Adding a PowerShell query to your node group scan options allows you to run any installed cmdlet on the remote node and record the configuration it returns. Add the following queries as custom PowerShell scripts in your Windows node group scan options.

Active Directory

Computers

Schema

This query is written to run as a scan option on the domain controller itself. If you wish to use it as a scan option on another node, you will need to either specify the name of the DC in the “Server” parameter, or simply run the Get-ADRootDSE command without a server specified, depending on your configuration.
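The following is an added example, not a query from the original page, of a schema scan option written to run from a node other than the DC. It assumes the RSAT ActiveDirectory module is installed, that the scanning account can read the schema naming context, and that "dc01.example.com" is a placeholder for your own domain controller (drop -Server to let the module locate one).

```powershell
# Added example: report the AD schema version and forest/domain levels from a
# member server. "dc01.example.com" is a placeholder; remove -Server to use
# the default DC locator instead.
Import-Module ActiveDirectory

$Server = "dc01.example.com"

# rootDSE tells us where the schema lives and the functional levels in use.
$rootDse = Get-ADRootDSE -Server $Server

# objectVersion on the schema container is the schema version number, which
# only changes when the schema is extended (e.g. adprep, Exchange, custom LDFs).
$schema = Get-ADObject -Server $Server -Identity $rootDse.schemaNamingContext -Properties objectVersion

# Return one flat object so the scan records a property per value; "Name" is
# used as the key when the scan option is configured with Key Name = Name.
[PSCustomObject]@{
    Name                = "Schema"
    SchemaContext       = $rootDse.schemaNamingContext
    SchemaVersion       = $schema.objectVersion
    ForestFunctionality = $rootDse.forestFunctionality
    DomainFunctionality = $rootDse.domainFunctionality
}
```

A policy check pinning SchemaVersion to its expected value will then flag any unplanned schema extension on the next scan.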

Users

COM+

Key Name
Leave blank.

Files and Folders

Make sure a folder is completely empty of files.

Add this as a PowerShell query scan option:

(Get-ChildItem -File -Path "C:\Folder\To\Check" | Measure-Object).Count

This should report the number of files that exist in the directory C:\Folder\To\Check. You can then create a policy check on this scanned value, making sure the value is always 0. Note that the -File switch restricts the query to files, so subdirectories are not counted; because -Recurse is not used, only the top level of the folder is examined.

Make sure all files in a directory are not older than 2 days

Add this as a PowerShell query scan option:

(Get-ChildItem -File -Path "C:\Folder\To\Check" | Where-Object {$_.LastWriteTime -lt (Get-Date).AddDays(-2) } ).Count

The query lists the files (not subdirectories) in the directory C:\Folder\To\Check, keeps those whose last write time is more than 2 days old, and counts them. You can then write a policy check on this scan value enforcing that it should always be 0.
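The two queries above return nothing usable if the folder does not exist (Get-ChildItem raises an error instead of producing a count), so a "must be 0" policy check can silently have no value to compare. The following is an added example, not from the original page, that combines both checks into one scan option and reports a missing folder explicitly; the function name, the -MaxAgeDays and -Recurse parameters, and the path are all choices made for this example.

```powershell
# Added example: empty-folder and stale-file checks in one query, with the
# missing-folder case handled. Path is a placeholder.
function Get-FolderCheck {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$MaxAgeDays = 2,    # files last written more than this many days ago are "stale"
        [switch]$Recurse         # include subdirectories; the page's queries look at the top level only
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        # Report -1 rather than erroring, so a policy check expecting 0 fails
        # visibly instead of the scan having no value at all.
        return [PSCustomObject]@{
            Name         = $Path
            FolderExists = $false
            TotalFiles   = -1
            StaleFiles   = -1
        }
    }

    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)

    # @() guarantees .Count works even when zero or one item is returned.
    $files = @(Get-ChildItem -LiteralPath $Path -File -Recurse:$Recurse -ErrorAction SilentlyContinue)
    $stale = @($files | Where-Object { $_.LastWriteTime -lt $cutoff })

    [PSCustomObject]@{
        Name         = $Path
        FolderExists = $true
        TotalFiles   = $files.Count
        StaleFiles   = $stale.Count
    }
}

# Scan value: one object with both counts; write policy checks on
# TotalFiles (empty folder) or StaleFiles (nothing older than 2 days).
Get-FolderCheck -Path "C:\Folder\To\Check" -MaxAgeDays 2
```

Using -LiteralPath avoids wildcard expansion if a folder name contains brackets, which is a common cause of a check quietly examining the wrong directory.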

GAC

Key Name
Leave blank.

Local Group Policy

Local Security Policies

Description
Security Policies
Key Name
Name
Function Parse-SecPol($CfgFile){
    # Export the effective local security policy to an INF file (requires administrator rights).
    secedit /export /cfg "$CfgFile" | out-null
    $Result = @()
    $index = 0
    $contents = Get-Content $CfgFile -raw
    # Each [Section] header in the INF becomes one object whose Name is the section title.
    [regex]::Matches($contents,"(?<=\[)(.*)(?=\])") | %{
        $obj = New-Object PSObject
        $obj | Add-Member -MemberType NoteProperty -Name "Name" -Value $_.Value
        # Take the body text following the matching header, up to the next header or end of file.
        [regex]::Matches($contents,"(?<=\]).*?((?=\[)|(\Z))", [System.Text.RegularExpressions.RegexOptions]::Singleline)[$index] | %{
            $_.value -split "\r\n" | ?{$_.length -gt 0} | %{
                # Split "Key = Value" on the first "=" and add it as a property;
                # lines without "=" yield an empty name and are silently skipped.
                $value = [regex]::Match($_,"(?<=\=).*").value
                $name = [regex]::Match($_,".*?(?=\=)").value
                $obj | Add-Member -MemberType NoteProperty -Name $name.tostring().trim() -Value $value.tostring().trim() -ErrorAction SilentlyContinue | out-null
            }
        }
        $Result += $obj
        $index += 1
    }
    return $Result
}
$SecPol = Parse-SecPol -CfgFile C:\LocalSecurityPolicy.cfg
# Remove the exported file so the policy text is not left on disk after the scan.
Remove-Item C:\LocalSecurityPolicy.cfg -ErrorAction SilentlyContinue
$SecPol

System Audit Policies

To add this section to a node scan:


Create a new PowerShell scan option:

Description
Local Audit
Key Name
Name
$Result = @()

# One line per audit category, preceded by a "Category/Subcategory" header line.
$output = auditpol /list /category

$output | ForEach-Object -Process {
  $cat = $_.Trim()
  # Skip the header and any blank lines (a blank category name would break the /get call below).
  if ($cat -eq "Category/Subcategory" -or $cat -eq "") {
    return
  }

  $obj = New-Object psobject
  $obj | Add-Member -MemberType NoteProperty -Name "Name" -Value $cat

  # Subcategory lines are indented by two spaces; columns are separated by runs of spaces.
  auditpol /get /category:"$cat" | Foreach-Object -Process {
    $line = $_
    if (-Not $line.StartsWith("  ")) {
      return
    }

    # The first non-empty token is the subcategory name, the last one is its setting.
    $tokens = $line -split "  "
    $key = ""
    $val = ""
    foreach ($token in $tokens) {
      if ($token.trim() -eq "") {
        continue
      }
      if ($key -eq "") {
          $key = $token
      } else {
          $val = $token
      }
    }

    # One property per subcategory, e.g. Logon = "Success and Failure".
    $obj | Add-Member -MemberType NoteProperty -Name $key.ToString().Trim() -Value $val.ToString().Trim() -ErrorAction SilentlyContinue
  }
  $Result += $obj
}

$Result

After scanning the node, this section should contain one entry per audit category, with a property for each subcategory holding its current audit setting.
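The script above recovers the subcategory columns by splitting on runs of spaces, which depends on auditpol's text layout. The following is an added example, not from the original page, that builds the same one-object-per-category result from auditpol's CSV output (the /r switch), so the parsing does not depend on column widths. It assumes the scanning account can run auditpol and that the CSV header names are those auditpol emits on an English-language system.

```powershell
# Added example: audit policy inventory from auditpol's CSV output (/r).
$Result = @()

# Category names come from /list; drop the header line and any blank lines.
$categories = auditpol /list /category |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and $_ -ne "Category/Subcategory" }

foreach ($cat in $categories) {
    # Ordered hashtable so Name stays first when converted to an object.
    $props = [ordered]@{ Name = $cat }

    # /r emits one CSV row per subcategory with an "Inclusion Setting" column.
    # Blank lines are removed first so the header is the first row ConvertFrom-Csv sees.
    auditpol /get /category:"$cat" /r |
        Where-Object { $_.Trim() } |
        ConvertFrom-Csv |
        ForEach-Object {
            # One property per subcategory, e.g. Logon = "Success and Failure".
            $props[$_.Subcategory.Trim()] = $_.'Inclusion Setting'.Trim()
        }

    $Result += [PSCustomObject]$props
}

# Same shape as the text-parsing version: one object per category.
$Result
```

Because the CSV rows also carry the subcategory GUID, this form is the one to extend if you later need to key policy checks on the GUID rather than the display name.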


Internet Explorer

Description
Internet Explorer Version
Key Name
Leave blank.

Query

Get-ItemProperty 'hklm:\SOFTWARE\Microsoft\Internet Explorer' | Select-Object SvcVersion

IIS

Application Pools Info

Key Name
Name

Sites Logging Enabled

Key Name
Name

Virtual Directories

Key Name
Name

Website Information

Key Name
Name

Recursive File Integrity Check