Assess Windows Security with cnspec
cnspec assesses your Windows assets for misconfigurations that put your organization at risk. You can evaluate a Windows asset for compliance with security policies created by Mondoo or the community, or create your own policies. You can also write individual tests to run on the fly or include in automated tasks.
For a list of Windows resources you can test, read Mondoo Operating Systems (OS) Resource Pack Reference and Mondoo Core Resource Pack Reference.
Requirements
To test a Windows asset with cnspec, you must have:
- cnspec installed on your workstation
- Access to the asset
Assess Windows security with policy-based scanning
The Windows Security by Mondoo policy is available to all in Mondoo's cnspec-policies GitHub repo. This collection of tests evaluates how well your environment follows fundamental Windows security best practices.
To scan a local machine using the Windows Security by Mondoo policy, run:
cnspec scan
To scan a remote machine using the Windows Security by Mondoo policy, run:
cnspec scan ssh user@IP_ADDRESS
For IP_ADDRESS, substitute the IP address of the remote Windows asset.
If you prefer WinRM for remote access, enter:
cnspec scan winrm Administrator@IP_ADDRESS --ask-pass
For IP_ADDRESS, substitute the IP address of the remote Windows asset.
cnspec finds the default policy for Windows and runs a scan based on that policy. It returns a report summarizing the scan results.
To learn more about the command, read cnspec scan.
You can also create your own policies to meet your specific needs. To learn more about policies, read Policies.
Learn more
cnspec also provides an interactive shell in which you can explore. It helps you understand the checks that cnspec policies use, and write your own as well. It’s also a great way to interact with both local and remote targets on the fly. To learn more, read Create Checks in cnspec Shell.
- To learn more about how the MQL query language works, read Write Effective MQL.
- For a list of all the operating system resources and fields you can query, read the Mondoo Operating Systems (OS) Resource Pack Reference.
- To learn about cnspec commands, read: