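## Provided with no guaranties nor warranties by Olaf Hartong. @olafhartong
## Requires Remote Server Administration Tools (RSAT)
#
# Purpose: enumerate every GPO in the domain, list the ones that carry
# Advanced Audit Policy settings, then flag the audit subcategories that
# MDE depends on which are missing or set to an insufficient value.
#
# SettingValue encoding in the GPO XML report: 1 = Success, 2 = Failure,
# 3 = Success and Failure.
#
# Scope caveat: only each GPO's own settings are inspected. Links, enforcement,
# WMI filters and precedence are not evaluated, so the effective audit policy
# on a given host may still differ from what is reported here.

# Subcategories MDE relies on and the SettingValues that satisfy each one.
# Name is matched as a regex against SubCategoryName, exactly as the original
# per-subcategory checks did (e.g. 'Authorization Policy Change' also matches
# 'Audit Authorization Policy Change').
$RequiredAuditSettings = @(
    @{ Name = 'Audit Logon';                         Expected = @(3)    }
    @{ Name = 'Authorization Policy Change';         Expected = @(1, 3) }
    @{ Name = 'Audit Security Group Management';     Expected = @(1, 3) }
    @{ Name = 'Audit User Account Management';       Expected = @(1, 3) }
    @{ Name = 'Audit PNP Activity';                  Expected = @(1, 3) }
    @{ Name = 'Audit Other Logon/Logoff Events';     Expected = @(2, 3) }
    @{ Name = 'Audit File System';                   Expected = @(1, 3) }
    @{ Name = 'Audit Filtering Platform Connection'; Expected = @(2, 3) }
    @{ Name = 'Audit Other Object Access Events';    Expected = @(1, 3) }
    @{ Name = 'Audit Audit Policy Change';           Expected = @(1, 3) }
    @{ Name = 'Audit Other System Events';           Expected = @(1, 3) }
    @{ Name = 'Audit Security System Extension';     Expected = @(1, 3) }
)

function Get-AuditExtension {
    <#
    .SYNOPSIS
    Returns the Computer-side extensions of a GPO XML report whose type
    attribute names an audit extension (same 'Audit' regex as the original).
    .PARAMETER Report
    The [xml] document produced by Get-GPOReport -ReportType XML.
    .OUTPUTS
    An array (possibly empty) of Extension nodes.
    #>
    param([Parameter(Mandatory)][xml]$Report)
    @($Report.GPO.Computer.ExtensionData.Extension | Where-Object { $_.type -match 'Audit' })
}

function Test-AuditSubcategory {
    <#
    .SYNOPSIS
    Writes one warning line per required subcategory that is missing from, or
    insufficiently configured in, the supplied AuditSetting nodes.
    .PARAMETER AuditSettings
    The AuditSetting nodes collected from a GPO's audit extensions; may be empty.
    .PARAMETER Requirement
    Hashtable with Name (regex matched against SubCategoryName) and Expected
    (the SettingValues that are acceptable).
    #>
    param(
        [AllowEmptyCollection()][object[]]$AuditSettings,
        [Parameter(Mandatory)][hashtable]$Requirement
    )
    $ExpectedText = $Requirement.Expected -join ' or '
    $Found = @($AuditSettings | Where-Object { $_.SubCategoryName -match $Requirement.Name })
    if ($Found.Count -eq 0) {
        Write-Host " $($Requirement.Name) - Not Set" -ForegroundColor Yellow
        return
    }
    # A GPO can carry more than one matching node (e.g. several audit
    # extensions); comparing a whole array with -NotIn would never match a
    # scalar expected value, so each node is checked individually.
    foreach ($Setting in $Found) {
        if ($Setting.SettingValue -notin $Requirement.Expected) {
            Write-Host " $($Requirement.Name) - Expected setting is $ExpectedText, current setting is:" $Setting.SettingValue -ForegroundColor Yellow
        }
    }
}

Write-Host "This script checks the Group Policies for Audit settings" -ForegroundColor Green
Write-Host "Next it makes sure all categories that can impact MDE functionality are set properly" -ForegroundColor Green

# Wrap in @() so a domain with a single GPO still exposes .Count.
$AllGPOs = @(Get-GPO -All)
Write-Host "There is a total of" $AllGPOs.Count "GPOs." -ForegroundColor Green
Write-Host "`nThe following GPOs contain Audit settings:" -ForegroundColor Green

# Generate each XML report once (the original fetched it twice per GPO) and
# keep only the GPOs that carry audit settings, together with the parsed report.
# The report is requested by GUID because GPO display names need not be unique.
$AuditGPOs = @(foreach ($TheGPO in $AllGPOs) {
    [xml]$CurrentXML = Get-GPOReport -Guid $TheGPO.Id -ReportType XML
    if ((Get-AuditExtension -Report $CurrentXML).Count -ne 0) {
        Write-Host "Audit Settings: " -NoNewline -ForegroundColor Cyan
        Write-Host $TheGPO.DisplayName
        [pscustomobject]@{ GPO = $TheGPO; Report = $CurrentXML }
    }
})

Write-Host "`nOut of those, the following GPOs have potential blind spots due to lacking audit settings:" -ForegroundColor Green
foreach ($Entry in $AuditGPOs) {
    Write-Host "GPO: " -ForegroundColor Cyan $Entry.GPO.DisplayName
    # Member enumeration flattens the AuditSetting nodes of every audit extension.
    $AuditSettings = @((Get-AuditExtension -Report $Entry.Report).AuditSetting | Where-Object { $_ })
    foreach ($Requirement in $RequiredAuditSettings) {
        Test-AuditSubcategory -AuditSettings $AuditSettings -Requirement $Requirement
    }
}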