Health and Vulnerability Scanner for Windows 10, 11 and Server 2016-22

The SecureReport script is designed to detect vulnerabilities and common misconfigurations within Windows and installed applications. While scanners like Nessus operate network-wide, this script provides a comprehensive audit of security concerns, executed locally for a deeper analysis.

Hackers or disgruntled employees could exploit these vulnerabilities, potentially leading to privilege escalation from user to system access and ultimately gaining Domain Admin privileges.

The vulnerability script underwent testing on the most recent iterations of Windows 11, and Server 2022, requiring PowerShell version 5.1 to generate an HTML output. Notably, PowerShell version 4 lacks support for '-depth', hindering the audit of File, Folder, and Registry permissions. Windows 8, 8.1, 2012, and 2012 R2 necessitate an update to Windows Management Framework 5.1 for compatibility.

Do not make changes to your IT systems based on the output of this report without a backup or testing, some of the suggestions are aimed at Domain joined clients and are likely to prevent Linux or legacy services from connecting to the domain.

#Downloading and Executing the Script

Download Tenaka/SecureReport (github.com), and launch from either PowerShell or PowerShell_ISE with Administrative privileges. The report will take a while to execute, potentially up to 30 minutes, please be patient.

The report output is saved to C:\Securereport\FinishedReport.htm

The html output can be imported into Excel for further analysis and uses the True and False values as a drop-down filter.
Open Excel, Data, Import from Web. Enter the file path in the following format file:///C:/SecureReport/NameOfReport.htm, then select multiple items and click on Load and select 'Load To', click on Table.

new-look70

new-look71

newlook-tabs2

new-look70

1/7

#List of checks and balances:

Host Details, CPU, Bios, Windows Version

Accounts, Groups and Password Policy

User Rights Assignments

Install Applications and installed Windows Updates

Virtualization, UEFI, Secure Boot, DMA, TPM and Bitlocker Settings

LSA, DLL Safe Search Order, Hypervisor Code Integrity

DLL Hijacking

Files not Signed (Authenticode)

Autologon Credentials in the Registry

Unquoted paths

Processes that contain passwords in the command line

Enabled legacy Network protocols

Registry Keys with weak Permissions

System Folders with weak Permissions

Drivers not Signed

Authenticode Hash Mismatch

Windows, Edge and Office 2016-365 GPO comparison against Microsoft recommend.

Firewall settings and rules

Active Directory Account and SPN issues

SQL Server

#URA

User Rights Assignments (URA) control what tasks a user can perform on the local client, server or Domain Controller.

For example, the ‘Log on as a service’ (SeServiceLogonRight) provides the rights for a service account to Logon as a Service, not Interactively.

Access to URA can be abused and attack the system.

Both SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege are commonly used by service accounts and vulnerable to an escalation of privilege via Juicy Potato exploits.

Access this computer from the network (SeNetworkLogonRight) allows pass-the-hash when Local Admins share the same password, remove all the default groups and apply named groups, separating client from servers."

Further details can be found @ https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/user-rights-assignment

#TPM and Bitlocker

"TPM and Bitlocker protect against offline attack from USB and mounting the local Windows system then accessing the local data. 'TPM and Pin' enhances Bitlocker by preventing LPC Bus (Low Pin Count) bypasses of Bitlocker with TPM.

Further information can be found @

https://www.tenaka.net/bitlocker

#Secure Boot

Secure Boot is a security standard to ensure only trusted OEM software is allowed at boot. At startup the UEFi and boot software's digital signatures are validated preventing rootkits