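# =============================================================
# READ-ONLY AUDIT (exports to C:\Users\jhigueros\Downloads\audit_YYYYMMDD_HHMM\)
# Windows Server 2019 Standard
# Copy/paste into an elevated PowerShell (Administrator).
# It does not change system configuration. The only writes it performs are:
#   - the evidence folder under $BASE (and removal of a previous lgpo-backup
#     inside that folder before re-running LGPO),
#   - clearing the Mark-of-the-Web on the specific tool executables this
#     script launches (never on the whole Downloads folder).
# Part A (sections 0-9) collects evidence.
# Part B (sections 10-16) re-runs the LGPO backup with diagnostics when the
# backup from Part A came out empty; it reuses the most recent audit_* folder.
# =============================================================

# --- 0) Base folder in Downloads (the single place to change the user path) ---
$DL    = "C:\Users\jhigueros\Downloads"
$STAMP = Get-Date -Format "yyyyMMdd_HHmm"
$BASE  = Join-Path $DL ("audit_" + $STAMP)
New-Item -ItemType Directory -Path $BASE -Force | Out-Null
Set-Location $DL
"$BASE"

# Tools launched from Downloads. They are downloaded binaries executed as
# Administrator, so record their Authenticode status as evidence and warn
# (without aborting) when a signature is not 'Valid'. Only the executables
# that actually exist are considered; the optional tools are skipped silently.
$TOOLS = @(
  (Join-Path $DL "LGPO\lgpo.exe"),
  (Join-Path $DL "PolicyAnalyzer\PolicyAnalyzer.exe"),
  (Join-Path $DL "Sysinternals\autoruns.exe"),
  (Join-Path $DL "Sysinternals\sigcheck.exe"),
  (Join-Path $DL "Sysinternals\accesschk.exe"),
  (Join-Path $DL "ASA\asa.exe"),
  (Join-Path $DL "WinAudit\WinAudit.exe")
) | Where-Object { Test-Path -LiteralPath $_ }

$TOOLS | ForEach-Object {
  $sig = Get-AuthenticodeSignature -FilePath $_
  if ($sig.Status -ne 'Valid') {
    Write-Warning ("Signature status '{0}' for {1}" -f $sig.Status, $_)
  }
  "{0}`t{1}`t{2}" -f $sig.Status, $sig.SignerCertificate.Subject, $_
} | Out-File "$BASE\tool_signatures.tsv" -Encoding UTF8

# Clear the Mark-of-the-Web only on the tools listed above, so they run without
# the Attachment Manager prompt. Unrelated files in Downloads keep their zone
# marker (SmartScreen / Office protections still apply to them).
$TOOLS | ForEach-Object { Unblock-File -LiteralPath $_ -ErrorAction SilentlyContinue }

# --- 1) Exports of the current state (all text evidence written as UTF-8) ---
secedit /export /cfg "$BASE\secpol_current.inf"
gpresult /h "$BASE\gpresult.html" /f
auditpol /get /category:* | Out-File "$BASE\auditpol_full.txt" -Encoding UTF8
netsh advfirewall show allprofiles | Out-File "$BASE\firewall.txt" -Encoding UTF8
wmic qfe list | Out-File "$BASE\patches_wmic.txt" -Encoding UTF8
Get-HotFix | Sort-Object InstalledOn -Descending | Format-Table -Auto | Out-File "$BASE\patches_gethotfix.txt" -Encoding UTF8
systeminfo | Out-File "$BASE\systeminfo.txt" -Encoding UTF8
Get-ComputerInfo | Out-File "$BASE\computerinfo.txt" -Encoding UTF8

# --- 2) LGPO: backup of the effective local policy (to compare in Policy Analyzer) ---
$LGPO = Join-Path $DL "LGPO\lgpo.exe"
$BKP  = Join-Path $BASE "lgpo-backup"
& $LGPO /b $BKP
"LGPO exit code: $LASTEXITCODE"

# --- 3) Map GUID folders under \GPOs to display names (to pick the right baseline) ---
$GPOs = Join-Path $DL "GPOs"
if (Test-Path -LiteralPath $GPOs) {
  Get-ChildItem -Path $GPOs -Directory | ForEach-Object {
    $xml = Join-Path $_.FullName "GPO.xml"
    if (Test-Path -LiteralPath $xml) {
      $name = ([xml](Get-Content $xml)).GPO.DisplayName
      "{0}`t{1}" -f $name, $_.FullName
    }
  } | Tee-Object "$BASE\GPO_Map.tsv"
} else {
  Write-Warning "Baseline folder not found: $GPOs (GPO_Map.tsv not generated)"
}

# --- 4) Open Policy Analyzer (visual comparison and export from the UI) ---
# Steps in the UI:
#   a) Add... -> select the *Member Server* baselines from $DL\GPOs\{GUID}\
#   b) Add... -> add the backup: $BASE\lgpo-backup
#   c) Compare -> Show only differences (optional)
#   d) File -> Export -> save CSV/HTML as $BASE\PolicyAnalyzer_Report.csv
Start-Process "$DL\PolicyAnalyzer\PolicyAnalyzer.exe"

# --- 5) Registry queries for key controls (read-only) ---
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin /v ConsentPromptBehaviorUser /v FilterAdministratorToken /v InactivityTimeoutSecs /v LocalAccountTokenFilterPolicy | Out-File "$BASE\reg_uac.txt" -Encoding UTF8
reg query "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v requiresecuritysignature | Out-File "$BASE\reg_smb_server.txt" -Encoding UTF8
reg query "HKLM\System\CurrentControlSet\Services\LanmanWorkstation\Parameters" /v RequireSecuritySignature | Out-File "$BASE\reg_smb_workstation.txt" -Encoding UTF8
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" /v NTLMMinClientSec /v NTLMMinServerSec | Out-File "$BASE\reg_ntlm.txt" -Encoding UTF8
reg query "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v EnableICMPRedirect | Out-File "$BASE\reg_icmp.txt" -Encoding UTF8

# --- 6) (Optional) Sysinternals, if present in Downloads\Sysinternals (audit only) ---
if (Test-Path "$DL\Sysinternals\autoruns.exe") {
  & "$DL\Sysinternals\autoruns.exe" /accepteula /nologo /quiet /log "$BASE\autoruns.csv"
}
if (Test-Path "$DL\Sysinternals\sigcheck.exe") {
  & "$DL\Sysinternals\sigcheck.exe" -u -e C:\Windows\System32 | Out-File "$BASE\sigcheck_untrusted.txt" -Encoding UTF8
}
if (Test-Path "$DL\Sysinternals\accesschk.exe") {
  & "$DL\Sysinternals\accesschk.exe" -dqv "C:\Program Files" | Out-File "$BASE\accesschk_programfiles.txt" -Encoding UTF8
}

# --- 7) (Optional) Attack Surface Analyzer, if present in Downloads\ASA (read-only snapshot) ---
if (Test-Path "$DL\ASA\asa.exe") {
  & "$DL\ASA\asa.exe" collect --preset full --output "$BASE\asa_snapshot"
}

# --- 8) (Optional) WinAudit, if present in Downloads\WinAudit ---
if (Test-Path "$DL\WinAudit\WinAudit.exe") {
  & "$DL\WinAudit\WinAudit.exe" /r=all /f="$BASE\winaudit.html" /format=html
}

# --- 9) Result ---
"$BASE"

# =============================================================
# PART B — LGPO backup troubleshooting.
# Run when $BASE\lgpo-backup from section 2 is missing or empty.
# =============================================================

# --- 10) Base folder: the most recent audit_* in Downloads (created if none exists),
#          so the backup lands next to the evidence collected in Part A ---
$LATEST = Get-ChildItem -Path $DL -Directory -Filter "audit_*" |
  Sort-Object LastWriteTime -Descending | Select-Object -First 1
if ($LATEST) {
  $BASE = $LATEST.FullName
} else {
  $BASE = Join-Path $DL ("audit_" + (Get-Date -Format "yyyyMMdd_HHmm"))
  New-Item -ItemType Directory -Path $BASE -Force | Out-Null
}
$BKP  = Join-Path $BASE "lgpo-backup"
$LGPO = Join-Path $DL "LGPO\lgpo.exe"
$BASE, $BKP, $LGPO

# --- 11) Clear the Mark-of-the-Web on lgpo.exe only (not on every file in Downloads) ---
if (Test-Path -LiteralPath $LGPO) {
  Unblock-File -LiteralPath $LGPO -ErrorAction SilentlyContinue
} else {
  Write-Warning "lgpo.exe not found at $LGPO"
}

# --- 12) Fresh backup: remove a previous (possibly empty) attempt inside $BASE first ---
if (Test-Path -LiteralPath $BKP) { Remove-Item -LiteralPath $BKP -Recurse -Force }
& $LGPO /b $BKP
"LGPO exit code: $LASTEXITCODE"

# --- 13) Verification: Registry.pol must exist under both Machine and User ---
"Machine\Registry.pol present: {0}" -f (Test-Path (Join-Path $BKP "Machine\Registry.pol"))
"User\Registry.pol present:    {0}" -f (Test-Path (Join-Path $BKP "User\Registry.pol"))
Get-ChildItem -Recurse $BKP | Select-Object FullName, Length | Format-Table -Auto

# --- 14) Fallback: run LGPO from its own folder (the current directory sometimes matters) ---
Push-Location (Split-Path $LGPO)
if (Test-Path -LiteralPath $BKP) { Remove-Item -LiteralPath $BKP -Recurse -Force }
& .\lgpo.exe /b $BKP
Pop-Location
Get-ChildItem -Recurse $BKP | Select-Object FullName, Length | Format-Table -Auto

# --- 15) If the backup is still not created, print LGPO help and the environment to find out why ---
& $LGPO /? | Out-String
[Environment]::OSVersion.VersionString
whoami /groups

# --- 16) Open Policy Analyzer and the evidence folder ---
Start-Process (Join-Path $DL "PolicyAnalyzer\PolicyAnalyzer.exe")
explorer.exe $BASE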