Windows batch script to capture security settings

Posted on 2014-12-12
Last Modified: 2015-01-11
I'm knocking out a script to collect / capture the current settings
or values for the following parameters in Windows 2008 R2:

Devices: Restrict CD-ROM access to locally logged-on user only
Devices: Restrict floppy access to locally logged-on user only
Domain controller: Allow server operators to schedule tasks
Domain controller: LDAP server signing requirements
Domain controller: Refuse machine account password changes
Interactive logon: Message text for users attempting to log on
Interactive logon: Message title for users attempting to log on
Interactive logon: Number of previous logons to cache (in case domain controller is not available)
Network access: Let Everyone permissions apply to anonymous users
Network access: Remotely accessible registry paths
Network access: Remotely accessible registry paths and subpaths
MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes
MSS: (EnablePMTUDiscovery) Allow automatic detection of MTU size (possible DoS by an attacker using a small MTU)
MSS: Enable the computer to stop generating 8.3 style filenames
Audit directory service access
Audit logon events
Audit object access
Audit policy change
Audit privilege use
Audit process tracking
Audit system events
Accounts: Administrator account status
Accounts: Guest account status
Accounts: Limit local account use of blank passwords to console logon only
Accounts: Rename administrator account
Accounts: Rename guest account
Audit: Audit the access of global system objects
Audit: Audit the use of Backup and Restore privilege
Audit: Shut down system immediately if unable to log security audits
DCOM: Machine Access Restrictions
DCOM: Machine Launch Restrictions
Devices: Allowed to format and eject removable media
Devices: Prevent users from installing printer drivers
Devices: Restrict CD-ROM access to locally logged-on user only
Devices: Restrict floppy access to locally logged-on user only
Devices: Unsigned driver installation behavior
Domain controller: Allow server operators to schedule tasks
Domain controller: LDAP server signing requirements
Domain controller: Refuse machine account password changes
Domain member: Digitally encrypt or sign secure channel data (always)
Domain member: Digitally encrypt secure channel data (when possible)
Domain member: Digitally sign secure channel data (when possible)
Domain member: Disable machine account password changes
Domain member: Maximum machine account password age
Domain member: Require strong (Windows 2000 or later) session key
Interactive logon: Do not display last user name
Interactive logon: Do not require CTRL+ALT+DEL
Interactive logon: Message text for users attempting to log on
Interactive logon: Message title for users attempting to log on
Interactive logon: Number of previous logons to cache (in case domain controller is not available)
Interactive logon: Prompt user to change password before expiration
Interactive logon: Require Domain Controller authentication to unlock workstation
Interactive logon: Require smart card
Interactive logon: Smart card removal behavior
Microsoft network client: Digitally sign communications (always)
Microsoft network client: Digitally sign communications (if server agrees)
Microsoft network client: Send unencrypted password to third-party SMB servers
Microsoft network server: Amount of idle time required before suspending session
Microsoft network server: Digitally sign communications (always)
Microsoft network server: Digitally sign communications (if client agrees)
Microsoft network server: Disconnect clients when logon hours expire
Network access: Allow anonymous SID/Name translation
Network access: Do not allow anonymous enumeration of SAM accounts
Network access: Do not allow anonymous enumeration of SAM accounts and shares
Network access: Do not allow storage of credentials or .NET Passports for network authentication
Network access: Let Everyone permissions apply to anonymous users
Network access: Named Pipes that can be accessed anonymously
Network access: Remotely accessible registry paths
Network access: Remotely accessible registry paths
Network access: Remotely accessible registry paths
Network access: Remotely accessible registry paths and subpaths
Network access: Remotely accessible registry paths and subpaths
Network access: Remotely accessible registry paths and subpaths
Network access: Remotely accessible registry paths and subpaths
Network access: Remotely accessible registry paths and subpaths
Network access: Remotely accessible registry paths and subpaths
Network access: Remotely accessible registry paths and subpaths
Network access: Remotely accessible registry paths and subpaths
Network access: Remotely accessible registry paths and subpaths
Network access: Remotely accessible registry paths and subpaths
Network access: Remotely accessible registry paths and subpaths
Network access: Restrict anonymous access to Named Pipes and Shares
Network access: Shares that can be accessed anonymously
Network access: Sharing and security model for local accounts
Network security: Do not store LAN Manager hash value on next password change
MSS: (AFD DynamicBacklogGrowthDelta) Number of connections to create when additional connections are necessary for Winsock applications (10 recommended)
MSS: (AFD EnableDynamicBacklog) Enable dynamic backlog for Winsock applications (recommended)
MSS: (AFD MaximumDynamicBacklog) Maximum number of "quasi-free" connections for Winsock applications
MSS: (AFD MinimumDynamicBacklog) Minimum number of free connections for Winsock applications (20 recommended for systems under attack, 10 otherwise)
MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)
MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)
MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes
MSS: (EnablePMTUDiscovery) Allow automatic detection of MTU size (possible DoS by an attacker using a small MTU)
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers
MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure DefaultGateway addresses (could lead to DoS)
MSS: (SynAttackProtect) Syn attack protection level (protects against DoS)
MSS: (TCPMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged
MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)
MSS: (TCPMaxPortsExhausted) How many dropped connect requests to initiate SYN attack protection (5 is recommended)
MSS: Disable Autorun for all drives
MSS: Enable Safe DLL search mode (recommended)
MSS: Enable the computer to stop generating 8.3 style filenames
MSS: How often keep-alive packets are sent in milliseconds
Percentage threshold for the security event log at which the system will generate a warning
Enforce password history
Maximum password age
Minimum password age
Minimum password length
Password must meet complexity requirements
Store passwords using reversible encryption
Account lockout duration
Account lockout threshold
Reset account lockout counter after
Enforce user logon restrictions
Maximum lifetime for service ticket
Maximum lifetime for user ticket
Maximum lifetime for user ticket renewal
Maximum tolerance for computer clock synchronization
Audit account logon events
Audit account management
Audit directory service access
Audit logon events
Audit object access
Audit policy change
Audit privilege use
Audit process tracking
Audit system events
Access Credential Manager as a Trusted Caller
Access this computer from the network
Act as part of the operating system
Add workstations to domain
Adjust memory quotas for a process
Allow log on locally
Allow log on through Terminal Services
Back up files and directories
Bypass traverse checking
Change the system time
Change the time zone
Create a page file
Create a token object
Create global objects
Create permanent shared objects
Create symbolic links
Debug programs
Deny access to this computer from the network
Deny log on as a batch job
Deny log on as a service
Deny log on locally
Deny log on through Remote Desktop Services
Enable computer and user accounts to be trusted for delegation
Force shutdown from a remote system
Generate security audits
Impersonate a client after authentication
Increase a process working set
Increase scheduling priority
Load and unload device drivers
Lock pages in memory
Log on as a batch job
Log on as a service
Manage auditing and security log
Modify an object label
Modify firmware environment values
Perform volume maintenance tasks
Profile single process
Profile system performance
Remove computer from docking station
Replace a process level token
Restore files and directories
Shut down the system
Synchronize directory service data
Take ownership of files or objects
Accounts: Administrator account status
Accounts: Guest account status
Accounts : Limit local account use of blank passwords to console logon only
Accounts: Rename Administrator account
Accounts: Rename Guest account
Audit: Audit the access of global system objects
Audit: Audit the use of Backup and Restore privilege
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings
Network security: Do not store LAN Manager hash value on next password change
Network Security : Force logoff when logon hours expire
Network Security: LAN Manager Authentication Level
Network security: LDAP client signing requirements
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication
Network security: Restrict NTLM: Add server exceptions in this domain
Network security: Restrict NTLM: Audit incoming NTLM traffic
Network security: Restrict NTLM: Audit NTLM authentication in this domain
Network security: Restrict NTLM: Incoming NTLM traffic
Network security: Restrict NTLM: NTLM authentication in this domain
Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
Recovery console: Allow automatic administrative logon
Recovery console: Allow floppy copy and access to all drives and all folders
Shutdown: Allow system to be shut down without having to log on
Shutdown: Clear virtual memory pagefile
System cryptography: Force strong key protection for user keys stored on the computer
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
System objects: Require case insensitivity for non-Windows
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic links)
System settings: Optional subsystems
System settings: User Certificate Rules on Windows Executables for Software Restriction Policies
User Account Control: Admin Approval mode for the Built-in Administrator Account
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
User Account Control: Behavior of the elevation prompt for standard users
User Account Control: Detect application installations and prompt for elevation
User Account Control: Only elevate executables that are signed and validated
User Account Control: Only elevate UIAccess applications that are installed in secure locations
User Account Control: Run all administrators in Admin Approval Mode
User Account Control: Switch to the secure desktop when prompting for elevation
User Account Control: Virtualize file and registry write failures to per-user locations
MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)
MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)
MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes
MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds
MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers
MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames (recommended)
MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)
MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)
MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)
MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)
MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning
MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)
MSS: (TcpMaxDataRetransmissions) IPv6 How many times unacknowledged data is retransmitted (3 recommended, 5 is default)
(System) : Security System Extension
(System) : System Integrity
(System) : IPsec Driver
(System) : Other System Events
(System) : Security State Change
(Logon/Logoff) : Logon
(Logon/Logoff) : Logoff
(Logon/Logoff) : Account Lockout
(Logon/Logoff) : IPsec Main Mode
(Logon/Logoff) : IPsec Quick Mode
(Logon/Logoff) : IPsec Extended Mode
(Logon/Logoff) : Special Logon
(Logon/Logoff) : Other Logon/Logoff Events
(Logon/Logoff) : Network Policy Server
(Object Access) : File System
(Object Access) : Registry
(Object Access) : Kernel Object
(Object Access) : SAM
(Object Access) : Certification Services
(Object Access) : Application Generated
(Object Access) : Handle Manipulation
(Object Access) : File Share
(Object Access) : Filtering Platform Packet Drop
(Object Access) : Filtering Platform Connection
(Object Access) : Other Object Access Events
(Object Access) : Detailed File Share
(Privilege Use) : Sensitive Privilege Use
(Privilege Use) : Non Sensitive Privilege Use
(Privilege Use) : Other Privilege Use Events
(Detailed Tracking) : Process Termination
(Detailed Tracking) : DPAPI Activity
(Detailed Tracking) : RPC Events
(Detailed Tracking) : Process Creation
(Policy Change) : Audit Policy Change
(Policy Change) : Authentication Policy Change
(Policy Change) : Authorization Policy Change
(Policy Change) : MPSSVC Rule-Level Policy Change
(Policy Change) : Filtering Platform Policy Change
(Policy Change) : Other Policy Change Events
(Account Management) : User Account Management
(Account Management) : Computer Account Management
(Account Management) : Security Group Management
(Account Management) : Distribution Group Management
(Account Management) : Application Group Management
(Account Management) : Other Account Management Events
(DS Access) : Directory Service Changes
(DS Access) : Directory Service Replication
(DS Access) : Detailed Directory Service Replication
(DS Access) : Directory Service Access
(Account Logon) : Kerberos Service Ticket Operations
(Account Logon) : Other Account Logon Events
(Account Logon) : Kerberos Authentication Service
(Account Logon) : Credential Validation
(Windows Components/Remote Desktop Services/Remote Desktop Connection Clients) :
Do not allow passwords to be saved
(Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security) :
Always prompt for password upon connection
(Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security) :
Set client connection encryption level
(System/Internet Communication Management/Internet Communication settings) :
Turn off downloading of print drivers over HTTP
(System/Internet Communication Management/Internet Communication settings) :
Turn off Internet download for Web publishing and online ordering wizards
(System/Internet Communication Management/Internet Communication settings) :
Turn off printing over HTTP
(System/Internet Communication Management/Internet Communication settings) :
Turn off Search Companion content file updates
(System/Internet Communication Management/Internet Communication settings) :
Turn off the "Publish to Web" task for files and folders
(System/Internet Communication Management/Internet Communication settings) :
Turn off the Windows Messenger Customer Experience Improvement Program
(Windows Components/AutoPlay Policies) : Turn off Autoplay
(Windows Components/Credential User Interface) : Require trusted path for credential entry
(Windows Components/NetMeeting) : Disable remote Desktop Sharing
(Windows Components/Event Log Service/Application) : Maximum Log Size (KB)
(Windows Components/Event Log Service/Application) : Retain old events
(Windows Components/Event Log Service/Security) : Maximum Log Size (KB)
(Windows Components/Event Log Service/Security) : Retain old events
(Windows Components/Event Log Service/System) : Maximum Log Size (KB)
(Windows Components/Event Log Service/System) : Retain old events
(Windows Components/Credential User Interface) : Require trusted path for credential entry
(Windows Components/NetMeeting) : Disable remote Desktop Sharing
(Windows Components/Windows Update) : Configure Automatic Updates
(System/Group Policy/Policy): Registry policy processing
(System/Group Policy/Policy/Registry policy processing: Enabled) :
Do not apply during periodic background processing
(System/Group Policy/Policy/Registry policy processing: Enabled) :
Process even if the Group Policy objects have not changed
Always prompt client for password upon connection
Set client connection encryption level
Do not allow passwords to be saved
Domain controller: LDAP server signing requirements
Domain controller: Refuse machine account password changes
Interactive logon: Do not display last user name
Interactive logon: Require Domain Controller authentication to unlock workstation
System cryptography: Force strong key protection for user keys stored on the computer
Use Certificate Rules on Windows Executables for Software Restriction Policies
User Account Control: Admin Approval Mode for the Built-in Administrator account
MSS: Enable the computer to stop generating 8.3 style filenames
MSS: How often keep-alive packets are sent in milliseconds
MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic.
Devices: Restrict floppy access to locally logged-on user only
Domain controller: LDAP server signing requirements
Domain controller: Refuse machine account password changes
Interactive logon: Do not display last user name
Interactive logon: Require Domain Controller authentication to unlock workstation
System cryptography: Force strong key protection for user keys stored on the computer
Use Certificate Rules on Windows Executables for Software Restriction Policies
User Account Control: Admin Approval Mode for the Built-in Administrator account
MSS: Enable the computer to stop generating 8.3 style filenames
MSS: How often keep-alive packets are sent in milliseconds
MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic.
Question by:sunhux
Accepted Solution
by: Rob G earned 500 total points
ID: 40497168
Are you asking how to get the policy output?
Gpresult /Z >c:\Result.txt

Author Comment
by: sunhux
ID: 40504580
Gpresult is only part of it

Author Comment
by: sunhux
ID: 40504584
Some of it not covered by gpresult

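A batch script that closes the gap the asker points out, as an added example that is not from the thread: gpresult /Z gives the resultant policy, while the Security Options, user rights, audit subcategories and MSS registry values come from secedit, auditpol, net accounts and reg query. It assumes an elevated cmd prompt on Windows Server 2008 R2 and C:\SecAudit is an assumed output folder.

```batch
@echo off
REM Added example, not from the thread: collect the settings listed above
REM from the sources that gpresult /Z alone does not report.
REM Assumes an elevated cmd prompt on Windows Server 2008 R2;
REM C:\SecAudit is an assumed output folder.
setlocal
set "OUT=C:\SecAudit"
if not exist "%OUT%" mkdir "%OUT%"

REM 1. Resultant Set of Policy (the accepted answer)
gpresult /Z > "%OUT%\gpresult.txt"

REM 2. Local security policy: password, lockout and Kerberos policy, user
REM    rights assignment, and every "Security Options" value (Accounts:,
REM    Audit:, Devices:, Domain member:, Interactive logon:, Network access:,
REM    Network security:, User Account Control: ...). secedit writes the
REM    file as UTF-16, so read it with notepad or "type", not findstr.
secedit /export /cfg "%OUT%\secpol.inf" /quiet

REM 3. Effective audit policy per subcategory: (System), (Logon/Logoff),
REM    (Object Access), (Policy Change), (Account Logon) and the rest
auditpol /get /category:* > "%OUT%\auditpol.txt"

REM 4. Password and lockout policy as enforced locally (cross-check of secpol.inf)
net accounts > "%OUT%\netaccounts.txt"

REM 5. MSS and Remote Desktop settings are plain registry values that none
REM    of the tools above export, so query them directly
set "TCP=HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
set "TCP6=HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters"
set "AFD=HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters"
set "NBT=HKLM\SYSTEM\CurrentControlSet\Services\Netbt\Parameters"
set "IPSEC=HKLM\SYSTEM\CurrentControlSet\Services\IPSEC"
set "FS=HKLM\SYSTEM\CurrentControlSet\Control\FileSystem"
set "SESSMGR=HKLM\SYSTEM\CurrentControlSet\Control\Session Manager"
set "WINLOGON=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
set "EVTSEC=HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security"
set "EXPLORER=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
set "TS=HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
(
  for %%V in (EnableICMPRedirect EnablePMTUDiscovery DisableIPSourceRouting EnableDeadGWDetect PerformRouterDiscovery SynAttackProtect TcpMaxConnectResponseRetransmissions TcpMaxDataRetransmissions TcpMaxPortsExhausted KeepAliveTime) do reg query "%TCP%" /v %%V 2>nul
  for %%V in (DisableIPSourceRouting TcpMaxDataRetransmissions) do reg query "%TCP6%" /v %%V 2>nul
  for %%V in (DynamicBacklogGrowthDelta EnableDynamicBacklog MaximumDynamicBacklog MinimumDynamicBacklog) do reg query "%AFD%" /v %%V 2>nul
  reg query "%NBT%" /v NoNameReleaseOnDemand 2>nul
  reg query "%IPSEC%" /v NoDefaultExempt 2>nul
  reg query "%FS%" /v NtfsDisable8dot3NameCreation 2>nul
  reg query "%SESSMGR%" /v SafeDllSearchMode 2>nul
  for %%V in (AutoAdminLogon ScreenSaverGracePeriod) do reg query "%WINLOGON%" /v %%V 2>nul
  reg query "%EVTSEC%" /v WarningLevel 2>nul
  reg query "%EXPLORER%" /v NoDriveTypeAutoRun 2>nul
  REM Remote Desktop: save passwords, prompt on connect, encryption level
  for %%V in (DisablePasswordSaving fPromptForPassword MinEncryptionLevel) do reg query "%TS%" /v %%V 2>nul
) > "%OUT%\mss_and_rdp.txt"

echo Output written to %OUT%
endlocal
```

A value that is absent from mss_and_rdp.txt has never been set on that host, which means the Windows default applies rather than the hardened value.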