Advanced Security Analyzer Tool for Windows Server
<# .SYNOPSIS Advanced Security Analyzer Tool for Windows Server .DESCRIPTION This script performs a comprehensive security analysis on a Windows Server, providing detailed insights into various security aspects and potential vulnerabilities. .NOTES File Name : AdvancedWindowsServerSecurityAnalyzer.ps1 Author : [Your Name] Prerequisite : PowerShell V5.1 or later, administrator rights on a Windows Server Version : 1.0 Date : [Current Date] .EXAMPLE .\AdvancedWindowsServerSecurityAnalyzer.ps1 #> # Import required modules Import-Module ActiveDirectory Import-Module GroupPolicy # Global variables $global:reportPath = "$env:USERPROFILE\Desktop\Advanced_WindowsServer_Security_Analysis_Report_$(Get-Date -Format 'yyyyMMdd_HHmmss').html" <# .SYNOPSIS Displays the main menu of the tool. #> function Show-Menu { Clear-Host Write-Host "=== Advanced Windows Server Security Analyzer Tool ===" -ForegroundColor Cyan Write-Host "1. Analyze Windows Updates and Patches" Write-Host "2. Audit User Accounts and Permissions" Write-Host "3. Check Firewall and Network Security" Write-Host "4. Review File System and Share Permissions" Write-Host "5. Analyze Services and Running Processes" Write-Host "6. Check Group Policy Settings" Write-Host "7. Audit Event Logs" Write-Host "8. Analyze Installed Software" Write-Host "9. Check for Common Vulnerabilities" Write-Host "10. Review Encryption and Certificate Settings" Write-Host "11. Generate Comprehensive HTML Report" Write-Host "12. Exit" } <# .SYNOPSIS Analyzes Windows Updates and Patches. .OUTPUTS PSObject containing Windows Updates and Patch status. #> function Analyze-WindowsUpdatesAndPatches { Write-Host "`nAnalyzing Windows Updates and Patches..." -ForegroundColor Yellow $updateSession = New-Object -ComObject Microsoft.Update.Session $updateSearcher = $updateSession.CreateUpdateSearcher() $pendingUpdates = $updateSearcher.Search("IsInstalled=0") $installedUpdates = Get-HotFix | Sort-Object -Property InstalledOn -Descending $result = [PSCustomObject]@{ PendingUpdatesCount = $pendingUpdates.Updates.Count LastUpdateDate = $installedUpdates[0].InstalledOn CriticalUpdatesCount = ($pendingUpdates.Updates | Where-Object { $_.MsrcSeverity -eq "Critical" }).Count RecentlyInstalledUpdates = $installedUpdates | Select-Object -First 5 | ForEach-Object { "$($_.HotFixID) - $($_.InstalledOn)" } } $result | Format-List return $result } <# .SYNOPSIS Audits User Accounts and Permissions. .OUTPUTS Array of PSObjects containing user account and permission details. #> function Audit-UserAccountsAndPermissions { Write-Host "`nAuditing User Accounts and Permissions..." -ForegroundColor Yellow $users = Get-ADUser -Filter * -Properties Enabled, PasswordLastSet, LastLogonDate, PasswordNeverExpires, MemberOf $results = @() foreach ($user in $users) { $adminGroups = $user.MemberOf | Where-Object { $_ -like "*admin*" } $results += [PSCustomObject]@{ Username = $user.SamAccountName Enabled = $user.Enabled PasswordLastSet = $user.PasswordLastSet LastLogon = $user.LastLogonDate PasswordNeverExpires = $user.PasswordNeverExpires InAdminGroup = if ($adminGroups) { $true } else { $false } AdminGroups = $adminGroups -join ", " } } $results | Format-Table -AutoSize return $results } <# .SYNOPSIS Checks Firewall and Network Security. .OUTPUTS PSObject containing firewall and network security details. #> function Check-FirewallAndNetworkSecurity { Write-Host "`nChecking Firewall and Network Security..." -ForegroundColor Yellow $firewallProfiles = Get-NetFirewallProfile $openPorts = Get-NetTCPConnection | Where-Object { $_.State -eq 'Listen' } $result = [PSCustomObject]@{ DomainProfileEnabled = ($firewallProfiles | Where-Object { $_.Name -eq "Domain" }).Enabled PrivateProfileEnabled = ($firewallProfiles | Where-Object { $_.Name -eq "Private" }).Enabled PublicProfileEnabled = ($firewallProfiles | Where-Object { $_.Name -eq "Public" }).Enabled OpenPorts = $openPorts | Select-Object LocalPort, OwningProcess InboundRulesCount = (Get-NetFirewallRule -Direction Inbound).Count OutboundRulesCount = (Get-NetFirewallRule -Direction Outbound).Count } $result | Format-List return $result } <# .SYNOPSIS Reviews File System and Share Permissions. .OUTPUTS Array of PSObjects containing file system and share permission details. #> function Review-FileSystemAndSharePermissions { Write-Host "`nReviewing File System and Share Permissions..." -ForegroundColor Yellow $shares = Get-SmbShare | Where-Object { $_.Name -notlike "*$" } $results = @() foreach ($share in $shares) { $acl = Get-Acl $share.Path $permissions = $acl.Access | ForEach-Object { "$($_.IdentityReference) - $($_.FileSystemRights)" } $results += [PSCustomObject]@{ ShareName = $share.Name Path = $share.Path Permissions = $permissions -join "; " } } $results | Format-Table -AutoSize return $results } <# .SYNOPSIS Analyzes Services and Running Processes. .OUTPUTS Array of PSObjects containing service and process details. #> function Analyze-ServicesAndProcesses { Write-Host "`nAnalyzing Services and Running Processes..." -ForegroundColor Yellow $services = Get-WmiObject Win32_Service | Where-Object { $_.StartMode -eq 'Auto' -and $_.State -eq 'Running' } $processes = Get-Process | Where-Object { $_.CPU -gt 10 -or $_.WorkingSet -gt 100MB } $results = @() foreach ($service in $services) { $results += [PSCustomObject]@{ Type = "Service" Name = $service.Name DisplayName = $service.DisplayName StartName = $service.StartName State = $service.State } } foreach ($process in $processes) { $results += [PSCustomObject]@{ Type = "Process" Name = $process.Name ID = $process.Id CPU = $process.CPU Memory = [math]::Round($process.WorkingSet / 1MB, 2) } } $results | Format-Table -AutoSize return $results } <# .SYNOPSIS Checks Group Policy Settings. .OUTPUTS Array of PSObjects containing Group Policy setting details. #> function Check-GroupPolicySettings { Write-Host "`nChecking Group Policy Settings..." -ForegroundColor Yellow $gpos = Get-GPO -All $results = @() foreach ($gpo in $gpos) { $report = Get-GPOReport -Guid $gpo.Id -ReportType XML $settingsCount = ([xml]$report).GPO.Computer.ExtensionData.Extension.Policy.Count + ([xml]$report).GPO.User.ExtensionData.Extension.Policy.Count $results += [PSCustomObject]@{ Name = $gpo.DisplayName CreationTime = $gpo.CreationTime ModificationTime = $gpo.ModificationTime SettingsCount = $settingsCount } } $results | Format-Table -AutoSize return $results } <# .SYNOPSIS Audits Event Logs. .OUTPUTS Array of PSObjects containing event log details. #> function Audit-EventLogs { Write-Host "`nAuditing Event Logs..." -ForegroundColor Yellow $logs = @("System", "Security", "Application") $results = @() foreach ($log in $logs) { $events = Get-EventLog -LogName $log -Newest 100 | Group-Object -Property EntryType foreach ($eventType in $events) { $results += [PSCustomObject]@{ LogName = $log EventType = $eventType.Name Count = $eventType.Count } } } $results | Format-Table -AutoSize return $results } <# .SYNOPSIS Analyzes Installed Software. .OUTPUTS Array of PSObjects containing installed software details. #> function Analyze-InstalledSoftware { Write-Host "`nAnalyzing Installed Software..." -ForegroundColor Yellow $software = Get-WmiObject -Class Win32_Product | Select-Object Name, Vendor, Version, InstallDate $software | Format-Table -AutoSize return $software } <# .SYNOPSIS Checks for Common Vulnerabilities. .OUTPUTS Array of PSObjects containing vulnerability check results. #> function Check-CommonVulnerabilities { Write-Host "`nChecking for Common Vulnerabilities..." -ForegroundColor Yellow $results = @() # Check for SMBv1 $smbv1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol $results += [PSCustomObject]@{ Check = "SMBv1 Enabled" Status = if ($smbv1.State -eq "Enabled") { "Vulnerable" } else { "Secure" } } # Check for PowerShell v2 $psv2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 $results += [PSCustomObject]@{ Check = "PowerShell v2 Enabled" Status = if ($psv2.State -eq "Enabled") { "Vulnerable" } else { "Secure" } } # Check RDP settings $rdpEnabled = (Get-ItemProperty "HKLM:\System\CurrentControlSet\Control\Terminal Server").fDenyTSConnections -eq 0 $nlaEnabled = (Get-ItemProperty "HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp").UserAuthentication -eq 1 $results += [PSCustomObject]@{ Check = "RDP Enabled without NLA" Status = if ($rdpEnabled -and -not $nlaEnabled) { "Vulnerable" } else { "Secure" } } $results | Format-Table -AutoSize return $results } <# .SYNOPSIS Reviews Encryption and Certificate Settings. .OUTPUTS PSObject containing encryption and certificate details. #> function Review-EncryptionAndCertificates { Write-Host "`nReviewing Encryption and Certificate Settings..." -ForegroundColor Yellow $certs = Get-ChildItem -Path Cert:\LocalMachine\My $tlsSettings = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\*\*' | Where-Object { $_.Enabled -ne $null } $result = [PSCustomObject]@{ CertificateCount = $certs.Count ExpiredCertificates = ($certs | Where-Object { $_.NotAfter -lt (Get-Date) }).Count TLS10Enabled = ($tlsSettings | Where-Object { $_.PSPath -like "*TLS 1.0*" -and $_.Enabled -eq 1 }) -ne $null TLS11Enabled = ($tlsSettings | Where-Object { $_.PSPath -like "*TLS 1.1*" -and $_.Enabled -eq 1 }) -ne $null TLS12Enabled = ($tlsSettings | Where-Object { $_.PSPath -like "*TLS 1.2*" -and $_.Enabled -eq 1 }) -ne $null } $result | Format-List return $result } <# .SYNOPSIS Generates a comprehensive HTML report of all analyses. .PARAMETER AllResults Hashtable containing all analysis results. .OUTPUTS Saves an HTML report to the desktop. #> function Generate-HTMLReport { param([hashtable]$AllResults) Write-Host "`nGenerating Comprehensive HTML Report..." -ForegroundColor Yellow $reportContent = @" <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>Advanced Windows Server Security Analysis Report</title> <style> body { font-family: Arial, sans-serif; line-height: 1.6; color: #333; max-width: 1200px; margin: 0 auto; padding: 20px; } h1, h2, h3 { color: #0078D4; } table { border-collapse: collapse; width: 100%; margin-bottom: 20px; } th, td { border: 1px solid #ddd; padding: 8px; text-align: left; } th { background-color: #f2f2f2; } .vulnerable { color: red; font-weight: bold; } .secure { color: green; } </style> </head> <body> <h1>Advanced Windows Server Security Analysis Report</h1> <p>Generated on: $(Get-Date)</p> <h2>Windows Updates and Patches</h2> $($AllResults.UpdatesAndPatches | ConvertTo-Html -Fragment) <h2>User Accounts and Permissions</h2> $($AllResults.UserAccounts | ConvertTo-Html -Fragment) <h2>Firewall and Network Security</h2> $($AllResults.FirewallSecurity | ConvertTo-Html -Fragment) <h2>File System and Share Permissions</h2> $($AllResults.FileSystemPermissions | ConvertTo-Html -Fragment) <h2>Services and Running Processes</h2> $($AllResults.ServicesAndProcesses | ConvertTo-Html -Fragment) <h2>Group Policy Settings</h2> $($AllResults.GroupPolicySettings | ConvertTo-Html -Fragment) <h2>Event Logs Summary</h2> $($AllResults.EventLogs | ConvertTo-Html -Fragment) <h2>Installed Software</h2> $($AllResults.InstalledSoftware | ConvertTo-Html -Fragment) <h2>Common Vulnerabilities Check</h2> $($AllResults.Vulnerabilities | ForEach-Object { $_.Status = if ($_.Status -eq "Vulnerable") { '<span class="vulnerable">Vulnerable</span>' } else { '<span class="secure">Secure</span>' } $_ } | ConvertTo-Html -Fragment) <h2>Encryption and Certificate Settings</h2> $($AllResults.EncryptionSettings | ConvertTo-Html -Fragment) </body> </html> "@ $reportContent | Out-File -FilePath $global:reportPath Write-Host "Report generated and saved to: $global:reportPath" -ForegroundColor Green } # Main program loop $allResults = @{} do { Show-Menu $choice = Read-Host "`nEnter your choice (1-12)" switch ($choice) { "1" { $allResults.UpdatesAndPatches = Analyze-WindowsUpdatesAndPatches } "2" { $allResults.UserAccounts = Audit-UserAccountsAndPermissions } "3" { $allResults.FirewallSecurity = Check-FirewallAndNetworkSecurity } "4" { $allResults.FileSystemPermissions = Review-FileSystemAndSharePermissions } "5" { $allResults.ServicesAndProcesses = Analyze-ServicesAndProcesses } "6" { $allResults.GroupPolicySettings = Check-GroupPolicySettings } "7" { $allResults.EventLogs = Audit-EventLogs } "8" { $allResults.InstalledSoftware = Analyze-InstalledSoftware } "9" { $allResults.Vulnerabilities = Check-CommonVulnerabilities } "10" { $allResults.EncryptionSettings = Review-EncryptionAndCertificates } "11" { Generate-HTMLReport -AllResults $allResults } "12" { Write-Host "Exiting program..." -ForegroundColor Yellow; break } default { Write-Host "Invalid choice. Please try again." -ForegroundColor Red } } if ($choice -ne "12") { Read-Host "`nPress Enter to continue..." } } while ($choice -ne "12")
This Advanced Security Analyzer Tool for Windows Server includes:
- A comprehensive menu-driven interface.
- Advanced functions to analyze various security aspects:
- Detailed Windows Updates and Patch analysis
- In-depth user account and permission auditing
- Comprehensive firewall and network security check
- Detailed file system and share permissions review
- Analysis of services and running processes
- Group Policy settings check
- Event log auditing
- Installed software analysis
- Common vulnerabilities check
- Encryption and certificate settings review
- Detailed HTML report generation with color-coded vulnerability indicators.
Key features:
- Comprehensive analysis of Windows Updates, including pending and critical updates
- Detailed user account analysis, including admin group memberships
- In-depth firewall analysis, including open ports and rule counts
- File system and share permission auditing
- Service and process analysis with focus on auto-start services and resource-intensive processes
- Group Policy analysis
- Event log summary for system, security, and application logs
- Installed software inventory
- Checks for common vulnerabilities like SMBv1, PowerShell v2, and insecure RDP settings
- Review of encryption settings and certificate status
This tool is particularly useful for:
- System administrators performing thorough security audits
- IT security professionals conducting in-depth security assessments
- Compliance officers ensuring adherence to security standards
- Anyone needing a comprehensive overview of a Windows Server’s security posture
To use this script effectively:
- Run PowerShell as an administrator on the Windows Server you want to analyze
- Ensure you have the necessary permissions to query system information and Active Directory (if applicable)
- Review the generated HTML report for a detailed overview of the server’s security status
This script provides a comprehensive and advanced way to analyze the security of a Windows Server, helping to identify potential security issues, misconfigurations, and vulnerabilities across various aspects of the system.
Leave a Reply
Want to join the discussion?Feel free to contribute!