Helpers/Enumerations.ps1
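# Static lookup tables used by the rest of the module.
#
# The first two tables are keyed by Windows advanced-audit-policy subcategory
# GUIDs. A PowerShell @{} literal is a case-insensitive Hashtable, so the
# mixed-case GUID keys below (kept exactly as originally written) all resolve
# the same way on lookup. One hashtable entry per line: in a hashtable literal
# a newline is the entry separator, which avoids the missing ';' that existed
# between "Account Lockout" and the following entry when entries were packed
# onto one line.

# Subcategory GUID -> Audit_* identifier.
$AuditHash = @{
    "0cce9210-69ae-11d9-bed3-505054503030" = "Audit_System_SecurityStateChange"
    "0cce9211-69ae-11d9-bed3-505054503030" = "Audit_System_SecuritySubsystemExtension"
    "0cce9212-69ae-11d9-bed3-505054503030" = "Audit_System_Integrity"
    "0cce9213-69ae-11d9-bed3-505054503030" = "Audit_System_IPSecDriverEvents"
    "0cce9214-69ae-11d9-bed3-505054503030" = "Audit_System_Others"
    "0cce9215-69ae-11d9-bed3-505054503030" = "Audit_Logon_Logon"
    "0cce9216-69ae-11d9-bed3-505054503030" = "Audit_Logon_Logoff"
    "0cce9217-69ae-11d9-bed3-505054503030" = "Audit_Logon_AccountLockout"
    "0cce9218-69ae-11d9-bed3-505054503030" = "Audit_Logon_IPSecMainMode"
    "0cce9219-69ae-11d9-bed3-505054503030" = "Audit_Logon_IPSecQuickMode"
    "0cce921a-69ae-11d9-bed3-505054503030" = "Audit_Logon_IPSecUserMode"
    "0cce921b-69ae-11d9-bed3-505054503030" = "Audit_Logon_SpecialLogon"
    "0cce921c-69ae-11d9-bed3-505054503030" = "Audit_Logon_Others"
    "0cce921d-69ae-11d9-bed3-505054503030" = "Audit_ObjectAccess_FileSystem"
    "0cce921e-69ae-11d9-bed3-505054503030" = "Audit_ObjectAccess_Registry"
    "0cce921f-69ae-11d9-bed3-505054503030" = "Audit_ObjectAccess_Kernel"
    "0cce9220-69ae-11d9-bed3-505054503030" = "Audit_ObjectAccess_Sam"
    "0cce9221-69ae-11d9-bed3-505054503030" = "Audit_ObjectAccess_CertificationServices"
    "0cce9222-69ae-11d9-bed3-505054503030" = "Audit_ObjectAccess_ApplicationGenerated"
    "0cce9223-69ae-11d9-bed3-505054503030" = "Audit_ObjectAccess_Handle"
    "0cce9224-69ae-11d9-bed3-505054503030" = "Audit_ObjectAccess_Share"
    "0cce9225-69ae-11d9-bed3-505054503030" = "Audit_ObjectAccess_FirewallPacketDrops"
    "0cce9226-69ae-11d9-bed3-505054503030" = "Audit_ObjectAccess_FirewallConnection"
    "0cce9227-69ae-11d9-bed3-505054503030" = "Audit_ObjectAccess_Other"
    "0cce9228-69ae-11d9-bed3-505054503030" = "Audit_PrivilegeUse_Sensitive"
    "0cce9229-69ae-11d9-bed3-505054503030" = "Audit_PrivilegeUse_NonSensitive"
    "0cce922a-69ae-11d9-bed3-505054503030" = "Audit_PrivilegeUse_Others"
    "0cce922b-69ae-11d9-bed3-505054503030" = "Audit_DetailedTracking_ProcessCreation"
    "0cce922c-69ae-11d9-bed3-505054503030" = "Audit_DetailedTracking_ProcessTermination"
    "0cce922d-69ae-11d9-bed3-505054503030" = "Audit_DetailedTracking_DpapiActivity"
    "0cce922e-69ae-11d9-bed3-505054503030" = "Audit_DetailedTracking_RpcCall"
    "0cce922f-69ae-11d9-bed3-505054503030" = "Audit_PolicyChange_AuditPolicy"
    "0cce9230-69ae-11d9-bed3-505054503030" = "Audit_PolicyChange_AuthenticationPolicy"
    "0cce9231-69ae-11d9-bed3-505054503030" = "Audit_PolicyChange_AuthorizationPolicy"
    "0cce9232-69ae-11d9-bed3-505054503030" = "Audit_PolicyChange_MpsscvRulePolicy"
    "0cce9233-69ae-11d9-bed3-505054503030" = "Audit_PolicyChange_WfpIPSecPolicy"
    "0cce9234-69ae-11d9-bed3-505054503030" = "Audit_PolicyChange_Others"
    "0cce9235-69ae-11d9-bed3-505054503030" = "Audit_AccountManagement_UserAccount"
    "0cce9236-69ae-11d9-bed3-505054503030" = "Audit_AccountManagement_ComputerAccount"
    "0cce9237-69ae-11d9-bed3-505054503030" = "Audit_AccountManagement_SecurityGroup"
    "0cce9238-69ae-11d9-bed3-505054503030" = "Audit_AccountManagement_DistributionGroup"
    "0cce9239-69ae-11d9-bed3-505054503030" = "Audit_AccountManagement_ApplicationGroup"
    "0cce923a-69ae-11d9-bed3-505054503030" = "Audit_AccountManagement_Others"
    "0cce923b-69ae-11d9-bed3-505054503030" = "Audit_DSAccess_DSAccess"
    "0cce923c-69ae-11d9-bed3-505054503030" = "Audit_DsAccess_AdAuditChanges"
    "0cce923d-69ae-11d9-bed3-505054503030" = "Audit_Ds_Replication"
    # NOTE(review): every other value in this table is an Audit_* identifier; this
    # one is the subcategory's display name. Left unchanged because callers may
    # match on the exact string - confirm against the consumer before renaming.
    "0CCE9244-69AE-11D9-BED3-505054503030" = "Detailed File Share"
    "0cce923e-69ae-11d9-bed3-505054503030" = "Audit_Ds_DetailedReplication"
    "0cce923f-69ae-11d9-bed3-505054503030" = "Audit_AccountLogon_CredentialValidation"
    "0cce9240-69ae-11d9-bed3-505054503030" = "Audit_AccountLogon_Kerberos"
    "0cce9241-69ae-11d9-bed3-505054503030" = "Audit_AccountLogon_Others"
    "0cce9242-69ae-11d9-bed3-505054503030" = "Audit_AccountLogon_KerbCredentialValidation"
    "0cce9243-69ae-11d9-bed3-505054503030" = "Audit_Logon_NPS"
}

# Subcategory GUID -> display name as shown by the Windows audit policy UI.
$AuditSubCategoryHash = @{
    "0CCE9211-69AE-11D9-BED3-505054503030" = "Security System Extension"
    "0CCE9212-69AE-11D9-BED3-505054503030" = "System Integrity"
    "0CCE9213-69AE-11D9-BED3-505054503030" = "IPsec Driver"
    "0CCE9214-69AE-11D9-BED3-505054503030" = "Other System Events"
    "0CCE9210-69AE-11D9-BED3-505054503030" = "Security State Change"
    "0CCE9215-69AE-11D9-BED3-505054503030" = "Logon"
    "0CCE9216-69AE-11D9-BED3-505054503030" = "Logoff"
    "0CCE9217-69AE-11D9-BED3-505054503030" = "Account Lockout"
    "0CCE9218-69AE-11D9-BED3-505054503030" = "IPsec Main Mode"
    "0CCE9219-69AE-11D9-BED3-505054503030" = "IPsec Quick Mode"
    "0CCE921A-69AE-11D9-BED3-505054503030" = "IPsec Extended Mode"
    "0CCE921B-69AE-11D9-BED3-505054503030" = "Special Logon"
    "0CCE921C-69AE-11D9-BED3-505054503030" = "Other Logon/Logoff Events"
    "0CCE9243-69AE-11D9-BED3-505054503030" = "Network Policy Server"
    "0cce9247-69ae-11d9-bed3-505054503030" = "User / Device Claims"
    "0cce9249-69ae-11d9-bed3-505054503030" = "Group Membership"
    "0CCE921D-69AE-11D9-BED3-505054503030" = "File System"
    "0CCE921E-69AE-11D9-BED3-505054503030" = "Registry"
    "0CCE921F-69AE-11D9-BED3-505054503030" = "Kernel Object"
    "0CCE9220-69AE-11D9-BED3-505054503030" = "SAM"
    "0CCE9221-69AE-11D9-BED3-505054503030" = "Certification Services"
    "0CCE9222-69AE-11D9-BED3-505054503030" = "Application Generated"
    "0CCE9223-69AE-11D9-BED3-505054503030" = "Handle Manipulation"
    "0CCE9224-69AE-11D9-BED3-505054503030" = "File Share"
    "0CCE9225-69AE-11D9-BED3-505054503030" = "Filtering Platform Packet Drop"
    "0CCE9226-69AE-11D9-BED3-505054503030" = "Filtering Platform Connection"
    "0CCE9227-69AE-11D9-BED3-505054503030" = "Other Object Access Events"
    "0CCE9244-69AE-11D9-BED3-505054503030" = "Detailed File Share"
    "0CCE9245-69AE-11D9-BED3-505054503030" = "Removable Storage"
    "0CCE9246-69AE-11D9-BED3-505054503030" = "Central Policy Staging"
    "0CCE9229-69AE-11D9-BED3-505054503030" = "Non Sensitive Privilege Use"
    "0CCE922A-69AE-11D9-BED3-505054503030" = "Other Privilege Use Events"
    "0CCE9228-69AE-11D9-BED3-505054503030" = "Sensitive Privilege Use"
    "0CCE922B-69AE-11D9-BED3-505054503030" = "Process Creation"
    "0CCE922C-69AE-11D9-BED3-505054503030" = "Process Termination"
    "0CCE922D-69AE-11D9-BED3-505054503030" = "DPAPI Activity"
    "0CCE922E-69AE-11D9-BED3-505054503030" = "RPC Events"
    "0cce9248-69ae-11d9-bed3-505054503030" = "Plug and Play Events"
    "0CCE9230-69AE-11D9-BED3-505054503030" = "Authentication Policy Change"
    "0CCE9231-69AE-11D9-BED3-505054503030" = "Authorization Policy Change"
    "0CCE9232-69AE-11D9-BED3-505054503030" = "MPSSVC Rule-Level Policy Change"
    "0CCE9233-69AE-11D9-BED3-505054503030" = "Filtering Platform Policy Change"
    "0CCE9234-69AE-11D9-BED3-505054503030" = "Other Policy Change Events"
    "0CCE922F-69AE-11D9-BED3-505054503030" = "Audit Policy Change"
    "0CCE9235-69AE-11D9-BED3-505054503030" = "User Account Management"
    "0CCE9236-69AE-11D9-BED3-505054503030" = "Computer Account Management"
    "0CCE9237-69AE-11D9-BED3-505054503030" = "Security Group Management"
    "0CCE9238-69AE-11D9-BED3-505054503030" = "Distribution Group Management"
    "0CCE9239-69AE-11D9-BED3-505054503030" = "Application Group Management"
    "0CCE923A-69AE-11D9-BED3-505054503030" = "Other Account Management Events"
    "0CCE923C-69AE-11D9-BED3-505054503030" = "Directory Service Changes"
    "0CCE923D-69AE-11D9-BED3-505054503030" = "Directory Service Replication"
    "0CCE923E-69AE-11D9-BED3-505054503030" = "Detailed Directory Service Replication"
    "0CCE923B-69AE-11D9-BED3-505054503030" = "Directory Service Access"
    "0CCE9240-69AE-11D9-BED3-505054503030" = "Kerberos Service Ticket Operations"
    "0CCE9241-69AE-11D9-BED3-505054503030" = "Other Account Logon Events"
    "0CCE9242-69AE-11D9-BED3-505054503030" = "Kerberos Authentication Service"
    "0CCE923F-69AE-11D9-BED3-505054503030" = "Credential Validation"
}

# Top-level audit category (security-template key) -> display names of the
# subcategories it contains. Every display name listed here also appears as a
# value in $AuditSubCategoryHash so a GUID can be resolved to its category.
# The original lists omitted six subcategories that $AuditSubCategoryHash does
# define (Detailed File Share, Removable Storage, Central Policy Staging,
# User / Device Claims, Group Membership, Plug and Play Events); they are added
# to their Windows categories below so those GUIDs no longer fall outside every
# category.
$AuditCategoryHash = @{
    "AuditSystemEvents" = @(
        "Security System Extension",
        "System Integrity",
        "IPsec Driver",
        "Other System Events",
        "Security State Change"
    )
    "AuditLogonEvents" = @(
        "Logon",
        "Logoff",
        "Account Lockout",
        "IPsec Main Mode",
        "IPsec Quick Mode",
        "IPsec Extended Mode",
        "Special Logon",
        "Other Logon/Logoff Events",
        "Network Policy Server",
        "User / Device Claims",
        "Group Membership"
    )
    "AuditObjectAccess" = @(
        "File System",
        "Registry",
        "Kernel Object",
        "SAM",
        "Certification Services",
        "Application Generated",
        "Handle Manipulation",
        "File Share",
        "Filtering Platform Packet Drop",
        "Filtering Platform Connection",
        "Other Object Access Events",
        "Detailed File Share",
        "Removable Storage",
        "Central Policy Staging"
    )
    "AuditPrivilegeUse" = @(
        "Sensitive Privilege Use",
        "Non Sensitive Privilege Use",
        "Other Privilege Use Events"
    )
    "AuditProcessTracking" = @(
        "Process Termination",
        "DPAPI Activity",
        "RPC Events",
        "Process Creation",
        "Plug and Play Events"
    )
    "AuditPolicyChange" = @(
        "Audit Policy Change",
        "Authentication Policy Change",
        "Authorization Policy Change",
        "MPSSVC Rule-Level Policy Change",
        "Filtering Platform Policy Change",
        "Other Policy Change Events"
    )
    "AuditAccountManage" = @(
        "User Account Management",
        "Computer Account Management",
        "Security Group Management",
        "Distribution Group Management",
        "Application Group Management",
        "Other Account Management Events"
    )
    "AuditDSAccess" = @(
        "Directory Service Changes",
        "Directory Service Replication",
        "Detailed Directory Service Replication",
        "Directory Service Access"
    )
    "AuditAccountLogon" = @(
        "Kerberos Service Ticket Operations",
        "Other Account Logon Events",
        "Kerberos Authentication Service",
        "Credential Validation"
    )
}

# User-right / privilege constant (Se*) -> underscore-separated policy name.
# Several of these rights (SeDebugPrivilege, SeTcbPrivilege, SeBackupPrivilege,
# SeRestorePrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
# SeImpersonatePrivilege, ...) are equivalent to local administrator when
# granted; reviewers of exported policy should treat their assignment lists as
# high-sensitivity settings.
$UserRightsHash = @{
    "SeTrustedCredManAccessPrivilege"   = "Access_Credential_Manager_as_a_trusted_caller"
    "SeNetworkLogonRight"               = "Access_this_computer_from_the_network"
    "SeTcbPrivilege"                    = "Act_as_part_of_the_operating_system"
    "SeMachineAccountPrivilege"         = "Add_workstations_to_domain"
    "SeIncreaseQuotaPrivilege"          = "Adjust_memory_quotas_for_a_process"
    "SeInteractiveLogonRight"           = "Allow_log_on_locally"
    "SeRemoteInteractiveLogonRight"     = "Allow_log_on_through_Remote_Desktop_Services"
    "SeBackupPrivilege"                 = "Back_up_files_and_directories"
    "SeChangeNotifyPrivilege"           = "Bypass_traverse_checking"
    "SeSystemtimePrivilege"             = "Change_the_system_time"
    "SeTimeZonePrivilege"               = "Change_the_time_zone"
    "SeCreatePagefilePrivilege"         = "Create_a_pagefile"
    "SeCreateTokenPrivilege"            = "Create_a_token_object"
    "SeCreateGlobalPrivilege"           = "Create_global_objects"
    "SeCreatePermanentPrivilege"        = "Create_permanent_shared_objects"
    "SeCreateSymbolicLinkPrivilege"     = "Create_symbolic_links"
    "SeDebugPrivilege"                  = "Debug_programs"
    "SeDenyNetworkLogonRight"           = "Deny_access_to_this_computer_from_the_network"
    "SeDenyBatchLogonRight"             = "Deny_log_on_as_a_batch_job"
    "SeDenyServiceLogonRight"           = "Deny_log_on_as_a_service"
    "SeDenyInteractiveLogonRight"       = "Deny_log_on_locally"
    "SeDenyRemoteInteractiveLogonRight" = "Deny_log_on_through_Remote_Desktop_Services"
    "SeEnableDelegationPrivilege"       = "Enable_computer_and_user_accounts_to_be_trusted_for_delegation"
    "SeRemoteShutdownPrivilege"         = "Force_shutdown_from_a_remote_system"
    "SeAuditPrivilege"                  = "Generate_security_audits"
    "SeImpersonatePrivilege"            = "Impersonate_a_client_after_authentication"
    "SeIncreaseWorkingSetPrivilege"     = "Increase_a_process_working_set"
    "SeIncreaseBasePriorityPrivilege"   = "Increase_scheduling_priority"
    "SeLoadDriverPrivilege"             = "Load_and_unload_device_drivers"
    "SeLockMemoryPrivilege"             = "Lock_pages_in_memory"
    "SeBatchLogonRight"                 = "Log_on_as_a_batch_job"
    "SeServiceLogonRight"               = "Log_on_as_a_service"
    "SeSecurityPrivilege"               = "Manage_auditing_and_security_log"
    "SeRelabelPrivilege"                = "Modify_an_object_label"
    "SeSystemEnvironmentPrivilege"      = "Modify_firmware_environment_values"
    "SeManageVolumePrivilege"           = "Perform_volume_maintenance_tasks"
    "SeProfileSingleProcessPrivilege"   = "Profile_single_process"
    "SeSystemProfilePrivilege"          = "Profile_system_performance"
    "SeUndockPrivilege"                 = "Remove_computer_from_docking_station"
    "SeAssignPrimaryTokenPrivilege"     = "Replace_a_process_level_token"
    "SeRestorePrivilege"                = "Restore_files_and_directories"
    "SeShutdownPrivilege"               = "Shut_down_the_system"
    "SeSyncAgentPrivilege"              = "Synchronize_directory_service_data"
    "SeTakeOwnershipPrivilege"          = "Take_ownership_of_files_or_other_objects"
}

# Security-template [System Access] / [Kerberos Policy] setting names. This
# statement is a pipeline whose remaining stages continue beyond this chunk;
# the trailing '|' is intentional and must stay.
$SecuritySettings = "MinimumPasswordAge",
    "MaximumPasswordAge",
    "MinimumPasswordLength",
    "PasswordComplexity",
    "PasswordHistorySize",
    "LockoutBadCount",
    "ForceLogoffWhenHourExpire",
    "NewAdministratorName",
    "NewGuestName",
    "ClearTextPassword",
    "LSAAnonymousNameLookup",
    "EnableAdminAccount",
    "EnableGuestAccount",
    "ResetLockoutCount",
    "LockoutDuration",
    "MaxServiceAge",
    "MaxTicketAge",
    "MaxRenewAge",
    "MaxClockSkew",
    "TicketValidateClient" |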