Kisa 2024 cloud vulnerability inspection guide for window server

kisa/Cloud_Vulnerability_Inspection_Guide_2024/Window_Server/account-lockout-threshold.yaml

@@ -0,0 +1,65 @@
+id: account-lockout-threshold
+
+info:
+  name: Account Lockout Threshold Check
+  author: nukunga[SungHyunJeon]
+  severity: medium
+  description: |
+    Ensure the account lockout threshold is configured to 5 or fewer invalid login attempts to reduce the risk of brute-force attacks.
+  impact: |
+    An absent or misconfigured lockout threshold permits unlimited password guessing attempts, significantly increasing the risk of account compromise.
+  remediation: |
+    Set the lockout threshold using:
+    > net accounts /lockoutthreshold:5
+    or configure it via Local Security Policy under:
+    Account Lockout Policy → Account lockout threshold.
+  reference:
+    - https://isms.kisa.or.kr/main/csap/notice/?boardId=bbs_0000000000000004&mode=view&cntId=85
+  tags: account-management,code,windows-audit,kisa
+
+self-contained: true
+
+code:
+  - pre-condition: |
+      IsWindows();
+    engine:
+      - powershell
+      - powershell.exe
+
+    args:
+      - -ExecutionPolicy
+      - Bypass
+
+    pattern: "*.ps1"
+    source: |
+      $netAccountsOutput = net accounts
+      $thresholdLine = $netAccountsOutput | Where-Object { $_ -match "Lockout threshold:" }
+      if ($thresholdLine) {
+          # "Lockout threshold:"
+          $matches = [regex]::Match($thresholdLine, "Lockout threshold:\s+(\S+)")
+          if ($matches.Success) {
+              $value = $matches.Groups[1].Value.Trim()
+              if ($value -eq "0" -or $value -eq "Never") {
+                  Write-Output "ACCOUNT_LOCKOUT_THRESHOLD_NOT_SET"
+              }
+              elseif ([int]$value -gt 5) {
+                  Write-Output "ACCOUNT_LOCKOUT_THRESHOLD_EXCEEDS_MAX"
+              }
+              else {
+                  Write-Output "ACCOUNT_LOCKOUT_THRESHOLD_OK"
+              }
+          }
+          else {
+              Write-Output "ACCOUNT_LOCKOUT_THRESHOLD_NOT_FOUND"
+          }
+      }
+      else {
+          Write-Output "ACCOUNT_LOCKOUT_THRESHOLD_NOT_FOUND"
+      }
+
+    matchers:
+      - type: word
+        words:
+          - "ACCOUNT_LOCKOUT_THRESHOLD_NOT_SET"
+          - "ACCOUNT_LOCKOUT_THRESHOLD_EXCEEDS_MAX"
+        condition: or

kisa/Cloud_Vulnerability_Inspection_Guide_2024/Window_Server/admin-account-rename.yaml

@@ -0,0 +1,42 @@
+id: admin-account-rename
+
+info:
+  name: Administrator Account Rename Check
+  author: nukunga[SungHyunJeon]
+  severity: medium
+  description: |
+    Ensure the default Administrator account has been renamed to help prevent targeted brute-force attacks.
+  impact: |
+    Retaining the default Administrator account name gives attackers a predictable target for password guessing attempts on a privileged account.
+  remediation: |
+    Rename the Administrator account using Local Security Policy or the following command-line instruction:
+    > wmic UserAccount where Name="administrator" call Rename Name="NEW_NAME"
+  reference:
+    - https://isms.kisa.or.kr/main/csap/notice/?boardId=bbs_0000000000000004&mode=view&cntId=85
+  tags: account-management,code,windows-audit,kisa
+
+self-contained: true
+
+code:
+  - pre-condition: |
+      IsWindows();
+    engine:
+      - powershell
+      - powershell.exe
+    args:
+      - -ExecutionPolicy
+      - Bypass
+    pattern: "*.ps1"
+    source: |
+      # Check SID ending with -500 (built-in Administrator)
+      $adminAccount = Get-LocalUser | Where-Object { $_.SID -like '*-500' }
+      if ($adminAccount.Name -eq 'Administrator') {
+          "ADMINISTRATOR_ACCOUNT_NOT_RENAMED"
+      } else {
+          "ADMINISTRATOR_ACCOUNT_RENAMED"
+      }
+
+    matchers:
+      - type: word
+        words:
+          - "ADMINISTRATOR_ACCOUNT_NOT_RENAMED"

kisa/Cloud_Vulnerability_Inspection_Guide_2024/Window_Server/admin-group-minimal.yaml

@@ -0,0 +1,59 @@
+id: admin-group-minimal
+
+info:
+  name: Minimum Administrator Group Membership Check
+  author: nukunga[SungHyunJeon]
+  severity: medium
+  description: |
+    Ensure that only essential accounts are members of the Administrators group. Excess or unnecessary accounts can increase the system's vulnerability to compromise.
+  impact: |
+    Additional accounts in the Administrators group can be leveraged by attackers to gain unauthorized access and execute administrative tasks.
+  remediation: |
+    Remove unneeded accounts from the Administrators group using:
+    > net localgroup administrators [AccountName] /del
+  reference:
+    - https://isms.kisa.or.kr/main/csap/notice/?boardId=bbs_0000000000000004&mode=view&cntId=85
+  tags: account-management,code,windows-audit,kisa,admin-group
+
+self-contained: true
+
+code:
+  - pre-condition: |
+      IsWindows();
+    engine:
+      - powershell
+      - powershell.exe
+    args:
+      - -ExecutionPolicy
+      - Bypass
+    pattern: "*.ps1"
+    source: |
+      $output = net localgroup administrators | Out-String
+      $lines = $output -split "`n"
+      $start = $false
+      $accounts = @()
+      foreach ($line in $lines) {
+          # Identify the start of the member list by the separator line
+          if ($line -match "^-+") {
+              $start = $true
+              continue
+          }
+          # End the member list when reaching the completion message
+          if ($start -and $line -match "The command completed successfully") {
+              break
+          }
+          if ($start -and $line.Trim() -ne "") {
+              $accounts += $line.Trim()
+          }
+      }
+      # Assume that only one account (the built-in administrator or a renamed equivalent) is necessary.
+      if ($accounts.Count -gt 1) {
+          "EXTRA_ADMIN_ACCOUNTS_FOUND"
+      } else {
+          "ADMIN_GROUP_MINIMAL"
+      }
+
+    matchers:
+      - type: word
+        words:
+          - "EXTRA_ADMIN_ACCOUNTS_FOUND"

kisa/Cloud_Vulnerability_Inspection_Guide_2024/Window_Server/autologon-control.yaml

@@ -0,0 +1,44 @@
+id: autologon-control
+
+info:
+  name: Autologon Function Control Check
+  author: nukunga[SungHyunJeon]
+  severity: medium
+  description: |
+    Ensure the Autologon feature is disabled by verifying that the AutoAdminLogon registry value under
+    HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon is either missing or set to "0".
+    A value of "1" indicates that login credentials may be stored in the registry, creating a potential security risk.
+  impact: |
+    Enabling Autologon allows attackers with physical or remote access to retrieve stored login credentials, potentially resulting in unauthorized system access.
+  remediation: |
+    Disable Autologon by setting the AutoAdminLogon registry value to "0". This can be done using:
+    - Registry Editor: Go to HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon and set AutoAdminLogon to "0".
+  reference:
+    - https://isms.kisa.or.kr/main/csap/notice/?boardId=bbs_0000000000000004&mode=view&cntId=85
+  tags: autologon,account-management,code,windows-audit,kisa
+
+self-contained: true
+
+code:
+  - pre-condition: |
+      IsWindows();
+    engine:
+      - powershell
+      - powershell.exe
+    args:
+      - -ExecutionPolicy
+      - Bypass
+    pattern: "*.ps1"
+    source: |
+      $regPath = "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
+      $autologon = (Get-ItemProperty -Path $regPath -Name AutoAdminLogon -ErrorAction SilentlyContinue).AutoAdminLogon
+      if ($null -eq $autologon -or $autologon -eq "0") {
+          "AUTO_ADMIN_LOGON_DISABLED"
+      } else {
+          "AUTO_ADMIN_LOGON_ENABLED"
+      }
+
+    matchers:
+      - type: word
+        words:
+          - "AUTO_ADMIN_LOGON_ENABLED"

kisa/Cloud_Vulnerability_Inspection_Guide_2024/Window_Server/crash-on-audit-fail.yaml

@@ -0,0 +1,51 @@
+id: crash-on-audit-fail
+
+info:
+  name: Shutdown on Audit Failure Check
+  author: nukunga[SungHyunJeon]
+  severity: medium
+  description: |
+    Ensure the "Shutdown on Audit Failure" policy is disabled.
+    The registry value should be set to "4,0" to prevent the system from shutting down if it cannot log security audit events.
+    If set to "4,1", the system will shut down on audit failure, which could result in a denial-of-service condition.
+  impact: |
+    Enabling this policy (value set to "4,1") may cause the system to shut down unexpectedly if audit logs cannot be written, potentially disrupting services and risking data loss.
+  remediation: |
+    Disable the policy by setting the CrashOnAuditFail value to "4,0". This can be done by:
+    - Using the Registry Editor: Navigate to HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System and set CrashOnAuditFail to "4,0".
+    - Through Local Security Policy: Set "Audit: Shut down system immediately if unable to log security audits" to Disabled.
+  reference:
+    - https://isms.kisa.or.kr/main/csap/notice/?boardId=bbs_0000000000000004&mode=view&cntId=85
+  tags: account-management,code,windows-audit,kisa,policy
+
+self-contained: true
+
+code:
+  - pre-condition: |
+      IsWindows();
+    engine:
+      - powershell
+      - powershell.exe
+    args:
+      - -ExecutionPolicy
+      - Bypass
+    pattern: "*.ps1"
+    source: |
+      $cfgPath = "C:\cfg.txt"
+      secedit /export /cfg $cfgPath | Out-Null
+      $cfg = Get-Content $cfgPath | Out-String
+      if ($cfg -match "CrashOnAuditFail\s*=\s*(\S+)") {
+          $value = $Matches[1].Trim()
+          if ($value -eq "4,1") {
+              "CRASH_ON_AUDIT_FAIL_ENABLED"
+          } else {
+              "CRASH_ON_AUDIT_FAIL_DISABLED"
+          }
+      } else {
+          "CRASH_ON_AUDIT_FAIL_NOT_FOUND"
+      }
+
+    matchers:
+      - type: word
+        words:
+          - "CRASH_ON_AUDIT_FAIL_ENABLED"

kisa/Cloud_Vulnerability_Inspection_Guide_2024/Window_Server/dns-zone-transfer-check.yaml

@@ -0,0 +1,56 @@
+id: dns-zone-transfer-check
+
+info:
+  name: DNS Zone Transfer Check
+  author: nukunga[SungHyunJeon]
+  severity: medium
+  description: |
+    Ensure DNS zone transfers are restricted by verifying that the SecureSecondaries registry value is set to 2 for all active zones.
+    Unrestricted zone transfers can expose sensitive domain information, helping attackers map the network infrastructure.
+  impact: |
+    If DNS zone transfers are not properly restricted, attackers could access domain and zone details, which may aid in planning and launching further attacks against the network infrastructure.
+  remediation: |
+    Configure DNS zone transfer restrictions by:
+    - Disabling zone transfers entirely, or
+    - Restricting transfers to designated servers by setting the SecureSecondaries registry value to 2.
+  reference:
+    - https://isms.kisa.or.kr/main/csap/notice/?boardId=bbs_0000000000000004&mode=view&cntId=85
+  tags: code,windows-audit,kisa,dns,zone-transfer
+
+self-contained: true
+
+code:
+  - pre-condition: |
+      IsWindows();
+    engine:
+      - powershell
+      - powershell.exe
+    args:
+      - -ExecutionPolicy
+      - Bypass
+    pattern: "*.ps1"
+    source: |
+      $regPath = "HKLM:\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\DNS Server\Zones"
+      $zones = Get-ChildItem -Path $regPath -ErrorAction SilentlyContinue
+      if (!$zones) {
+          "DNS_ZONE_TRANSFER_COMPLIANT"
+          exit
+      }
+      $vulnerable = $false
+      foreach ($zone in $zones) {
+          $secureVal = (Get-ItemProperty -Path $zone.PSPath -ErrorAction SilentlyContinue).SecureSecondaries
+          if ($secureVal -ne 2) {
+              $vulnerable = $true
+              break
+          }
+      }
+      if ($vulnerable) {
+          "DNS_ZONE_TRANSFER_VULNERABLE"
+      } else {
+          "DNS_ZONE_TRANSFER_COMPLIANT"
+      }
+
+    matchers:
+      - type: word
+        words:
+          - "DNS_ZONE_TRANSFER_VULNERABLE"

kisa/Cloud_Vulnerability_Inspection_Guide_2024/Window_Server/ftp-access-control-check.yaml

@@ -0,0 +1,53 @@
+id: ftp-access-control-check
+
+info:
+  name: FTP Access Control Check
+  author: nukunga[SungHyunJeon]
+  severity: medium
+  description: |
+    Ensure FTP access is restricted by configuring IP address filters. Without these restrictions, unauthorized networks could potentially access FTP services.
+  impact: |
+    Lack of proper IP-based access control allows FTP services to be accessed by unauthorized networks, heightening the risk of data breaches and other security threats.
+  remediation: |
+    Set up IP address restrictions using IIS Manager:
+    - Open IIS Manager.
+    - Go to the FTP site → FTP IP Address and Domain Restrictions.
+    - Add the allowed IP addresses and configure suitable deny rules.
+  reference:
+    - https://isms.kisa.or.kr/main/csap/notice/?boardId=bbs_0000000000000004&mode=view&cntId=85
+  tags: ftp,iis,security,windows,code,windows-audit,kisa
+
+self-contained: true
+
+code:
+  - pre-condition: |
+      IsWindows();
+    engine:
+      - powershell
+      - powershell.exe
+    args:
+      - -ExecutionPolicy
+      - Bypass
+    pattern: "*.ps1"
+    source: |
+      Import-Module WebAdministration -ErrorAction SilentlyContinue
+      $ftpSites = Get-ChildItem IIS:\Sites | Where-Object { $_.Bindings.Collection.Protocol -eq "ftp" }
+      $vulnerable = $false
+      foreach ($site in $ftpSites) {
+          $ipSecurity = Get-WebConfigurationProperty -pspath "MACHINE/WEBROOT/APPHOST/$($site.Name)" -filter "system.ftpServer/security/ipSecurity" -name "allowUnlisted" -ErrorAction SilentlyContinue
+          # If allowUnlisted is true, FTP access is open to unlisted IPs (i.e., no proper IP restriction is applied)
+          if ($ipSecurity -eq $true) {
+              $vulnerable = $true
+              break
+          }
+      }
+      if ($vulnerable) {
+          "FTP_IP_ACCESS_CONTROL_NOT_CONFIGURED"
+      } else {
+          "FTP_IP_ACCESS_CONTROL_CONFIGURED"
+      }
+
+    matchers:
+      - type: word
+        words:
+          - "FTP_IP_ACCESS_CONTROL_NOT_CONFIGURED"