Assess Windows Security with cnspec
Rely on cnspec to ensure your Windows systems follow security best practices, such as enforcing password policies, hardening Remote Desktop Protocol (RDP), securing SMB settings, configuring User Account Control (UAC), managing audit and logging policies, and restricting network access.
Before you begin
- cnspec installed on your workstation
- Access to the target system (local, SSH, or WinRM)
Scan a Windows asset
Scan the local machine
To scan the machine cnspec is running on:
cnspec scan
Scan a remote machine over SSH
To scan a remote Windows machine using SSH:
cnspec scan ssh user@IP_ADDRESS
Scan a remote machine over WinRM
To scan a remote Windows machine using WinRM with password authentication:
cnspec scan winrm Administrator@IP_ADDRESS --ask-pass
To use WinRM with SSL:
cnspec scan winrm Administrator@IP_ADDRESS --ask-pass --ssl
Understand scan output
When a scan completes, cnspec prints a summary of all the checks it ran, grouped by policy. Each check shows a pass or fail result. For example:
✓ Pass: Ensure minimum password length is 14 characters or more
✕ Fail: Ensure Windows Firewall is enabled for the Domain profile
✓ Pass: Ensure Remote Desktop requires Network Level Authentication
At the end of the output, cnspec shows a risk score from 0 (no risk) to 100 (highest risk). Failed checks include remediation guidance to help you fix issues.
cnspec automatically detects the platform and applies Mondoo's out-of-the-box Windows Security policy, which covers password policies, RDP hardening, SMB security, UAC, audit policies, firewall, and more. You can also create your own policies or specify a particular policy bundle with --policy-bundle.
Example checks
Run cnspec shell (or cnspec shell winrm Administrator@IP_ADDRESS --ask-pass for remote systems) to open the cnspec interactive shell. From there you can run checks like the examples below.
Ensure minimum password length is 14 characters or more
cnspec> secpol.systemaccess["MinimumPasswordLength"] >= 14
[ok] value: 14
Ensure Remote Desktop connection requires Network Level Authentication
cnspec> registrykey.property(path: 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services', name: 'UserAuthentication') { data == 1 }
[ok] value: 1
Ensure Windows Firewall is enabled for the Domain profile
cnspec> registrykey.property(path: 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile', name: 'EnableFirewall') { data == 1 }
[ok] value: 1
Ensure password history is configured to remember at least 24 passwords
cnspec> secpol.systemaccess["PasswordHistorySize"] >= 24
[ok] value: 24
Ensure maximum password age is 365 days or fewer
cnspec> secpol.systemaccess["MaximumPasswordAge"] <= 365
[ok] value: 90
Ensure audit policy tracks logon events
cnspec> secpol.eventaudit["AuditLogonEvents"] >= 1
[ok] value: 3
These are just a few examples. The Windows Security policy includes dozens more checks covering RDP hardening, SMB security, UAC, audit policies, and more.
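The six checks shown above can be collected into a custom policy bundle and passed to a scan with --policy-bundle. The following is an added example, not part of the original page and not Mondoo's own policy; the file name, uid, name, title and impact values are constructed, and the layout assumes cnspec's policy bundle YAML format.

```yaml
# Added example: custom policy bundle, saved for instance as windows-baseline.mql.yaml.
# All uid, name, group title and impact values are constructed for illustration.
policies:
  - uid: example-windows-baseline
    name: Example Windows Baseline
    version: 1.0.0
    groups:
      - title: Account, RDP, firewall and audit settings
        # Only apply these checks to Windows assets
        filters: |
          asset.family.contains('windows')
        checks:
          - uid: example-min-password-length
          - uid: example-password-history
          - uid: example-max-password-age
          - uid: example-rdp-nla
          - uid: example-firewall-domain-profile
          - uid: example-audit-logon-events
queries:
  - uid: example-min-password-length
    title: Ensure minimum password length is 14 characters or more
    impact: 70
    mql: secpol.systemaccess["MinimumPasswordLength"] >= 14
  - uid: example-password-history
    title: Ensure password history remembers at least 24 passwords
    impact: 50
    mql: secpol.systemaccess["PasswordHistorySize"] >= 24
  - uid: example-max-password-age
    title: Ensure maximum password age is 365 days or fewer
    impact: 50
    mql: secpol.systemaccess["MaximumPasswordAge"] <= 365
  - uid: example-rdp-nla
    title: Ensure Remote Desktop requires Network Level Authentication
    impact: 80
    mql: |
      registrykey.property(path: 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services', name: 'UserAuthentication') { data == 1 }
  - uid: example-firewall-domain-profile
    title: Ensure Windows Firewall is enabled for the Domain profile
    impact: 80
    mql: |
      registrykey.property(path: 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile', name: 'EnableFirewall') { data == 1 }
  - uid: example-audit-logon-events
    title: Ensure audit policy tracks logon events
    impact: 60
    mql: secpol.eventaudit["AuditLogonEvents"] >= 1
```

To run it against the local machine, use cnspec scan --policy-bundle windows-baseline.mql.yaml; the same flag works with the ssh and winrm targets shown earlier.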
Continuously scan your fleet
To move beyond one-off scans, register cnspec with Mondoo Platform. You get continuous monitoring across your Windows fleet, a dashboard to track security posture over time, and integration with ticketing systems to manage remediation.
Learn more
- To learn how to run ad hoc checks interactively, read Create Checks in cnspec Shell.
- For a list of all the OS resources and fields you can query, read the Mondoo Operating Systems (OS) Resource Pack Reference and Mondoo Core Resource Pack Reference.
- To learn more about how MQL works, read Write Effective MQL.