PowerShield v2.0

Enterprise-grade security baseline enforcement for Windows Server. A single PowerShell script that audits, remediates, and reports on 120+ hardening controls aligned to CIS Benchmark, NIST 800-53, DISA STIG, and Microsoft Security Baselines.
CIS Benchmark | NIST SP 800-53 | DISA STIG | Microsoft Baselines | Server 2019 / 2022 | 12 Modules
Administrator: PowerShell
    PS C:\PowerShield> .\PowerShield.ps1 -Audit

    [INFO] Mode: AUDIT ONLY
    [INFO] OS: Windows Server 2022 Datacenter
    [INFO] Profile: level1

    ━━━ 1. ACCOUNT POLICIES (CIS 1.1-1.2) ━━━
    [PASS] CIS 1.1.1 — Password history: 24 (>=24)
    [PASS] CIS 1.1.4 — Min password length: 14 (>=14)
    [PASS] CIS 1.1.5 — Password complexity: Enabled
    [FAIL] CIS 1.2.2 — Lockout threshold: 0 (should be 1-5)

    ━━━ 6. NETWORK SECURITY (CIS 18.4) ━━━
    [FAIL] CIS 18.4.x — SMBv1: Enabled (critical — disable immediately)
    [PASS] CIS 18.4.x — LLMNR: Disabled
    [PASS] CIS 18.9.x — RDP NLA: Required

    ━━━ 10. TLS & CRYPTOGRAPHY (NIST/STIG) ━━━
    [PASS] NIST — TLS 1.2 (Server): Enabled
    [FAIL] NIST — TLS 1.0 (Server): Enabled (must disable)

    EXECUTIVE SUMMARY
    ─────────────────────────────────────────────
    System: DC01 (Windows Server 2022 Datacenter)
    Domain: CORP.LOCAL
    Compliance: 74.8%
    Critical Gaps: 3
    ═══════════════════════════════════════════════════
    PASS: 89 FAIL: 18 WARN: 12 TOTAL: 119
    Reports: HTML, CSV, JSON exported to C:\PowerShield\Logs\
    ═══════════════════════════════════════════════════
874 Lines of Code | 12 Modules | 120+ Security Checks | 4 Standards
12 modules covering the complete Windows Server attack surface
Each module maps directly to CIS Benchmark sections, NIST 800-53 control families, and DISA STIG requirements. Modules can be executed individually or as a complete assessment.
01 Account Policies
CIS 1.1–1.2 | NIST IA
Password policy enforcement (history, age, length, complexity, reversible encryption) and account lockout configuration (threshold, duration, reset counter).
9 checks | secedit
02 Local Policies
CIS 2.2–2.3 | NIST AC, IA
Administrator/Guest accounts, blank password restriction, SMB signing, SAM enumeration, NTLMv2 enforcement, UAC configuration, inactivity timeout.
12 checks | registry
03 Advanced Audit Policy
CIS 17 | NIST AU
15 advanced audit subcategories: credential validation, account management, process creation, logon/logoff events, privilege use, policy changes, system integrity.
15 checks | auditpol
04 Windows Firewall
CIS 9 | NIST SC
Domain, Private, and Public profiles: enabled state verification, default inbound action (Block), outbound action, and firewall logging configuration.
12 checks | auto-fix
05 Defender and Exploit Guard
CIS 18.9.47 | NIST SI
Real-time protection, behavior monitoring, PUA detection, IOAV scanning, cloud protection (MAPS), signature freshness, ASLR, Credential Guard (VBS).
10 checks | VBS
06 Network Security
CIS 18.4 | NIST SC, AC
SMBv1 elimination, SMB encryption, WinRM hardening, LLMNR and NetBIOS disablement, IPv6 review, Remote Desktop with Network Level Authentication.
8 checks | auto-fix
07 Windows Services
CIS 5 | NIST CM
Identification and disablement of 20 unnecessary services: IIS, FTP, SNMP, UPnP, SSDP, Xbox, WSL, mobile hotspot, media sharing, and legacy services.
20 checks | auto-fix
08 Registry Hardening
CIS 18 | STIG
14 critical registry controls: LSA Protection (RunAsPPL), WDigest credential caching, SEHOP, PowerShell script block logging, AlwaysInstallElevated, Remote Credential Guard.
14 checks | auto-fix
09 Event Log Configuration
CIS 18.9.26 | NIST AU
Event log sizing for Application, Security, System, and Setup logs. Sysmon deployment detection. PowerShell module logging verification.
6 checks | wevtutil
10 TLS and Cryptography
NIST SC-13 | STIG
Deprecation of SSL 2.0/3.0 and TLS 1.0/1.1. Enforcement of TLS 1.2/1.3. Disablement of RC4, DES, Triple DES, and NULL cipher suites via SCHANNEL registry.
12+ checks | SCHANNEL
11 Windows Update
CIS 18.9.108 | NIST SI
Automatic update policy verification, patch currency assessment (days since last hotfix), and pending reboot detection.
3 checks | WSUS
12 Additional Hardening
NIST CM | STIG
Login warning banners, AutoPlay disablement, BitLocker verification, Print Spooler review (PrintNightmare), administrative shares, Spectre/Meltdown mitigations, local administrator count.
7 checks | auto-fix
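The registry-backed checks in modules 08 and 10 amount to reading a value and comparing it with the baseline, with a decision about what an absent value means. The following is an added example, not PowerShield's own code: the registry paths and value names are the standard Windows locations, while the function name Test-RegistryControl, the choice of six controls, and the IfMissing handling are assumptions made for illustration.

```powershell
# Added example, not PowerShield source. Audit only: nothing is written to the registry.
$lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$wdigest  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$policies = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows'
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# IfMissing is the status reported when the value is absent and the OS default applies
# (defaults assumed here are those of Windows Server 2019/2022).
# AlwaysInstallElevated also has a per-user (HKCU) value; only the machine value is read here.
$controls = @(
    @{ Id = 'LSA Protection (RunAsPPL)'; Path = $lsa
       Name = 'RunAsPPL'; Expected = 1; IfMissing = 'FAIL' }
    @{ Id = 'WDigest credential caching'; Path = $wdigest
       Name = 'UseLogonCredential'; Expected = 0; IfMissing = 'WARN' }
    @{ Id = 'AlwaysInstallElevated (machine)'; Path = "$policies\Installer"
       Name = 'AlwaysInstallElevated'; Expected = 0; IfMissing = 'PASS' }
    @{ Id = 'PowerShell script block logging'; Path = "$policies\PowerShell\ScriptBlockLogging"
       Name = 'EnableScriptBlockLogging'; Expected = 1; IfMissing = 'FAIL' }
    @{ Id = 'TLS 1.0 (Server)'; Path = "$schannel\TLS 1.0\Server"
       Name = 'Enabled'; Expected = 0; IfMissing = 'FAIL' }
    @{ Id = 'TLS 1.1 (Server)'; Path = "$schannel\TLS 1.1\Server"
       Name = 'Enabled'; Expected = 0; IfMissing = 'FAIL' }
)

function Test-RegistryControl {
    param([hashtable]$Control)
    # SilentlyContinue: a missing key or value yields $null instead of an error
    $item = Get-ItemProperty -Path $Control.Path -Name $Control.Name -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { $item.($Control.Name) } else { $null }

    if ($null -eq $actual)                 { $status = $Control.IfMissing; $actual = '(not set)' }
    elseif ($actual -eq $Control.Expected) { $status = 'PASS' }
    else                                   { $status = 'FAIL' }

    [pscustomobject]@{
        Status   = $status
        Control  = $Control.Id
        Actual   = $actual
        Expected = $Control.Expected
    }
}

$results = $controls | ForEach-Object { Test-RegistryControl -Control $_ }
$results | Format-Table -AutoSize
$failed = @($results | Where-Object { $_.Status -eq 'FAIL' }).Count
"{0} of {1} controls failed" -f $failed, @($results).Count
```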
Quick Start
PowerShield requires PowerShell 5.1 or later and must be executed with Administrator privileges. No external modules or dependencies are required.
    # Clone repository
    git clone https://github.com/SiteQ8/PowerShield.git
    cd PowerShield

    # Audit only — no system modifications
    .\PowerShield.ps1 -Audit

    # Audit with automatic remediation
    .\PowerShield.ps1 -Fix

    # Target specific modules
    .\PowerShield.ps1 -Module Firewall,Services,TLSCrypto

    # Dry run — preview all changes before applying
    .\PowerShield.ps1 -DryRun

    # CIS Level 2 profile
    .\PowerShield.ps1 -Fix -Profile level2
Standards Alignment
Every check in PowerShield is mapped to one or more industry-recognized security standards. The tool supports multiple compliance profiles for different organizational requirements.
Standard | Coverage | Scope
CIS Benchmark for Windows Server 2019/2022 | Level 1 and Level 2 | Account policies, local policies, audit, firewall, services, registry, event logs, update
NIST SP 800-53 Revision 5 | AC, AU, CM, IA, SC, SI | Access control, audit and accountability, configuration management, identification and authentication, system and communications protection, system and information integrity
DISA STIG | CAT I, II, III | LSA protection, WDigest, Credential Guard, SEHOP, TLS configuration, cipher suites, BitLocker, administrative shares
Microsoft Security Baselines | Server 2019 / 2022 | Microsoft-recommended registry settings, Group Policy configurations, Windows Defender settings
Multi-format compliance reporting
PowerShield generates three report formats with every execution. All reports include system metadata, compliance scoring, and detailed per-check results for audit evidence and remediation tracking.
HTML
Visual report with color-coded results, compliance score, system information, and executive summary. Suitable for management review.
CSV
Structured data export for integration with GRC platforms, SIEM systems, and spreadsheet-based compliance tracking workflows.
JSON
Machine-readable output with full metadata, summary statistics, and individual results for API integration and automated pipelines.