Logsandrules.ps1
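function Enable-FirewallLogs {
    <#
    .SYNOPSIS
        Turns on Windows Firewall connection logging on the Domain, Public and Private profiles.
    .DESCRIPTION
        Logs both allowed and blocked connections. The previous version only set
        -LogAllowed, so dropped traffic (the part most useful for detecting scans
        and blocked C2 attempts) never reached the firewall log; -LogBlocked closes
        that gap. Set-NetFirewallProfile is called with -ErrorAction Stop so a
        failure (e.g. MpsSvc stopped, not elevated) is a terminating error rather
        than a warning the caller can miss.
    .NOTES
        NOTE(review): the log is written to each profile's currently configured
        LogFileName with its existing size cap (LogMaxSizeKilobytes); on a busy
        host check that cap so entries are not rolled over before collection.
        Requires an elevated session.
    #>
    [CmdletBinding()]
    param()
    # -LogAllowed and -LogBlocked are independent switches; both are required
    # for a complete picture of what the host accepted and refused.
    Set-NetFirewallProfile -Profile Domain,Public,Private `
        -LogAllowed True -LogBlocked True -ErrorAction Stop
}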
#Enable-FirewallLogs
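function Restore-FirewallRules {
    <#
    .SYNOPSIS
        Resets Windows Firewall (service MpsSvc) to its default policy.
    .DESCRIPTION
        Same three steps as before: set MpsSvc to Disabled, run
        `netsh advfirewall reset`, then set MpsSvc back to Automatic and start it.
        Two changes: the re-enable now runs in a finally block, so an exception
        from Set-Service or netsh can no longer leave the firewall service
        Disabled on the next boot; and a non-zero exit code from netsh (an
        external command, invisible to try/catch) is turned into a terminating
        error instead of being ignored.
    .NOTES
        The reset discards every custom rule on the host, so only run it when a
        return to defaults is intended (pair with Import-FirewallRules to reapply
        a known-good policy afterwards).
        Set-Service -StartupType Disabled changes only the startup type; no
        Stop-Service is issued here, so the reset executes against the running
        service, as in the original. Requires an elevated session.
    #>
    [CmdletBinding()]
    param()
    try {
        # Keep the service from auto-starting while the default policy is
        # being written back (original behaviour, retained).
        Set-Service -Name MpsSvc -StartupType Disabled -ErrorAction Stop
        # Restore the default Windows Firewall policy.
        netsh advfirewall reset
        if ($LASTEXITCODE -ne 0) {
            throw "netsh advfirewall reset failed with exit code $LASTEXITCODE"
        }
    }
    finally {
        # Always put the firewall service back, even if the reset threw.
        Set-Service -Name MpsSvc -StartupType Automatic
        Start-Service -Name MpsSvc
    }
}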
#Restore-FirewallRules
function Import-FirewallRules {
    <#
    .SYNOPSIS
        Loads a firewall policy file and enables the Domain, Public and Private profiles.
    .PARAMETER Path
        Path to the policy file. Validated with Test-Path -PathType Leaf, so it
        must be an existing file (not a directory) at call time.
    .DESCRIPTION
        Both steps run with -ErrorAction Stop inside a try block; any failure is
        reported once via Write-Error (non-terminating) and the function returns.
        Callers that must halt on failure should pass -ErrorAction Stop themselves.
    .NOTES
        NOTE(review): the import is done with Import-NetFirewallRule -PolicyStore
        <file path>, kept as written. Confirm that cmdlet/parameter combination is
        available on the target OS; policy (.wfw) files are commonly imported with
        `netsh advfirewall import <file>` instead.
        Whatever the mechanism, an imported policy replaces the host's firewall
        rules wholesale, so the file must come from a trusted, integrity-checked
        location (e.g. a read-only signed share), not a world-writable temp path
        such as the C:\temp example below.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)]
        [ValidateScript({Test-Path $_ -PathType Leaf})]
        [string]$Path
    )
    $importArgs = @{
        PolicyStore = $Path
        ErrorAction = 'Stop'
    }
    $profileArgs = @{
        Profile     = 'Domain', 'Public', 'Private'
        Enabled     = 'True'
        ErrorAction = 'Stop'
    }
    try {
        # Load the policy file, then make sure every profile is switched on so
        # the imported rules are actually enforced.
        Import-NetFirewallRule @importArgs
        Set-NetFirewallProfile @profileArgs
        Write-Host "Firewall rules imported and activated successfully."
    }
    catch {
        Write-Error "Failed to import and activate firewall rules: $_"
    }
}
#Import-FirewallRules -Path "C:\temp\myfirewallrules.wfw"
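function Set-Syslog {
    <#
    .SYNOPSIS
        Sizes the Security event log and configures a syslog agent to forward to a collector.
    .PARAMETER ServerAddress
        Hostname or IP address of the syslog collector. Must be non-empty.
    .PARAMETER Port
        Collector port. Now validated to 1-65535; the previous version accepted any
        [int], including 0 and negative values, and handed them to the agent.
    .PARAMETER Protocol
        Transport name passed to the agent unchanged (the example uses UDP).
        UDP syslog is cleartext and unauthenticated: anyone on the path can read
        or spoof audit events. Prefer a TCP/TLS transport if the agent supports it.
    .DESCRIPTION
        1. Writes AutoBackupLogFiles=0 and MaxSize=0x800000 (8 MB) under the
           Security event log key. These size/retain the log; they do not enable
           forwarding (the original comment said they did). 8 MB is small once
           audit policy is verbose; raise it if events roll over before the agent
           ships them.
        2. Installs the "SyslogAgent" package via the NuGet provider.
        3. Applies the collector settings with Set-SyslogAgentConfig and starts
           the syslogagent service.
    .NOTES
        NOTE(review): Install-Package runs with -Force and no -RequiredVersion or
        -Source pin, so it takes whatever the configured NuGet source serves under
        that name. On production hosts pin version and source (or pre-stage the
        package from an internal feed) so a replaced or look-alike package cannot
        be installed silently. Set-SyslogAgentConfig is not a built-in cmdlet and
        presumably comes from that package; -ErrorAction Stop on the install keeps
        a failed install from falling through to a "command not found" here.
        Requires an elevated session.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [string]$ServerAddress,
        [Parameter(Mandatory = $true)]
        [ValidateRange(1, 65535)]
        [int]$Port,
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [string]$Protocol
    )
    # Security event log retention: no automatic backup files, 8 MB cap.
    $securityLogKey = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security"
    Set-ItemProperty -Path $securityLogKey -Name "AutoBackupLogFiles" -Value 0
    Set-ItemProperty -Path $securityLogKey -Name "MaxSize" -Value 0x800000
    # Install the syslog agent; stop here if the package cannot be installed.
    Install-Package -Name SyslogAgent -ProviderName 'NuGet' -Force -ErrorAction Stop
    # Hand the collector settings to the agent and start it.
    $Config = @{
        ServerAddress = $ServerAddress
        Port          = $Port
        Protocol      = $Protocol
    }
    Set-SyslogAgentConfig @Config
    Start-Service -Name syslogagent
}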
#Set-Syslog -ServerAddress "syslog.example.com" -Port 514 -Protocol UDP
function Enable-DNSLogging {
    <#
    .SYNOPSIS
        Turns on DNS Server debug logging and query logging, then restarts the DNS service.
    .DESCRIPTION
        Step 1: sets DebugLogging, DebugFile and DebugLevel on the MicrosoftDNS_Server
        WMI instance and commits with Put().
        Step 2: writes five values under HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters.
        Step 3: Restart-Service DNS -Force so the new settings are picked up.
    .NOTES
        NOTE(review): DebugLevel is set to 0. On the DNS server WMI class a level of 0
        usually selects no logging categories; confirm this is intended or that
        DebugLogging alone is honoured on the target OS. Likewise check the five
        registry value names against the DNS Server documentation for that OS —
        the supported way to do this is Set-DnsServerDiagnostics (DnsServer
        module), which may be the safer route.
        No size cap is configured for either log file, so a busy resolver can fill
        the System32\dns directory; set a maximum size or rotation before enabling
        this on a production server.
        Restart-Service -Force briefly interrupts name resolution for every client
        of this server. Requires an elevated session on a DNS server.
    #>
    [CmdletBinding()]
    param()

    # --- 1. WMI debug logging -------------------------------------------
    $dnsServer = Get-WmiObject -Namespace "root\MicrosoftDNS" -Class "MicrosoftDNS_Server"
    $dnsServer.DebugLogging = $true
    $dnsServer.DebugFile    = "C:\Windows\System32\dns\dns.log"
    $dnsServer.DebugLevel   = 0
    $dnsServer.Put()

    # --- 2. Registry query logging --------------------------------------
    $parametersKey = "HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters"
    $querySettings = @{
        "LogFilePath"          = "C:\Windows\System32\dns\dnsquery.log"
        "EnableLogging"        = 1
        "LogIncomingRequests"  = 1
        "LogOutgoingResponses" = 1
        "LogLevel"             = 2
    }
    foreach ($setting in $querySettings.GetEnumerator()) {
        Set-ItemProperty -Path $parametersKey -Name $setting.Key -Value $setting.Value -Force
    }

    # --- 3. Apply -------------------------------------------------------
    Restart-Service -Name DNS -Force
}
#Enable-DNSLogging
function Enable-ADEnhancedLogging {
<#
.SYNOPSIS
    Attempts to raise Active Directory auditing on one domain controller.
.PARAMETER DomainController
    Name of the DC. It is used both as the CN of the server object under
    CN=Servers (line below) and as -Server/-Computer/-ComputerName for the
    GPO and restart calls. NOTE(review): the server object under CN=Servers
    is normally named by the DC's short hostname, while the example call
    passes an FQDN ("dc1.example.com"); one of the two uses will not match.
.DESCRIPTION
    Four stages: (1) audit-policy cmdlets, (2) a bit flip on the NTDS Settings
    "options" attribute, (3) an in-memory edit of the Default Domain Controllers
    Policy plus a GPO registry value, (4) gpupdate and a forced reboot of the DC.
    Several of these stages need verification before this is run against a
    production forest; see the NOTE(review) comments inline.
.NOTES
    Requires the ActiveDirectory and GroupPolicy modules and Domain Admin-level
    rights. The forced reboot at the end takes a domain controller offline.
#>
[CmdletBinding()]
param(
[Parameter(Mandatory = $true)]
[string]$DomainController
)
# Enable directory service access auditing
# NOTE(review): Get-AuditPolicy / Set-AuditPolicy are not built-in Windows
# cmdlets; unless a module providing them is loaded these lines fail. The
# supported tool is auditpol.exe (/set /subcategory:"Directory Service Access"
# /success:enable /failure:enable) or an Advanced Audit Policy GPO.
$AuditPolicy = Get-AuditPolicy
$AuditPolicy.DirectoryServiceAccess = "Success,Failure"
Set-AuditPolicy -AuditPolicy $AuditPolicy
# Enable directory service changes auditing
# NOTE(review): the site name "Default-First-Site-Name" and the domain
# "DC=example,DC=com" are hard-coded; a DC in any other site or domain is not
# found. Derive them from Get-ADDomainController / Get-ADDomain instead.
# The lookup also does not pass -Server $DomainController, so it goes to
# whichever DC the AD module picks.
$NTDSObject = Get-ADObject "CN=NTDS Settings,CN=$DomainController,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com" -Properties "options"
$Options = $NTDSObject.options
# NOTE(review): "options" on NTDS Settings is an integer bitmask attribute. If
# it comes back as a scalar, $Options[5] is $null and the assignment below
# errors; if it comes back as a collection, element 5 is not the flag word.
# Either way the bits in this attribute control replication/GC behaviour of
# the DC, not auditing — confirm what 0x20 is meant to set before running.
# Directory Service Changes auditing is normally enabled via auditpol plus a
# SACL on the directory partitions, not via this attribute.
$Options[5] = $Options[5] -bor 0x20
# NOTE(review): $Options is a separate variable; $NTDSObject.options is never
# reassigned, so depending on the collection type this may write back nothing.
Set-ADObject -Instance $NTDSObject
# Enable detailed tracking of security events
$GPO = Get-GPO -Name "Default Domain Controllers Policy" -Server $DomainController
# NOTE(review): ExtensionData.Extension.SecuritySettings is not a property I
# can match to the object Get-GPO returns; even if it resolves, the next three
# lines only modify an in-memory object — nothing here persists AuditPolicy
# back to SYSVOL. Use auditpol.exe or Set-GPRegistryValue / an audit-policy
# GPO setting for "Detailed Tracking" instead.
$SecuritySettings = $GPO.ExtensionData.Extension.SecuritySettings
$AuditPolicy = $SecuritySettings.AuditPolicy
$AuditPolicy.AuditDetailedTracking = "Enabled"
$SecuritySettings.AuditPolicy = $AuditPolicy
# Presumably enables command-line capture in process-creation audit events
# via the DC policy. Caveat: captured command lines can contain secrets
# (passwords passed as arguments), so restrict read access to the Security
# log and to wherever it is forwarded.
Set-GPRegistryValue -Name $GPO.DisplayName -Key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" -ValueName "ProcessCreationIncludeCmdLine_Enabled" -Type DWORD -Value 1
# Refresh the group policy on the domain controller
Invoke-GPUpdate -Computer $DomainController -Target "Computer"
# Restart the domain controller to apply the changes
# NOTE(review): a forced reboot of a DC is highly disruptive (authentication,
# replication, FSMO roles). The registry-based GPO setting above is applied by
# the gpupdate; confirm a reboot is actually required before keeping this.
Restart-Computer -ComputerName $DomainController -Force
}
#Enable-ADEnhancedLogging -DomainController "dc1.example.com"