ScriptShare

This script fixes the windows CIS Benchmark check 5.2: "Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled'."

This script fixes the windows CIS Benchmark check 2.3.7.7: "Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)'."

The script verifies the current value of the CachedLogonsCount registry key under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. If the value is greater than 4 or does not exist, it sets it to 4. After modification, it verifies the setting and reports the compliance status.

Parameters

Verbose Use this switch to enable verbose output for detailed logging.

Notes

• This script must be run with administrative privileges.
• It is designed to be idempotent, meaning it only makes changes if necessary and always verifies the result.

This script fixes the windows CIS Benchmark check 9.3.4: "Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'."

This script fixes the windows CIS Benchmark check 5.5: "Ensure 'Geolocation Service (lfsvc)' is set to 'Disabled'."

This script fixes the windows CIS Benchmark check 2.3.4.1: "Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'."

This script fixes the windows CIS Benchmark check 2.3.2.1: "Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'."

This function modifies the registry to ensure that the 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is enabled, as per CIS benchmarks. It also verifies the setting after modification.

Example(s)

Set-CisAuditPolicyOverride

Notes

This function requires administrative privileges and is intended for Windows Vista or later.

This script fixes the windows CIS Benchmark check 2.3.1.5: "Configure 'Accounts: Rename guest account'."

This script fixes the windows CIS Benchmark check 2.3.1.1: "Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'."

This script fixes the windows CIS Benchmark check 1.2.4: "Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'."

This script fixes the windows CIS Benchmark check 1.1.3: "Ensure 'Minimum password age' is set to '1 or more day(s)'."

The script first checks if it is running with administrative privileges. It then attempts to set the minimum password age using the net accounts command. After setting, it verifies the change by parsing the output of net accounts and checks if the age is 1 or more days. This addresses the CIS check for 'Minimum password age'.

Parameters

MinPasswordAgeDays Optional parameter to specify the minimum password age in days. Must be an integer greater than or equal to 1. Defaults to 1.

Example(s)

.\Set-MinPasswordAge.ps1Sets and verifies the minimum password age to 1 day..\Set-MinPasswordAge.ps1 -MinPasswordAgeDays 5Sets and verifies the minimum password age to 5 days.

Notes

• This script must be run with administrative privileges.
• Changes may be overwritten by Group Policy in domain environments.
• Verification is done immediately after setting, but policy changes might require a system reboot or logoff in some cases.