Vulnerability description
Verifies if anonymous access restrictions are disabled.
id: restrict-anonymous-access-disabled

info:
  name: Restrict Anonymous Access Disabled
  author: princechaddha
  severity: high
  description: Verifies if anonymous access restrictions are disabled.
  impact: |
    Disabling restrictions on anonymous access could expose sensitive information and increase the attack surface.
  remediation: |
    Enable anonymous access restrictions by setting the RestrictAnonymous registry key to 1 or 2.
  tags: windows,anonymous-access,code,windows-audit

self-contained: true

code:
  - pre-condition: |
      IsWindows();
    engine:
      - powershell
      - powershell.exe
    args:
      - -ExecutionPolicy
      - Bypass
    pattern: "*.ps1"
    source: |
      $restrictAnonymous = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'RestrictAnonymous'
      Write-Host "RestrictAnonymous: $($restrictAnonymous.RestrictAnonymous)"

    matchers:
      - type: word
        words:
          - "RestrictAnonymous: 0"
# digest: 490a004630440220302018a51e25deddf2e713e2f715feaa0d993f330bc3540a1231daa119016f1a022050ed95a1686cf7d7d92fd816f602bf5ce499511b1081ff5ef4d7556e778aafef:922c64590222798bb761d5b6d8e72950
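
The check and the remediation named in the template, as an added PowerShell example that is not part of the original template or of the nuclei-templates project. It also reports a missing value, which the template's word matcher on `RestrictAnonymous: 0` does not flag. The function names, the `-Value` parameter, and the choice to treat a missing or unexpected value as non-compliant are assumptions.

```powershell
# Added example (hypothetical helper names): audit and remediate RestrictAnonymous.
$LsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-RestrictAnonymousState {
    # SilentlyContinue makes an absent value come back as $null instead of an error.
    $prop = Get-ItemProperty -Path $LsaPath -Name 'RestrictAnonymous' -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        # Assumption: an absent value is reported as non-compliant.
        return [pscustomobject]@{ Value = $null; Compliant = $false; Note = 'value not present' }
    }

    $value = [int]$prop.RestrictAnonymous
    $note = switch ($value) {
        0       { 'restrictions disabled (the case the template matches)' }
        1       { 'restrictions enabled' }
        2       { 'restrictions enabled' }
        default { 'unexpected value' }
    }

    [pscustomobject]@{
        Value     = $value
        Compliant = ($value -in 1, 2)   # remediation text: set to 1 or 2
        Note      = $note
    }
}

function Set-RestrictAnonymous {
    param(
        # Only the two values the remediation text allows are accepted.
        [ValidateRange(1, 2)]
        [int]$Value = 1
    )
    # Needs an elevated session. -Force overwrites an existing value
    # and creates the DWORD when it is absent.
    New-ItemProperty -Path $LsaPath -Name 'RestrictAnonymous' `
        -PropertyType DWord -Value $Value -Force | Out-Null

    # Read the value back so the caller sees the resulting state.
    Get-RestrictAnonymousState
}

# Audit first; remediate only when the host is non-compliant.
$state = Get-RestrictAnonymousState
$state | Format-List
if (-not $state.Compliant) {
    Set-RestrictAnonymous -Value 1 | Format-List
}
```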