This script fixes the Windows CIS Benchmark check 2.3.17.3: "Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'."
This script fixes the Windows CIS Benchmark check 2.3.17.2: "Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'."
This script fixes the Windows CIS Benchmark check 2.3.17.1: "Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'."
This script fixes the Windows CIS Benchmark check 2.3.11.4: "Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'."
This script fixes the Windows CIS Benchmark check 2.3.10.4: "Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'."
The script checks the registry key at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa for the property DisableDomainCreds. If it is not set to 1, the script sets it to 1 (Enabled). After modification, it verifies the setting and reports the result.
This script fixes the Windows CIS Benchmark check 2.3.9.5: "Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher."
The script ensures the registry value SMBServerNameHardeningLevel under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters is set to 1 or higher, which corresponds to 'Accept if provided by client' or stricter. It then verifies that the value meets the CIS requirement (>=1).
HardeningLevel: The value to set for SMBServerNameHardeningLevel. Must be an integer greater than or equal to 1. Default is 1 (Accept if provided by client).
.\FixCisCheck.ps1
Sets the hardening level to 1 and verifies.
.\FixCisCheck.ps1 -HardeningLevel 2
Sets the hardening level to 2 (Required from client) and verifies.
This script fixes the Windows CIS Benchmark check 2.3.8.1: "Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'."
This script fixes the Windows CIS Benchmark check 18.9.20.1.1: "Ensure 'Turn off access to the Store' is set to 'Enabled'."
This script fixes the Windows CIS Benchmark check 5.2: "Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled'."
This script fixes the Windows CIS Benchmark check 2.3.7.7: "Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)'."
The script verifies the current value of the CachedLogonsCount registry value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. If the value is greater than 4 or does not exist, it sets it to 4. After modification, it verifies the setting and reports the compliance status.
Verbose: Use this switch to enable verbose output for detailed logging.
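
The check, set and verify flow described above for checks 2.3.10.4, 2.3.9.5 and 2.3.7.7, combined into one table-driven script. This is an added example, not the original scripts; the function name Test-Compliant and the table layout are hypothetical. It goes beyond any single script by covering the three comparison styles (equal, at least, at most) and the fact that CachedLogonsCount is stored as a string (REG_SZ) rather than a DWORD.

```powershell
#Requires -RunAsAdministrator
# Added example, not the original scripts. Names below are hypothetical.
[CmdletBinding(SupportsShouldProcess)]
param()

# One row per check: registry path, value name, registry type, the comparison
# the CIS wording implies, and the value written when the check fails.
$checks = @(
    @{ Id = '2.3.10.4'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'DisableDomainCreds'; Type = 'DWord'; Op = 'eq'; Target = 1 }
    @{ Id = '2.3.9.5'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
       Name = 'SMBServerNameHardeningLevel'; Type = 'DWord'; Op = 'ge'; Target = 1 }
    @{ Id = '2.3.7.7'; Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name = 'CachedLogonsCount'; Type = 'String'; Op = 'le'; Target = 4 }
)

function Test-Compliant($Check) {
    $raw = (Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue).($Check.Name)
    if ($null -eq $raw) { return $false }   # a missing value counts as non-compliant
    # Parse to int first: CachedLogonsCount is REG_SZ, and the string
    # comparison '10' -le 4 is true in PowerShell, which would hide a failure.
    $n = 0
    if (-not [int]::TryParse([string]$raw, [ref]$n)) { return $false }
    switch ($Check.Op) {
        'eq' { return $n -eq $Check.Target }
        'ge' { return $n -ge $Check.Target }
        'le' { return $n -le $Check.Target }
    }
}

foreach ($c in $checks) {
    if (Test-Compliant $c) {
        Write-Output "$($c.Id) $($c.Name): already compliant"
        continue
    }
    if ($PSCmdlet.ShouldProcess("$($c.Path)\$($c.Name)", "Set to $($c.Target)")) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        $value = if ($c.Type -eq 'String') { [string]$c.Target } else { [int]$c.Target }
        Set-ItemProperty -Path $c.Path -Name $c.Name -Value $value -Type $c.Type
    }
    # Re-read from the registry instead of trusting the write.
    $state = if (Test-Compliant $c) { 'compliant' } else { 'NOT compliant' }
    Write-Output "$($c.Id) $($c.Name): $state after remediation attempt"
}
```

Running it with -WhatIf reports which values would change without writing to the registry.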