The current script feature set includes audit checks and enumeration for:
- Installed security products
- World-exposed local filesystem shares
- Domain users and groups with local group membership
- Registry autoruns
- Local services that are configurable by Authenticated Users group members
- Local services for which corresponding binary is writable by Authenticated Users group members
- Non-system32 Windows Hosted Services and their associated DLLs
- Local services with unquoted path vulnerability
- Non-system scheduled tasks
- DLL hijackability
- User Account Control settings
- Unattended installs leftovers
I can see this useful PowerShell script coming in quite handy for assessment using the CIS Top 20 Security Controls. I ran it on my domain-joined Windows 10 Surface Book via a privileged PowerShell and liked the results.
The script confirms that it's running with admin rights, checks PowerShell version, then inspects Windows Firewall settings. Looking good on the firewall, and WINSpect tees right off on my Window Defender instance and its configuration as well.
Not sharing a screenshot of my shares or admin users, sorry, but you'll find them enumerated when you run WINSpect.
WINSpect wrapped up with a quick check of configurable services, SMSvcHost is normal as part of .NET, even if I don't like it, but the flowExportService doesn't need to be there at all, I removed that a while ago after being really annoyed with it during testing. No user hosted services, and DLL Safe Search is enable...bonus. Finally, no unattended install leftovers, and all the scheduled tasks are normal for my system. Sweet, pretty good overall, thanks WINSpect. :-)
Give it a try for yourself, and keep an eye out for updates. Amine indicates that Local Security Policy controls, administrative shares configs, loaded DLLs, established/listening connections, and exposed GPO scripts on the to-do list.
Cheers...until next time.