Quick Start Guide
Get up and running with the Windows Security Audit Script in under 5 minutes.
Before starting, verify you have:

- Windows 10/11 or Windows Server 2016+

  ```powershell
  # Check Windows version
  [System.Environment]::OSVersion.Version
  ```

- PowerShell 5.1 or later

  ```powershell
  # Check PowerShell version
  $PSVersionTable.PSVersion
  ```

- Administrator privileges (required for complete results)

  ```powershell
  # Verify admin rights
  ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
  # Should return: True
  ```

Option A: Using Git (Recommended)

```powershell
# Clone the repository
git clone https://github.com/Sandler73/Windows-Security-Audit-Project.git
cd Windows-Security-Audit-Project
```

Option B: Manual Download
- Visit https://github.com/Sandler73/Windows-Security-Audit-Project
- Click Code → Download ZIP
- Extract to a folder (e.g., C:\SecurityAudit)
- Open PowerShell as Administrator
- Navigate to the extracted folder
If this is your first time running PowerShell scripts:

```powershell
# Check current execution policy
Get-ExecutionPolicy
# If it shows "Restricted", set it to allow scripts
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser
# Confirm the change by typing: Y
```

What does this do? Allows locally-created scripts to run while still blocking unsigned downloaded scripts for security.
```powershell
# Navigate to the script directory
cd C:\Path\To\Windows-Security-Audit-Project
# Run the audit with all default settings
.\Windows-Security-Audit.ps1
```

What happens next:
- Script runs for 2-5 minutes (all 16 modules, ~230 checks per module)
- Progress displays in real-time with color-coded results
- HTML report automatically opens in your browser
- Summary statistics displayed in console
- Report saved in current directory with timestamp
After the audit completes, you'll see a report file in the current directory:
Security-Audit-Report-20241230-143022.html
- Opens automatically in your default browser
- Interactive interface with dark mode toggle
- Filter and sort results by module, status, or category
- Export selected results to CSV, Excel, JSON, XML, or TXT
- Contains executive summary, all findings, and remediation guidance
- Best for human review and management reporting
HTML Report Features (v6.0):
- Dark Mode - Toggle for comfortable viewing
- Live Filtering - Search within any column
- Sortable Columns - Click headers to sort
- Select & Export - Choose specific findings to export
- Multiple Export Formats - CSV, Excel, JSON, XML, TXT
- Responsive Design - Works on desktop and mobile
You can generate reports in different formats:

```powershell
# HTML (default) - Interactive browser report
.\Windows-Security-Audit.ps1 -OutputFormat HTML
# CSV - For Excel analysis
.\Windows-Security-Audit.ps1 -OutputFormat CSV
# JSON - For automation and SIEM integration
.\Windows-Security-Audit.ps1 -OutputFormat JSON
# XML - For SIEM ingestion and structured data
.\Windows-Security-Audit.ps1 -OutputFormat XML
# Console only - No file output
.\Windows-Security-Audit.ps1 -OutputFormat Console
```

Security-Audit-Report-20241230-143022.json
- Structured data for automation and integration
- Use with SIEM, ticketing systems, or custom analysis tools
- Machine-readable format
- Contains execution metadata and all results
Security-Audit-Report-20241230-143022.csv
- Open in Excel for filtering and analysis
- Great for tracking remediation over time
- Easy to create charts and dashboards
- Simple tabular format
Security-Audit-Report-20241230-143022.xml
- SIEM-compatible format for security operations
- Structured for automated ingestion
- Includes metadata and all security events
- Standards-compliant XML structure
Results are categorized into 5 status levels:
| Status | Meaning | Action | Color |
|---|---|---|---|
| Pass | Configuration meets security requirement | None needed | Green |
| Fail | Security issue detected | Remediate immediately | Red |
| Warning | Potential issue or deviation from best practice | Review and consider fixing | Yellow |
| Info | Informational finding for awareness | Note for future reference | Cyan |
| Error | Check could not be completed | Investigate why check failed | Magenta |
The script includes 8 security framework modules:
| Module | Description | Checks |
|---|---|---|
| Core | Baseline security essentials | Windows Defender, Firewall, UAC, Updates, BitLocker, Accounts |
| STIG | DISA Security Technical Implementation Guides | CAT I/II/III findings, Password policies, Audit policies |
| NIST | NIST 800-53 & Cybersecurity Framework | Access Control, Audit, Authentication, System Protection |
| CIS | Center for Internet Security Benchmarks | Account Policies, Firewall, Services, Administrative Templates |
| NSA | NSA Cybersecurity Guidance | Boot Security, Credential Protection, PowerShell Security |
| CISA | CISA Cybersecurity Performance Goals | MFA, Patch Management, Logging, EDR, Encryption |
| MS | Microsoft Security Baseline | Defender, Exploit Protection, ASR Rules, Device Guard |
```powershell
# Run with all modules (default)
.\Windows-Security-Audit.ps1
```

Look for Fail items in the HTML report - these are security issues that need attention.

```powershell
# Run STIG module (includes CAT I critical findings)
.\Windows-Security-Audit.ps1 -Modules STIG
```

In the HTML report, filter for "CAT I" findings - these are the most critical.

```powershell
# Run NIST module only
.\Windows-Security-Audit.ps1 -Modules NIST
```

Results will show NIST control family mappings (AC, AU, IA, SC, CM, IR, etc.).

```powershell
# Run multiple specific modules
.\Windows-Security-Audit.ps1 -Modules STIG,NIST,CIS
```

Generates a combined report with findings from all specified modules.

```powershell
# Generate JSON only
.\Windows-Security-Audit.ps1 -OutputFormat JSON
```

Perfect for automated scheduled tasks, CI/CD pipelines, or SIEM integration.

```powershell
# Specify output file path
.\Windows-Security-Audit.ps1 -OutputPath "C:\Reports\Security-Audit.html"
```

Report will be saved to the specified path instead of the default location.
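As an added example (not part of the project's own code), here is a wrapper for a pipeline or scheduled job that runs the audit with JSON output and fails the job when Critical or High failures remain. It assumes -OutputPath is honoured for JSON output, that the report root holds a Results array (or is itself an array of result objects), and that each result carries Status, Severity, Module, Category and Remediation properties.

```powershell
# Added example, not part of the project: gate a pipeline run on the JSON report.
# Assumptions: -OutputPath works for JSON, the report root has a "Results" array
# (or is itself an array), and each result carries Status, Severity, Module,
# Category and Remediation properties (these field names are assumptions).
$report = Join-Path $env:TEMP ("Security-Audit-Report-{0:yyyyMMdd-HHmmss}.json" -f (Get-Date))

& .\Windows-Security-Audit.ps1 -OutputFormat JSON -OutputPath $report
if (-not (Test-Path $report)) {
    Write-Error "Audit did not produce $report"
    exit 2
}

$raw = Get-Content -Path $report -Raw | ConvertFrom-Json
$results = if ($raw.PSObject.Properties.Name -contains 'Results') { $raw.Results } else { $raw }

# Error results usually mean the audit ran without admin rights: surface them, but gate on Fail
$errors   = @($results | Where-Object { $_.Status -eq 'Error' })
$blocking = @($results | Where-Object { $_.Status -eq 'Fail' -and $_.Severity -in 'Critical', 'High' })

if ($errors.Count -gt 0) {
    Write-Warning ("{0} checks could not complete; run as Administrator for full coverage" -f $errors.Count)
}

if ($blocking.Count -gt 0) {
    Write-Host ("{0} Critical/High failures block this run:" -f $blocking.Count)
    $blocking | Sort-Object Severity, Module |
        Select-Object Severity, Module, Category, Remediation |
        Format-Table -AutoSize -Wrap | Out-String | Write-Host
    exit 1
}

Write-Host "No Critical/High failures in $report"
exit 0
```

Exit code 1 marks the job failed on open Critical/High findings, exit code 2 means the audit itself did not run, so a scheduler or CI system can distinguish the two.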
The script now includes powerful remediation capabilities:

Prompt for each issue:

```powershell
# Review and fix all remediable issues interactively
.\Windows-Security-Audit.ps1 -RemediateIssues
# Fix only failures
.\Windows-Security-Audit.ps1 -RemediateIssues_Fail
# Fix only warnings
.\Windows-Security-Audit.ps1 -RemediateIssues_Warning
# Fix multiple types
.\Windows-Security-Audit.ps1 -RemediateIssues_Fail -RemediateIssues_Warning
```

You'll be prompted for each issue:

```text
[*] Issue: Guest account is ENABLED
    Module: STIG | Status: Fail | Category: STIG - V-220929 (CAT I)
    Remediation: Disable-LocalUser -Name Guest
    Apply remediation? (Y/N/S=Skip remaining): _
```
Auto-fix with safety confirmations:

```powershell
# Automatically remediate all failures (requires double confirmation)
.\Windows-Security-Audit.ps1 -RemediateIssues_Fail -AutoRemediate
```

Safety features:
- Double confirmation required (type "YES" then "CONFIRM")
- 10-second timeout for final confirmation
- All actions logged to JSON file
- Success/failure statistics displayed
- Optional system restart prompt
Fix only specific issues:

```powershell
# 1. Run audit and review HTML report
.\Windows-Security-Audit.ps1
# 2. In HTML report, select specific issues and click "Export Selected"
#    (saves Selected-Security-Audit-Report.json)
# 3. Run auto-remediation on selected issues only
.\Windows-Security-Audit.ps1 -AutoRemediate -RemediationFile "Selected-Security-Audit-Report.json"
```

This workflow allows you to:
- Review all findings
- Select only the issues you want to fix
- Auto-remediate just those specific issues
- Review remediation log for results

- Always run audit first and review findings
- Test remediation on non-production systems first
- Create system restore point before bulk remediation
- Review remediation commands in the HTML report
- Some remediations may require system restart
- Remediation log saved to: Remediation-Log-[timestamp].json
```powershell
.\Windows-Security-Audit.ps1
```

Open the HTML report and look for:
- Failed checks (red) - Security issues
- Warnings (yellow) - Best practice deviations

Use the filter boxes to search for specific issues or sort by clicking column headers.

Each finding includes:
- Details - Why it matters and security impact
- Remediation - Specific PowerShell commands or GPO settings to fix

Option A: Manual Remediation

```powershell
# Example from report
Disable-LocalUser -Name Guest
```

Option B: Interactive Remediation

```powershell
# Prompt for each issue
.\Windows-Security-Audit.ps1 -RemediateIssues_Fail
```

Option C: Targeted Auto-Remediation

```powershell
# Export selected issues from HTML report, then:
.\Windows-Security-Audit.ps1 -AutoRemediate -RemediationFile "Selected-Security-Audit-Report.json"
```

After fixing issues, run the audit again to verify:

```powershell
.\Windows-Security-Audit.ps1
```

Compare the before/after reports to track progress!
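To make the before/after comparison concrete, here is an added example (not the project's own code) that diffs two JSON reports from separate runs and classifies each check as Fixed, Regressed, Changed, New, Unchanged or Missing. It assumes the report root holds a Results array (or is itself an array), that each result has Module, Check and Status properties, and that Module plus Check identifies the same check across runs.

```powershell
# Added example, not the project's own code: diff two JSON reports from separate runs.
# Assumptions: the report root has a "Results" array (or is itself an array); each
# result has Module, Check and Status; Module+Check identifies a check across runs.
function Get-AuditResults {
    param([Parameter(Mandatory)] [string] $Path)
    $raw = Get-Content -Path $Path -Raw | ConvertFrom-Json
    if ($raw.PSObject.Properties.Name -contains 'Results') { $raw.Results } else { $raw }
}

function Compare-AuditReports {
    param(
        [Parameter(Mandatory)] [string] $Before,
        [Parameter(Mandatory)] [string] $After
    )
    # Index the earlier run by Module|Check so each later result is matched directly
    $previous = @{}
    foreach ($r in Get-AuditResults $Before) { $previous["$($r.Module)|$($r.Check)"] = $r.Status }

    foreach ($r in Get-AuditResults $After) {
        $key  = "$($r.Module)|$($r.Check)"
        $prev = $previous[$key]
        $change = if ($null -eq $prev)          { 'New' }
                  elseif ($prev -eq $r.Status)  { 'Unchanged' }
                  elseif ($r.Status -eq 'Pass') { 'Fixed' }      # was not passing, now passes
                  elseif ($prev -eq 'Pass')     { 'Regressed' }  # was passing, now is not
                  else                          { 'Changed' }    # e.g. Error -> Fail
        $previous.Remove($key)
        [pscustomobject]@{ Change = $change; Module = $r.Module; Check = $r.Check; Before = $prev; After = $r.Status }
    }
    # Anything left was only in the earlier run (module not selected, check renamed, etc.)
    foreach ($key in @($previous.Keys)) {
        $module, $check = $key -split '\|', 2
        [pscustomobject]@{ Change = 'Missing'; Module = $module; Check = $check; Before = $previous[$key]; After = $null }
    }
}

# Usage: point at two JSON reports, e.g. from before and after remediation
$diff = Compare-AuditReports -Before '.\Security-Audit-Report-before.json' -After '.\Security-Audit-Report-after.json'
$diff | Where-Object Change -ne 'Unchanged' | Sort-Object Change, Module, Check | Format-Table -AutoSize
$diff | Group-Object Change | ForEach-Object { "{0,-10} {1,4}" -f $_.Name, $_.Count }
```

Regressed rows are the ones to chase first: a check that passed before remediation and fails now usually means a remediation or a GPO refresh changed something it should not have.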
Option A: Task Scheduler

```powershell
# Create a scheduled task to run weekly
$action = New-ScheduledTaskAction -Execute "PowerShell.exe" `
    -Argument "-ExecutionPolicy Bypass -File C:\SecurityAudit\Windows-Security-Audit.ps1"
$trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Monday -At 2am
$principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName "Security Audit" -Action $action -Trigger $trigger -Principal $principal
```

Option B: Manual Monthly Review
- Run audit at the start of each month
- Compare results to track security posture over time
- Document remediation progress
```powershell
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser
```

- Right-click PowerShell → Run as Administrator
- Some checks require admin privileges
- Without admin, many checks will show "Error" status

```powershell
# Ensure you're in the correct directory
cd C:\Path\To\Windows-Security-Audit-Project
# Verify Modules folder exists
Get-ChildItem .\modules\
```

- First run may be slower (loading modules, checking 700+ settings)
- Subsequent runs should be faster
- Average runtime: 2-5 minutes for all modules
- Single module: 30-60 seconds
```powershell
# Manually open the most recent report (Start-Process does not expand wildcards itself)
Get-ChildItem "Security-Audit-Report-*.html" | Sort-Object LastWriteTime | Select-Object -Last 1 |
    ForEach-Object { Start-Process $_.FullName }
```

- Verify running as Administrator
- Check that required PowerShell modules are installed
- Review error messages in Details column for specific issues
```powershell
# Run with verbose output
.\Windows-Security-Audit.ps1 -Verbose
```

- Check Remediation-Log-[timestamp].json for details
- Some remediations require reboot to take effect
- Domain-joined systems may have GPO overrides
- Verify you have necessary permissions
```powershell
# === Basic Usage ===
# Run all modules (default)
.\Windows-Security-Audit.ps1
# Run specific modules
.\Windows-Security-Audit.ps1 -Modules Core,STIG,NIST
.\Windows-Security-Audit.ps1 -Modules STIG
# Run all modules explicitly
.\Windows-Security-Audit.ps1 -Modules All

# === Output Formats ===
# Generate HTML (default)
.\Windows-Security-Audit.ps1 -OutputFormat HTML
# Generate CSV for Excel
.\Windows-Security-Audit.ps1 -OutputFormat CSV
# Generate JSON for automation
.\Windows-Security-Audit.ps1 -OutputFormat JSON
# Generate XML for SIEM
.\Windows-Security-Audit.ps1 -OutputFormat XML
# Console output only (no file)
.\Windows-Security-Audit.ps1 -OutputFormat Console
# Custom output path
.\Windows-Security-Audit.ps1 -OutputPath "C:\Reports\Audit.html"

# === Remediation ===
# Interactive - prompt for each issue
.\Windows-Security-Audit.ps1 -RemediateIssues
.\Windows-Security-Audit.ps1 -RemediateIssues_Fail
.\Windows-Security-Audit.ps1 -RemediateIssues_Warning
# Automatic - fix all failures (requires confirmation)
.\Windows-Security-Audit.ps1 -RemediateIssues_Fail -AutoRemediate
# Targeted - fix specific issues from JSON file
.\Windows-Security-Audit.ps1 -AutoRemediate -RemediationFile "Selected-Report.json"

# === Advanced Options ===
# Verbose output
.\Windows-Security-Audit.ps1 -Verbose
# Debug mode
.\Windows-Security-Audit.ps1 -Debug
# Get help
Get-Help .\Windows-Security-Audit.ps1 -Full
Get-Help .\Windows-Security-Audit.ps1 -Examples
```

Each module displays statistics upon completion:
```text
[STIG] Module completed:
  Total Checks: 87
  Passed: 52
  Failed: 23
  Warnings: 8
  Info: 3
  Errors: 1
  STIG Categories:
    CAT I (High): 5
    CAT II (Medium): 18
    CAT III (Low): 0
```
What this means:
- Total Checks - Number of security controls evaluated
- Passed - Configurations meeting requirements
- Failed - Security issues requiring remediation
- Warnings - Non-critical deviations from best practices
- Info - Informational findings
- Errors - Checks that couldn't complete (permission issues, etc.)
- Usage Guide - Detailed usage instructions and advanced scenarios
- Framework Reference - Understand what each module checks
- Module Documentation - Deep dive into each security module
- Development Guide - Create custom modules
- Troubleshooting - Solve common issues
- API Integration - Integrate with SIEM and ticketing systems
- Run regular audits - Monthly at minimum, weekly recommended
- Track progress - Compare reports over time
- Prioritize failures - Fix critical (CAT I) issues first
- Document exceptions - Record why certain findings are accepted
- Test before production - Validate remediations in test environment
- Review remediation logs - Verify all fixes were successful
- Always run as Administrator for complete results
- Review remediation commands before applying
- Create system restore point before bulk fixes
- Test in non-production first
- Keep regular backups
- Document your baseline security configuration
Current Version: 6.0

What's New in v6.0:
- Severity classification on every check (Critical/High/Medium/Low/Informational)
- Cross-framework correlation (1,568 mappings linking checks across NIST, CIS, STIG, NSA, CISA)
- 3,199 total security checks (up from 550+)
- 8 compliance modules (new: Microsoft Defender for Endpoint ATP)
- 9-field result objects (added Severity and CrossReferences)
- Cache-aware registry helpers for performance optimization
- Standalone module execution (run any module without the orchestrator)
- Enhanced summary banners with severity distribution