Cyber Essentials Automation via PowerShell & GPO

Objective:

Develop a system to streamline the application of Cyber Essentials technical controls to Windows 10/11 Home and Pro devices. The solution should prioritize configurations via Group Policy Objects (GPO) where possible and be executable remotely. The system is intended for efficient, repeatable deployments on non-domain or locally connected network devices.

Requirements:

Disable USB Storage:

Accounts:

All accounts except the ACSadmin (that this system will create) and any system protected accounts should be turned to local accounts i.e. those that have no admin permissions. This applies to Entra joined accounts as well.

Default Password Configuration:

Set a default password (e.g., “Changeme@12!”) for all local accounts, except for specified admin accounts (e.g., "acsadmin," "guest," etc.).

Enforce a 12-character minimum password length for all accounts.

Prompt users to reset passwords at first login.

Account Creation:

Create a standard administrator account "acsadmin" with a unique password prompt at installation.

Ensure account permissions are set for Cyber Essentials compliance.

Account Lockout:

Set account lockout to trigger after 10 failed login attempts.

Configure account lockout duration to 10 minutes.

Screen Lock Timeout:

Set the screen saver to a 10-minute inactivity timeout with an auto-lock requirement.

Use the “Blank” screen saver as the default option for all users.

Autorun/Autoplay Configuration:

Disable autorun and autoplay features through registry changes to prevent automatic execution of removable media.

Standard User Accounts:

Change all unnecessary local user accounts to standard user privileges, removing administrator rights where appropriate.

Logging:

Implement logging of each step's success or failure to [login to view URL] on the root directory.

Group Policy Object (GPO) Integration

Configure as many security settings as possible using GPOs for easy and centralized control. This includes:

Enforcing password complexity and minimum length via GPO.

Configuring account lockout and screen saver timeout settings.

Disabling USB access, autorun, and autoplay through GPO where applicable.

Domain Management

Provide options within the script to join devices to:

Local Domain (Active Directory): Using an administrator’s credentials prompt during script execution.

Azure Active Directory/Entra Domain: Prompt the administrator for Azure AD credentials if joining the Azure AD domain.

Remote Access Compatibility

Ensure the script is compatible with remote execution tools (e.g., Remote Desktop, remote PowerShell sessions) to facilitate deployment on target machines. A minimal setup should enable administrators to remotely deploy this system on each device.

Error Handling and Documentation

Implement error handling for each configuration step with relevant error messages.

Create a detailed log file for each execution, with time stamps, that administrators can review for troubleshooting.

Provide a comprehensive user guide that covers setup, use, and common troubleshooting.

Deliverables:

Complete PowerShell script with GPO templates, if needed.

Full documentation for usage and troubleshooting.

Technical Specifications:

Minimum Password Length: 12 characters

Password Complexity: Must include upper- and lower-case letters, numbers, and symbols.

Account Lockout: Lockout after 10 failed attempts for 10 minutes.

Screen Lock: 10-minute timeout with Blank screensaver set and auto-lock enforced.

Logging: Activity logged in [login to view URL] at C:\.

I have the full PowerShell scrip which I can provide

Include basic logging with event summaries and timestamps.

Powershell การติดตั้งสคริปต์ ผู้ดูแลระบบ Windows Desktop Windows Server

หมายเลขโปรเจค: #38736599

เกี่ยวกับโปรเจกต์