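<#
.SYNOPSIS
    Pull the current security configuration of this host and store it as JSON for
    later comparison with a target configuration to measure compliance.

.DESCRIPTION
    Records, without judging them:
      - Windows Firewall "Enabled" state for the Domain, Private and Public profiles
      - the UAC master switch (the EnableLUA policy value)
      - the Windows Update service (wuauserv) start type
      - a subset of Windows Defender status fields from Get-MpComputerStatus
    The value each field must have to count as compliant is documented inline next
    to that field in $systemInfo below, so the comparison logic can live elsewhere.

.PARAMETER currentStatePath
    Path of the JSON snapshot to write. Defaults to the original hard-coded location.

.OUTPUTS
    Nothing to the pipeline. Writes a UTF-8 JSON file at $currentStatePath.

.NOTES
    A field that cannot be read (module missing, value absent) is recorded as null
    rather than aborting the run, so a snapshot is always produced; the error stream
    carries the reason. The snapshot is only as trustworthy as the directory it is
    written to: a baseline kept in a user-writable folder can be edited before the
    comparison runs, so prefer a location the comparing principal controls.
#>
param(
    # Output file for the captured state (JSON).
    [string]$currentStatePath = "C:\Users\bob\Desktop\currentState.json"
)

# --- Windows Firewall profile statuses ---------------------------------------
# Enabled is True/False per profile; a profile that is not present yields $null.
$firewallProfiles = Get-NetFirewallProfile
$firewallDomainStatus  = $firewallProfiles | Where-Object { $_.Name -eq 'Domain' }  | Select-Object -ExpandProperty Enabled
$firewallPrivateStatus = $firewallProfiles | Where-Object { $_.Name -eq 'Private' } | Select-Object -ExpandProperty Enabled
$firewallPublicStatus  = $firewallProfiles | Where-Object { $_.Name -eq 'Public' }  | Select-Object -ExpandProperty Enabled

# --- UAC status --------------------------------------------------------------
# EnableLUA is the UAC master switch and is only ever 0 (off) or 1 (on); it does not
# carry a 0/1/2 prompt-level meaning. $null here means the value is absent (an error
# is written so the absence is visible to the operator).
$uacPolicyPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
$uacStatus = (Get-ItemProperty -Path $uacPolicyPath -Name "EnableLUA").EnableLUA

# --- Windows Update service start type ---------------------------------------
$serviceName = "wuauserv"
$serviceKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"
$service     = Get-Service -Name $serviceName   # previously hard-coded, ignoring $serviceName

$windowsUpdateStatus = $null                     # stays null if the service cannot be read
if ($service) {
    switch ("$($service.StartType)") {
        "Manual" {
            # Read the value itself rather than testing the Get-ItemProperty result:
            # that object is truthy whenever the value exists, whatever it contains, and
            # a missing value produced a spurious error on every run.
            $triggerStart = (Get-ItemProperty -Path $serviceKey -Name "TriggerStart" -ErrorAction SilentlyContinue).TriggerStart
            # Service triggers are normally registered under a TriggerInfo subkey of the
            # service key, so treat its presence as trigger-start as well.
            # NOTE(review): confirm which of the two the target builds actually populate.
            $hasTriggerInfo = Test-Path -Path (Join-Path -Path $serviceKey -ChildPath "TriggerInfo")
            if ($triggerStart -or $hasTriggerInfo) {
                $windowsUpdateStatus = "Manual (Trigger Start)"
            } else {
                $windowsUpdateStatus = "Manual"
            }
        }
        "Automatic" {
            $windowsUpdateStatus = "Automatic"
        }
        default {
            # Disabled and the remaining start types were previously left unset (null in
            # the JSON), which hid a disabled update service; record the raw start type.
            $windowsUpdateStatus = "$($service.StartType)"
        }
    }
}

# --- Windows Defender status -------------------------------------------------
# The individual fields are read straight off this object below; if the Defender
# module is unavailable every Defender field in the snapshot is null.
$windowsDefenderStatus = Get-MpComputerStatus

# --- Assemble the snapshot ---------------------------------------------------
# The key names are the snapshot schema the comparison step depends on; do not rename.
$systemInfo = [PSCustomObject]@{
    firewallDomainStatus      = $firewallDomainStatus
    firewallPrivateStatus     = $firewallPrivateStatus
    firewallPublicStatus      = $firewallPublicStatus
    <# compliant = 1
       1 = enabled, 0 = disabled #>
    UACStatus                 = $uacStatus
    <# compliant = 1
       1 - UAC is turned on
       0 - UAC is turned off
       (EnableLUA has no value 2; the prompt level is a separate policy value) #>
    WindowsUpdateStatus       = $windowsUpdateStatus
    # compliant = "Manual (Trigger Start)" or "Automatic"
    AMServiceEnabled          = $windowsDefenderStatus.AMServiceEnabled
    # compliant = true
    AntispywareEnabled        = $windowsDefenderStatus.AntispywareEnabled
    # compliant = true
    AntivirusEnabled          = $windowsDefenderStatus.AntivirusEnabled
    # compliant = true
    RealTimeProtectionEnabled = $windowsDefenderStatus.RealTimeProtectionEnabled
    # compliant = true
    BehaviorMonitorEnabled    = $windowsDefenderStatus.BehaviorMonitorEnabled
    # compliant = true
    ComputerState             = $windowsDefenderStatus.ComputerState
    <#
    compliant = 0, 2, or 5 per the original author; other values were treated as
    transitional phases or indicators of compromise.
    NOTE(review): the meanings originally listed for this field (NoStatus, Disabled,
    Enabled, NotMonitored, OutOfDate, UpToDate, NoResponse, ServiceStarting,
    ServiceStopping, NeedsFullScan, ThreatDetected for 0-10) do not match Microsoft's
    documented ComputerState enumeration for MSFT_MpComputerStatus, which is
    0 = clean, 1 = pending full scan, 2 = pending reboot, 3 = pending manual steps,
    4 = pending offline scan, 5 = pending critical failure. Under that reading only 0
    is a healthy state; re-verify the compliant set against the documentation before
    relying on this field.
    #>
}

# --- Persist -----------------------------------------------------------------
# Pin the encoding so the snapshot's text encoding does not depend on which
# PowerShell edition ran the script (ANSI default in 5.1, UTF-8 default in 7).
$systemInfo | ConvertTo-Json | Set-Content -Path $currentStatePath -Encoding UTF8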