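# Default password given to every account this script creates.
# NOTE(review): this is a shared credential stored in plain text in the script
# source; every account created with it should have its password rotated
# after the run.
# Fix: a stray leading "a" made this line a command invocation instead of an
# assignment, so $Password was never set.
$Password = "CyberPatriotsP@ssw0rd"

# Users
# Are Files Made?
$response = Read-Host "Have you made users.txt and admins.txt on your desktop? (Y/n)"

# -eq on strings is case-insensitive in PowerShell, so one comparison covers
# both "y" and "Y". Any other input, including an empty line, counts as "no".
$answer = ($response -eq "y")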
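# Reconcile local accounts against admins.txt / users.txt on the desktop:
# create missing accounts, remove unlisted ones, fix Administrators group
# membership, then offer password changes and one ad-hoc new account.
if ($answer -eq $true) {
    # Built-in accounts that are never created, removed or re-grouped here.
    $defaultUserNames = @(
        "Administrator",
        "Guest",
        "DefaultAccount",
        "WDAGUtilityAccount"
    )

    # Snapshot of the non-default local accounts before any change.
    # LocalAccount=True keeps domain accounts out of the list on a
    # domain-joined machine; Remove-LocalUser could not act on them anyway.
    $allUsers = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True"
    $filteredUsers = @($allUsers |
        Where-Object { $defaultUserNames -notcontains $_.Name } |
        ForEach-Object { $_.Name })
    Write-Host "User names have been collected into an array."

    $desktop = [System.Environment]::GetFolderPath('Desktop')

    # Authorized administrators, one name per line.
    # @() keeps a one-line file an array; blank lines and stray whitespace are
    # dropped so they are not treated as account names.
    $filePath = [System.IO.Path]::Combine($desktop, 'admins.txt')
    if (Test-Path -Path $filePath -PathType Leaf) {
        $adminArray = @(Get-Content -Path $filePath |
            ForEach-Object { $_.Trim() } |
            Where-Object { $_ -ne '' })
    } else {
        Write-Host "admins.txt file does not exist."
        exit
    }

    # Authorized standard users, one name per line.
    $filePath = [System.IO.Path]::Combine($desktop, 'users.txt')
    if (Test-Path -Path $filePath -PathType Leaf) {
        $userArray = @(Get-Content -Path $filePath |
            ForEach-Object { $_.Trim() } |
            Where-Object { $_ -ne '' })
    } else {
        Write-Host "users.txt file does not exist."
        exit
    }

    # Every authorized account name. Array concatenation avoids the string
    # concatenation that "+=" performs when admins.txt holds a single line.
    $Users = @($adminArray) + @($userArray)

    # PowerShell variable names are case-insensitive: storing the SecureString
    # in $password would overwrite the plain-text $Password that later lines
    # still read, so it gets its own name.
    $defaultSecurePassword = ConvertTo-SecureString -AsPlainText -Force $Password

    # Create authorized accounts that do not exist yet.
    foreach ($value in $Users) {
        if ($value -in $filteredUsers) {
            Write-Host "$value is good"
        } else {
            try {
                New-LocalUser -Name $value -Password $defaultSecurePassword -ErrorAction Stop
                Write-Host "$value has been created"
                # The secret itself is not echoed per account.
                Write-Host "the password for $value has been set to the default password"
            } catch {
                Write-Host "An error occurred while creating ${value}: $_"
            }
        }
    }

    # Remove accounts that are in neither list.
    foreach ($value in $filteredUsers) {
        if ($value -in $Users) {
            continue
        }
        # Never delete the account that is running the script: a name missing
        # from the lists would otherwise remove the operator's own profile.
        if ($value -eq $env:USERNAME) {
            Write-Host "$value is running this script and was not removed; review it manually."
            continue
        }
        try {
            Remove-LocalUser -Name $value -ErrorAction Stop
            Write-Host "$value has been removed"
        } catch {
            Write-Host "An error occurred while removing ${value}: $_"
        }
    }

    # Configure Admin
    # Re-read the account list so accounts created or removed above are reflected.
    $allUsers = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True"
    $filteredUsers = @($allUsers |
        Where-Object { $defaultUserNames -notcontains $_.Name } |
        ForEach-Object { $_.Name })

    # Promote everyone listed in admins.txt.
    foreach ($value in $filteredUsers) {
        if ($value -in $adminArray) {
            $isMember = (Get-LocalGroupMember -Group "Administrators" -Member $value -ErrorAction SilentlyContinue)
            if ($null -eq $isMember) {
                try {
                    Add-LocalGroupMember -Group "Administrators" -Member $value -ErrorAction Stop
                    Write-Host "$value is now an administrator."
                }
                catch {
                    Write-Host "An error occurred while adding $value to the Administrators group: $_"
                }
            }
            else {
                Write-Host "$value is already an administrator."
            }
        }
    }

    # Demote everyone listed in users.txt. Membership is checked first so a
    # real removal failure is reported as an error instead of being mistaken
    # for "was not an administrator".
    foreach ($value in $filteredUsers) {
        if ($value -in $userArray) {
            $isMember = (Get-LocalGroupMember -Group "Administrators" -Member $value -ErrorAction SilentlyContinue)
            if ($null -eq $isMember) {
                Write-Host "$value is not an administrator."
            } else {
                try {
                    Remove-LocalGroupMember -Group "Administrators" -Member $value -ErrorAction Stop
                    Write-Host "$value is no longer an administrator."
                }
                catch {
                    Write-Host "An error occurred while removing $value from the Administrators group: $_"
                }
            }
        }
    }

    # Optional password change for each authorized administrator.
    foreach ($value in $adminArray) {
        $passwordchange = Read-Host "Would you like to change the password for ${value}? (Y/n)"
        if ($passwordchange -eq "y") {
            $defaultpasswd = Read-Host "Would you like to use the default password for ${value}? (Y/n)"
            if ($defaultpasswd -eq "y") {
                $newSecret = $defaultSecurePassword
            } else {
                # -AsSecureString masks the input and keeps the new password
                # out of the console buffer and any running transcript.
                $newSecret = Read-Host "Password:" -AsSecureString
            }
            try {
                Set-LocalUser -Name $value -Password $newSecret -ErrorAction Stop
                Write-Host "Password has been changed for ${value}"
            } catch {
                Write-Host "An error occurred while changing the password for ${value}: $_"
            }
        }
    }

    # Optional: create one additional account and put it in a group.
    $res = Read-Host "Would you like to make a new User? (Y/n)"
    $ans = ($res -eq "y")
    if ($ans -eq $true) {
        $newuser = Read-Host "What is the username?"
        $newUserSecret = Read-Host "What is the password?" -AsSecureString
        try {
            New-LocalUser -Name $newuser -Password $newUserSecret -ErrorAction Stop
            $res = Read-Host "Would you like to add this user to a group? (Y/n)"
            $ans = ($res -eq "y")
            if ($ans -eq $true) {
                $usergroupname = Read-Host "What group would you like to add the user to?"
                Add-LocalGroupMember -Group $usergroupname -Member $newuser -ErrorAction Stop
            }
        } catch {
            # A bad user or group name no longer aborts the rest of the script.
            Write-Host "An error occurred while setting up ${newuser}: $_"
        }
    }
}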
# Gate for the system-wide hardening steps that follow: only an explicit
# "y"/"Y" continues (string -eq is case-insensitive); anything else, including
# an empty line, ends the script here.
$response = Read-Host "Do you want to proceed? (Y/n)"
$answer = ($response -eq "y")
if (-not $answer) {
    exit
}
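# Enumerate file shares whose name does not end in "$" (this skips the hidden
# administrative shares such as C$ and ADMIN$) and offer to remove each one.
$shares = Get-WmiObject -Query "SELECT * FROM Win32_Share" | Where-Object { $_.Name -notlike '*$' }

foreach ($share in $shares) {
    $shareName = $share.Name
    $confirmation = Read-Host "Do you want to disable the share '$shareName'? (Y/N)"
    if ($confirmation -eq 'y') {
        Write-Host "Disabling share: $shareName..."
        try {
            # Win32_Share.Delete() reports failure through ReturnValue rather
            # than by throwing, so the result has to be inspected.
            $result = $share.Delete()
            if ($result.ReturnValue -ne 0) {
                Write-Host "Failed to remove share $shareName (return value $($result.ReturnValue))"
            }
        } catch {
            Write-Host "Failed to remove share ${shareName}: $_"
        }
    } else {
        Write-Host "Skipped share: $shareName"
    }
}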
# Set the Start value of each listed service key to "2" (automatic start).
# Names are taken as-is from the registry keys under Services.
# NOTE(review): some of these keys are presumably protected by the OS on
# current builds, in which case the write fails - confirm on the target image.
$autoStartServices = @("Sense", "WdNisSvc", "WinDefend", "mpssvc", "RpcSs")
foreach ($svcName in $autoStartServices) {
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$svcName"
    Set-ItemProperty -Path $svcKey -Name "Start" -Value "2"
}
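# Password policy, account lockout and security options, applied by editing a
# secedit export and importing it again.
#
# Fixes over the previous version:
#  * each setting now replaces the whole "Name = value" line; the old
#    substring replace left the previous value behind the new one
#    ("PasswordHistorySize = 3 0") or never matched at all;
#  * ClearTextPassword is forced to 0: 1 turns ON "Store passwords using
#    reversible encryption";
#  * AllowAdministratorLockout is edited in $content, so it is no longer
#    overwritten by the later Set-Content;
#  * RestrictAnonymous no longer also rewrites the RestrictAnonymousSAM line;
#  * the exported file is removed even when a step fails.
# A setting whose line is absent from the export is left unchanged.

# Rewrites the "Name = value" line of the [System Access] section.
function Set-SecpolSystemAccessValue {
    param([string[]]$Lines, [string]$Name, [string]$Value)
    $pattern = '^\s*' + [regex]::Escape($Name) + '\s*=.*$'
    return $Lines -replace $pattern, "$Name = $Value"
}

# Rewrites the "<registry path>\Name=type,value" line of [Registry Values].
# Every line whose final path component is Name is updated.
function Set-SecpolRegistryValue {
    param([string[]]$Lines, [string]$Name, [string]$Value)
    $pattern = '^(.*\\' + [regex]::Escape($Name) + ')\s*=.*$'
    return $Lines -replace $pattern, ('${1}=' + $Value)
}

$secpolPath = 'C:\secpol.cfg'
try {
    secedit /export /cfg $secpolPath
    $content = Get-Content $secpolPath -ErrorAction Stop

    # Password Policies and Account Lockout
    $systemAccess = @(
        @{ Name = "PasswordComplexity";        Value = "1";  Message = "Password Complexity Configured" },
        @{ Name = "PasswordHistorySize";       Value = "3";  Message = "Password History Configured" },
        @{ Name = "MinimumPasswordLength";     Value = "12"; Message = "Minimum Password Length Configured" },
        @{ Name = "MinimumPasswordAge";        Value = "7";  Message = "Minimum Password Age Configured" },
        @{ Name = "MaximumPasswordAge";        Value = "90"; Message = "Maximum Password Age Configured" },
        @{ Name = "ClearTextPassword";         Value = "0";  Message = "Reversible Encryption Disabled" },
        @{ Name = "LockoutBadCount";           Value = "10"; Message = "Password Lockout Configured" },
        @{ Name = "ResetLockoutCount";         Value = "10"; Message = "Reset Lockout Configured" },
        @{ Name = "LockoutDuration";           Value = "10"; Message = "Lockout Duration Configured" },
        @{ Name = "AllowAdministratorLockout"; Value = "1";  Message = "Administrator Lockout Configured" }
    )
    foreach ($setting in $systemAccess) {
        $content = Set-SecpolSystemAccessValue -Lines $content -Name $setting.Name -Value $setting.Value
        Write-Host $setting.Message
    }

    # Auditing
    # Remote UAC token filtering for local accounts: 0 keeps filtering on.
    $adminAccount = "Administrator"
    $guestAccount = "Guest"
    if (Test-Path -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System") {
        Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System" -Name "LocalAccountTokenFilterPolicy" -Value 0
    }
    # Disable the built-in Administrator and Guest accounts; success is only
    # reported when net.exe actually returned 0.
    net user $adminAccount /active:no
    if ($LASTEXITCODE -eq 0) {
        Write-Host "Administrator account has been disabled."
    } else {
        Write-Host "Administrator account could not be disabled."
    }
    net user $guestAccount /active:no
    if ($LASTEXITCODE -eq 0) {
        Write-Host "Guest account has been disabled."
    } else {
        Write-Host "Guest account could not be disabled."
    }

    # Security Policy ([Registry Values]: "<type>,<value>"; 4 = DWORD, 1 = string)
    # NOTE(review): RequireSecuritySignature exists for both the SMB client and
    # the SMB server key, so both lines are set to "always sign".
    # NOTE(review): the RestrictAnonymous message names a different option
    # ("SID/Name translation") than the value it sets - confirm the intent.
    $registryValues = @(
        @{ Name = "LimitBlankPasswordUse";     Value = '4,1';   Message = "Limit local account use of blank passwords - Enable" },
        @{ Name = "AllocateCDRoms";            Value = '1,"1"'; Message = "Restrict CD-Rom access to locally logged-on user - Enable" },
        @{ Name = "AllocateFloppies";          Value = '1,"1"'; Message = "Restrict Floppy access to locally logged-on user - Enable" },
        @{ Name = "DisableCAD";                Value = '4,0';   Message = "Do not require CTRL + ALT + DEL - Disable" },
        @{ Name = "DontDisplayLastUserName";   Value = '4,1';   Message = "Do not display last user name - Enable" },
        @{ Name = "EveryoneIncludesAnonymous"; Value = '4,0';   Message = "Let Everyone permissions apply to anonymous user - Disable" },
        @{ Name = "RequireSecuritySignature";  Value = '4,1';   Message = "Digitally sign communications (always) - Enable" },
        @{ Name = "EnablePlainTextPassword";   Value = '4,0';   Message = "Send unencrypted password to third-party SMB Server - Disable" },
        @{ Name = "RestrictAnonymous";         Value = '4,1';   Message = "Allow anonymous SID/Name translation - Disable" },
        @{ Name = "RestrictAnonymousSAM";      Value = '4,1';   Message = "Do not allow anonymous enumeration of SAM accounts and shares - Enable" }
    )
    foreach ($setting in $registryValues) {
        $content = Set-SecpolRegistryValue -Lines $content -Name $setting.Name -Value $setting.Value
        Write-Host $setting.Message
    }

    # One write and one import once every edit has been made.
    $content | Set-Content $secpolPath
    secedit /configure /db c:\windows\security\local.sdb /cfg $secpolPath /areas SECURITYPOLICY
    if ($LASTEXITCODE -ne 0) {
        Write-Host "secedit /configure reported an error (exit code $LASTEXITCODE); policy may not have been applied."
    }
}
catch {
    Write-Host "Security policy could not be updated: $_"
}
finally {
    # The export describes the machine's security policy; do not leave it behind.
    if (Test-Path -Path $secpolPath) {
        Remove-Item $secpolPath -Force
    }
}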
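# LDAP server signing. The NTDS\Parameters key is presumably only present on
# domain controllers, so the write is skipped when the key does not exist.
# NOTE(review): for LDAPServerIntegrity, 2 is believed to be "Require signing"
# and 1 "None" - confirm the intended value before relying on this setting.
$ntdsParameters = "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters"
if (Test-Path -Path $ntdsParameters) {
    Set-ItemProperty -Path $ntdsParameters -Name "LDAPServerIntegrity" -Value 1
    Write-Host "Member: LDAP server signing requirements - Enable"
} else {
    Write-Host "NTDS parameters key not found; LDAP server signing was not configured"
}

# SMB client: always sign. The command was previously split across two lines,
# so -Name/-Value never reached Set-ItemProperty; it is one statement again.
# The message now names the option this value controls.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" -Name "RequireSecuritySignature" -Value 1
Write-Host "Microsoft network client: Digitally sign communications (always) - Enable"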
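# Enable Firewall
Set-NetFirewallProfile -Profile Domain, Public, Private -Enabled True

# Inbound block rules per protocol.
# Fixes: the UDP list was created with -Protocol TCP, so no UDP port was ever
# blocked; rule names said "Outbound" although the rules are inbound; TCP and
# UDP rules for the same port shared one display name; and the error text
# printed ".Exception.Message" literally instead of the message.
$tcpportsToBlock = @(21, 22, 23, 25, 80, 161, 162, 3389, 4444, 8080, 8088, 8888)
$udpportsToBlock = @(3389, 161, 162, 389, 636)

$portsByProtocol = @(
    @{ Protocol = "TCP"; Ports = $tcpportsToBlock },
    @{ Protocol = "UDP"; Ports = $udpportsToBlock }
)

foreach ($group in $portsByProtocol) {
    $protocol = $group.Protocol
    foreach ($port in $group.Ports) {
        $ruleDisplayName = "Block Inbound $protocol Port $port"

        # Skip rules left by an earlier run instead of stacking duplicates.
        if (Get-NetFirewallRule -DisplayName $ruleDisplayName -ErrorAction SilentlyContinue) {
            Write-Host "Rule already exists: $ruleDisplayName"
            continue
        }

        try {
            New-NetFirewallRule -DisplayName $ruleDisplayName -Direction Inbound -LocalPort $port -Protocol $protocol -Action Block -ErrorAction Stop
            Write-Host "Rule created for $ruleDisplayName on port $port"
        }
        catch {
            Write-Host "Error creating rule for $ruleDisplayName on port ${port}: $($_.Exception.Message)"
        }
    }
}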
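# Keep remote UAC token filtering on for local accounts (0), then disable the
# built-in Administrator and Guest accounts.
$adminAccount = "Administrator"
$guestAccount = "Guest"
if (Test-Path -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System") {
    Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System" -Name "LocalAccountTokenFilterPolicy" -Value 0
}

# net.exe reports failure through its exit code; success is only announced
# when the command actually returned 0.
net user $adminAccount /active:no
if ($LASTEXITCODE -eq 0) {
    Write-Host "Administrator account has been disabled."
} else {
    Write-Host "Administrator account could not be disabled."
}

net user $guestAccount /active:no
if ($LASTEXITCODE -eq 0) {
    Write-Host "Guest account has been disabled."
} else {
    Write-Host "Guest account could not be disabled."
}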
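# Security and maintenance
# The policy key is not guaranteed to exist on a fresh install; create it so
# the SmartScreen value is actually written instead of failing.
$smartScreenKey = 'HKLM:\Software\Policies\Microsoft\Windows\System'
if (-not (Test-Path -Path $smartScreenKey)) {
    New-Item -Path $smartScreenKey -Force | Out-Null
}
Set-ItemProperty -Path $smartScreenKey -Name 'EnableSmartScreen' -Value 1

# Defender: real-time monitoring on, sample submission consent level 1.
Set-MpPreference -DisableRealtimeMonitoring $false
Set-MpPreference -SubmitSamplesConsent 1

# Remote Connections
# Deny incoming Remote Desktop connections and stop the service behind them.
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Value 1
Stop-Service -Name TermService -Force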
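# Network Adapter Settings
# First adapter that is up and whose name starts with "Ethernet".
$adapter = Get-NetAdapter | Where-Object { $_.Status -eq 'Up' -and $_.Name -like 'Ethernet*' } | Select-Object -First 1
Write-Host "Gathering Adapter Data"

# NetBios
if ($adapter) {
    $adapterName = $adapter.Name

    # NetbiosOptions: 0 = take the setting from DHCP, 1 = enabled, 2 = disabled.
    # The previous value 0 only restored the default and disabled nothing.
    $netBiosOptions = 2

    # NetBT keeps one key per interface named Tcpip_{interface GUID}. The old
    # path was split across two lines and built from the MAC address, so it
    # pointed at a key Windows never reads.
    $registryPath = "HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_$($adapter.InterfaceGuid)"
    if (Test-Path $registryPath) {
        Set-ItemProperty -Path $registryPath -Name "NetbiosOptions" -Value $netBiosOptions
        Write-Host "NetBios Configured"
    } else {
        # Do not create the key: a missing key means the path is wrong for
        # this adapter, and an invented key would have no effect.
        Write-Host "NetBT interface key not found for $adapterName; NetBios was not changed"
    }

    # Stop this connection from registering its address in DNS.
    Set-DnsClient -InterfaceAlias $adapterName -RegisterThisConnectionsAddress $false
} else {
    Write-Host "No active Ethernet adapter found; NetBios was not changed"
}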
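# Wifi Sense
# Disable auto-connect for one named wireless profile.
$profileName = "Hotspot-Name" # Replace with the name of the hotspot

# Connection profiles currently known to the system.
$profiles = Get-NetConnectionProfile

# Fixes: "Set-ConnectionProfile" is not an existing cmdlet, so the old call
# could only fail; the loop variable was $profile, which overwrote
# PowerShell's automatic $PROFILE variable; and the success message was
# printed even when nothing matched.
$autoConnectDisabled = $false
foreach ($netProfile in $profiles) {
    if ($netProfile.Name -eq $profileName) {
        Write-Host "Disabling auto-connect for $profileName..."
        # connectionmode=manual stops Windows from joining the network by itself.
        # NOTE(review): assumes the WLAN profile name equals the connection
        # profile name - confirm on the target machine.
        netsh wlan set profileparameter name="$profileName" connectionmode=manual
        if ($LASTEXITCODE -eq 0) {
            $autoConnectDisabled = $true
        }
    }
}

if ($autoConnectDisabled) {
    Write-Host "Auto-connect to $profileName has been disabled."
} else {
    Write-Host "Auto-connect was not changed for $profileName (profile not found or netsh failed)."
}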
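# Disable Services
# Services that are stopped and set to Disabled when they exist on this machine.
# NOTE(review): "PlugPlay" is the Plug and Play service; disabling it can stop
# device detection from working - confirm it belongs in this list.
$services = @(
    "TermService",
    "PlugPlay",
    "W3SVC",
    "FTPsvc",
    "mnmsrvc",
    "SessionEnv",
    "RemoteRegistry",
    "RemoteAccess",
    "SSDPSRV",
    "TlntSvr",
    "MSFTPSVC",
    "Messenger",
    "RpcLocator",
    "SNMPTRAP",
    "lmhosts",
    "SharedAccess" # ICS (SharedAccess) is included here
)

foreach ($service in $services) {
    # Services that are not installed are skipped silently.
    if (-not (Get-Service -Name $service -ErrorAction SilentlyContinue)) {
        continue
    }

    # -ErrorAction Stop turns a failed stop into an exception; without it the
    # catch block never ran and "Successfully stopped" was printed regardless.
    try {
        Stop-Service -Name $service -Force -ErrorAction Stop
        Write-Host "Successfully stopped $service"
    }
    catch {
        Write-Host "Error stopping $service"
    }

    # Disable the service even if stopping failed, so it stays off after the
    # next reboot. Failures are reported instead of being swallowed.
    try {
        Set-Service -Name $service -StartupType Disabled -ErrorAction Stop
        Write-Host "Successfully disabled $service"
    }
    catch {
        Write-Host "Error disabling ${service}: $_"
    }
}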
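# Disable Windows features
# Optional features to turn off. A name that does not exist on this edition
# of Windows ends up in the catch block and is only reported.
$featuresToDisable = @(
    "Telnet-Client",
    "TFTP",
    "SMB1Protocol",
    "SMB1Protocol-Client",
    "SMB1Protocol-Server",
    "SMBServer",
    "SMB1Protocol-DirList",
    "SNMP",
    "RIPListener"
)

foreach ($feature in $featuresToDisable) {
    try {
        # -NoRestart keeps a feature that needs a reboot from prompting or
        # restarting in the middle of the run; the script's closing checklist
        # already tells the operator to restart.
        Disable-WindowsOptionalFeature -Online -FeatureName $feature -NoRestart -ErrorAction Stop
        Write-Host "Successfully disabled feature: $feature"
    }
    catch {
        Write-Host "Error disabling feature ${feature}: $_"
    }
}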
# UAC
# Elevation prompt behaviour written for both administrators and standard
# users. For both values, 1 means "prompt for credentials on the secure
# desktop"; for administrators that is stricter than the "Always notify"
# slider position, which uses consent (2) rather than credentials.
$UACLevel = 1
$uacPolicyKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

foreach ($promptSetting in @("ConsentPromptBehaviorAdmin", "ConsentPromptBehaviorUser")) {
    Set-ItemProperty -Path $uacPolicyKey -Name $promptSetting -Value $UACLevel
}

# EnableLUA = 1 keeps UAC itself switched on.
Set-ItemProperty -Path $uacPolicyKey -Name "EnableLUA" -Value 1
Write-Host "UAC Configured"
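# Startup Apps
# Registry keys whose values are launched at boot or logon.
# Fixes: the variable name and the HKLM:/HKCU: drive prefixes were truncated,
# so the loop below iterated over an undefined variable.
$defaultStartupEntries = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Properties the registry provider adds to every result; they are not entries.
$providerProperties = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# List the entries for manual review. The previous version wrote a value
# named "Enabled" = 0 into each key, which disables nothing: every value under
# Run/RunOnce is itself treated as a startup command, so the write only added
# a junk entry while claiming the apps were disabled.
foreach ($entryPath in $defaultStartupEntries) {
    $entry = Get-ItemProperty -Path $entryPath -ErrorAction SilentlyContinue
    if ($entry) {
        Write-Host "Startup entries under: $entryPath"
        $entry.PSObject.Properties |
            Where-Object { $_.Name -notin $providerProperties } |
            ForEach-Object { Write-Host "  $($_.Name) = $($_.Value)" }
    }
}
#Write-Host "Non-default startup apps have been disabled."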
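#Godmode
# Desktop folder whose name carries the "GodMode" control-panel class id.
$filePath = "$env:USERPROFILE\Desktop\GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}"

# The item is a directory, so it has to be tested as a Container; the old
# -PathType Leaf test was always false and the script tried to create the
# folder on every run.
if (Test-Path -Path $filePath -PathType Container) {
    Write-Host "Godmode is already on your desktop"
} else {
    try {
        # -ErrorAction Stop makes a failed creation reach the catch block.
        New-Item -Path $filePath -ItemType Directory -ErrorAction Stop | Out-Null
        Write-Host "Godmode has Been Added to your Desktop"
    } catch {
        Write-Host "Godmode could not be added to your desktop: $_"
    }
}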
# Closing summary: the default password followed by the manual checklist.
# The password line writes the value of $Password to the console, so it also
# ends up in any transcript or screen capture of the session.
$divider = "-----------------------------------------------------------------"
$summaryLines = @(
    $divider,
    "The Default Password for new users is $Password",
    $divider,
    "Things left to do",
    "Go through UnwantedFiles.txt on your desktop",
    "Update Auditing in Local Security Policy",
    "Update Administrative settings in Group Policy",
    "Uninstall/Update Applications",
    "Run an Actual antivirus scanner",
    "Look through browser settings",
    "No users should be able to act as a part of the operating system",
    "Security/Windows Defender Options",
    "System Updates",
    "Restart Computer",
    $divider
)
foreach ($summaryLine in $summaryLines) {
    Write-Host $summaryLine
}
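# Optionally open the antivirus download page in the default browser.
$antivirus = Read-Host "Would you like to install an AntiVirus? (Y/n)"

# Fix: the closing quote was missing, which left the string open and swallowed
# the lines that follow.
$websiteurl = "https://www.malwarebytes.com/mwb-download"

# Only an explicit "y"/"Y" opens the page (string -eq is case-insensitive).
$virus = ($antivirus -eq "y")
if ($virus -eq $true) {
    Start-Process $websiteurl
}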