Validation Scripts

Real-time alerts, dashboards & structured search analysis

Establish best practices across your infrastructure

Free 30-day evaluation

Out-of-the-box security controls

Simplified compliance

Flexible Dashboards

Helps you keep an eye on important metrics so you stay up to date.

Reporting

Includes ready-to-run reports that can be scheduled, emailed or run on-demand.

Full SIEM

EventSentry includes log, FIM, AD & network traffic monitoring - in a single product.

Security

Alert on suspicious processes, malicious network activity, port scans and more.

Validation

Validate security settings across your entire Windows network against required and recommended settings.

Health / Inventory

EventSentry also offers a complete software and hardware inventory along with health monitoring.

"In a day and age where everything has a maintenance agreement, this is one of the few that stand out as being genuinely worthwhile. The technician support is fantastic, the updates are regular and timely, and the product works like it is supposed to."

Jamie H. (Director of IS&T, HIPAA Security Officer, PrimeWest Health)

"EventSentry’s multifaceted feature set has helped NMFTA predict and avoid Windows Server® crashes, Microsoft® SQL Server® failures, configuration problems in its VMware® environment, and malicious attacks against workstations and servers."

Urban Jonson (CTO of NMFTA)

Perpetual License

You own the license

No Data Limit

Avoid unexpected costs

No Sensor Limit

Full visibility of your network

Your metrics at a glance

Built-in dashboards:

  • Active Directory Changes
  • Network Traffic / Bandwidth
  • Heartbeat / Availability
  • Server Health
  • Performance

Easily create your own dashboards

Normalized Security Events

EventSentry translates complex security events into easy to understand, actionable reports.

Logon Failures

Affordable Event Log Monitoring Software

  • 1

    Start an evaluation

    FREE fully functional for 30-days

  • 2

    Install EventSentry

    Quick installation / Monitor in minutes

  • 3

    Monitor your infrastructure

    Peace of mind included

Complete list of Validation Scripts



Accounts: Administrator accounts must not be enumerated during elevation
Accounts: Automatic logons must be disabled
Accounts: Block Microsoft accounts
Accounts: Built-in Administrator account must be renamed
Accounts: Built-in Guest account must be renamed
Accounts: Deny log on locally user right must be configured to prevent access from highly privileged domain accounts
Accounts: Enable computer and user accounts to be trusted for delegation user right must not be assigned to any groups or accounts on domain-joined member servers and standalone systems
Accounts: Enable computer and user accounts to be trusted for delegation user right must only be assigned to the Administrators group on domain controllers
Accounts: Local accounts with blank passwords must be restricted to prevent access from the network
Accounts: Local Admin accounts must have their privileged token filtered to prevent elevated privileges from being used over the network
Accounts: Local Administrator account should be disabled
Accounts: Local Guest account should be disabled
Accounts: Lockout duration must be configured to 15 minutes or greater
Accounts: Must be configured to enable "Remote host allows delegation of non-exportable credentials"
Accounts: must disable automatically signing in the last interactive user after a system-initiated restart
Accounts: Must have the built-in Windows password complexity policy enabled
Accounts: Must have the period of time before the bad logon counter is reset configured to 15 minutes or greater
Accounts: Must require passwords
Accounts: Reversible password encryption must be disabled
Accounts: The number of allowed bad logon attempts must be configured to three or less
Accounts: UIAccess applications must not be allowed to prompt for elevation without using the secure desktop
Accounts: User Account Control (UAC) approval mode for the built-in Administrator must be enabled
Accounts: User Account Control (UAC) must automatically deny standard user requests for elevation
Accounts: User Account Control (UAC) must be configured to detect application installations and prompt for elevation
Accounts: User Account Control (UAC) must run all administrators in Admin Approval Mode, enabling UAC
Accounts: User Account Control (UAC) must virtualize file and registry write failures to per-user locations
Accounts: User Account Control (UAC) must, at a minimum, prompt administrators for consent on the secure desktop
Accounts: User Account Control must only elevate UIAccess applications that are installed in secure locations
Accounts: Users must be prompted to authenticate when the system wakes from sleep (on battery)
Accounts: Users must be prompted to authenticate when the system wakes from sleep (plugged in)
Accounts: Users must be required to enter a password to access private keys stored on the computer
Auditing: Command line data must be included in process creation events
Auditing: Event Log / Viewer must be protected from unauthorized modification and deletion
Auditing: Event Log size for Application log must be at least 32768 KB
Auditing: Event Log size for Security log must be at least 196608 KB
Auditing: Event Log size for System log must be at least 32768 KB
Auditing: Must force audit policy subcategory settings to override audit policy category settings
Auditing: Permissions for the Security event log must prevent access by non-privileged accounts
Auditing: Permissions for the System event log must prevent access by non-privileged accounts
Auditing: Removable Storage
Autoplay: Must be turned off for non-volume devices
Autoplay: Should be disabled for all drives
Autorun: behavior must be configured to prevent Autorun commands
Compliance: BitLocker should be configured in FIPS mode
Compliance: BitLocker should use AES 256 encryption
Credentials: WDigest Authentication must be disabled
Debug Programs: User right must only be assigned to the Administrators group
Directory Size: WinSxs\Temp\PendingDeletes
Domain Controller: Health - DCDiag - Warnings and Errors
Domain Controller: IPv6 Should be enabled
Domain Controller: Must be configured to allow reset of machine account passwords
Domain Controller: Must require LDAP access signing
Domain Controller: Permissions on the Active Directory data files must only allow System and Administrators access
Domain Controller: SYSVOL directory must have proper access control permissions
Domain Controller: The password for the krbtgt account on a domain must be reset at least every 180 days
Domain Controllers: Accounts: Deny log on locally user right must be configured to prevent access from highly privileged domain accounts
Domain Member: Must be running Credential Guard on domain-joined members
Domain Member: Caching of logon credentials must be limited
Domain Member: Digitally encrypt or sign secure channel data (always) must be configured to Enabled
Domain Member: Digitally encrypt secure channel data (when possible) must be configured to enabled
Domain Member: Digitally sign secure channel data (when possible) must be configured to Enabled
Domain Member: Group policy objects must be reprocessed even if they have not changed
Domain Member: Hardened UNC paths must require mutual authentication & integrity for at least \\*\SYSVOL and \\*\NETLOGON shares
Domain Member: LDAP client signing requirements
Domain Member: Local users on domain-joined member servers must not be enumerated
Domain Member: Maximum age for machine account passwords must be configured to 30 days or less
Domain Member: Windows Server must limit the caching of logon credentials to four or less
Exchange Server: Build Version Check (Exchange Updated)
Exploit Protection: Structured Exception Handling Overwrite Protection (SEHOP) must be enabled
Exploit Protection: system-level mitigation, Validate exception chains (SEHOP) must be on
File System: Back up files and directories user right must only be assigned to the Administrators group
File System: File Explorer shell protocol must run in protected mode
File System: Local volumes must be formatted with NTFS
File System: Windows must prevent Indexing of encrypted files
FIPS 140: Security Requirements for Cryptographic Modules
General: AntiVirus/Antimalware Status
General: Downloading print driver packages over HTTP must be turned off
General: Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad
General: Internet Information System (IIS) or its subcomponents must not be installed on a workstation
General: Machine inactivity limit must be set to 15 minutes or less, locking the system with the screen saver
General: Printing over HTTP must be turned off
General: Solicited Remote Assistance must not be allowed
General: Windows Defender SmartScreen must be enabled (Desktop)
General: Windows Defender SmartScreen must be enabled (Server)
General: Windows firewall status
General: Windows must prevent the display of slide shows on the lock screen
Info: Check Windows 11 Upgrade Readiness
Internet Browser: Attachments must be prevented from being downloaded from RSS feeds
Internet Browser: Basic authentication for RSS feeds over HTTP must not be used
Internet Browser: Check digital signature of executables
Internet Browser: Software must be disallowed to run or install with invalid signatures
Logon: Enable Display Last Logon Info
Logon: Network selection UI must not be displayed
Logon: Require CTRL+ALT+DEL for interactive logons
Logon: Required legal notice must be configured to display before console logon
Microsoft Edge: The Windows Defender SmartScreen filter for Microsoft Edge must be enabled (Windows 10)
Microsoft Edge: Users must not be allowed to ignore SmartScreen filter warnings for unverified files (Windows 10)
Microsoft Edge: Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for malicious websites (Windows 10)
Microsoft Edge: Windows 10 must be configured to prevent certificate error overrides in Microsoft Edge (Windows 10)
Microsoft Office: Application Guard for Office should be enabled
Microsoft Office: Check Activation Status
Network Access: Do not allow anonymous enumeration of SAM accounts and shares
Network Access: Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites
Network Access: LAN Manager authentication level must be configured to send NTLMv2 response only and refuse LM and NTLM
Network Access: Microsoft network Client: Digitally sign communications (always) must be configured to Enabled
Network Access: Microsoft network Client: Digitally sign communications (if server agrees) must be configured to Enabled
Network Access: Microsoft network Server: Digitally sign communications (always) must be configured to Enabled
Network Access: Microsoft network Server: Digitally sign communications (if client agrees) must be configured to Enabled
Network Access: Must be configured to prevent anonymous users from having the same permissions as the Everyone group
Network Access: Must Have the Server Message Block (SMB) v1 protocol disabled on the SMB client
Network Access: Must have the Server Message Block (SMB) v1 protocol disabled on the SMB server
Network Access: Must prevent NTLM from falling back to a Null session
Network Access: Restrict anonymous access to Named Pipes and Shares
Network Access: Restrict remote calls to the Security Account Manager [SAM] to Administrators
Network Access: Services using Local System when reverting to NTLM authentication must use computer identity
Network Access: Session security for NTLM SSP-based CLIENTS must require NTLMv2 session security and 128-bit encryption
Network Access: Session security for NTLM SSP-based SERVERS must require NTLMv2 session security and 128-bit encryption
Network Access: Setting Microsoft network server: Digitally sign communications (if client agrees) must be Enabled
Network Access: Unencrypted passwords must not be sent to third-party Server Message Block (SMB) servers
Network Access: Windows must not have the Server Message Block (SMB) v1 protocol installed
Network: Internet Protocol version 6 (IPv6) source routing must use highest protection level to prevent IP source routing
Network: Simple TCP/IP Services must not be installed on the system
Network: Source routing must be configured to the highest protection level to prevent Internet Protocol (IP) source routing
Passwords: Enforce history
Passwords: Maximum Age
Passwords: Minimum length
Passwords: Minimum Password Age
Passwords: must be configured to expire
Passwords: Storing LAN Manager hash
PowerShell: Script block logging must be enabled
PowerShell: v2 should not be installed / enabled
Printing: Prevent users from installing printer drivers
Privacy: Application Compatibility Program Inventory must not collect and send data to Microsoft
Privacy: Windows location services should be disabled
Privacy: Windows Telemetry Should Be Disabled
Remote Desktop Services: Idle session time limit
Remote Desktop Services: Must always prompt a client for passwords upon connection
Remote Desktop Services: Must be configured to set a time limit for disconnected sessions (Server 2012)
Remote Desktop Services: Must be configured with the client connection encryption set to High Level
Remote Desktop Services: Must not save passwords in the Remote Desktop Client
Remote Desktop Services: Must prevent drive redirection
Remote Desktop Services: Must require secure Remote Procedure Call (RPC) communications
Remote Management: Unauthenticated RPC clients must be restricted from connecting to the RPC server
Remote Management: Windows Remote Management (WinRM) client must not allow unencrypted traffic
Remote Management: Windows Remote Management (WinRM) client must not use Basic authentication
Remote Management: Windows Remote Management (WinRM) client must not use Digest authentication
Security Hardening: Check if Sysmon is installed and running
Security: Kernel (Direct Memory Access) DMA Protection must be enabled
Security: TLS/SSL Insecure Ciphers (SCHANNEL)
Security: Virtualization-based security must be enabled with platform security level set to Secure Boot
Services: List services containing a space in service path not enclosed in quotes
Shutdown: Clear virtual memory pagefile
Threat Intel: Attack Vector: Credential dumping protections using LSA Protection
Threat Intel: Attack Vector: Disable LLMNR
Threat Intel: Attack Vector: Disable Windows Event Logging
Threat Intel: Attack Vector: Disable WinRM (Windows Remote Management)
Threat Intel: Attack Vector: Preventing Unauthorized Application Execution
Threat Intel: Attack Vector: Windows downgrade attacks
Threat Intel: Confluence Security Advisory 2022-06-02 - CVE-2022-26134 - Critical
Threat Intel: Log4j Remote Code Execution - CVE-2021-44228/CVE-2021-45046
Threat Intel: Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190
Threat Intel: Persistence - AppInit DLLs
Threat Intel: PetitPotam Certificate Enrollment Web Service on Domain Controller
Threat Intel: PetitPotam NTLM Relay Attack: Disable NTLM Incoming Traffic on DCs
Threat Intel: Windows TCP/IP (v6) Remote Code Execution Vulnerability CVE-2024-38063
Tracking: The location feature must be turned off
Tracking: Windows Telemetry must not be set to Full
Virtualization: Hyper-V: Virtual Disks Folder Free Space Under 2GB
Virtualization: VirtualBox Tools Installed
Virtualization: VMware Tools Installed
Windows Installer: Disable "Always install with elevated privileges" option
Windows Installer: Must prevent users from changing installation options
Windows Installer: Users must be notified if a web-based program attempts to install software
Windows OS: Build Version Check (End Of Life)
Windows OS: Build Version Check (OS Updated)
Windows OS: Data Execution Prevention (DEP) must be configured to at least OptOut
Windows OS: Must have the DoD Root Certificate Authority (CA) certificates installed in the Trusted Root Store
Windows OS: Must not have the Fax Server role installed
Windows OS: Must not have the Microsoft FTP service installed
Windows OS: Must not have the Peer Name Resolution Protocol installed
Windows OS: Must not have the Telnet Client Installed
Windows OS: Must not have the TFTP Client Installed
Windows OS: Secure Boot must be enabled
Windows OS: Windows Activation Status
Windows OS: Windows Update must not obtain updates from other PCs on the internet
Windows Update: Windows Recovery Partition Size
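
To show what one of these checks actually inspects, here is an added example in PowerShell (it is not one of EventSentry's validation scripts and does not follow their format) that validates a sample of the settings named above by reading the registry values the corresponding Security Options and Group Policy settings write. The registry paths and value names are the documented Windows locations; the function names (New-Check, Get-RegistryValue, Test-HardeningBaseline) and the expected value chosen for each item are this example's own reading of the list wording.

```powershell
# Added example, not an EventSentry validation script. Reads the registry values behind a
# sample of the settings in the list above and reports PASS / FAIL / NOT CONFIGURED.
# Expected values translate each item's wording, e.g. "NTLMv2 response only, refuse LM
# and NTLM" is LmCompatibilityLevel = 5. Run from an elevated prompt on the host being checked.

$Lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Pol   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$SmbSv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$SmbCl = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'

function New-Check([string]$Name, [string]$Path, [string]$Value, [int64]$Expected, [string]$Op = 'eq') {
    [pscustomobject]@{ Name = $Name; Path = $Path; Value = $Value; Expected = $Expected; Op = $Op }
}

$Checks = @(
    New-Check 'LAN Manager authentication level: NTLMv2 only, refuse LM/NTLM' $Lsa 'LmCompatibilityLevel' 5
    New-Check 'Storing LAN Manager hash disabled'                              $Lsa 'NoLMHash' 1
    New-Check 'No anonymous enumeration of SAM accounts and shares'            $Lsa 'RestrictAnonymousSAM' 1
    New-Check 'Anonymous users not granted Everyone permissions'               $Lsa 'EveryoneIncludesAnonymous' 0
    New-Check 'LSA Protection (RunAsPPL) against credential dumping'           $Lsa 'RunAsPPL' 1
    New-Check 'NTLM SSP clients: NTLMv2 session security + 128-bit'   "$Lsa\MSV1_0" 'NTLMMinClientSec' 537395200  # 0x20080000
    New-Check 'NTLM SSP servers: NTLMv2 session security + 128-bit'   "$Lsa\MSV1_0" 'NTLMMinServerSec' 537395200
    New-Check 'WDigest authentication disabled' 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential' 0
    New-Check 'SMBv1 disabled on the SMB server'                               $SmbSv 'SMB1' 0
    New-Check 'SMB server: digitally sign communications (always)'             $SmbSv 'RequireSecuritySignature' 1
    New-Check 'SMB client: digitally sign communications (always)'             $SmbCl 'RequireSecuritySignature' 1
    New-Check 'SEHOP enabled' 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel' 'DisableExceptionChainValidation' 0
    New-Check 'PowerShell script block logging enabled' 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' 'EnableScriptBlockLogging' 1
    New-Check 'Command line included in process creation events'      "$Pol\Audit" 'ProcessCreationIncludeCmdLine_Enabled' 1
    New-Check 'LLMNR disabled' 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast' 0
    New-Check 'Cached logon credentials limited to four or less' 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'CachedLogonsCount' 4 'le'
    New-Check 'Windows Installer: Always install with elevated privileges off' 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer' 'AlwaysInstallElevated' 0
    New-Check 'UAC enabled (Admin Approval Mode)'                              $Pol 'EnableLUA' 1
    New-Check 'UAC: Admin Approval Mode for the built-in Administrator'        $Pol 'FilterAdministratorToken' 1
    New-Check 'UAC: automatically deny standard user elevation requests'       $Pol 'ConsentPromptBehaviorUser' 0
    New-Check 'Kerberos encryption types: AES only, no DES/RC4'       "$Pol\Kerberos\Parameters" 'SupportedEncryptionTypes' 2147483640  # 0x7FFFFFF8
)

function Get-RegistryValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist, instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-HardeningBaseline([object[]]$Checks) {
    foreach ($c in $Checks) {
        $actual = Get-RegistryValue -Path $c.Path -Name $c.Value
        if ($null -eq $actual) {
            # Value absent: the OS default applies. For most of these items the default is the
            # weaker setting and the list wording ("must be configured") expects an explicit
            # value, so an absent value is reported as a finding, not a pass.
            $status = 'NOT CONFIGURED'
        } else {
            $n  = [int64]$actual   # CachedLogonsCount is REG_SZ; the others are REG_DWORD
            $ok = switch ($c.Op) { 'eq' { $n -eq $c.Expected } 'le' { $n -le $c.Expected } }
            $status = if ($ok) { 'PASS' } else { 'FAIL' }
        }
        [pscustomobject]@{
            Status   = $status
            Check    = $c.Name
            Actual   = $actual
            Expected = "$($c.Op) $($c.Expected)"
            Location = "$($c.Path)\$($c.Value)"
        }
    }
}

Test-HardeningBaseline -Checks $Checks | Sort-Object Status, Check | Format-Table Status, Check, Actual, Expected -AutoSize
```

Two caveats a practitioner should keep in mind when reading the output. First, values under the Policies keys reflect what Group Policy delivered, so a local change that passes here can be reverted at the next policy refresh, and a domain-joined host should be judged against the GPO, not the local registry alone. Second, NOT CONFIGURED is not always a weakness: on current Windows builds WDigest caching is off by default and SMBv1 may not be installed at all, so those rows need a human read, which is why the example reports them separately from FAIL instead of folding them into either bucket.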

We now include 186 validation scripts out of the box!
Full tag list
compliance-server (131) server (111) stig-medium-server (109) compliance-desktop (108) desktop (106) security-server (103) nist800-53-server (86) stig-medium-desktop (86) nist800-53-desktop (85) security-desktop (85) nist800-171-server (78) nist800-171-desktop (61) cmmc2-l2-server (58) cmmc2-l2-desktop (46) cis-csc-server (36) pci-dss-v4-server (31) cis-csc-desktop (31) bestpractice-desktop (29) mitre-att-desktop (24) mitre-att-server (24) bestpractice-server (24) pci-dss-v4-desktop (24) stig-high-desktop (20) cmmc2-l1-server (20) stig-high-server (19) cmmc2-l1-desktop (18) tisax (16) pci-dss-v3.2-server (16) domainmember (15) domaincontroller (14) threat-intel-server (13) threat-intel-desktop (11) cmmc2-l3-server (11) pci-dss-v3.2-desktop (11) nist-privacy-server (10) sig-server (9) sec-hardening-server (8) sec-hardening-desktop (8) remote-desktop (7) health (7) nist-privacy-desktop (7) cmmc2-l3-desktop (7) privacy-server (6) privacy-desktop (6) csa-cmm-server (6) stig-low-server (5) stig-low-desktop (5) cve-server (4) stig-medium-ie (4) cve-desktop (3) cce-desktop (3) cce-server (3) niap-server (3) niap-desktop (3) fips140-2 (3) sig-desktop (3) owasptop-server (2) owasptop-desktop (2) msoffice (2) bestpractice-domaincontroller (2) hyper-v (1) mitre-desktop (1) iis-stig-high (1) bitlocker-security-desktop (1) fedramp-server (1) fedramp-desktop (1) cjis-server (1) cjis-desktop (1) ul2900-1-server (1) ul2900-1-desktop (1) csf-server (1) csf-desktop (1) info-desktop (1) csa-cmm-desktop (1) exchange-security (1) domaincontroller-health (1)