Audit policy using Pester

In my previous post, I showed how to leverage DSC to apply a configuration that defines the local audit policy.
If you are only interested in checking a system's compliance, Pester may be the better fit: it assesses the system against a template and validates its operational status rather than enforcing it.

First, I create a hashtable of settings like this:

auditpol.exe /get /category:* /r |
ConvertFrom-Csv |
Select Subcategory*,*lusion* | 
ForEach-Object {
    '    @{'
    "        Name = '{0}'" -f $_.Subcategory
    "        GUID = '{0}'" -f $_.'Subcategory GUID'
    "        Inclusion = '{0}'" -f $_.'Inclusion Setting'
    '    },'
}

and I populate the file auditpol.ps1 with the output of the above command. The content looks like this, with the hashtables stored inside an array named $AuditPolicy.

Now in the test file auditpol.tests.ps1, I’ve:

$here = Split-Path -Parent $MyInvocation.MyCommand.Path
$sut = (Split-Path -Leaf $MyInvocation.MyCommand.Path) -replace '\.Tests\.', '.'
. "$here\$sut"
#region Audit Policy
Describe 'Audit Policy' {
    BeforeAll {
        # Read the live audit policy once for the whole Describe block
        $CurrentAuditPolicy = (& (gcm auditpol.exe) @('/get','/category:*','/r') | ConvertFrom-Csv | Select Subcategory*,*lusion*)
    }
    $AuditPolicy | ForEach-Object -Process {
        $n = $_.Name
        $g = $_.GUID
        $i = $_.Inclusion
        It "should have its $n policy set to $i" {
            ($CurrentAuditPolicy | Where { $_.'Subcategory GUID' -eq $g }).'Inclusion Setting' -eq $i | Should be $true
        }
    }
}
#endregion

Let’s see how to use it:

Invoke-Pester ~/documents/pester/auditpol

(screenshot: audit-pol-invoke-pester-success)

If I change the Logoff policy for example like this:

auditpol /Set /subcategory:{0CCE9216-69AE-11D9-BED3-505054503030} /failure:enable

and run the Pester test a second time, I’ll get:
(screenshot: audit-pol-invoke-pester-failure)
…my system isn’t compliant anymore with the settings defined in my template.
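The check above returns a bare $true/$false per It block. As an added example (not code from the original post), the function below does the same template comparison but returns one result object per entry, treats a subcategory the system does not report as drift instead of a silent pass, and can be fed constructed CSV text so it runs offline. The function name, the -CurrentCsv parameter and the $SampleAuditpolOutput text are assumptions of this example; the template uses the same @{ Name; GUID; Inclusion } hashtables as auditpol.ps1.

```powershell
# Template in the same shape as the $AuditPolicy array built above (constructed subset)
$AuditPolicy = @(
    @{ Name = 'Logon';            GUID = '{0CCE9215-69AE-11D9-BED3-505054503030}'; Inclusion = 'Success and Failure' },
    @{ Name = 'Logoff';           GUID = '{0CCE9216-69AE-11D9-BED3-505054503030}'; Inclusion = 'Success' },
    @{ Name = 'Process Creation'; GUID = '{0CCE922B-69AE-11D9-BED3-505054503030}'; Inclusion = 'Success' }
)

# Constructed sample of what `auditpol.exe /get /category:* /r` prints (Process Creation deliberately missing)
$SampleAuditpolOutput = @'
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
HOST01,System,Logon,{0CCE9215-69AE-11D9-BED3-505054503030},Success and Failure,
HOST01,System,Logoff,{0CCE9216-69AE-11D9-BED3-505054503030},Success and Failure,
'@

function Get-AuditPolicyDrift {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [hashtable[]] $Template,
        # CSV text as produced by auditpol /r; defaults to the live system when not supplied
        [string] $CurrentCsv = (& (Get-Command auditpol.exe) @('/get','/category:*','/r') | Out-String)
    )
    $current = $CurrentCsv | ConvertFrom-Csv
    foreach ($entry in $Template) {
        $row = $current | Where-Object { $_.'Subcategory GUID' -eq $entry.GUID }
        # A GUID the system does not report is drift too, not a pass
        $actual = if ($row) { $row.'Inclusion Setting' } else { '<not reported>' }
        [pscustomobject]@{
            Subcategory = $entry.Name
            GUID        = $entry.GUID
            Expected    = $entry.Inclusion
            Actual      = $actual
            Compliant   = ($actual -eq $entry.Inclusion)
        }
    }
}

# Offline run against the constructed sample:
# Logon is compliant, Logoff is not (Success and Failure vs Success),
# Process Creation shows '<not reported>' and is therefore not compliant either
$drift = Get-AuditPolicyDrift -Template $AuditPolicy -CurrentCsv $SampleAuditpolOutput
$drift | Format-Table Subcategory, Expected, Actual, Compliant -AutoSize

# The same objects can drive one It per template entry inside a Describe block:
# Describe 'Audit Policy' {
#     foreach ($r in (Get-AuditPolicyDrift -Template $AuditPolicy)) {
#         It "should have its $($r.Subcategory) policy set to $($r.Expected)" { $r.Compliant | Should Be $true }
#     }
# }
```

Omitting -CurrentCsv queries the live system, so the function can be called from the Pester test as-is; passing the captured text instead lets the test logic itself be tested without an elevated console.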

#PowerShell10Year

PowerShell celebrated its 10th anniversary on Monday, November 14th.

To celebrate it, there was a live stream all day long that was announced on the PowerShell Team blog.

If you missed it, no problem: you can go to Channel 9 and watch it using this link https://channel9.msdn.com/Events/PowerShell-Team/PowerShell-10-Year-Anniversary

ps10y-itpro

The community demonstrated all day long how they use PowerShell. That was awesome!!! Kenneth Hansen and Angel Calvo also discussed Future Directions for PowerShell.
(screenshot: ps10y-future-03)

There were also Code Golf holes to celebrate that day 😀

  • Code golf hole 1
  • I submitted the following answer and introduced an old trick (works in PS 2.0) to subtract days from the current datetime object

    gcim(gwmi -li *ix*).Name|? I*n -gt((date)+-30d)
    

    and it passed the pester test
    ps10y-hole1-pester
    Here’s what it does:

    • gwmi is the alias of the Get-WmiObject cmdlet.
    • -li is the shortest version of the -List parameter of Get-WmiObject.
    • -List allows wildcards when looking for WMI classes. So *ix* matches the Win32_QuickFixEngineering WMI class that the Get-Hotfix cmdlet queries.
    • gcim is the alias of the Get-CimInstance cmdlet.
    • (gwmi -li *ix*).Name returns Win32_QuickFixEngineering.
    • Now that we have the list of hotfixes as CIM instances we can filter on the right.
    • ? is the alias of Where-Object.
    • I*n is the short name of the InstalledOn property that is a datetime object.
    • So we can compare it to the current date minus 30 days.
    • We can omit Get- in Get-Date and just type (date).
    • To subtract 30 days we use the old trick (date)+-30d 😎

    A longer form would be

    Get-CimInstance (Get-WmiObject -List *ix*).Name |
    Where InstalledOn -gt (Get-date).AddDays(-30d)
    # or 
    Get-CimInstance Win32_QuickFixEngineering |
    Where InstalledOn -gt (Get-date).AddDays(-30d)
    
  • Code golf hole 2
  • I submitted the following answer that uses the -File switch parameter. Some answers submitted have a problem and may be broken when you change the path to another drive like HKLM: or Cert: for example. Mine is also somehow broken and works only if the console is started as administrator where the default path is set to C:\windows\system32.

    (ls c: -File|% E*n|group|sort c* -d)[0..9]
    

    …but it passed the pester test
    ps10y-hole2-pester
    Anyway, here’s how to decode it:

    • ls is the alias of the Get-ChildItem cmdlet.
    • ls c: -File returns only the files in system32, including those that have no extension.
    • % is the alias of the ForEach-Object cmdlet.
    • E*n is the short name of the Extension property of items returned by Get-ChildItem.
    • group is the short form of the Group-Object cmdlet: for cmdlets whose noun is Object we can usually omit the -Object part, except for the New-Object cmdlet.
    • sort is the alias of the Sort-Object cmdlet.
    • c* is the short name of the Count property returned by Group-Object.
    • -d is the short name of the -Descending switch parameter of the Sort-Object cmdlet.
    • To get only the first 10, we enclose everything in parentheses to treat it as an array and then we enumerate the elements in the array using the [0..9] notation.

    A longer form would be

    (Get-ChildItem -Path c: -File | ForEach-Object { 
     $_.Extension 
    } |Group-Object | 
    Sort-Object -Property Count -Descending)[0..9]
    
  • Code golf hole 3
  • For the 3rd hole, I submitted the following solution 😎

    gal ?,?? -e h,g?,?s
    

    and it passed the pester test
    ps10y-hole3-pester
    Here is how to read it:

    • gal is the alias of the Get-Alias cmdlet.
    • Get-Alias binds its first positional argument to the -Name parameter by default, and that parameter accepts an array of strings and wildcards.
    • * represents all/any characters and ? only one character (it’s the same in DOS) and ?? represents two characters.
    • -e is the short name of the -Exclude parameter of the Get-Alias cmdlet.
    • -Exclude also accepts an array of strings and wildcards.
    • To avoid aliases for Get- cmdlets, we explicitly exclude h, the alias of the Get-History cmdlet; all the aliases for Get- cmdlets that begin with g followed by a second letter, like gi (Get-Item), gc (Get-Content), …; and finally the two Unix-style aliases ps (Get-Process) and ls (Get-ChildItem).

    A longer form would be

    Get-Alias -Name ?,?? -Exclude h,gc,gi,gl,gm,gp,gu,gv,ps,ls
    

Security policy and DSC

When I showcased DSC to our security team, I also built another wrapper, this time around secedit.exe.
I took the same quick’n dirty approach as the audit policy DSC script from my previous post. Again, only File and Script DSC resources are involved in the configuration.

Note that there’s also a limitation in my code.
Secedit.exe can handle more than just the local security policy.
There are other areas it can cover: restricted group settings, user logon rights,

To get the security baseline I first exported the local security policy to a file like this:

 
secedit.exe /export /Cfg C:\secpol.txt /areas SECURITYPOLICY

… and I copied/pasted the content of the resulting C:\secpol.txt into the Contents property of my File resource.

#region secedit
Script SeceditPolicy {
    GetScript = {
        @{
            GetScript  = $GetScript
            SetScript  = $SetScript
            TestScript = $TestScript
            Result     = (& {
                # Export the current local security policy and turn its Key=Value lines into objects
                $null = & (gcm secedit.exe) @('/export','/Cfg','C:\Windows\temp\secpol.SECURITYPOLICY.txt','/areas','SECURITYPOLICY')
                (Get-Content -Path 'C:\Windows\temp\secpol.SECURITYPOLICY.txt' -ReadCount 1) -match '^([A-Z\s0-9_\\]+)=(.*)$' -replace '=',',' |
                ConvertFrom-Csv -Header Key,Value1,Value2
            })
        }
    }
    SetScript = {
        # secedit /import /db filename /cfg filename [/overwrite][/areas area1 area2...] [/log filename] [/quiet]
        & (gcm secedit.exe) @('/import','/db','C:\Windows\security\database\secedit.sdb','/cfg','C:\windows\temp\seceditpol.inf',
            '/areas','SECURITYPOLICY','/log','C:\windows\temp\seceditpol.log','/quiet')
    }
    TestScript = {
        # Compliant only when the exported policy shows no difference from the template INF
        if (
            Compare-Object `
                -ReferenceObject (
                    (Get-Content -Path 'C:\windows\temp\seceditpol.inf' -ReadCount 1) `
                    -match '^([A-Z\s0-9_\\]+)=(.*)$' -replace '=',',' |
                    ConvertFrom-Csv -Header Key,Value1,Value2
                ) `
                -DifferenceObject (
                    & {
                        $null = & (gcm secedit.exe) @('/export','/Cfg','C:\Windows\temp\secpol.SECURITYPOLICY.txt','/areas','SECURITYPOLICY')
                        (Get-Content -Path 'C:\Windows\temp\secpol.SECURITYPOLICY.txt' -ReadCount 1) `
                        -match '^([A-Z\s0-9_\\]+)=(.*)$' -replace '=',',' |
                        ConvertFrom-Csv -Header Key,Value1,Value2
                    }
                ) # -IncludeEqual
        ) {
            return $false
        } else {
            return $true
        }
    }
    DependsOn = '[File]seceditinf'
}
File seceditinf {
    DestinationPath = 'C:\windows\temp\seceditpol.inf'
    Ensure          = 'Present'
    Force           = $true
    Contents        = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 1
PasswordHistorySize = 0
LockoutBadCount = 0
RequireLogonToChangePassword = 0
ForceLogoffWhenHourExpire = 0
NewAdministratorName = "Administrator"
NewGuestName = "Guest"
ClearTextPassword = 0
LSAAnonymousNameLookup = 0
EnableAdminAccount = 1
EnableGuestAccount = 0
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 0
AuditObjectAccess = 0
AuditPrivilegeUse = 0
AuditPolicyChange = 0
AuditAccountManage = 0
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 0
[Version]
signature="$CHICAGO$"
Revision=1
[Registry Values]
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel=4,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand=4,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"10"
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon=4,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning=4,5
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption=1,"0"
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin=4,5
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser=4,3
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption=1,""
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=7,
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ScForceOption=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures=4,0
MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\AuthenticodeEnabled=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing=3,0
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,3
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\AuditReceivingNTLMTraffic=4,2
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec=4,536870912
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec=4,536870912
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\RestrictSendingNTLMTraffic=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers=4,1
MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\Machine=7,System\CurrentControlSet\Control\ProductOptions,System\CurrentControlSet\Control\Server Applications,Software\Microsoft\Windows NT\CurrentVersion
MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine=7,System\CurrentControlSet\Control\Print\Printers,System\CurrentControlSet\Services\Eventlog,Software\Microsoft\OLAP Server,Software\Microsoft\Windows NT\CurrentVersion\Print,Software\Microsoft\Windows NT\CurrentVersion\Windows,System\CurrentControlSet\Control\ContentIndex,System\CurrentControlSet\Control\Terminal Server,System\CurrentControlSet\Control\Terminal Server\UserConfig,System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration,Software\Microsoft\Windows NT\CurrentVersion\Perflib,System\CurrentControlSet\Services\SysmonLog
MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive=4,1
MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,0
MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode=4,1
MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems\optional=7,
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect=4,15
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes=7,
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess=4,1
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword=4,0
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature=4,0
MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\AuditNTLMInDomain=4,7
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange=4,0
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge=4,30
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel=4,1
'@
}
#endregion
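The Get and Test scripts above rewrite every "=" to "," and read the result as three CSV columns, so a registry value whose data already contains commas (the AllowedPaths entries) is cut off after the first one and lines in the other INF sections are lost. As an added example (not code from the original post), the parser below keeps each section name, splits each line on the first "=" only, and diffs two exports by key, so the whole value survives. The two INF texts are constructed excerpts and the function names are assumptions of this example.

```powershell
# Constructed excerpt of a secedit /export of the local security policy (the baseline)
$BaselineInf = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 0
LockoutBadCount = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine=7,System\CurrentControlSet\Services\Eventlog,Software\Microsoft\OLAP Server
'@

# Constructed excerpt of a later export of the same machine (two values changed)
$CurrentInf = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 14
LockoutBadCount = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine=7,System\CurrentControlSet\Services\Eventlog
'@

function ConvertFrom-SeceditInf {
    # Turns INF text into Section/Key/Value objects; values keep their commas and any later '='
    param([Parameter(Mandatory)] [string] $Text)
    $section = ''
    foreach ($line in ($Text -split "`r?`n")) {
        $line = $line.Trim()
        if (-not $line -or $line.StartsWith(';')) { continue }          # blank line or INF comment
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($line -notmatch '=') { continue }                            # nothing to parse
        $key, $value = $line -split '=', 2                               # split on the first '=' only
        [pscustomobject]@{
            Section = $section
            Key     = $key.Trim()
            Value   = $value.Trim()
        }
    }
}

function Compare-SeceditInf {
    # Returns one object per key whose value differs (or that exists on one side only)
    param(
        [Parameter(Mandatory)] [string] $Baseline,
        [Parameter(Mandatory)] [string] $Current
    )
    $base = @{}
    foreach ($e in ConvertFrom-SeceditInf -Text $Baseline) { $base["$($e.Section)|$($e.Key)"] = $e.Value }
    $cur = @{}
    foreach ($e in ConvertFrom-SeceditInf -Text $Current)  { $cur["$($e.Section)|$($e.Key)"]  = $e.Value }
    foreach ($k in (@($base.Keys) + @($cur.Keys) | Sort-Object -Unique)) {
        if ($base[$k] -cne $cur[$k]) {          # case-sensitive: registry data is compared verbatim
            $section, $key = $k -split '\|', 2
            [pscustomobject]@{
                Section  = $section
                Key      = $key
                Baseline = $base[$k]
                Current  = $cur[$k]
            }
        }
    }
}

# Offline run: reports MinimumPasswordLength (0 vs 14) and the AllowedPaths entry,
# whose second path is missing in the current export
Compare-SeceditInf -Baseline $BaselineInf -Current $CurrentInf | Format-List

# Against a live system, export as above and feed the file contents (secedit writes UTF-16, which
# Get-Content detects from the BOM):
# secedit.exe /export /cfg C:\secpol.txt /areas SECURITYPOLICY
# Compare-SeceditInf -Baseline (Get-Content C:\secpol_baseline.txt -Raw) -Current (Get-Content C:\secpol.txt -Raw)
```

Because the comparison is keyed on section and key, a TestScript built on it can say which setting drifted instead of only returning $false, and a key present only in one export is reported rather than silently dropped.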

Audit policy and DSC

(screenshot: auditpolicydsc-tweet)

The module shown in the tweet above can be found on the PowerShell Gallery and on GitHub.

Now that Microsoft has published a full module for this purpose, I can actually show you the quick’n dirty way I coded it a few months ago when I needed to showcase DSC to our internal security team.

It only uses native File and Script DSC resources. In other words, there’s no dependency on any external DSC resource 🙂

First, to get the content of the CSV file that represents our desired settings and that we’ll drop on the disk, I run:

auditpol.exe /get /category:* /r |
ConvertFrom-Csv |
Select Subcategory*,*lusion* |
# -NoTypeInformation keeps the "#TYPE" line out of the file so the header row comes first, as pasted below
Export-Csv -Path ~/Documents/polaudit.csv -NoTypeInformation

Then I paste the content of polaudit.csv into the Contents property of the File resource.

The Get and Test parts of the Script DSC resource use the same trick as above to get the output of our brave old legacy (heritage) auditpol.exe as objects:

File auditcsv {
    DestinationPath = 'C:\windows\temp\polaudit.csv'
    Ensure          = 'Present'
    Force           = $true
    Contents        = @'
"Subcategory","Subcategory GUID","Inclusion Setting","Exclusion Setting"
"Security System Extension","{0CCE9211-69AE-11D9-BED3-505054503030}","No Auditing",
"System Integrity","{0CCE9212-69AE-11D9-BED3-505054503030}","Success and Failure",
"IPsec Driver","{0CCE9213-69AE-11D9-BED3-505054503030}","No Auditing",
"Other System Events","{0CCE9214-69AE-11D9-BED3-505054503030}","Success and Failure",
"Security State Change","{0CCE9210-69AE-11D9-BED3-505054503030}","Success",
"Logon","{0CCE9215-69AE-11D9-BED3-505054503030}","Success and Failure",
"Logoff","{0CCE9216-69AE-11D9-BED3-505054503030}","Success",
"Account Lockout","{0CCE9217-69AE-11D9-BED3-505054503030}","Success",
"IPsec Main Mode","{0CCE9218-69AE-11D9-BED3-505054503030}","No Auditing",
"IPsec Quick Mode","{0CCE9219-69AE-11D9-BED3-505054503030}","No Auditing",
"IPsec Extended Mode","{0CCE921A-69AE-11D9-BED3-505054503030}","No Auditing",
"Special Logon","{0CCE921B-69AE-11D9-BED3-505054503030}","Success",
"Other Logon/Logoff Events","{0CCE921C-69AE-11D9-BED3-505054503030}","No Auditing",
"Network Policy Server","{0CCE9243-69AE-11D9-BED3-505054503030}","Success and Failure",
"User / Device Claims","{0CCE9247-69AE-11D9-BED3-505054503030}","No Auditing",
"File System","{0CCE921D-69AE-11D9-BED3-505054503030}","No Auditing",
"Registry","{0CCE921E-69AE-11D9-BED3-505054503030}","No Auditing",
"Kernel Object","{0CCE921F-69AE-11D9-BED3-505054503030}","No Auditing",
"SAM","{0CCE9220-69AE-11D9-BED3-505054503030}","No Auditing",
"Certification Services","{0CCE9221-69AE-11D9-BED3-505054503030}","No Auditing",
"Application Generated","{0CCE9222-69AE-11D9-BED3-505054503030}","No Auditing",
"Handle Manipulation","{0CCE9223-69AE-11D9-BED3-505054503030}","No Auditing",
"File Share","{0CCE9224-69AE-11D9-BED3-505054503030}","No Auditing",
"Filtering Platform Packet Drop","{0CCE9225-69AE-11D9-BED3-505054503030}","No Auditing",
"Filtering Platform Connection","{0CCE9226-69AE-11D9-BED3-505054503030}","No Auditing",
"Other Object Access Events","{0CCE9227-69AE-11D9-BED3-505054503030}","No Auditing",
"Detailed File Share","{0CCE9244-69AE-11D9-BED3-505054503030}","No Auditing",
"Removable Storage","{0CCE9245-69AE-11D9-BED3-505054503030}","No Auditing",
"Central Policy Staging","{0CCE9246-69AE-11D9-BED3-505054503030}","No Auditing",
"Non Sensitive Privilege Use","{0CCE9229-69AE-11D9-BED3-505054503030}","No Auditing",
"Other Privilege Use Events","{0CCE922A-69AE-11D9-BED3-505054503030}","No Auditing",
"Sensitive Privilege Use","{0CCE9228-69AE-11D9-BED3-505054503030}","No Auditing",
"Process Creation","{0CCE922B-69AE-11D9-BED3-505054503030}","No Auditing",
"Process Termination","{0CCE922C-69AE-11D9-BED3-505054503030}","No Auditing",
"DPAPI Activity","{0CCE922D-69AE-11D9-BED3-505054503030}","No Auditing",
"RPC Events","{0CCE922E-69AE-11D9-BED3-505054503030}","No Auditing",
"Authentication Policy Change","{0CCE9230-69AE-11D9-BED3-505054503030}","Success",
"Authorization Policy Change","{0CCE9231-69AE-11D9-BED3-505054503030}","No Auditing",
"MPSSVC Rule-Level Policy Change","{0CCE9232-69AE-11D9-BED3-505054503030}","No Auditing",
"Filtering Platform Policy Change","{0CCE9233-69AE-11D9-BED3-505054503030}","No Auditing",
"Other Policy Change Events","{0CCE9234-69AE-11D9-BED3-505054503030}","No Auditing",
"Audit Policy Change","{0CCE922F-69AE-11D9-BED3-505054503030}","Success",
"User Account Management","{0CCE9235-69AE-11D9-BED3-505054503030}","Success",
"Computer Account Management","{0CCE9236-69AE-11D9-BED3-505054503030}","Success",
"Security Group Management","{0CCE9237-69AE-11D9-BED3-505054503030}","Success",
"Distribution Group Management","{0CCE9238-69AE-11D9-BED3-505054503030}","No Auditing",
"Application Group Management","{0CCE9239-69AE-11D9-BED3-505054503030}","No Auditing",
"Other Account Management Events","{0CCE923A-69AE-11D9-BED3-505054503030}","No Auditing",
"Directory Service Changes","{0CCE923C-69AE-11D9-BED3-505054503030}","No Auditing",
"Directory Service Replication","{0CCE923D-69AE-11D9-BED3-505054503030}","No Auditing",
"Detailed Directory Service Replication","{0CCE923E-69AE-11D9-BED3-505054503030}","No Auditing",
"Directory Service Access","{0CCE923B-69AE-11D9-BED3-505054503030}","Success",
"Kerberos Service Ticket Operations","{0CCE9240-69AE-11D9-BED3-505054503030}","Success",
"Other Account Logon Events","{0CCE9241-69AE-11D9-BED3-505054503030}","No Auditing",
"Kerberos Authentication Service","{0CCE9242-69AE-11D9-BED3-505054503030}","Success",
"Credential Validation","{0CCE923F-69AE-11D9-BED3-505054503030}","Success",
'@
}
Script AuditPolicy {
    GetScript = {
        @{
            GetScript  = $GetScript
            SetScript  = $SetScript
            TestScript = $TestScript
            Result     = (& (gcm auditpol.exe) @('/get','/category:*','/r') | ConvertFrom-Csv | Select Subcategory*,*lusion*)
        }
    }
    SetScript = {
        # Apply every row of the CSV: map its Inclusion Setting to the auditpol /set switches
        Import-Csv -Path 'C:\windows\temp\polaudit.csv' | ForEach-Object {
            $g = $_.'Subcategory GUID'
            Switch ($_.'Inclusion Setting') {
                'No Auditing' {
                    & (gcm auditpol.exe) @('/set',"/subcategory:$($g)",'/failure:disable','/success:disable')
                    break
                }
                'Success' {
                    & (gcm auditpol.exe) @('/set',"/subcategory:$($g)",'/failure:disable','/success:enable')
                    break
                }
                'Failure' {
                    & (gcm auditpol.exe) @('/set',"/subcategory:$($g)",'/failure:enable','/success:disable')
                    break
                }
                'Success and Failure' {
                    & (gcm auditpol.exe) @('/set',"/subcategory:$($g)",'/failure:enable','/success:enable')
                    break
                }
                default {}
            }
        }
    }
    TestScript = {
        # Compliant only when Compare-Object finds no difference between the CSV and the live policy
        if (
            Compare-Object -ReferenceObject (Import-Csv 'C:\windows\temp\polaudit.csv') `
                -DifferenceObject (& (gcm auditpol.exe) @('/get','/category:*','/r') | ConvertFrom-Csv | Select Subcategory*,*lusion*)
        ) {
            return $false
        } else {
            return $true
        }
    }
    DependsOn = '[File]auditcsv'
}
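The SetScript above re-issues auditpol /set for every row of the CSV on each run. As an added example (not code from the original post), the functions below lift the Switch into a mapping from an "Inclusion Setting" to the /set argument list, and plan remediation only for rows whose live setting differs from the CSV, so an idempotent Set touches nothing that is already compliant and rejects a misspelled setting instead of silently skipping it. The two CSV texts are constructed and the function names are assumptions of this example.

```powershell
# Constructed desired state in the same shape as polaudit.csv above
$DesiredCsv = @'
"Subcategory","Subcategory GUID","Inclusion Setting","Exclusion Setting"
"Logon","{0CCE9215-69AE-11D9-BED3-505054503030}","Success and Failure",
"Logoff","{0CCE9216-69AE-11D9-BED3-505054503030}","Success",
"Process Creation","{0CCE922B-69AE-11D9-BED3-505054503030}","Success",
'@

# Constructed sample of `auditpol.exe /get /category:* /r` on a drifted machine
$CurrentCsv = @'
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
HOST01,System,Logon,{0CCE9215-69AE-11D9-BED3-505054503030},Success and Failure,
HOST01,System,Logoff,{0CCE9216-69AE-11D9-BED3-505054503030},Success and Failure,
HOST01,System,Process Creation,{0CCE922B-69AE-11D9-BED3-505054503030},No Auditing,
'@

function ConvertTo-AuditpolArgument {
    # The Switch from the SetScript as a pure function: returns the argument array for auditpol.exe
    param(
        [Parameter(Mandatory)] [string] $Guid,
        [Parameter(Mandatory)] [string] $Inclusion
    )
    $flags = switch ($Inclusion) {
        'No Auditing'         { '/success:disable', '/failure:disable' }
        'Success'             { '/success:enable',  '/failure:disable' }
        'Failure'             { '/success:disable', '/failure:enable'  }
        'Success and Failure' { '/success:enable',  '/failure:enable'  }
        default               { throw "Unknown inclusion setting '$Inclusion' for $Guid" }
    }
    # Leading comma returns the list as one array object, ready for: & auditpol.exe $args
    ,(@('/set', "/subcategory:$Guid") + $flags)
}

function Get-AuditPolicyRemediation {
    # One object per CSV row that is not already in the desired state
    param(
        [Parameter(Mandatory)] [string] $DesiredCsvText,
        [Parameter(Mandatory)] [string] $CurrentCsvText
    )
    $current = $CurrentCsvText | ConvertFrom-Csv
    foreach ($row in ($DesiredCsvText | ConvertFrom-Csv)) {
        $g   = $row.'Subcategory GUID'
        $now = ($current | Where-Object { $_.'Subcategory GUID' -eq $g }).'Inclusion Setting'
        # $now is $null when the system does not report the GUID; that row is remediated as well
        if ($now -ne $row.'Inclusion Setting') {
            [pscustomobject]@{
                Subcategory = $row.Subcategory
                From        = $now
                To          = $row.'Inclusion Setting'
                Arguments   = ConvertTo-AuditpolArgument -Guid $g -Inclusion $row.'Inclusion Setting'
            }
        }
    }
}

# Offline plan against the constructed sample: Logon is skipped, Logoff and Process Creation are listed
$plan = Get-AuditPolicyRemediation -DesiredCsvText $DesiredCsv -CurrentCsvText $CurrentCsv
$plan | ForEach-Object { "auditpol.exe $($_.Arguments -join ' ')   # $($_.Subcategory): $($_.From) -> $($_.To)" }

# On a live system (elevated console), capture the current output and apply only the planned rows:
# $live = & (Get-Command auditpol.exe) @('/get','/category:*','/r') | Out-String
# Get-AuditPolicyRemediation -DesiredCsvText (Get-Content 'C:\windows\temp\polaudit.csv' -Raw) -CurrentCsvText $live |
#     ForEach-Object { & (Get-Command auditpol.exe) $_.Arguments }
```

Separating the plan from the apply step also gives the TestScript and SetScript one shared definition of "different": Test returns $true when the plan is empty, and Set runs exactly the commands the plan lists.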