Written by Ben Hooper, CTO at Astrix. See the original post here

Backstory

Back in August 2018, one of our partners commissioned us to create a PowerShell script that they could use to automatically and selectively revoke local administrative permissions to get IT systems compliant with the relevant parts of Cyber Essentials when those systems don’t have Active Directory Domain Services (AD DS) but do have Remote Monitoring and Management (RMM). A few days later, we had completed writing and testing the script and handed it over to the partner who were very happy with it.

This made us realise that IT departments would probably have a lot of use for a PowerShell toolkit that could automatically implement components of Cyber Essentials’ technical controls (see here and here) and/or cyber security basics in general. After all, they’d otherwise have to do so manually which takes quite a bit of time, especially for Managed Service Providers (MSPs) who would have to do so for multiple clients and who rarely have the spare time to invest in things like this.

So, we decided to:

  1. Fully pursue this. After all, we were well-positioned to do so given our experience as an MSP with administering and automating many IT systems, our experience as a Cyber Essentials Certification Body (see here if you’re interested in getting certified), and our resources.
  2. Make it freely available. After all, this would help to advance our vision of making people secure and would make the lives of our clients’ IT departments easier. Win-win!
  3. Not charge the partner. It’s only fair!

The scripts

We wanted these scripts to be as simple, easy to use, and flexible as possible so:

  1. The intended usage is manual execution on each PC or automatic execution on multiple PCs via an RMM system or Group Policy. As such, these scripts output to the console by default and can output to predefined or custom log files in local or network locations. Currently, there is no option to use 1 computer as a “hub”.
  2. We purchased a code signing certificate and used it to digitally sign them so that:
    1. To use them, PowerShell’s execution policy only has to be lowered from Restricted to AllSigned (if you install our certificate in the Trusted Publishers store) or to RemoteSigned (if you do not). Note: if you’re using an RMM system then you may not need to make any of these changes.
    2. You’ll know when these scripts have been modified by someone other than us (see here).
  3. They are compatible with PowerShell version 2 (default in Windows 7 with Service Pack 1) and newer.
  4. They use a standard format and, as such, the top of each has a comment block which explains the purpose, the notes, how to use any available parameters / switches / arguments, the change history, etc.

We have done our best to ensure that these scripts are safe and bug-free but, as always, you should check and safely test them for yourself before deploying them.

Currently, we have created the below 5 PowerShell scripts and have at least 1 other in the pipeline.

We have hosted a ZIP file of the PS1 files and the CER file for download here. For each individual script / PS1 file, download links are below.


The script: Enable-WindowsFirewall

Cyber Essentials’ #1 technical control is “Use a firewall to secure your Internet connection” and says “You could use a personal firewall on your internet connected laptop (normally included within your Operating System at no extra charge)”.

By default, our script will:

  1. Check the Windows Firewall service, report its current state, and ensure that it’s set to automatic and running (the default behaviour).
  2. Check the firewall states, report the current states, and ensure that they’re set to on for all network profiles (the default behaviour).
  3. Ensure that the inbound and outbound connection actions / behaviours are set to default for all network profiles.
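An added example, not the Astrix Enable-WindowsFirewall script itself, showing the three checks above as an audit-then-remediate routine. It assumes Windows 8 / Server 2012 or later with PowerShell 5.1 (the NetSecurity cmdlets and `Get-Service`'s `StartType` property); the page's own scripts target PowerShell 2, where `netsh advfirewall` would be used instead, and the `-ReportOnly` switch is this example's own:

```powershell
# Audit and (unless -ReportOnly) remediate the Windows Firewall service and profiles.
param([switch]$ReportOnly)

# 1. The firewall service (MpsSvc) must start automatically and be running.
$svc = Get-Service -Name 'MpsSvc'
Write-Output ("Service MpsSvc: StartType={0} Status={1}" -f $svc.StartType, $svc.Status)
if (-not $ReportOnly) {
    if ($svc.StartType -ne 'Automatic') { Set-Service -Name 'MpsSvc' -StartupType Automatic }
    if ($svc.Status -ne 'Running')      { Start-Service -Name 'MpsSvc' }
}

# 2. and 3. Every profile (Domain, Private, Public) must be enabled and use the
# Windows defaults for connection actions: inbound Block, outbound Allow.
# 'NotConfigured' is also acceptable because it falls back to those same defaults.
foreach ($p in Get-NetFirewallProfile -All) {
    $enabled  = ("$($p.Enabled)" -eq 'True')
    $inOk     = ("$($p.DefaultInboundAction)"  -in 'Block', 'NotConfigured')
    $outOk    = ("$($p.DefaultOutboundAction)" -in 'Allow', 'NotConfigured')
    Write-Output ("Profile {0}: Enabled={1} Inbound={2} Outbound={3}" -f `
        $p.Name, $p.Enabled, $p.DefaultInboundAction, $p.DefaultOutboundAction)

    if ($ReportOnly) { continue }
    if (-not ($enabled -and $inOk -and $outOk)) {
        # Set the state explicitly rather than relying on NotConfigured, so a later
        # Group Policy or third-party change is visible as a deviation on the next run.
        Set-NetFirewallProfile -Name $p.Name -Enabled True `
            -DefaultInboundAction Block -DefaultOutboundAction Allow
        Write-Output ("Profile {0}: remediated" -f $p.Name)
    }
}
```

Run it with `-ReportOnly` first so the console output shows the current state before anything is changed.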

We have hosted the PS1 file for download here.

We have recorded a short video of this script in action which you can see below:

The script: Set-CEPasswordPolicy

Cyber Essentials’ #2 technical control is “Choose the most secure settings for your devices and software” and says “your devices and your accounts should always be password-protected” and “you must change all default passwords before devices are distributed and used”. Also, the CE questionnaire requires that applicants answer “Yes” to “Do all your users and administrators use passwords of at least 8 characters?” otherwise it’s a major non-compliance.

Please note: because of the way Windows handles passwords, the only way that we could effectively guarantee this is as follows, so by default our script will:

  1. For all local user accounts:
    1. Disable "Password never expires".
    2. Enable "User must change password at next logon".
  2. Configure the local policy "Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy" | "Minimum Password Length".
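An added example, not the Astrix Set-CEPasswordPolicy script, of the two steps above using the WinNT ADSI provider (available in PowerShell 2) and `net accounts`. The 8-character minimum is taken from the CE questionnaire quoted above; the `-MinimumLength` and `-Exclude` parameters, and the idea of skipping already-disabled accounts, are this example's own assumptions:

```powershell
# Force every enabled local user to set a fresh password and enforce a minimum length.
param([int]$MinimumLength = 8, [string[]]$Exclude = @(), [switch]$ReportOnly)

$ADS_UF_ACCOUNTDISABLE     = 0x0002    # account is disabled
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000   # the "Password never expires" checkbox

# 1. Walk the local SAM. Order matters: "never expires" must be cleared before
#    "must change at next logon" (PasswordExpired = 1) has any effect.
$computer = [ADSI]"WinNT://$env:COMPUTERNAME,computer"
foreach ($user in ($computer.Children | Where-Object { $_.SchemaClassName -eq 'user' })) {
    $name  = $user.Name
    $flags = [int]$user.Get('UserFlags')
    if ($Exclude -contains $name) { Write-Output "$name: excluded"; continue }
    if ($flags -band $ADS_UF_ACCOUNTDISABLE) { Write-Output "$name: disabled, skipped"; continue }

    $neverExpires = (($flags -band $ADS_UF_DONT_EXPIRE_PASSWD) -ne 0)
    Write-Output ("{0}: PasswordNeverExpires={1}" -f $name, $neverExpires)
    if ($ReportOnly) { continue }

    if ($neverExpires) {
        $user.Put('UserFlags', ($flags -bxor $ADS_UF_DONT_EXPIRE_PASSWD))  # clear the bit
    }
    $user.Put('PasswordExpired', 1)    # "User must change password at next logon"
    $user.SetInfo()
    Write-Output "$name: remediated"
}

# 2. Minimum password length (Account Policies > Password Policy). 'net accounts' is used
#    because it exists on every supported Windows version; the line is parsed for reporting.
$current = (net accounts) | Select-String -Pattern 'Minimum password length'
Write-Output "Policy: $current"
if (-not $ReportOnly) {
    net accounts /minpwlen:$MinimumLength | Out-Null
    Write-Output "Policy: minimum password length set to $MinimumLength"
}
```

Because every affected user is forced to change their password at next logon, schedule the run for a time when users expect the prompt, and use `-Exclude` for service or kiosk accounts whose password is managed elsewhere.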

We have hosted the PS1 file for download here.

We have recorded a short video of this script in action which you can see below:

The script: Remove-LocalAdminPermissions

Cyber Essentials’ #3 technical control is “Control who has access to your data and services” and says “Check what privileges your accounts have - accounts with administrative privileges should only be used to perform administrative tasks. Standard accounts should be used for general work. By ensuring that your staff don’t browse the web or check emails from an account with administrative privileges you cut down on the chance that an admin account will be compromised.”

By default, our script will remove all user accounts and security groups from the local security group “Administrators” except for the default local user account “Administrator”, the domain security group “Domain Admins”, and any others specified.

If specified, our script will disable the default local user account “Administrator” in addition to the above.
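An added example of the behaviour described above, not the Astrix Remove-LocalAdminPermissions script. It assumes PowerShell 5.1 (the LocalAccounts cmdlets) and identifies the two protected principals by their well-known RIDs (500 = built-in Administrator, 512 = Domain Admins) rather than by display name, so a renamed Administrator account is still kept; the `-Keep`, `-DisableBuiltInAdmin` and `-ReportOnly` parameters are this example's own:

```powershell
# Strip everything from the local Administrators group except the built-in Administrator,
# Domain Admins and any principals named in -Keep; optionally disable Administrator.
param([string[]]$Keep = @(), [switch]$DisableBuiltInAdmin, [switch]$ReportOnly)

function Get-Rid([string]$sid) { $sid.Substring($sid.LastIndexOf('-') + 1) }

# Get-LocalGroupMember can throw on orphaned SIDs (deleted domain accounts); surface that
# rather than silently treating the group as empty.
try   { $members = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop) }
catch { throw "Could not enumerate Administrators: $($_.Exception.Message)" }

foreach ($m in $members) {
    $rid = Get-Rid $m.SID.Value
    $isLocalAdmin   = ($m.PrincipalSource -eq 'Local'           -and $rid -eq '500')
    $isDomainAdmins = ($m.PrincipalSource -eq 'ActiveDirectory' -and $rid -eq '512')
    $keep = $isLocalAdmin -or $isDomainAdmins -or ($Keep -contains $m.Name)

    Write-Output ("{0} [{1}] ({2}): {3}" -f $m.Name, $m.ObjectClass, $m.SID.Value,
        $(if ($keep) { 'keep' } elseif ($ReportOnly) { 'would remove' } else { 'remove' }))
    if ($keep -or $ReportOnly) { continue }

    # Remove by SID so the call works even if the name can no longer be resolved.
    Remove-LocalGroupMember -Group 'Administrators' -Member $m.SID.Value
}

if ($DisableBuiltInAdmin) {
    $builtIn = Get-LocalUser | Where-Object { (Get-Rid $_.SID.Value) -eq '500' }
    if ($ReportOnly) { Write-Output ("{0}: would be disabled" -f $builtIn.Name) }
    else {
        Disable-LocalUser -Name $builtIn.Name
        Write-Output ("{0}: disabled" -f $builtIn.Name)
    }
}
```

Before disabling the built-in Administrator on an unmanaged (non-domain) PC, confirm that at least one other account, whether in `-Keep` or reachable via the RMM agent, can still administer the machine.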

We have hosted the PS1 file for download here.

We have recorded a short video of this script in action which you can see below:

The script: List-EndpointProtection

Cyber Essentials’ #4 technical control is “Protect yourself from viruses and other malware” and says “Anti-malware measures are often included for free within popular operating systems [and] should be used on all computers and laptops.”

By default, our script will check Windows Security Center and report back whether an antivirus / endpoint protection app is installed and, if so, whether it’s enabled and up-to-date.
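An added example, not the Astrix List-EndpointProtection script, of reading the same information from the Security Center WMI namespace. The `productState` field is not formally documented; the byte decoding below is the commonly used interpretation and is an assumption, as is the function name. Note that `root/SecurityCenter2` exists only on client editions of Windows, so the query fails on Windows Server and the example reports that rather than "no product found":

```powershell
# Report every antivirus product registered with Windows Security Center, with its state.
function Get-EndpointProtectionStatus {
    try {
        $products = @(Get-CimInstance -Namespace 'root/SecurityCenter2' `
                         -ClassName 'AntiVirusProduct' -ErrorAction Stop)
    } catch {
        # Typical on Windows Server, where Security Center is absent; do not mistake
        # this for "no antivirus installed".
        throw "Security Center (root/SecurityCenter2) is not available: $($_.Exception.Message)"
    }

    foreach ($p in $products) {
        # productState is a 24-bit value; shown as six hex digits, e.g. 0x061100 -> "061100".
        # Commonly used decoding (undocumented): second byte 10/11 = real-time protection on,
        # third byte 00 = definitions current, 10 = out of date.
        $hex = '{0:X6}' -f [int]$p.productState
        [pscustomobject]@{
            Name      = $p.displayName
            Enabled   = ($hex.Substring(2, 2) -in '10', '11')
            UpToDate  = ($hex.Substring(4, 2) -eq '00')
            RawState  = $hex
            Timestamp = $p.timestamp
        }
    }
}

$status = @(Get-EndpointProtectionStatus)
if ($status.Count -eq 0) {
    Write-Output 'No antivirus / endpoint protection app is registered with Security Center.'
} else {
    $status | Format-Table -AutoSize
}
```

Treat `Enabled` and `UpToDate` as a first-pass signal; an entry that is registered but stale (old `Timestamp`) usually means the product was uninstalled without deregistering.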

We have hosted the PS1 file for download here.

We have recorded a short video of this script in action when it finds no apps which you can see below:

We have recorded a short video of this script in action when it finds an app which you can see below:

The script: Enable-WindowsUpdate

Cyber Essentials’ #5 technical control is “Keep your devices and software up to date” and says “Applying these updates (a process known as patching) is one of the most important things you can do to improve security. Operating systems, programmes, phones and apps should all be set to ‘automatically update’ wherever this is an option”.

By default, our script will:

  1. Check the Windows Update service, report its current state, and ensure that it’s set to automatic and running (the default behaviour).
  2. Check the important and recommended updates configuration, report the current states, and ensure that they’re set to automatically install (the default behaviour).
  3. Ensure that Microsoft Update (Windows Update for other Microsoft products) is set to enabled.
  4. Set the installation schedule to "Every day at 03:00" (the default behaviour).
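An added example, not the Astrix Enable-WindowsUpdate script, implementing the four steps above through the Windows Update Agent COM API (available since PowerShell 2). The service GUID for Microsoft Update is the well-known one used by `AddService2`; the `-InstallHour` and `-ReportOnly` parameters are this example's own. On Windows 10 the scheduled day/time properties may be reported as read-only or ignored in favour of the Settings app, which is why the example checks `ReadOnly` before saving:

```powershell
# Ensure the Windows Update service, Automatic Updates settings and Microsoft Update opt-in.
param([int]$InstallHour = 3, [switch]$ReportOnly)

# 1. The Windows Update service (wuauserv) must start automatically and be running.
$svc = Get-Service -Name 'wuauserv'
Write-Output ("Service wuauserv: StartType={0} Status={1}" -f $svc.StartType, $svc.Status)
if (-not $ReportOnly) {
    Set-Service -Name 'wuauserv' -StartupType Automatic
    if ($svc.Status -ne 'Running') { Start-Service -Name 'wuauserv' }
}

# 2. and 4. Automatic Updates: download and install on a schedule, include recommended
#    updates, every day (day 0) at the given hour.
$au = New-Object -ComObject 'Microsoft.Update.AutoUpdate'
$s  = $au.Settings
Write-Output ("AU: NotificationLevel={0} IncludeRecommended={1} Day={2} Hour={3} ReadOnly={4}" -f `
    $s.NotificationLevel, $s.IncludeRecommendedUpdates, $s.ScheduledInstallationDay,
    $s.ScheduledInstallationTime, $s.ReadOnly)
if (-not $ReportOnly) {
    if ($s.ReadOnly) {
        Write-Output 'AU: settings are read-only (managed by policy); not changed'
    } else {
        $s.NotificationLevel          = 4      # aunlScheduledInstallation
        $s.IncludeRecommendedUpdates  = $true
        $s.ScheduledInstallationDay   = 0      # 0 = every day
        $s.ScheduledInstallationTime  = $InstallHour
        $s.Save()
        Write-Output 'AU: remediated'
    }
}

# 3. Microsoft Update (updates for other Microsoft products) must be registered with AU.
$MicrosoftUpdateServiceId = '7971f918-a847-4430-9279-4a52d1efe18d'
$sm = New-Object -ComObject 'Microsoft.Update.ServiceManager'
$mu = $sm.Services | Where-Object { $_.ServiceID -eq $MicrosoftUpdateServiceId }
$registered = ($null -ne $mu -and $mu.IsRegisteredWithAU)
Write-Output ("Microsoft Update registered with AU: {0}" -f $registered)
if (-not $registered -and -not $ReportOnly) {
    $sm.ClientApplicationID = 'Enable-WindowsUpdate example'
    # 7 = asfAllowPendingRegistration | asfAllowOnlineRegistration | asfRegisterServiceWithAU
    [void]$sm.AddService2($MicrosoftUpdateServiceId, 7, '')
    Write-Output 'Microsoft Update: registered'
}
```

If the machine receives Windows Update settings from Group Policy or an RMM policy, `ReadOnly` will be true and those settings, not this script, are what need to be checked.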

We have hosted the PS1 file for download here.

We have recorded a short video of this script in action which you can see below: