Harden Windows Safely, Securely using Official Supported Microsoft methods and proper explanation | Always up-to-date and works with the latest build of Windows | Provides tools and Guides for Personal, Enterprise, Government and Military security levels | Read The Rationale https://github.com/HotCakeX/Harden-Windows-Security/blob/main/Rationale.md
MIT License
Published by HotCakeX about 1 year ago
New-WDACConfig -MakeDefaultWindowsWithBlockRules. They are for Scenario/variant 4.
Get-CommonWDACConfig: if the user configuration file is empty, the message is now different.
Related PR: https://github.com/HotCakeX/Harden-Windows-Security/pull/119
Thanks to @dennyamarojr for the issue https://github.com/HotCakeX/Harden-Windows-Security/issues/117
Published by HotCakeX about 1 year ago
DisableExtensionPoints for PrintDialog.exe and BlockDynamicCode for Regsvr32.exe; this could potentially prevent an edge case when a user tries to print something from an RDP session, using the redirected printing feature, back to the host OS. It's rare, but the goal is to never break any functionality. These changes are automatically applied when you run the Microsoft Defender category using the Harden Windows Security Module.
PR: https://github.com/HotCakeX/Harden-Windows-Security/pull/112
Published by HotCakeX about 1 year ago
After performing a threat assessment, made the decision to ship all of the important parts of the Harden Windows Security Module with itself in one package, so when you install it from the PowerShell Gallery, it no longer downloads or runs code from GitHub; everything is available locally on your computer. This should provide more confidence and trust in the workflow of the code. Only resources such as plain-text simple CSV files are downloaded from the repository. Those are explicitly and safely imported into a variable with a defined type.
Improved the requirement checks in the hardening measures after reporting a documentation issue and having it fixed: https://github.com/MicrosoftDocs/microsoft-365-docs/issues/12747
Substantially improved the displayed output of the Confirm-SystemCompliance cmdlet. The values of the Compliant column, which are either True, False or N/A, are now color coded and False values blink. This makes it easier for you to quickly identify each value by simply scrolling through the result.
Added a BitLocker check for the OS drive to make sure it's properly encrypted.
Removed the following items from the default security policy inf file because when they are used in Azure VMs using the Unprotect-WindowsSecurity cmdlet, they would cause problems, since Azure VMs use the built-in administrator account and those accounts are renamed when you create the VM, set to the same username you choose during VM creation.
EnableAdminAccount = 0
EnableGuestAccount = 0
NewAdministratorName = "Administrator"
NewGuestName = "Guest"
You can find the module's documentation here.
PR: https://github.com/HotCakeX/Harden-Windows-Security/pull/104
Published by HotCakeX about 1 year ago
PR: https://github.com/HotCakeX/Harden-Windows-Security/pull/102
Published by HotCakeX about 1 year ago
Improved the Invoke-WDACSimulation cmdlet's performance. It's faster, better and outputs a CSV file for the result of the simulation.
Added a new parameter to the Deploy-SignedWDAC cmdlet, called -Deploy. When used, it will deploy the signed policy on the current system; otherwise it will only create the signed policy. This is especially useful when you want to deploy the policy somewhere else using the built-in Citool.exe tool.
Renamed the -Deployit parameter names to -Deploy.
Added the -Deploy parameter for New-WDACConfig -PrepMSFTOnlyAudit and New-WDACConfig -PrepDefaultWindowsAudit. This allows you to deploy those audit policies remotely to collect audit logs.
Updated the Get-CommonWDACConfig cmdlet's behavior when the user configuration json file is nonexistent.
Updated the -CertPath parameter of all the cmdlets that use it.
Removed the -DeployLatestDriverBlockRules parameter from the New-WDACConfig cmdlet and instead added the optional -Deploy parameter to New-WDACConfig -GetDriverBlockRules; it does the same task.
Removed the -DeployLatestBlockRules parameter from the New-WDACConfig cmdlet and instead added the optional -Deploy parameter to New-WDACConfig -GetBlockRules; it does the same task.
Confirm-WDACConfig now runs all 3 checks if you use it without passing any parameters.
Edit-SignedWDACConfig, Remove-WDACConfig and Deploy-SignedWDACConfig
Fixed a bug where the Remove-WDACConfig cmdlet wouldn't auto-complete policy names if one of the policies didn't have a friendly name.
The Remove-WDACConfig cmdlet now shows -PolicyNames first, above the -PolicyIDs, for more convenience.
PR: https://github.com/HotCakeX/Harden-Windows-Security/pull/101
Published by HotCakeX about 1 year ago
Pull request: https://github.com/HotCakeX/Harden-Windows-Security/pull/98
Published by HotCakeX about 1 year ago
Added Exploit Protections / Process Mitigations for Microsoft 365 apps including OneDrive - https://github.com/HotCakeX/Harden-Windows-Security/issues/49
The script now finds and adds OneDrive for business folders in addition to personal OneDrive folders to the Controlled Folder Access protections.
Improved OS version check.
Improved displayed messages.
Added checks to make sure Microsoft Defender is not running in Passive mode before running the hardening measures, basically checking that all the requirements are met.
Related PR: https://github.com/HotCakeX/Harden-Windows-Security/pull/91
PR: https://github.com/HotCakeX/Harden-Windows-Security/pull/93
Published by HotCakeX about 1 year ago
https://github.com/HotCakeX/Harden-Windows-Security/commit/0954b404c612da05736ba700c8e3563aa2053706
Published by HotCakeX about 1 year ago
Updated the Confirm-SystemCompliance and Unprotect-WindowsSecurity cmdlets to support changes in the latest Hardening script version: https://github.com/HotCakeX/Harden-Windows-Security/releases/tag/v2023.08.20
Some minor code improvements and visual upgrades, you can see them in here: https://www.youtube.com/watch?v=nY_DXkZOiwc
Adjusted the Credential providers section checks in lock screen category
https://github.com/HotCakeX/Harden-Windows-Security/commit/46df4d00195fe12dea926247f81c7f61e84d7017
Published by HotCakeX about 1 year ago
Added Restore point scanning to the Microsoft Defender category
Script now disables performance mode of Microsoft Defender that applies only to the Dev drive.
Added a new feature that blocks malicious connections using network protection instead of only showing warnings
The Microsoft Security baselines category now shows an additional option for applying it with the Optional Overrides. Previously they had their own category and the options are still the same. Now you just have better management over them and you can either choose to apply Microsoft Security Baseline only or Microsoft Security Baseline + Optional Overrides.
Fixed this issue with using the script on non-English system localizations
Minor code improvements and visual upgrades. If you want to see them make sure you use PowerShell core.
https://github.com/HotCakeX/Harden-Windows-Security/commit/78a4f34993a70dd21367ce21fec9fedf712981bc
Published by HotCakeX about 1 year ago
Published by HotCakeX about 1 year ago
Added the Unprotect-WindowsSecurity cmdlet as requested; it can undo the hardening measures applied by the Protect-WindowsSecurity cmdlet.
Published by HotCakeX about 1 year ago
Added the -AllowFileNameFallbacks parameter by default when creating policies. It's a great parameter that helps include files that do not have an OriginalFileName.
Fixed the Microsoft recommended Block lists URLs in the code because they were changed and had to be updated - Thanks @mind777
Improved code quality (Security, readability, typos in the comments etc.)
Published by HotCakeX about 1 year ago
The resolution described in this article has been released enabled by default. To apply the enabled by default resolution, install the Windows update that is dated on or after August 8, 2023. No further user action is required.
Enhanced the clarity and security of the script’s code by employing single quotation marks instead of double quotation marks wherever feasible and rigorously/explicitly specifying the types of the variables.
Changed the security measure related to Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932. The majority of this security measure has been implemented by default in Windows now, leaving only a minor portion outstanding. This final segment is also provisional and will soon be fully activated by default as the document indicates. Once this occurs, it will become superfluous and this script will cease to incorporate it.
As always, the paramount thing you have to do is to ensure your operating system (OS) is always up to date and latest version.
In the Miscellaneous category, when adding all user accounts to the Hyper-V security group, the group is now detected using its SID rather than name. This makes it work on systems with non-English locales.
The "Restrict Unauthenticated RPC Clients" policy, when set to "Authenticated without exceptions", prevents Windows Sandbox from working. So that policy, which was added 3 days ago, is now removed.
Microsoft Security Baseline sets it to the correct secure value, which is "Authenticated", but "Authenticated without exceptions" is more restrictive and causes that problem.
All you have to do to revert it is to run the script again, especially the Microsoft Security Baseline category, so that it will change to the correct value and you will be able to use Windows Sandbox again.
Published by HotCakeX about 1 year ago
The compliance checking module now uses the registry instead of Group Policy. This was done because Group Policies are translated into different languages and locales, so the old method couldn't be used by users with non-English system locales.
This also saves about 1000 lines of code, makes the compliance checking faster and generates more detailed output.
Overall it's a positive change.
P.S. When you invoke the Confirm-SystemCompliance cmdlet, the module automatically checks for updates and updates itself if a new version is available.
Published by HotCakeX about 1 year ago
Changed the Hyper-V Administrators security group members detection from using name to SID to make it compatible with non-English system locales.
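The SID-based group detection described above and in the Miscellaneous category note, as an added example (not the module's own code): it resolves the Hyper-V Administrators group by its well-known SID S-1-5-32-578 and adds enabled local users that are not yet members. It assumes a standalone machine and an elevated session; the function name is made up for this example.

```powershell
# Added example, not the module's own code: resolve the Hyper-V Administrators
# group by its well-known SID instead of its localized display name, and add
# every enabled local user that is not already a member. Assumes a standalone
# machine and an elevated PowerShell session.

# BUILTIN\Hyper-V Administrators is the well-known RID 578 under S-1-5-32.
$HyperVAdminsSid = 'S-1-5-32-578'

# The display name differs per locale (e.g. "Hyper-V-Administratoren"); the SID does not.
$HyperVGroup = Get-LocalGroup -SID $HyperVAdminsSid

function Add-LocalUsersToHyperVAdmins {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$GroupSid = $HyperVAdminsSid)

    # Compare members by SID as well, so renamed accounts are still matched correctly.
    [string[]]$MemberSids = @(Get-LocalGroupMember -SID $GroupSid | ForEach-Object { $_.SID.Value })

    foreach ($User in Get-LocalUser | Where-Object { $_.Enabled }) {
        if ($MemberSids -contains $User.SID.Value) { continue }
        if ($PSCmdlet.ShouldProcess($User.Name, "Add to $($HyperVGroup.Name)")) {
            # -Member accepts SID strings, so no name lookup is needed here either.
            Add-LocalGroupMember -SID $GroupSid -Member $User.SID.Value
        }
    }
}

# Preview with -WhatIf first, then run it without the switch to apply the change.
Add-LocalUsersToHyperVAdmins -WhatIf
```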
Improved the code security and readability by adding explicit types to many variables and using single quotes instead of double quotes wherever possible.
P.S the module auto updates when you run it, so no manual action is needed.
Published by HotCakeX about 1 year ago
Updated the Compliance checks to include changes in the following Harden Windows Security update
Changed Windows Firewall category from using cmdlets to Group policy xml parsing, fixing this bug
Published by HotCakeX about 1 year ago
Removed Edge browser policies that are not applicable when you sign in using a personal Microsoft account instead of Microsoft Entra ID. This is a new security change by Microsoft that is coming into effect starting with Edge version 116, a few days from now. The Edge Group Policies documentation clearly mentions which policies are like that. There is nothing to be worried about; you can configure these settings from the Edge browser settings page. In Edge browser versions 116 and above, the status of these policies in edge://policy/ is "Ignored" when signed in with a personal Microsoft account. You don't have to take any additional actions; the script automatically takes care of removing them if they exist. Policies with "Ignored" status do not cause any problem, but to keep things clean, removing the following Edge browser policies from the Windows Hardening script:
Removed the Top Security category and instead placed each hardening measure that was in there into its correct category. This way users have more granular control and can enable individual hardening measures instead of using all of them at once. Some of them cause inconvenience more than the others while providing security, please check out the description of each of them in the Readme.
In the Readme, made it clear that individual hardening measures that prompt for additional confirmation before running, like the ones mentioned above, are marked with an icon.
In the Readme, added a note to "Hides the entry points for Fast User Switching" in User Account Control Category and "Don't display last signed-in" in Lock screen category policies that require additional confirmation before running. If any of those 2 policies is used, you won't be able to use "Forgot my PIN" feature in lock screen or logon screen. If you forget your PIN, you won't be able to recover it.
When running the Harden Windows Security script with PowerShell core, you will see better new styling now.
Added a new hardening measure in the Lock screen category. It sets Windows Hello PIN as the default Credential Provider and excludes the Credential Providers listed below. We do this because if the "Don't display last signed-in" policy is used, it defaults to Password on logon screen. Smart cards are old and insecure compared to Windows Hello or WHfB, if Microsoft account password sign-in is available it defeats the purpose of having a local PIN that's tied to a device. Goes without saying that you shouldn't use this policy if local password or Smart card is the only way you use to log in. If that's the case then first connect your Windows account to Microsoft account and then use this policy. List of the Credential Providers that are blocked by this policy:
{1b283861-754f-4022-ad47-a5eaaa618894}
{1ee7337f-85ac-45e2-a23c-37c753209769}
{8FD7E19C-3BF7-489B-A72C-846AB3678C96}
{F8A0B131-5F68-486c-8040-7E8FC3C85BB6}
{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}
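A locale-independent compliance check for the credential provider policy above, in the registry-reading style the compliance module moved to (added example, not the module's own code). It assumes the "Exclude credential providers" and "Assign a default credential provider" policies are stored under HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System as the string values ExcludedCredentialProviders (comma-separated CLSIDs) and DefaultCredentialProvider; the function names are made up for this example.

```powershell
# Added example, not the module's own code: a locale-independent compliance check
# that reads the policy values straight from the registry instead of querying
# Group Policy. Assumption: the "Exclude credential providers" and "Assign a default
# credential provider" policies are stored under the key below as the string values
# ExcludedCredentialProviders (comma-separated CLSIDs) and DefaultCredentialProvider.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# The five providers the Lock Screen category is expected to exclude.
[string[]]$ExpectedExcluded = @(
    '{1b283861-754f-4022-ad47-a5eaaa618894}'
    '{1ee7337f-85ac-45e2-a23c-37c753209769}'
    '{8FD7E19C-3BF7-489B-A72C-846AB3678C96}'
    '{F8A0B131-5F68-486c-8040-7E8FC3C85BB6}'
    '{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}'
)

# Returns the value, or an empty string when the key or value does not exist.
function Get-PolicyString([string]$Key, [string]$Name) {
    try { [string](Get-ItemPropertyValue -Path $Key -Name $Name -ErrorAction Stop) }
    catch { '' }
}

function Test-CredentialProviderCompliance {
    $Excluded = Get-PolicyString -Key $PolicyKey -Name 'ExcludedCredentialProviders'
    $Default  = Get-PolicyString -Key $PolicyKey -Name 'DefaultCredentialProvider'

    # CLSIDs are case-insensitive, so normalize both sides before comparing.
    [string[]]$Present = @($Excluded -split ',' | ForEach-Object { $_.Trim().ToLowerInvariant() } | Where-Object { $_ })
    [string[]]$Missing = @($ExpectedExcluded | ForEach-Object { $_.ToLowerInvariant() } | Where-Object { $Present -notcontains $_ })

    # One row per check, in the shape of the Compliant column of Confirm-SystemCompliance.
    [PSCustomObject]@{ Check = 'Excluded credential providers'; Compliant = ($Missing.Count -eq 0); Detail = ($Missing -join ',') }
    [PSCustomObject]@{ Check = 'Default credential provider';   Compliant = ($Default -ne '');     Detail = $Default }
}

# Colour-code the result the way the module does: green for True, red for False.
Test-CredentialProviderCompliance | ForEach-Object {
    $Colour = if ($_.Compliant) { 'Green' } else { 'Red' }
    Write-Host ('{0,-30} {1}' -f $_.Check, $_.Compliant) -ForegroundColor $Colour
    if ($_.Detail) { Write-Host "    $($_.Detail)" }
}
```

The Detail column lists any expected CLSIDs that are missing from the exclusion list, so a False result tells you exactly which provider is still allowed.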
Published by HotCakeX about 1 year ago
If you've already installed the Harden Windows Security Module then you don't have to manually update it. When you run it, it can detect new versions and auto-updates itself. 🫰
Published by HotCakeX about 1 year ago
In the Bitlocker category, hibernation will only be enabled on physical machines, because virtual machines such as Hyper-V VMs have other features such as saving the VM's state, Checkpoints, Pause etc.; they do not support hibernation and throw an error.
Added a new group policy to the Windows Networking category to clear all the entries for Remotely accessible registry paths
Added a new group policy to the Windows Networking category to clear all the entries for Remotely accessible registry paths and subpaths
In the Miscellaneous category, added a new policy for Command line process auditing
In the Lock Screen category, changed the anti-hammering feature for lock screen by lowering the number of subsequent failed sign-in attempts from 6 to 5.
In the Lock screen category, added a new policy for Account lockout threshold and set it to 5.
In the Lock screen category, added a new policy for Reset account lockout counter and set it to 1440 minutes or 1 day. In combination with other policies in this category, this means every 5 failed sign-in attempts will need a full day to pass before 5 more attempts can be made, otherwise Bitlocker will engage, system will be restarted and 48-digit Bitlocker code will be asked. This policy greatly prevents brute force attempts.
In the Lock screen category, added a new policy for Account lockout duration and set it to 1440 minutes or 1 day. In combination with other policies in this category, this means every 5 failed sign-in attempts will need a full day to pass before 5 more attempts can be made, otherwise Bitlocker will engage, system will be restarted and 48-digit Bitlocker code will be asked. This policy greatly prevents brute force attempts.
In the Miscellaneous category, added a new policy for enabling the RPC Endpoint Mapper Client Authentication policy
In the Miscellaneous category, added a new policy to set the Restrict Unauthenticated RPC Clients policy to "Authenticated without exceptions"
In the Lock Screen category, added the following PIN Complexity rules for Windows Hello
In the non-admin category, removed the registry keys related to security measures for disabling toast/push notifications on lock screen, because Microsoft security baselines already apply them.
In the non-admin category, added a new security measure for disabling "Show reminders and incoming VoIP calls on the lock screen" in the Settings > System > Notifications