps1

Purpose: CISA Cybersecurity Performance Goals
Checks: 231
Execution Time: ~2 minutes
Best For: Critical infrastructure, small/medium businesses, high-ROI security

Overview

Implements CISA's Cybersecurity Performance Goals (CPGs) - a prioritized subset of security practices representing minimum baseline security for critical infrastructure and organizations of all sizes.

CISA CPG Priority Areas

| Area | Focus | Checks |
|------|-------|--------|
| Account Security | MFA, passwords, privilege | 7 |
| Patch Management | Updates, Known Exploited Vulnerabilities | 5 |
| Logging & Monitoring | Centralized logging, retention | 8 |
| Endpoint Detection & Response | Antivirus, behavior monitoring | 12 |
| Data Encryption | BitLocker, data-at-rest/in-transit | 5 |
| Network Security | Firewall, SMB, protocols | 8 |
| Secure Configuration | UAC, Secure Boot, defaults | 10 |
| Access Control | Admin accounts, shares, privileges | 8 |
| Incident Response | Defender, logging, System Restore | 5 |

Multi-Factor Authentication

  • Network Level Authentication for RDP
  • Smart Card Policy service status
  • Windows Hello for Business configuration
  • Cached credential limits

Patch Management & KEV Catalog

  • Windows Update service running
  • Automatic updates configured
  • Recent update history (last 30 days)
  • Pending critical updates
  • Update failure detection

Known Exploited Vulnerabilities (KEV): CISA maintains a catalog of CVEs known to be actively exploited. This module checks patch management processes to ensure rapid response to KEV additions.

Centralized Logging

Event Log Configuration:

  • Security log: ≥1024 MB (1 GB)
  • Application log: ≥32 MB
  • System log: ≥32 MB
  • Circular vs archive-on-full mode

PowerShell Logging:

  • Script Block Logging enabled
  • Module Logging configured
  • Transcription enabled (optional)
  • Log output directory specified

Advanced Logging:

  • Process Creation auditing (Event ID 4688)
  • Command line in process events
  • Sysmon installation detected
  • Windows Event Forwarding configured
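The PowerShell Logging and Advanced Logging items above (together with the Security log retention mode from Event Log Configuration) are policy registry values, one service, and one log property. The following is an added example written for this page, not the project's module-cisa.ps1. The policy keys are Microsoft's documented locations; the Test-CisaLogging name, the result shape, treating archive-on-full as the passing log mode, and detecting Sysmon only under its default service names are assumptions made here. Process Creation auditing itself is an auditpol setting and is not repeated in this block.

```powershell
# Added example (not project code): reads the CISA module's logging-related settings.
# Function name, result shape and the "not Circular passes" rule are assumptions.
function Get-RegValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-CisaLogging {
    $ps = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $sbl   = Get-RegValue "$ps\ScriptBlockLogging" 'EnableScriptBlockLogging'
    $mod   = Get-RegValue "$ps\ModuleLogging"      'EnableModuleLogging'
    $tx    = Get-RegValue "$ps\Transcription"      'EnableTranscripting'
    $txDir = Get-RegValue "$ps\Transcription"      'OutputDirectory'

    # Command line in 4688 events: ProcessCreationIncludeCmdLine_Enabled = 1
    $cmdLine = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' 'ProcessCreationIncludeCmdLine_Enabled'

    # Sysmon installs as a service named Sysmon or Sysmon64 by default (renamed installs are missed here)
    $sysmon = Get-Service -Name 'Sysmon*' -ErrorAction SilentlyContinue | Where-Object Status -eq 'Running'

    # Windows Event Forwarding: the first SubscriptionManager value names the collector
    $wef = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager' '1'

    # Security log mode: Circular overwrites the oldest events; AutoBackup archives the log when full
    $secLog = Get-WinEvent -ListLog Security

    $rows = @(
        @('Script Block Logging enabled',             ($sbl -eq 1),                           "EnableScriptBlockLogging=$sbl"),
        @('Module Logging enabled',                   ($mod -eq 1),                           "EnableModuleLogging=$mod"),
        @('Transcription enabled',                    ($tx -eq 1),                            "EnableTranscripting=$tx"),
        @('Transcription output directory set',       (-not [string]::IsNullOrEmpty($txDir)), "OutputDirectory=$txDir"),
        @('Command line in process creation events',  ($cmdLine -eq 1),                       "ProcessCreationIncludeCmdLine_Enabled=$cmdLine"),
        @('Sysmon service running',                   ($null -ne $sysmon),                    "Service=$($sysmon.Name -join ',')"),
        @('Windows Event Forwarding configured',      (-not [string]::IsNullOrEmpty($wef)),   "SubscriptionManager=$wef"),
        @('Security log archives when full',          ($secLog.LogMode -ne 'Circular'),       "LogMode=$($secLog.LogMode)")
    )
    foreach ($r in $rows) {
        [pscustomobject]@{ Check = $r[0]; Status = $(if ($r[1]) { 'Pass' } else { 'Fail' }); Details = $r[2] }
    }
}

# Usage
Test-CisaLogging | Format-Table -AutoSize
```

Script Block Logging and a command line in 4688 events are the two settings that give a detection team the most value per row here; without them, process and script activity is recorded only by name, which is why they sit alongside the forwarding check rather than being treated as optional extras.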

Endpoint Detection & Response

Windows Defender Comprehensive:

  • Real-time protection enabled
  • Cloud protection (MAPS) - Basic or Advanced
  • Behavior monitoring active
  • On-access protection enabled
  • Signature age (<7 days optimal)
  • Recent scans (full and quick)
  • Network Protection (Block mode)
  • Controlled Folder Access (ransomware protection)
  • Attack Surface Reduction rules configured

Microsoft Defender for Endpoint:

  • Sense service running
  • System onboarded to MDE
  • Advanced EDR capabilities active

Data Protection

Encryption:

  • BitLocker on all volumes
  • Encryption methods (XtsAes256 recommended)
  • Recovery keys configured
  • EFS usage detection

Network Security

Windows Firewall:

  • All profiles enabled (Domain, Private, Public)
  • Default inbound: Block
  • Outbound rules reviewed
  • Logging for blocked/allowed connections

Protocol Security:

  • SMBv1 completely disabled
  • SMB signing required
  • SMB encryption enabled
  • LLMNR disabled
  • NetBIOS over TCP/IP disabled

Secure Configuration

Essential Settings:

  • User Account Control enabled
  • Secure Boot (UEFI)
  • Built-in accounts (Administrator, Guest) disabled/renamed
  • Password complexity meets requirements
  • Automatic updates enabled

Access Control

  • Local administrator group enumeration
  • Remote Desktop Users group review
  • Inactive account detection
  • Network share permissions
  • "Everyone" group usage detected

Incident Response Capabilities

  • Windows Defender active and current
  • Security event log enabled and sized
  • System Restore points available
  • Windows Error Reporting status
  • Backup services (wbengine)
  • Volume Shadow Copy Service

Usage

# CISA CPG assessment
.\Windows-Security-Audit.ps1 -Modules CISA

# Critical infrastructure combo
.\Windows-Security-Audit.ps1 -Modules CISA,NSA

High-ROI Focus

CISA CPGs prioritize controls that:

  • Provide maximum security benefit
  • Are achievable by organizations of all sizes
  • Don't require extensive resources
  • Protect against most common threats

When to Use

  • Critical infrastructure sectors (16 identified by CISA)
  • State/local governments - Limited cybersecurity resources
  • Small/medium businesses - Cost-effective security
  • Shields Up guidance - Heightened threat environment
  • Ransomware defense - Focus on ransomware prevention

module-ms.ps1

Purpose: Microsoft Security Baselines and recommendations
Checks: 231
Execution Time: ~1-2 minutes
Best For: All Windows environments, Microsoft ecosystem

Overview

Implements Microsoft's Security Compliance Toolkit (SCT) baselines and security recommendations. Represents vendor-recommended configurations optimized for Windows features and modern security capabilities.

Microsoft Security Features

| Feature | Purpose | Checks |
|---------|---------|--------|
| Windows Defender AV | Antivirus, Anti-malware | 10 |
| Exploit Protection | EMET successor, memory protection | 5 |
| Attack Surface Reduction | Behavioral blocking | 3 |
| Network Protection | Block malicious sites/IPs | 2 |
| Controlled Folder Access | Ransomware protection | 3 |
| SmartScreen | Phishing/malware protection | 4 |
| Device Guard / WDAC | Application whitelisting | 6 |
| Credential Guard | Credential isolation (VBS) | 3 |
| Windows Hello | Passwordless authentication | 4 |
| Remote Desktop Security | RDP hardening | 5 |
| PowerShell Security | Script execution protection | 4 |
| Windows Firewall | Network segmentation | 6 |
| SMB Security | File sharing protection | 4 |

Windows Defender Antivirus

Protection Layers:

  • Real-time protection (file and process scanning)
  • Behavior monitoring (machine learning)
  • IOAV protection (downloads and attachments)
  • On-access protection (file access events)
  • Cloud-delivered protection (MAPS)
  • Automatic sample submission
  • PUA (Potentially Unwanted Applications) protection

Signature Management:

  • Antivirus signature age
  • NIS signature age
  • Update frequency and source
  • Fallback update order

Scanning:

  • Quick scan schedule and history
  • Full scan schedule and history
  • Custom scan support

Exploit Protection

System-wide Mitigations:

  • DEP (Data Execution Prevention)
  • SEHOP (Structured Exception Handler Overwrite Protection)
  • ASLR (Address Space Layout Randomization)
  • Control Flow Guard (CFG)
  • Arbitrary code guard
  • Block low integrity images
  • Validate exception chains
  • Validate image dependency integrity

Attack Surface Reduction Rules

15 Microsoft-recommended ASR rules:

  1. Block executable content from email/webmail
  2. Block Office apps from creating child processes
  3. Block Office from creating executable content
  4. Block Office from injecting code
  5. Block JavaScript/VBScript from launching executables
  6. Block execution of potentially obfuscated scripts
  7. Block Win32 API calls from Office macros
  8. Block executables unless they meet prevalence/age/trusted list
  9. Use advanced protection against ransomware
  10. Block credential stealing from lsass.exe
  11. Block process creations from PSExec and WMI
  12. Block untrusted/unsigned processes from USB
  13. Block Office communication apps from creating child processes
  14. Block Adobe Reader from creating child processes
  15. Block persistence through WMI event subscription

Network Protection

  • Block connections to malicious domains/IPs
  • SmartScreen integration
  • Microsoft Defender SmartScreen filter
  • Block mode vs Audit mode
  • URL/IP reputation checks

Controlled Folder Access

  • Protected folders (default + custom)
  • Allowed applications list
  • Ransomware behavior blocking
  • Block mode vs Audit mode
  • Notification configuration
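The block below is an added example for this page, not the audit project's own code; it covers the three preceding sections together (the 15 ASR rules, Network Protection and Controlled Folder Access), since all of them are read from `Get-MpPreference`. The rule GUIDs are transcribed from Microsoft's public ASR rule reference and should be checked against that reference; the function names and the PASS/PARTIAL/FAIL grading are assumptions.

```powershell
# Added example for this wiki page; it is not code from the audit project.
# Grades the 15 recommended ASR rules listed above against Get-MpPreference,
# then reports Network Protection and Controlled Folder Access mode. The GUIDs
# are transcribed from Microsoft's public ASR rule reference; verify them there.
$RecommendedAsrRules = [ordered]@{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email/webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block Office apps from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office from injecting code'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript/VBScript from launching executables'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
    '01443614-CD74-433A-B99E-2ECDC07BFC25' = 'Block executables unless they meet prevalence/age/trusted list'
    'C1DB55AB-C21A-4637-BB3F-A12568109D35' = 'Use advanced protection against ransomware'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from lsass.exe'
    'D1E49AAC-8F56-4280-B9BA-993A6D77406C' = 'Block process creations from PSExec and WMI'
    'B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4' = 'Block untrusted/unsigned processes from USB'
    '26190899-1602-49E8-8B27-EB1D0A1CE869' = 'Block Office communication apps from creating child processes'
    '7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C' = 'Block Adobe Reader from creating child processes'
    'E6DB77E5-3DF2-4CF1-B95A-636979351E5B' = 'Block persistence through WMI event subscription'
}
# Action codes used by AttackSurfaceReductionRules_Actions
$AsrActionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRulePosture {
    $pref = Get-MpPreference
    # Ids and Actions are parallel arrays: Ids[i] is configured with Actions[i].
    # Piping through Where-Object turns a $null (nothing configured) into an empty array.
    $ids  = @($pref.AttackSurfaceReductionRules_Ids     | Where-Object { $_ })
    $acts = @($pref.AttackSurfaceReductionRules_Actions | Where-Object { $null -ne $_ })
    $configured = @{}
    for ($i = 0; $i -lt $ids.Count; $i++) { $configured[$ids[$i].ToUpper()] = [int]$acts[$i] }

    foreach ($guid in $RecommendedAsrRules.Keys) {
        $action = $null
        if ($configured.ContainsKey($guid)) { $action = $configured[$guid] }
        [pscustomobject]@{
            Rule   = $RecommendedAsrRules[$guid]
            Mode   = $(if ($null -eq $action) { 'Not configured' } else { $AsrActionName[$action] })
            # Block is the target; Audit/Warn show the rule is deployed but still let the action through.
            Status = $(if ($action -eq 1) { 'PASS' } elseif ($action -in 2, 6) { 'PARTIAL' } else { 'FAIL' })
        }
    }
}

function Get-NetworkProtectionAndCfaPosture {
    $pref = Get-MpPreference
    # EnableNetworkProtection: 0 disabled, 1 block, 2 audit.
    # EnableControlledFolderAccess: 0 disabled, 1 block, 2 audit, 3/4 block/audit disk modification only.
    $modeName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 3 = 'Block disk modification only'; 4 = 'Audit disk modification only' }
    $grade = { param([int]$Mode) if ($Mode -eq 1) { 'PASS' } elseif ($Mode -in 2, 3, 4) { 'PARTIAL' } else { 'FAIL' } }
    $folders = @($pref.ControlledFolderAccessProtectedFolders   | Where-Object { $_ }).Count
    $apps    = @($pref.ControlledFolderAccessAllowedApplications | Where-Object { $_ }).Count

    [pscustomobject]@{
        Feature = 'Network Protection'
        Mode    = $modeName[[int]$pref.EnableNetworkProtection]
        Status  = $(& $grade $pref.EnableNetworkProtection)
        Detail  = ''
    }
    [pscustomobject]@{
        Feature = 'Controlled Folder Access'
        Mode    = $modeName[[int]$pref.EnableControlledFolderAccess]
        Status  = $(& $grade $pref.EnableControlledFolderAccess)
        # Every allowed application is a bypass of CFA, so the count is worth reviewing by hand.
        Detail  = ('custom protected folders: {0}; allowed applications: {1}' -f $folders, $apps)
    }
}

Get-AsrRulePosture | Format-Table -AutoSize
Get-NetworkProtectionAndCfaPosture | Format-Table -AutoSize
```

Rules in Audit or Warn mode still generate the Defender ASR events, which is why they are graded PARTIAL rather than FAIL: they are useful for detection even before the rule is switched to Block.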

SmartScreen

Windows SmartScreen:

  • App and file SmartScreen filter
  • Warn/Block unrecognized apps
  • Admin approval for unrecognized apps

Microsoft Edge SmartScreen:

  • Phishing and malware protection
  • Download reputation checking
  • PUA blocking in Edge

Device Guard / WDAC

Virtualization-based Security:

  • VBS status and configuration
  • Secure Boot requirement
  • DMA protection

Code Integrity:

  • Hypervisor-protected Code Integrity (HVCI)
  • Code Integrity Policy enforcement
  • Audit vs Enforcement mode

Credential Guard:

  • Credentials isolated in VBS container
  • LSASS protection enhanced
  • Credential theft mitigation

Credential Protection

  • LSASS as Protected Process Light (PPL)
  • WDigest authentication disabled
  • Cached logon credential count
  • Smart card requirement options
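The block below is an added example for this page, not the audit project's own code; it covers the VBS, HVCI and Credential Guard items in the Device Guard / WDAC section together with the LSASS, WDigest and cached-logon items above. VBS state comes from the `Win32_DeviceGuard` WMI class; the rest are registry values. The function names, the cached-logon threshold of 4, and the treatment of an absent `UseLogonCredential` value as "disabled" (true on Windows 8.1 / Server 2012 R2 and later) are assumptions.

```powershell
# Added example for this wiki page; it is not code from the audit project.
# Reads VBS / HVCI / Credential Guard state from Win32_DeviceGuard and the
# credential-protection registry values listed above.
function Get-CredentialProtectionPosture {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    # VirtualizationBasedSecurityStatus: 0 not enabled, 1 enabled but not running, 2 running
    $vbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    # SecurityServicesRunning codes: 1 = Credential Guard, 2 = HVCI (memory integrity)
    $running = @($dg.SecurityServicesRunning)

    # Returns $null when the value (or key) does not exist, i.e. the Windows default applies.
    function Get-RegValue($Path, $Name) {
        try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
    }
    $runAsPpl = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'RunAsPPL'
    $wdigest  = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential'
    $cached   = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'CachedLogonsCount'

    # Each row: check name, observed value, pass condition
    $rows = @(
        @('VBS running',                   $dg.VirtualizationBasedSecurityStatus, $vbsRunning),
        @('Credential Guard running',      ($running -contains 1), ($running -contains 1)),
        @('HVCI running',                  ($running -contains 2), ($running -contains 2)),
        # RunAsPPL: 1 = PPL with UEFI lock, 2 = PPL without UEFI lock (newer builds); both protect LSASS
        @('LSASS runs as PPL (RunAsPPL)',  $runAsPpl, ($runAsPpl -in 1, 2)),
        # Absent value assumed to mean disabled, which holds on Windows 8.1 / 2012 R2 and later
        @('WDigest UseLogonCredential',    $wdigest, ($null -eq $wdigest -or $wdigest -eq 0)),
        # CachedLogonsCount is stored as a string; 4 is an assumed threshold (Windows default is 10)
        @('CachedLogonsCount <= 4',        $cached, ($null -ne $cached -and [int]$cached -le 4))
    )
    foreach ($r in $rows) {
        [pscustomobject]@{ Check = $r[0]; Value = $r[1]; Status = $(if ($r[2]) { 'PASS' } else { 'FAIL' }) }
    }
}

Get-CredentialProtectionPosture | Format-Table -AutoSize
```

Credential Guard and RunAsPPL are complementary: PPL stops unprotected processes from opening LSASS, while Credential Guard keeps the secrets out of LSASS's address space altogether, so a host should pass both rows.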

Windows Hello for Business

  • WHFB policy configuration
  • PIN complexity requirements
  • Minimum PIN length
  • Biometric anti-spoofing
  • TPM requirement

Remote Desktop Security

  • RDP enablement status
  • Network Level Authentication
  • Encryption level (High/FIPS)
  • Security Layer (RDP/SSL/TLS)
  • Idle session timeout
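As an added example (not the audit project's own code), the following reads the RDP listener settings listed above from the `RDP-Tcp` WinStation key and the Terminal Services policy key. The function name, the 15-minute idle limit and the expected values (NLA on, High or FIPS encryption, SSL/TLS security layer) are assumptions taken from common hardening guidance.

```powershell
# Added example for this wiki page; it is not code from the audit project.
# Reads the RDP settings listed above. Registry value meanings:
#   fDenyTSConnections  1 = RDP disabled
#   UserAuthentication  1 = Network Level Authentication required
#   MinEncryptionLevel  1 Low, 2 Client Compatible, 3 High, 4 FIPS
#   SecurityLayer       0 RDP, 1 Negotiate, 2 SSL/TLS
#   MaxIdleTime         policy value in milliseconds; 0 or absent = no limit
function Get-RdpSecurityPosture {
    param([int]$MaxIdleMinutes = 15)   # assumed threshold
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = "$ts\WinStations\RDP-Tcp"
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    function Get-RegValue($Path, $Name) {
        try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
    }
    $deny   = Get-RegValue $ts  'fDenyTSConnections'
    $nla    = Get-RegValue $tcp 'UserAuthentication'
    $enc    = Get-RegValue $tcp 'MinEncryptionLevel'
    $layer  = Get-RegValue $tcp 'SecurityLayer'
    $idleMs = Get-RegValue $pol 'MaxIdleTime'

    $encName   = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS' }
    $layerName = @{ 0 = 'RDP'; 1 = 'Negotiate'; 2 = 'SSL/TLS' }
    $rdpOn     = ($deny -ne 1)
    $idleMin   = if ($idleMs) { [int]($idleMs / 60000) } else { 0 }

    $rows = @(
        @('RDP enabled',                 $rdpOn, $null),   # informational; the listener checks below matter only when RDP is on
        @('Network Level Authentication', $nla, ($nla -eq 1)),
        @('Encryption level',            $(if ($null -eq $enc)   { 'not set' } else { $encName[[int]$enc] }),   ($enc -ge 3)),
        @('Security layer',              $(if ($null -eq $layer) { 'not set' } else { $layerName[[int]$layer] }), ($layer -eq 2)),
        @("Idle timeout <= $MaxIdleMinutes min", $(if ($idleMin) { $idleMin } else { 'none' }), ($idleMin -gt 0 -and $idleMin -le $MaxIdleMinutes))
    )
    foreach ($r in $rows) {
        $status = if ($null -eq $r[2]) { 'INFO' }
                  elseif (-not $rdpOn) { 'N/A (RDP disabled)' }
                  elseif ($r[2])       { 'PASS' }
                  else                 { 'FAIL' }
        [pscustomobject]@{ Check = $r[0]; Value = $r[1]; Status = $status }
    }
}

Get-RdpSecurityPosture | Format-Table -AutoSize
```

Group Policy can override the listener values under `RDP-Tcp` (for example `UserAuthentication` is also set under the policy key), so when the two disagree the policy key is the one that takes effect.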

PowerShell Security

  • PowerShell v2 removal
  • Script Block Logging
  • Module Logging
  • Transcription
  • Constrained Language Mode
  • Execution Policy
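The block below is an added example for this page, not the audit project's own code. It checks the six PowerShell items above: the v2 engine via `Get-WindowsOptionalFeature`, the three logging policies from the PowerShell policy registry keys, the language mode of the current session and the machine execution policy. The function name and the grading rules are assumptions; two caveats are built in as comments, namely that language mode is per session and that execution policy is not a security boundary.

```powershell
# Added example for this wiki page; it is not code from the audit project.
# Checks the PowerShell hardening items listed above. Run elevated:
# Get-WindowsOptionalFeature needs administrator rights.
function Get-PowerShellSecurityPosture {
    function Get-RegValue($Path, $Name) {
        try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
    }
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $sbl = Get-RegValue "$pol\ScriptBlockLogging" 'EnableScriptBlockLogging'
    $mod = Get-RegValue "$pol\ModuleLogging"      'EnableModuleLogging'
    $trx = Get-RegValue "$pol\Transcription"      'EnableTranscripting'

    # PowerShell 2.0 is an optional feature with no script block logging or AMSI,
    # so 'Disabled' or absent is the desired state.
    $v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction SilentlyContinue
    $v2State = if ($v2) { [string]$v2.State } else { 'Absent' }

    # Language mode is per session: FullLanguage here only shows that this (usually
    # elevated) session is unconstrained. CLM for standard users is normally enforced
    # through WDAC or AppLocker, which the Device Guard / WDAC checks cover.
    $lang = [string]$ExecutionContext.SessionState.LanguageMode

    # Execution policy guards against accidental script execution; it is not a security
    # boundary, so it is graded leniently: anything except Unrestricted/Bypass passes.
    $policy = [string](Get-ExecutionPolicy -Scope LocalMachine)

    $rows = @(
        @('PowerShell v2 engine',                    $v2State, ($v2State -in 'Disabled', 'DisabledWithPayloadRemoved', 'Absent')),
        @('Script Block Logging',                    $sbl,     ($sbl -eq 1)),
        @('Module Logging',                          $mod,     ($mod -eq 1)),
        @('Transcription',                           $trx,     ($trx -eq 1)),
        @('Constrained Language Mode (this session)', $lang,   ($lang -eq 'ConstrainedLanguage')),
        @('Execution Policy (LocalMachine)',         $policy,  ($policy -notin 'Unrestricted', 'Bypass'))
    )
    foreach ($r in $rows) {
        [pscustomobject]@{ Check = $r[0]; Value = $r[1]; Status = $(if ($r[2]) { 'PASS' } else { 'FAIL' }) }
    }
}

Get-PowerShellSecurityPosture | Format-Table -AutoSize
```

Script block logging writes to the `Microsoft-Windows-PowerShell/Operational` log (event 4104), so after enabling it confirm that log forwarding actually picks that channel up; a policy value of 1 on its own does not mean anyone is collecting the events.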

Usage

# Microsoft baseline assessment
.\Windows-Security-Audit.ps1 -Modules MS

# Microsoft + industry standards
.\Windows-Security-Audit.ps1 -Modules MS,CIS

Security Compliance Toolkit

Microsoft provides:

  • Group Policy Objects (GPO packages)
  • Policy Analyzer tool
  • LGPO tool for local application
  • Baseline documentation

This module checks if systems align with these baselines.

When to Use

  • All Windows environments - Vendor recommendations
  • Microsoft 365/Azure AD - Ecosystem integration
  • Modern Windows features - Takes advantage of latest security capabilities
  • Continuous updates - Microsoft updates baselines with new Windows releases
  • Integration with Microsoft security stack - Defender, Intune, Sentinel

Module Comparison Matrix

| Feature | Core | STIG | NIST | CIS | NSA | CISA | MS |
|---|---|---|---|---|---|---|---|
| Checks | 177 | 185 | 474 | 223 | 173 | 231 | 80+ |
| Execution Time | ~30s | ~3m | ~2m | ~3m | ~2m | ~2m | ~2m |
| Framework Specific | No | Yes | Yes | Yes | Yes | Yes | Yes |
| Severity Ratings | No | CAT I/II/III | Control Families | Level 1/2 | Best Practices | CPGs | Recommendations |
| Compliance Mapping | No | V-IDs | Control IDs | Section Numbers | CSI References | Performance Goals | Feature Names |
| Best For | Quick checks | DoD/Federal | Federal/FISMA | All orgs | Nation-state threats | Critical infrastructure | Microsoft shops |

Running Multiple Modules

Comprehensive Audit

# All 16 modules (3,199 checks)
.\Windows-Security-Audit.ps1

Federal/Government Systems

# STIG, NIST, CISA combo
.\Windows-Security-Audit.ps1 -Modules STIG,NIST,CISA

Enterprise Best Practices

# CIS and Microsoft baselines
.\Windows-Security-Audit.ps1 -Modules CIS,MS

High-Security Environment

# STIG, NSA, CISA, MS
.\Windows-Security-Audit.ps1 -Modules STIG,NSA,CISA,MS

Quick + Compliance

# Core baseline + specific framework
.\Windows-Security-Audit.ps1 -Modules Core,STIG

For detailed framework information: See Framework Reference
For usage examples: See Usage Guide
For troubleshooting: See Troubleshooting


module-ms-defenderatp.ps1

Purpose: Microsoft Defender for Endpoint (ATP/EDR) comprehensive assessment
Checks: 86
Execution Time: ~15-30 seconds
Severity Coverage: 85/85 (100%)
Cross-References: 71 mappings
Best For: Organizations using Microsoft Defender for Endpoint, EDR validation

Overview

The MS-DefenderATP module provides deep analysis of Microsoft Defender for Endpoint capabilities, covering EDR functionality, threat and vulnerability management, and advanced protection features that go beyond the standard Defender AV checks in the MS module.

Check Categories

| Category | Checks | Description |
|---|---|---|
| Onboarding | 9 | Defender for Endpoint onboarding status, Sense service health |
| EDR Block Mode | 5 | EDR in block mode configuration and effectiveness |
| Connectivity | 8 | Cloud connectivity, telemetry, service URLs |
| Scanning | 13 | Advanced scanning capabilities, scan scheduling |
| Tamper Protection | 6 | Anti-tampering configuration and status |
| ASR Details | 5 | Advanced ASR rules analysis beyond basic MS module |
| Exclusions | 7 | Exclusions and exceptions audit (security risk assessment) |
| AIR | 6 | Automated Investigation and Response configuration |
| TVM | 6 | Threat and Vulnerability Management integration |
| Custom Indicators | 4 | Custom indicator (IoC) configuration |
| Device Control | 4 | Device control policies and USB restrictions |
| Network Protection | 3 | Network protection beyond standard firewall |
| Web Filtering | 4 | Web content filtering and category blocking |
| Advanced Features | 5 | Advanced ATP features and integrations |

Key Checks

EDR and Onboarding

  • Defender for Endpoint onboarding status verification
  • Sense service (EDR agent) running and healthy
  • EDR in block mode for passive-mode coverage
  • Cloud connectivity to Defender for Endpoint service
  • Telemetry and diagnostic data configuration

Threat and Vulnerability Management

  • TVM integration health and feature availability
  • Vulnerability assessment scanning status
  • Security recommendations tracking
  • Software inventory completeness
  • Exposure score and risk assessment

Advanced Protection

  • Automated Investigation and Response (AIR) enabled
  • Tamper protection preventing security setting changes
  • Custom IoC (Indicators of Compromise) configuration
  • Device control policies for removable media
  • Web content filtering categories
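As an added example (not the audit project's own code), the block below performs a minimal EDR health check covering the onboarding and advanced-protection items above: the Sense service, the onboarding state recorded under the `Windows Advanced Threat Protection\Status` key, tamper protection, and the AV running mode reported by `Get-MpComputerStatus`, which is how passive mode and EDR block mode show up locally. The function name and the grading are assumptions; TVM, AIR and web filtering are tenant-side settings and are not visible from the endpoint this way.

```powershell
# Added example for this wiki page; it is not code from the audit project.
# Local EDR health view: Sense service, onboarding state, tamper protection
# and the AV running mode (Normal / Passive Mode / EDR Block Mode / SxS Passive Mode).
function Get-MdeHealth {
    $sense  = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $status = Get-MpComputerStatus

    # OnboardingState 1 = onboarded; the key is absent on machines never onboarded
    $onboard = $null
    try {
        $onboard = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status' `
                                     -Name OnboardingState -ErrorAction Stop).OnboardingState
    } catch { }

    $senseState = if ($sense) { [string]$sense.Status } else { 'not installed' }
    $mode       = [string]$status.AMRunningMode

    [pscustomobject]@{
        Check  = 'Sense service (EDR agent)'
        Value  = $senseState
        Status = $(if ($senseState -eq 'Running') { 'PASS' } else { 'FAIL' })
    }
    [pscustomobject]@{
        Check  = 'MDE onboarding state'
        Value  = $(if ($null -eq $onboard) { 'not onboarded' } else { $onboard })
        Status = $(if ($onboard -eq 1) { 'PASS' } else { 'FAIL' })
    }
    [pscustomobject]@{
        Check  = 'Tamper protection'
        Value  = $status.IsTamperProtected
        Status = $(if ($status.IsTamperProtected) { 'PASS' } else { 'FAIL' })
    }
    [pscustomobject]@{
        Check  = 'AV running mode'
        Value  = $mode
        # Normal = Defender is primary AV; EDR Block Mode = third-party AV is primary but EDR still
        # remediates; plain passive mode means detections are reported without being blocked.
        Status = $(switch ($mode) {
            'Normal'         { 'PASS' }
            'EDR Block Mode' { 'PASS' }
            default          { 'REVIEW' }
        })
    }
}

Get-MdeHealth | Format-Table -AutoSize
```

This matches the module's own note that results read as informational on hosts that are not onboarded: without the Sense service and onboarding state there is nothing for the remaining MDE checks to evaluate.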

Usage

# Run Defender ATP module with standard MS module
.\Windows-Security-Audit.ps1 -Modules MS,MS-DefenderATP

# Run standalone for quick EDR health check
.\modules\module-ms-defenderatp.ps1

Notes

  • Requires systems enrolled in Microsoft Defender for Endpoint
  • Some checks require Defender for Endpoint Plan 2 features
  • Results may show "Info" status on systems not onboarded to MDE
  • Complements (does not replace) the MS module Defender AV checks
