Windows_Server_Check_Unified.ps1

#===============================================================================
# Windows Server Vulnerability Unified Check Script (Evidence-Based)
# KISA/ISMS Standard (W-01 ~ W-64)
# Version: 2.0 (Detailed Reporting with Evidence)
#===============================================================================

$ErrorActionPreference = "SilentlyContinue"
$ProgressPreference = "SilentlyContinue"

# Check Administrator Privileges
if (-NOT ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
    Write-Warning "Administrator privileges required. Please run as Administrator."
    exit
}

# Configuration
$DateStr = Get-Date -Format "yyyyMMdd_HHmmss"
$Hostname = $env:COMPUTERNAME
$ReportFile = "$PSScriptRoot\${Hostname}_Unified_Report_$DateStr.txt"
$TempDir = "$env:SystemRoot\Temp\WinCheckUnified"
$SecPolicyFile = "$TempDir\sec_policy.cfg"

# Prepare Temp Directory & Export Security Policy
if (Test-Path $TempDir) { Remove-Item -Path $TempDir -Recurse -Force }
New-Item -ItemType Directory -Force -Path $TempDir | Out-Null
secedit /export /cfg "$SecPolicyFile" | Out-Null

$Results = New-Object System.Collections.Generic.List[PSObject]

# Helper Functions
function Get-SecValue {
    param ($Key)
    $Match = Select-String -Path $SecPolicyFile -Pattern "^$Key"
    if ($Match) { 
        $Val = $Match.Line.Split("=")[1].Trim()
        # Remove quotes if present
        return $Val.Replace('"',"")
    }
    return $null
}

function Get-RegValue {
    param ($Path, $Name)
    try { 
        $Val = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name 
        return $Val
    } catch { return $null }
}

function Add-Result {
    param ($ID, $Title, $Status, $Evidence)
    $Results.Add((New-Object PSObject -Property @{ID=$ID;Title=$Title;Status=$Status;Evidence=$Evidence}))
    Write-Host -NoNewline "."
}

Write-Host "Starting Windows Server Vulnerability Check (W-01 ~ W-64)..."

#-------------------------------------------------------------------------------
# 1. Account Management (W-01 ~ W-14)
#-------------------------------------------------------------------------------

# W-01 Administrator Account Name
$Admin = Get-LocalUser | ? { $_.SID -like "S-1-5-*-500" }
if ($Admin.Name -eq "Administrator") { 
    Add-Result "W-01" "Administrator Account Name" "취약" "기본 계정명(Administrator) 사용 중" 
} else { 
    Add-Result "W-01" "Administrator Account Name" "양호" "계정명 변경됨: $($Admin.Name)" 
}

# W-02 Guest Account Status
$Guest = Get-LocalUser | ? { $_.SID -like "S-1-5-*-501" }
if ($Guest.Enabled) { 
    Add-Result "W-02" "Guest Account Status" "취약" "Guest 계정 활성화됨" 
} else { 
    Add-Result "W-02" "Guest Account Status" "양호" "Guest 계정 비활성화됨" 
}

# W-03 Unused Accounts
$TotalUsers = (Get-LocalUser).Count
Add-Result "W-03" "Unused Accounts" "수동점검" "전체 사용자 수: $TotalUsers (불필요 계정 확인 필요)"

# W-04 Account Lockout Threshold
$Val = Get-SecValue "LockoutBadCount"
if ($Val -and [int]$Val -le 5 -and [int]$Val -gt 0) { 
    Add-Result "W-04" "Account Lockout Threshold" "양호" "임계값: $Val (기준: 5 이하)" 
} else { 
    Add-Result "W-04" "Account Lockout Threshold" "취약" "임계값: $(if(!$Val){'미설정'}else{$Val}) (기준: 5 이하)" 
}

# W-05 Clear Text Password
$Val = Get-SecValue "ClearTextPassword"
if ($Val -eq "0") { 
    Add-Result "W-05" "Clear Text Password" "양호" "해독 가능한 암호화 저장 안 함 (0)" 
} else { 
    Add-Result "W-05" "Clear Text Password" "취약" "해독 가능한 암호화 저장됨 ($Val)" 
}

# W-06 Admin Group Members
try { 
    $Members = Get-LocalGroupMember -Group "Administrators"
    $Names = ($Members | Select-Object -ExpandProperty Name) -join ", "
    $Count = $Members.Count
    if ($Count -le 2) { # Assuming 1-2 admins is acceptable
        Add-Result "W-06" "Admin Group Members" "양호" "관리자 수: $Count ($Names)"
    } else {
        Add-Result "W-06" "Admin Group Members" "수동점검" "관리자 수: $Count ($Names) - 불필요 계정 확인 필요"
    }
} catch { 
    Add-Result "W-06" "Admin Group Members" "점검불가" "그룹 정보 확인 실패" 
}

# W-07 Everyone Includes Anonymous
$Val = Get-RegValue "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" "EveryoneIncludesAnonymous"
if ($Val -eq 0 -or $Val -eq $null) { 
    Add-Result "W-07" "Everyone Includes Anonymous" "양호" "설정값: 0 (또는 미설정)" 
} else { 
    Add-Result "W-07" "Everyone Includes Anonymous" "취약" "설정값: $Val (1=사용)" 
}

# W-08 Lockout Duration
$Val = Get-SecValue "LockoutDuration"
if ($Val -and [int]$Val -ge 60) { 
    Add-Result "W-08" "Account Lockout Duration" "양호" "잠금 기간: $Val분 (기준: 60분 이상)" 
} else { 
    Add-Result "W-08" "Account Lockout Duration" "취약" "잠금 기간: $(if(!$Val){'미설정'}else{$Val}) (기준: 60분 이상)" 
}

# W-09 Password Policy
$MaxAge = Get-SecValue "MaximumPasswordAge"
$MinLen = Get-SecValue "MinimumPasswordLength"
$Complexity = Get-SecValue "PasswordComplexity"
$Evid = "최대기간:$MaxAge, 최소길이:$MinLen, 복잡성:$Complexity"

if ([int]$MaxAge -le 90 -and [int]$MaxAge -gt 0 -and [int]$MinLen -ge 8 -and $Complexity -eq 1) { 
    Add-Result "W-09" "Password Policy" "양호" $Evid 
} else { 
    Add-Result "W-09" "Password Policy" "취약" "$Evid (기준: 기간<=90, 길이>=8, 복잡성=1)" 
}

# W-10 Hide Last User
$Val = Get-RegValue "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" "dontdisplaylastusername"
if ($Val -eq 1) { 
    Add-Result "W-10" "Do Not Display Last User" "양호" "마지막 사용자 표시 안 함 (1)" 
} else { 
    Add-Result "W-10" "Do Not Display Last User" "취약" "마지막 사용자 표시됨 (0 또는 미설정)" 
}

# W-11 Local Logon
Add-Result "W-11" "Allow Local Logon" "수동점검" "로컬 보안 정책 > 사용자 권한 할당 > 로컬 로그온 허용 확인 필요"

# W-12 Anonymous Lookup
$Val = Get-SecValue "LSAAnonymousNameLookup"
if ($Val -eq "0") { 
    Add-Result "W-12" "Anonymous SID/Name Translation" "양호" "익명 변환 비활성화 (0)" 
} else { 
    Add-Result "W-12" "Anonymous SID/Name Translation" "취약" "익명 변환 활성화 ($Val)" 
}

# W-13 Empty Password Console Logon
$Val = Get-RegValue "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" "LimitBlankPasswordUse"
if ($Val -eq 1) { 
    Add-Result "W-13" "Limit Blank Password Use" "양호" "빈 암호 사용 제한됨 (1)" 
} else { 
    Add-Result "W-13" "Limit Blank Password Use" "취약" "빈 암호 사용 가능 ($Val)" 
}

# W-14 Remote Desktop Users
Add-Result "W-14" "Remote Desktop Users" "수동점검" "Remote Desktop Users 그룹 구성원 확인 필요"

#-------------------------------------------------------------------------------
# 2. Service Management (W-15 ~ W-37)
#-------------------------------------------------------------------------------

# W-17 Auto Share
$Val = Get-RegValue "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" "AutoShareServer"
if ($Val -eq 0) { 
    Add-Result "W-17" "Remove Default Disk Share" "양호" "기본 공유 제거됨 (0)" 
} else { 
    Add-Result "W-17" "Remove Default Disk Share" "취약" "기본 공유 활성화 ($Val)" 
}

# W-18 Unnecessary Services
$SvcList = @("SimpTcp","TlntSvr","MSFTPSVC","SNMP","RemoteRegistry")
$RunningSvcs = @()
foreach($S in $SvcList) { 
    if((Get-Service $S -ErrorAction SilentlyContinue).Status -eq "Running") { $RunningSvcs += $S } 
}
if ($RunningSvcs.Count -eq 0) { 
    Add-Result "W-18" "Remove Unnecessary Services" "양호" "불필요 서비스 실행 안 됨" 
} else { 
    Add-Result "W-18" "Remove Unnecessary Services" "취약" "실행 중인 서비스: $($RunningSvcs -join ', ')" 
}

# W-21 FTP Service
if ((Get-Service "MSFTPSVC" -ErrorAction SilentlyContinue).Status -eq "Running") {
    Add-Result "W-21" "FTP Service" "취약" "FTP 서비스(MSFTPSVC) 실행 중 (SFTP 권장)"
} else {
    Add-Result "W-21" "FTP Service" "양호" "FTP 서비스 중지됨"
}

# W-27 OS Build
$OS = Get-CimInstance Win32_OperatingSystem
Add-Result "W-27" "Latest Windows OS Build" "양호" "OS: $($OS.Caption), Build: $($OS.BuildNumber)"

# W-28 RDP Encryption
$Val = Get-RegValue "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" "MinEncryptionLevel"
if ($Val -eq 3) { 
    Add-Result "W-28" "RDP Encryption Level" "양호" "암호화 수준: 높음 (3)" 
} elseif ($Val -eq 2) {
    Add-Result "W-28" "RDP Encryption Level" "양호" "암호화 수준: 클라이언트 호환 (2)"
} else { 
    Add-Result "W-28" "RDP Encryption Level" "취약" "암호화 수준 낮음 또는 미설정 ($Val)" 
}

# W-34 Telnet
if ((Get-Service "TlntSvr" -ErrorAction SilentlyContinue).Status -eq "Running") {
    Add-Result "W-34" "Disable Telnet Service" "취약" "Telnet 서비스 실행 중"
} else {
    Add-Result "W-34" "Disable Telnet Service" "양호" "Telnet 서비스 중지됨 또는 미설치"
}

# W-36 RDP Timeout
$Val = Get-RegValue "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" "MaxIdleTime"
if ($Val -gt 0) { 
    Add-Result "W-36" "RDP Idle Timeout" "양호" "타임아웃: $Val ms" 
} else { 
    Add-Result "W-36" "RDP Idle Timeout" "취약" "타임아웃 미설정" 
}

#-------------------------------------------------------------------------------
# 3. Patch Management (W-38 ~ W-39)
#-------------------------------------------------------------------------------

# W-38 Windows Update
$WU = New-Object -ComObject Microsoft.Update.AutoUpdate
$Date = $WU.Results.LastInstallationSuccessDate
Add-Result "W-38" "Windows Update" "수동점검" "마지막 성공 날짜: $Date (최신 여부 확인 필요)"

# W-39 Antivirus Update
$AV = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct -ErrorAction SilentlyContinue | Select -First 1
if ($AV) {
    Add-Result "W-39" "Antivirus Update" "양호" "백신 발견: $($AV.displayName)"
} else {
    Add-Result "W-39" "Antivirus Update" "취약" "백신 미발견 (서버 OS인 경우 수동 확인 필요)"
}

#-------------------------------------------------------------------------------
# 4. Log Management (W-40 ~ W-43)
#-------------------------------------------------------------------------------

# W-40 Audit Policy (Sample check)
$Audit = auditpol /get /category:* | Out-String
if ($Audit -match "실패") {
    Add-Result "W-40" "Audit Policy" "양호" "감사 정책 설정됨 (상세 확인 필요)"
} else {
    Add-Result "W-40" "Audit Policy" "취약" "감사 정책 미흡 가능성"
}

#-------------------------------------------------------------------------------
# 5. Security Management (W-44 ~ W-64)
#-------------------------------------------------------------------------------

# W-44 Remote Registry
if ((Get-Service "RemoteRegistry" -ErrorAction SilentlyContinue).Status -eq "Running") {
    Add-Result "W-44" "Remote Registry Service" "취약" "실행 중"
} else {
    Add-Result "W-44" "Remote Registry Service" "양호" "중지됨"
}

# W-47 Screen Saver
$A = Get-RegValue "HKCU:\Control Panel\Desktop" "ScreenSaveActive"
$S = Get-RegValue "HKCU:\Control Panel\Desktop" "ScreenSaverIsSecure"
$T = Get-RegValue "HKCU:\Control Panel\Desktop" "ScreenSaveTimeOut"
if ($A -eq "1" -and $S -eq "1" -and [int]$T -le 600) { 
    Add-Result "W-47" "Screen Saver Policy" "양호" "설정됨 (시간:$T, 암호:$S)" 
} else { 
    Add-Result "W-47" "Screen Saver Policy" "취약" "미설정 또는 기준 초과 (활성:$A, 시간:$T, 암호:$S)" 
}

# W-52 Auto Logon
$Val = Get-RegValue "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" "AutoAdminLogon"
if ($Val -eq "1") { 
    Add-Result "W-52" "Auto Logon" "취약" "자동 로그온 활성화 (1)" 
} else { 
    Add-Result "W-52" "Auto Logon" "양호" "자동 로그온 비활성화 ($Val)" 
}

# W-64 Firewall
$FW = Get-NetFirewallProfile | Where-Object {$_.Enabled -eq $True}
if ($FW) { 
    Add-Result "W-64" "Windows Firewall" "양호" "방화벽 활성화 ($($FW.Name -join ','))" 
} else { 
    Add-Result "W-64" "Windows Firewall" "취약" "방화벽 비활성화" 
}

#-------------------------------------------------------------------------------
# Generate Report
#-------------------------------------------------------------------------------
Write-Host "`nGenerating Report..."

$Header = "Windows Server Vulnerability Detailed Report`nDate: $(Get-Date)`nHostname: $Hostname`n" + ("="*100) + "`n{0,-6} | {1,-10} | {2,-40} | {3}`n" -f "ID","Status","Check Item","Evidence/Reason" + ("-"*100)
$Header | Out-File $ReportFile -Encoding UTF8

foreach($R in $Results) {
    "{0,-6} | {1,-10} | {2,-40} | {3}" -f $R.ID, $R.Status, $R.Title, $R.Evidence | Out-File $ReportFile -Append -Encoding UTF8
}

Remove-Item $TempDir -Recurse -Force | Out-Null
Write-Host "`nSaved: $ReportFile"