Hello @0x6d69636b,

Thanks for the quick chat recently! As mentioned we've made use of RSOP* CIM classes to audit key settings.
I have looked at the list of URA we want to audit at scale and had come up with the following code sample for it. In this case, the effectiveness of AD Tiering GPOs, and control of other sensitive privileges in an environment.

#User Right Assignment of interest
$URA=@('SeDenyServiceLogonRight',
    'SeDenyBatchLogonRight',
    'SeDenyNetworkLogonRight',
    'SeDenyInteractiveLogonRight',
    'SeDenyRemoteInteractiveLogonRight',
    'SeDebugPrivilege',
    'SeEnableDelegationPrivilege',
    'SeImpersonatePrivilege',
    'SeBatchLogonRight',
    'SeServiceLogonRight',
    'SeInteractiveLogonRight',
    'SeNetworkLogonRight',
    'SeRemoteInteractiveLogonRight')

# Inspect RSOP classes
# Having a precedence of 1 indicates the winning GPO
$URA_RSOP = Get-WmiObject RSOP_UserPrivilegeRight -namespace "root\RSOP\Computer" | where UserRight -in $URA | where precedence -eq 1 | select UserRight,AccountList,GPOID

The GPOID is the Distinguished Name of the object in AD, in the policies container. I'll have a look at the overall structure of HK, perhaps the name or GUIDs of GPOs expected to manage these settings can be stored in a config as well? Do you see this check fit in the current execution flow of HK?

A full list of RSOP classes can be found here, somehow this content is "outdated", but there's a ton more settings to review if needed.
https://learn.microsoft.com/en-us/previous-versions/windows/desktop/policy/rsop-wmi-classes

Cheers

A non existant folder isnt created :( perhaps this could be done automatically incase people automate this script. Ex Sys admin wasnt paying attention when running this across a network, uh oh the folder I gave Kitty was the wrong path and now I lost the default settings

The function Create a Group Policy (experimental) has been added since v0.91. Could you please confirm how to execute it?

Invoke-HardeningKitty -Mode GPO -FileFindingList .\lists\finding_list_0x6d69636b_machine.csv -GPOName HardeningKitty-Machine-01

If you specify an appropriate name in the -GPOName part of the above command, the following error will occur.
Get-GPRegistryValue: I get a message that there is no GPO named xxx in my domain.

Also, if you specify an existing GPO, a message will appear stating that you do not have access rights.

Is it actually a command that creates a domain policy?
How should I specify how to apply it to local policy?

Our machines are deployed with Intune. Checking the baseline with hardeningkitty reports that the firewall is OFF.
This is done by checking the registry hive under ..\Policies.
But this is only set when its controlled by GPO. When done with Intune there is no ..\WindowsFirewall..

You can check it by NETSH or other functions.

But the first thing I would like to see is : When a registry key is not readable, don't assume its 0. Report it as not available.

10501,"Windows Firewall","EnableFirewall (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,EnableFirewall,,,,0,1,=,Medium

Hope you are willing to help and improve.

Best regards,
Gert

When executing Invoke-HardeningKitty -Mode Audit -Log -Report the generated csv as severity column contains "passed" along with medium and low. Typo?

After importing the module, when executing Invoke-HardeningKitty -Mode Config -Backup as indicated in the Readme.md , PowerShell returns the following error regarding the Backup parameter:

Invoke-HardeningKitty : A parameter cannot be found that matches parameter name 'Backup'.
At line:1 char:36
+ Invoke-HardeningKitty -Mode Config -Backup
+                                    ~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Invoke-HardeningKitty], ParameterBindingException
    + FullyQualifiedErrorId : NamedParameterNotFound,Invoke-HardeningKitty

Hi, in lists/finding_list_cis_microsoft_windows_10_enterprise_22h2_machine.csv control ID 18.9.7.1.5.1 on line 347 is incorrectly labelled as 189.7.1.5.1.

According to my tests when Account Lockout Duration is set to 0, Windows reports the value as "Never", which is also reflected in HardeningKitty's output.

According to documentation:

A value of 0 specifies that the account will be locked out until an administrator explicitly unlocks it.

HardeningKitty specifies a numeric threshold for this value, while
a) the "Never" string can't be handled with such a rule
b) 0 as a special case can't be handled by a "bigger is better" kind of rule

I think the "0" setting is more secure than any expiring value, so it should be accepted, but I don't know how much flexibility the rule format of HardeningKitty provides to handle the above edge case.

Is it possible to disable the default logging functionality?

I have been trying to figure out which rule has been giving me issues with network drives. wont let me add drives due to unauthenticated guest access.

Hi there,

Just working on a Windows 11 22H2 machine today. Any chance you have this CIS list for 22H2? Unless you think 21H2 would suffice....

finding_list_cis_microsoft_windows_11_enterprise_21h2_machine.csv

Thanks

hello.

I was wondering if there are any sections specifically that wouldn't allow for batch files to run. it is a net use batch file that we are trying to implement but so far I have not found any script related lines that would stop them from running. I am able to manually add them through file explorer. thnak you

I did a scan of a server against the BSI ND Machine baseline and in the scan result (CSV) for ID 279 (Increase scheduling priority), it shows only BUILTIN\Administrators as a result, despite the Window Manager\Window Manager Group also being configured via its SID (S-1-5-90-0) which I got from here. I would expect that SID to show up in the "Result" column as well, which isn't the case. For other settings I use S-1-0-0 for Nobody and those settings get a pass too, so I'm not sure it is related to the fact I am using a SID here per se.

Caveats: I'm not entirely convinced doing it via the SID is correct and the Windows Server language is German.

HardeningKitty is a great tool and has been very helpful for creating gold images etc.

Do you have a scripted method for creating the finding lists from the STIG xml or pol files? It looks as though it might be possible, but not sure if all the required information is there.

Perhaps you could provide a short description of how you go about generating the finding lists from a STIG, this would be helpful for those looking to add new lists of keep theirs up to date.

thanks in advance.

Hello,
just a few remarks regarding the finding_list_cis_microsoft_windows_10_enterprise_machine.csv:

• 18.8.3.1 - the recommended value should be '0' (disabled)
• 18.8.4.1 and 18.8.4.2 are swapped, and default credential check is no longer part of this version of CIS benchmark. It should be 'Remote host allows delegation of non-exportable credentials'
• '18.5.14.1.1' does not exist in CIS, it should be '18.5.14.1'

Why are the settings in the registry path:
HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile

also checked ? For a compliance check SOFTWARE\Policies\Microsoft\WindowsFirewall should be enough?

The Retention registry setting in "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security", "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application". "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup", and "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System" needs to be REG_SZ. The script creates these as REG_DWORD which do configure the setting correctly.

Not sure if there are other examples here, but I only noticed then when Windows alerted me to the fact that the security log was full, however I knew we enforced the retention setting to prevent this.

Hello,

I'm trying harden a Windows Server 2022 VM on Azure using the list finding_list_cis_microsoft_windows_server_2022_21h1_1.0.0_machine. When I run the hardeningkitty the RDP is disabled and then I can't access via RDP using a admin user or any other local user.

According to the documentation:

"To install a package with elevated (system) privileges, set the AlwaysInstallElevated value to "1" under both of the following registry keys:"

This implies that when these keys are missing, the setting is not the same as if the setting value was 1.

This list (and others) however assume the value to be 1 by default:

https://github.com/scipag/HardeningKitty/blame/7751c3c303ba77f30d9d59362914018800eeb0bb/lists/finding_list_cis_microsoft_windows_10_enterprise_20h2_user.csv#L14

This results in false positive findings.

I have this setup on a multitude of computers but we are running issues with certain smb network drives connecting.

invoke-hardeningKitty .\lists\finding_list_cis_microsoft_windows_11_enterprise_21h2_user.csv -EmojiSupport -Mode Audit

Output:
[*] 8/6/2022 9:25:35 AM - Starting Category Administrative Templates: System
[😺] ID 19.6.6.1.1, Internet Communication Management: Internet Communication Settings: Turn off Help Experience Improvement Program, Result=1, Severity=Passed

Log:
"19.6.6.1.1","Internet Communication Management: Internet Communication Settings: Turn off Help Experience Improvement Program","Passed","1"

This reboot request halts requires human input.
This halts an automated process.

Hello, while I run the script and I want to save it as CSV file, however I encounter this kind of error to some of our configured policy.

How to bypass ?

Hi!
just installed HK and cannot run it due to the following error in the output. Can you help please?

PS C:\Users\XXXXXXX\Desktop> Invoke-HardeningKitty -EmojiSupport

  =^._.^=
 _(      )/  HardeningKitty 0.9.0-1670934249

[*] 2023-04-07 20:20:35 - Starting HardeningKitty

[] 2023-04-07 20:20:35 - Getting machine information
[] Hostname: XXXX
[] Domain: XXXX
[] Domain role: Member Server
[] Install date: 01/11/2016 07:16:02
[] Last Boot Time: 04/06/2023 08:17:12
[] Uptime: 1.12:03:23.2387107
[] Windows: Microsoft Windows Server 2012 R2 Standard
[] Windows version: 6.3.9600
[] Windows build: 9600
[] System-locale: lt-LT
[] Powershell Version: 4.0

[*] 2023-04-07 20:20:36 - Language warning
[?] 2023-04-07 20:20:36 - HardeningKitty was developed for the system language 'en-US'. This system uses 'lt-LT' Languag
e-dependent analyses can sometimes produce false results. Please create an issue if this occurs.

[] 2023-04-07 20:20:36 - Getting user information
[] Username: XXXXXX\XXXXXX
[*] Is Admin: True
[!] 2023-04-07 20:20:36 - The finding list C:\Users\XXXXXXX\Desktop\lists\finding_list_0x6d69636b_machine.csv was not fo
und.

Hello,
"Create a Group Policy", but is it possible to create a local group policy?

I know the recommendation exist (and you should disable), but it never made it into the official Microsoft OS machine baselines, right ?
I remember they mentioned somewhere, they think about expanding the baselines and adding user based tasks and services..

11060 | Scheduled Task | XblGameSave Standby Task

[] Windows: Microsoft Windows Server 2022 Standard Evaluation
[] Windows edition: ServerStandardEval
[*] Windows version: 2009
Finding list - finding_list_cis_microsoft_windows_server_2022_21h2_1.0.0_machine.csv

After changing settings to recommended; it still flagging as incorrect:

[$] ID 2.3.10.9, Network access: Remotely accessible registry paths and sub-paths, Result=System\CurrentControlSet\Control\Print\Printers;System\CurrentControlSet\Services\Eventlog;Software\Microsoft\OLAP Server;Software\Microsoft\Windows NT\CurrentVersion\Print;Software\Microsoft\Windows NT\CurrentVersion\Windows;System\CurrentControlSet\Control\ContentIndex;System\CurrentControlSet\Control\Terminal Server;System\CurrentControlSet\Control\Terminal Server\UserConfig;System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration;Software\Microsoft\Windows NT\CurrentVersion\Perflib;System\CurrentControlSet\Services\SysmonLog, Recommended=System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog, Severity=Medium

It's a bit hard to see with that blurb of text so I will paste again with easier formatting for visibility:

Result:
System\CurrentControlSet\Control\Print\Printers
System\CurrentControlSet\Services\Eventlog
Software\Microsoft\OLAP Server
Software\Microsoft\Windows NT\CurrentVersion\Print
Software\Microsoft\Windows NT\CurrentVersion\Windows
System\CurrentControlSet\Control\ContentIndex
System\CurrentControlSet\Control\Terminal Server
System\CurrentControlSet\Control\Terminal Server\UserConfig
System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
Software\Microsoft\Windows NT\CurrentVersion\Perflib
System\CurrentControlSet\Services\SysmonLog

Recommended:
System\CurrentControlSet\Control\Print\Printers
System\CurrentControlSet\Services\Eventlog
Software\Microsoft\OLAP Server
Software\Microsoft\Windows NT\CurrentVersion\Print
Software\Microsoft\Windows NT\CurrentVersion\Windows
System\CurrentControlSet\Control\ContentIndex
System\CurrentControlSet\Control\Terminal Server
System\CurrentControlSet\Control\Terminal Server\UserConfig
System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
Software\Microsoft\Windows NT\CurrentVersion\Perflib
System\CurrentControlSet\Services\SysmonLog

Any idea's what went wrong here?

When executing, on Windows 11 22H2:
Invoke-HardeningKitty -Mode Audit -FileFindingList .\lists\finding_list_msft_security_baseline_windows_11_22h2_machine.csv

the two Edge settings are not found:
`[*] 1/29/2023 6:22:34 PM - Starting Category Microsoft Edge

[$] ID 10952, Configure Windows Defender SmartScreen, Result=, Recommended=1, Severity=Medium

[$] ID 10953, Prevent bypassing Microsoft Defender SmartScreen prompts for sites, Result=, Recommended=1, Severity=Medium`

the list points to the reg key:
HKLM:\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter,EnabledV9

I could only find this setting here (the second Defender setting is also found here):
SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter

[] 16.05.2022 15:05:49 - Getting machine information
[] Domain role: MemberServer
[] Windows: Windows Server 2022 Datacenter
[] Windows edition: ServerDatacenter
[] Windows version: 2009
[] Windows build: 20348.1.amd64fre.fe_release.210507-1500
[] System-locale: de-DE
[] Powershell Version: 5.1

Commandline:
Invoke-HardeningKitty -EmojiSupport -FileFindingList .\lists\finding_list_msft_security_baseline_windows_server_2022_21h2_member_machine.csv

ID 10653, Network Provider: Hardened UNC Paths (NETLOGON), Result=RequireMutualAuthentication=1,RequireIntegrity=1, Severity=Passed

[😿] ID 10654, Network Provider: Hardened UNC Paths (SYSVOL), Result=RequireMutualAuthentication=1,RequireIntegrity=1, Recommended=RequireMutualAuthentication=1, RequireIntegrity=1, Severity=Medium

The recommendation of the second case. contains a space character and might lead to the Severity=Medium instead of Severity=Passed. Both cases are configured exactly the same on my systems.

Hello all!

this is not really an issue - but I would like to know if it is possible to add a new finding and if yes how.

I want to check if the powershell executionpolicy on the endpoint is set to the microsoft default "restricted" or something different.

PS C:\Users\SecurityWho> Get-ExecutionPolicy                                                                        
Restricted

Hello,

I am trying to harden a device but allow RDP connections. Although, after executing it and deleting the fDenyTSConnections key, I am having issues to connect using both an Admin user and a local user.

Thank you.

Hi,

Loving the HardeningKitty capabilities, but for "our" hardening process we need new methods :

• Users creation (to replace default admin by a new account)
• NTFS permissions
• other ?

I want to contribute on that (and not ask you you dev it), but i want to known if it's something that can be considered in the "scope" of HardeningKitty ?

Best Regards,
Richard.

This is a fantastic tool! I wanted to export the local policies to a csv after running HailMary but noticed that there are only "not configured" policies in the Local Group Policy Editor. At least all the "administrative template" policies. I find this weird, because when you enabled a policy the registry is changed. But apparently, when you modify/create a registry key, the corresponding policy is not enabled. Note that the machine I am using HardeningKitty Hailmary on is a non-domain joined machine. Is it possible to automate getting the policies enabled?

Multiple rule lists define the Point and Print driver installation restriction with the default value of 0:

https://github.com/scipag/HardeningKitty/search?q=RestrictDriverInstallationToAdministrators

Meanwhile, according to the documentation:

"Windows updates released August 10, 2021 and later will, by default, require administrative privilege to install drivers."

I don't know if HardeningKitty can take into account the current update level of the target system. If it can't, maybe the updated default could be reflected in lists used for builds released after the above date?