XeroSec

This script fixes the windows CIS Benchmark check 2.3.17.3: "Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'."

XXeroSec

7mo ago

v1PowerShell Windows

cis_win11_enterprise 2.3.17.2

Fix Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'.

This script fixes the windows CIS Benchmark check 2.3.17.2: "Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'."

XXeroSec

7mo ago

v1PowerShell Windows

cis_win11_enterprise 2.3.17.1

Fix Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'.

This script fixes the windows CIS Benchmark check 2.3.17.1: "Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'."

XXeroSec

7mo ago

v1PowerShell Windows

cis_win11_enterprise 2.3.11.4

Fix Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'.

This script fixes the windows CIS Benchmark check 2.3.11.4: "Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'."

XXeroSec

7mo ago

v1PowerShell Windows

cis_win11_enterprise 2.3.10.4

This script fixes the CIS benchmark check for "Network access: Do not allow storage of passwords and credentials for network authentication" by setting the required registry key and verifying the change.

This script fixes the windows CIS Benchmark check 2.3.10.4: "Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'."

The script checks the registry key at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa for the property DisableDomainCreds. If it is not set to 1, the script sets it to 1 (Enabled). After modification, it verifies the setting and reports the result.

Notes

This script directly modifies the registry. In managed environments, consider using Group Policy for persistent changes.
The change may require a system restart to fully enforce, depending on the system state.
Compatible with PowerShell 5.1.

XXeroSec

7mo ago

v1PowerShell Windows

cis_win11_enterprise 2.3.9.5

This script fixes the CIS benchmark check for 'Microsoft network server: Server SPN target name validation level' by setting the registry key to the specified value and verifies the change.

This script fixes the windows CIS Benchmark check 2.3.9.5: "Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher."

The script ensures the registry key SMBServerNameHardeningLevel under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters is set to a value of 1 or higher, which corresponds to 'Accept if provided by client' or stricter. It then verifies that the value meets the CIS requirement (>=1).

Parameters

HardeningLevel The value to set for SMBServerNameHardeningLevel. Must be an integer greater than or equal to 1. Default is 1 (Accept if provided by client).

Example(s)

.\FixCisCheck.ps1Sets the hardening level to 1 and verifies..\FixCisCheck.ps1 -HardeningLevel 2Sets the hardening level to 2 (Required from client) and verifies.

XXeroSec

7mo ago

v1PowerShell Windows

cis_win11_enterprise 2.3.8.1

Fix Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'.

This script fixes the windows CIS Benchmark check 2.3.8.1: "Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'."

XXeroSec

7mo ago

v1PowerShell Windows

cis_win11_enterprise 18.9.20.1.1

Fix Ensure 'Turn off access to the Store' is set to 'Enabled'.

This script fixes the windows CIS Benchmark check 18.9.20.1.1: "Ensure 'Turn off access to the Store' is set to 'Enabled'."

XXeroSec

7mo ago

v1PowerShell Windows

cis_win11_enterprise 5.2

Fix Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled'.

This script fixes the windows CIS Benchmark check 5.2: "Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled'."

XXeroSec

7mo ago

XeroSec

Member

454scripts

4comments

Programming Languages

PowerShell10 (2.2%)

Operating Systems

Windows10 (100.0%)

Statistics

Script Score

Comment Score

Total Score

Avg. Score/Script

Latest Scripts

v1PowerShell Windows

cis_win11_enterprise 5.11

Fix Ensure 'Microsoft iSCSI Initiator Service (MSiSCSI)' is set to 'Disabled'.

This script fixes the windows CIS Benchmark check 5.11: "Ensure 'Microsoft iSCSI Initiator Service (MSiSCSI)' is set to 'Disabled'."

XXeroSec

7mo ago

v1PowerShell Windows

cis_win11_enterprise 2.3.17.3

Fix Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'.

This script fixes the windows CIS Benchmark check 2.3.17.3: "Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'."

XXeroSec

7mo ago

v1PowerShell Windows

cis_win11_enterprise 2.3.17.2

Fix Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'.

XXeroSec

7mo ago

v1PowerShell Windows

cis_win11_enterprise 2.3.17.1

Fix Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'.

This script fixes the windows CIS Benchmark check 2.3.17.1: "Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'."

XXeroSec

7mo ago

v1PowerShell Windows

cis_win11_enterprise 2.3.11.4

Fix Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'.

XXeroSec

7mo ago

v1PowerShell Windows

cis_win11_enterprise 2.3.10.4

This script fixes the CIS benchmark check for "Network access: Do not allow storage of passwords and credentials for network authentication" by setting the required registry key and verifying the change.

This script fixes the windows CIS Benchmark check 2.3.10.4: "Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'."

Notes

This script directly modifies the registry. In managed environments, consider using Group Policy for persistent changes.
The change may require a system restart to fully enforce, depending on the system state.
Compatible with PowerShell 5.1.

XXeroSec

7mo ago

v1PowerShell Windows

cis_win11_enterprise 2.3.9.5

This script fixes the CIS benchmark check for 'Microsoft network server: Server SPN target name validation level' by setting the registry key to the specified value and verifies the change.

This script fixes the windows CIS Benchmark check 2.3.9.5: "Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher."

Parameters

HardeningLevel The value to set for SMBServerNameHardeningLevel. Must be an integer greater than or equal to 1. Default is 1 (Accept if provided by client).

Example(s)

.\FixCisCheck.ps1Sets the hardening level to 1 and verifies..\FixCisCheck.ps1 -HardeningLevel 2Sets the hardening level to 2 (Required from client) and verifies.

XXeroSec

7mo ago

v1PowerShell Windows

cis_win11_enterprise 2.3.8.1

Fix Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'.

This script fixes the windows CIS Benchmark check 2.3.8.1: "Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'."

XXeroSec

7mo ago

v1PowerShell Windows

cis_win11_enterprise 18.9.20.1.1

Fix Ensure 'Turn off access to the Store' is set to 'Enabled'.

This script fixes the windows CIS Benchmark check 18.9.20.1.1: "Ensure 'Turn off access to the Store' is set to 'Enabled'."

XXeroSec

7mo ago

v1PowerShell Windows

cis_win11_enterprise 5.2

Fix Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled'.

This script fixes the windows CIS Benchmark check 5.2: "Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled'."

XXeroSec

7mo ago