CHAPS – Configuration Hardening Assessment PowerShell Script

CHAPS is a PowerShell script for checking system security settings where additional software and assessment tools, such as Microsoft Policy Analyzer, cannot be installed. The purpose of this script is to run it on a server or workstation to collect configuration information about that system. The information collected can then be used to provide recommendations (and references) to improve the security of the individual system and systemic issues within the organization’s Windows environment.


Examples of environments where this script is useful include Industrial Control System (ICS) environments where systems cannot be modified. These systems include Engineer / Operator workstations, Human Machine Interface (HMI) systems, and management servers that are deployed in production environments.

Secure Baseline Checks – Securing Windows Workstations:

  • Check AppLocker – Determine if AppLocker is configured to monitor scripts, at a minimum.
  • Check EMET – If the Windows version is earlier than Windows 10, check that the EMET service is running.
  • Deploy LAPS – Determine if LAPS is installed.
  • Force Group Policy to reapply settings during “refresh”
  • Determine how NoGPOListChanges is configured to see if GPOs are applied every time they are checked.
  • Disable Net Session Enumeration
  • Disable WPAD – Check for a WPAD entry in the Windows “etc\hosts” file. Check for the WpadOverride registry key.
  • Determine if the WinHTTPAutoProxySvc is running.
  • Check if the Windows hotfix KB3165191 is installed.
  • Check WINS configuration.
  • Determine network adapter configurations.
  • Disable LLMNR
  • Determine if DNSClient.EnableMulticast is disabled.
  • Disable Windows Browser Protocol – Determine if the Computer Browser service is running.
  • Disable NetBIOS – Check the setting of TcpipNetbiosOptions to determine if it is disabled.
  • Disable Windows Scripting
  • Prevent Interactive Login – Check the configuration of the registry key LocalAccountTokenFilterPolicy to see if it is disabled (0 or absent), so that local administrator accounts do not receive a full-privilege token over the network.
  • Disable WDigest – Check the configuration of the registry key WDigest.UseLogonCredential to determine if it is disabled (set to 0), so that plaintext credentials are not kept in LSASS memory.
  • Disable SMBv1 – Use Get-SmbServerConfiguration to check:
    • If SMBv1 is disabled.
    • If SMBv1 auditing is enabled.
  • Block Untrusted Fonts on Windows 10 – Check the registry key Kernel.MitigationOptions to determine if it is configured to block untrusted fonts.
  • Enable Credential / Device Guard on Windows 10
  • Secure LanMan Authentication
  • Restrict RPC Clients – Determine if remote RPC client access is restricted.
  • Configure NTLM session security – Check the NTLM Session Server Security settings to determine if they require NTLMv2 and 128-bit encryption. Check the NTLM Session Client Security settings to determine if they require NTLMv2 and 128-bit encryption.
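To show how a handful of the checks above reduce to “read one setting, compare to its hardened value”, here is an added, read-only PowerShell example. It is not CHAPS’s own code: the function and finding names are this example’s own, while the registry paths, service names and expected values are Microsoft’s documented settings. It assumes PowerShell 3 or later on Windows 8/2012 or newer (for Get-CimInstance and Get-SmbServerConfiguration) and an elevated session so the Lsa and SMB queries succeed.

```powershell
# Added example (not CHAPS's own code): a stand-alone, read-only subset of the
# checks listed above. Nothing is changed on the host; each check returns a
# pass/fail finding with the raw value so an assessor can cite it in a report.
# Assumes PowerShell 3+ and an elevated session.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent: return $null so the caller reports "not set"
}

function New-Finding {
    param([string]$Check, [bool]$Pass, [string]$Detail)
    [pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail }
}

function Show-Value($v) { if ($null -eq $v) { 'not set' } else { "$v" } }

function Test-ChapsSubset {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $f = @()

    # WDigest: UseLogonCredential must be 0, otherwise plaintext credentials stay in LSASS memory.
    $v = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential'
    $f += New-Finding 'WDigest UseLogonCredential = 0' ($v -eq 0) "UseLogonCredential: $(Show-Value $v)"

    # LLMNR: the DNSClient policy value EnableMulticast = 0 disables it.
    $v = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast'
    $f += New-Finding 'LLMNR disabled (EnableMulticast = 0)' ($v -eq 0) "EnableMulticast: $(Show-Value $v)"

    # Remote UAC token filtering: LocalAccountTokenFilterPolicy absent or 0 keeps local
    # administrator accounts from getting a full-privilege token over the network.
    $v = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'LocalAccountTokenFilterPolicy'
    $f += New-Finding 'LocalAccountTokenFilterPolicy not 1' ($v -ne 1) "LocalAccountTokenFilterPolicy: $(Show-Value $v)"

    # LanMan authentication: level 5 = send NTLMv2 only, refuse LM and NTLM.
    $v = Get-RegValue $lsa 'LmCompatibilityLevel'
    $f += New-Finding 'LmCompatibilityLevel = 5' ($v -eq 5) "LmCompatibilityLevel: $(Show-Value $v)"

    # NTLM session security: 0x20080000 = require NTLMv2 session security + 128-bit encryption.
    $mask = 0x20080000
    foreach ($name in 'NTLMMinClientSec', 'NTLMMinServerSec') {
        $v = Get-RegValue "$lsa\MSV1_0" $name
        $ok = ($null -ne $v) -and ((([int64]$v) -band $mask) -eq $mask)
        $f += New-Finding "$name requires NTLMv2 + 128-bit" $ok ("{0}: {1}" -f $name, (Show-Value $v))
    }

    # SMBv1 via Get-SmbServerConfiguration (needs elevation; cmdlet absent on Windows 7).
    $smb = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($smb) {
        $f += New-Finding 'SMBv1 server disabled' (-not $smb.EnableSMB1Protocol) "EnableSMB1Protocol: $($smb.EnableSMB1Protocol)"
        $f += New-Finding 'SMBv1 access auditing on' ([bool]$smb.AuditSmb1Access) "AuditSmb1Access: $($smb.AuditSmb1Access)"
    } else {
        $f += New-Finding 'SMBv1 server configuration' $false 'Get-SmbServerConfiguration unavailable or access denied'
    }

    # NetBIOS over TCP/IP per IP-enabled adapter: 2 = disabled, 1 = enabled, 0 = DHCP/default.
    foreach ($nic in Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE') {
        $f += New-Finding "NetBIOS disabled on '$($nic.Description)'" ($nic.TcpipNetbiosOptions -eq 2) "TcpipNetbiosOptions: $($nic.TcpipNetbiosOptions)"
    }

    # Computer Browser service: not installed or stopped is the desired state.
    $svc = Get-Service -Name Browser -ErrorAction SilentlyContinue
    $f += New-Finding 'Computer Browser service not running' (($null -eq $svc) -or ($svc.Status -ne 'Running')) "Status: $(if ($svc) { $svc.Status } else { 'not installed' })"

    # WPAD: a non-comment 'wpad' line in the hosts file is the pin-it-locally mitigation;
    # a stopped WinHTTP auto-proxy service means WPAD discovery is not in use.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $wpadLines = @(Select-String -Path $hosts -Pattern '^\s*[^#].*\bwpad\b' -ErrorAction SilentlyContinue)
    $f += New-Finding 'hosts file has WPAD entry' ($wpadLines.Count -gt 0) "hosts: $(if ($wpadLines.Count -gt 0) { $wpadLines[0].Line.Trim() } else { 'no wpad entry' })"
    $svc = Get-Service -Name WinHttpAutoProxySvc -ErrorAction SilentlyContinue
    $f += New-Finding 'WinHttpAutoProxySvc not running' (($null -eq $svc) -or ($svc.Status -ne 'Running')) "Status: $(if ($svc) { $svc.Status } else { 'not installed' })"

    # KB3165191 (MS16-077 WPAD hardening) is a discrete hotfix only on Windows 7/8.1/2012;
    # Windows 10 receives the fix through cumulative updates, so absence there is expected.
    $kb = Get-HotFix -Id KB3165191 -ErrorAction SilentlyContinue
    $f += New-Finding 'KB3165191 installed' ([bool]$kb) $(if ($kb) { "Installed $($kb.InstalledOn)" } else { 'not found' })

    return $f
}

# Usage: failures sort first so the report leads with what needs fixing.
Test-ChapsSubset | Sort-Object Pass | Format-Table Check, Pass, Detail -AutoSize -Wrap
```

Every check reads state and reports it; none writes to the registry or stops a service, which is the property that makes this style of script acceptable on an ICS workstation where the change-control answer is otherwise “no”. The raw value is kept in the Detail column so a finding can be verified by hand (for example with reg query) before it goes into a report.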

You can read more and download this script over here: https://github.com/cutaway-security/chaps
