Skip to content

Checks whether a Windows server according to security best practices as defined in the CIS Distribution-Independent Windows Benchmark

License

Notifications You must be signed in to change notification settings

aquasecurity/windows-bench

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

windows-bench

GitHub Release License GitHub Build Actions GitHub Release Actions release-snapshot

windows-bench is a Go application that checks whether the windows operating system is configured securely by running the checks documented in the CIS Distribution Independent windows Benchmark.

Tests are configured with YAML files, making this tool easy to update as test specifications evolve.

CIS windows Benchmark support windows-bench currently supports tests for Windows server 2022 benchmark version 2.0.0 only.

windows-bench will determine the test set to run on the host machine based on the following:

Operating system platform - windows server 2022

Install Go, then clone this repository and run as follows (assuming your $GOPATH is set):

go get github.com/aquasecurity/windows-bench

cd $GOPATH/src/github.com/aquasecurity/windows-bench

GOOS=windows GOARCH=386 go build -o bin/windows-bench.exe main.go

See all supported options

./windows-bench --help

Run checks

./windows-bench

[INFO] 1 Account Policies
[INFO] 1.1 Password Policy
[PASS] 1.1.1 Ensure 'Enforce password history' is set to '24 or more password(s)' (Automated)
[PASS] 1.1.2 Ensure 'Maximum password age' is set to '365 or fewer days, but not 0' (Automated)
[PASS] 1.1.3 Ensure 'Minimum password age' is set to '1 or more day(s)' (Automated)
[FAIL] 1.1.4 Ensure 'Minimum password length' is set to '14 or more character(s)' (Automated)
[FAIL] 1.1.5 Ensure 'Password must meet complexity requirements' is set to 'Enabled' (Automated)

== Remediations ==
1.1.4 To establish the recommended configuration via GP, set the following UI path to 14 or more character(s):
    Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password length

1.1.5 To establish the recommended configuration via GP, set the following UI path to 14 or more character(s):
     Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Password must meet complexity requirements


== Summary ==
3 checks PASS
2 checks FAIL
0 checks WARN
0 checks INFO

Run checks for specified windows cis version

./windows-bench --version Tests Tests are specified in definition files cfg//definitions.yaml.

Where is the version of windows cis for which the test applies.

Run checks with json format

./windows-bench --json

{
  "id": "1",
  "text": "Account Policies",
  "tests": [
    {
      "section": "1.1",
      "desc": "Password Policy",
      "Constraints": null,
      "type": "",
      "results": [
        {
          "test_number": "1.1.1",
          "test_desc": "Ensure 'Enforce password history' is set to '24 or more password(s)' (Automated)",
          "SubChecks": null,
          "audit_type": "powershell",
          "audit": {
            "cmd": {
              "DomainController": "Get-ADDefaultDomainPasswordPolicy -Current LocalComputer | Select -ExpandProperty PasswordHistoryCount",
              "Server": "Get-ADDefaultDomainPasswordPolicy -Current LocalComputer | Select -ExpandProperty PasswordHistoryCount"
            }
          },
          "type": "",
          "test_info": [
            "To establish the recommended configuration via GP, set the following UI path to 24 or more password(s):\n  Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account\n  Policies\\Password Policy\\Enforce password history\n"
          ],
          "status": "PASS",
          "actual_value": "24",
          "expected_result": "'' is greater or equal to 24",
          "scored": true,
          "IsMultiple": false
        },
        {
          "test_number": "1.1.2",
          "test_desc": "Ensure 'Maximum password age' is set to '365 or fewer days, but not 0' (Automated)",
          "SubChecks": null,
          "audit_type": "powershell",
          "audit": {
            "cmd": {
              "DomainController": "Get-ADDefaultDomainPasswordPolicy -Current LocalComputer | Select -ExpandProperty MaxPasswordAge | Select -ExpandProperty TotalDays",
              "Server": "Get-ADDefaultDomainPasswordPolicy -Current LocalComputer | Select -ExpandProperty MaxPasswordAge | Select -ExpandProperty TotalDays"
            }
          },
          "type": "",
          "test_info": [
            "To establish the recommended configuration via GP, set the following UI path to 365 or fewer days, but not 0:\n Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Maximum password age\n"
          ],
          "status": "PASS",
          "actual_value": "42",
          "expected_result": "'' is lower or equal to 365 AND '' is not equal to '0'",
          "scored": true,
          "IsMultiple": false
        },
        {
          "test_number": "1.1.3",
          "test_desc": "Ensure 'Minimum password age' is set to '1 or more day(s)' (Automated)",
          "SubChecks": null,
          "audit_type": "powershell",
          "audit": {
            "cmd": {
              "DomainController": "Get-ADDefaultDomainPasswordPolicy -Current LocalComputer | Select -ExpandProperty MinPasswordAge | Select -ExpandProperty TotalDays",
              "Server": "Get-ADDefaultDomainPasswordPolicy -Current LocalComputer | Select -ExpandProperty MinPasswordAge | Select -ExpandProperty TotalDays"
            }
          },
          "type": "",
          "test_info": [
            "To establish the recommended configuration via GP, set the following UI path to 1 or more day(s):\n   Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Minimum password age\n"
          ],
          "status": "PASS",
          "actual_value": "1",
          "expected_result": "'' is greater or equal to 1",
          "scored": true,
          "IsMultiple": false
        },
        {
          "test_number": "1.1.4",
          "test_desc": "Ensure 'Minimum password length' is set to '14 or more character(s)' (Automated)",
          "SubChecks": null,
          "audit_type": "powershell",
          "audit": {
            "cmd": {
              "DomainController": "Get-ADDefaultDomainPasswordPolicy -Current LocalComputer | Select -ExpandProperty MinPasswordLength",
              "Server": "Get-ADDefaultDomainPasswordPolicy -Current LocalComputer | Select -ExpandProperty MinPasswordLength"
            }
          },
          "type": "",
          "test_info": [
            "To establish the recommended configuration via GP, set the following UI path to 14 or more character(s):\n    Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Minimum password length\n"
          ],
          "status": "FAIL",
          "actual_value": "7",
          "expected_result": "'' is greater or equal to 14",
          "scored": true,
          "IsMultiple": false
        },
        {
          "test_number": "1.1.5",
          "test_desc": "Ensure 'Password must meet complexity requirements' is set to 'Enabled' (Automated)",
          "SubChecks": null,
          "audit_type": "powershell",
          "audit": {
            "cmd": {
              "DomainController": "Get-ADDefaultDomainPasswordPolicy -Current LocalComputer | Select -ExpandProperty ComplexityEnabled",
              "Server": "Get-ADDefaultDomainPasswordPolicy -Current LocalComputer | Select -ExpandProperty ComplexityEnabled"
            }
          },
          "type": "",
          "test_info": [
            "To establish the recommended configuration via GP, set the following UI path to 14 or more character(s):\n     Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Password must meet complexity requirements\n"
          ],
          "status": "PASS",
          "actual_value": "True",
          "expected_result": "'' has 'True'",
          "scored": true,
          "IsMultiple": false
        }
      ],
      "pass": 4,
      "fail": 1,
      "warn": 0,
      "info": 0
    }
  ],
  "total_pass": 4,
  "total_fail": 1,
  "total_warn": 0,
  "total_info": 0
}

About

Checks whether a Windows server according to security best practices as defined in the CIS Distribution-Independent Windows Benchmark

Topics

Resources

License

Code of conduct

Stars

Watchers

Forks

Packages

No packages published