Harden-Windows-Security

Harden Windows Safely, Securely using Official Supported Microsoft methods and proper explanation | Always up-to-date and works with the latest build of Windows | Provides tools and Guides for Personal, Enterprise, Government and Military security levels | Read The Rationale https://github.com/HotCakeX/Harden-Windows-Security/blob/main/Rationale.md

MIT License

Stars
1.1K
Committers
7


Harden-Windows-Security - Harden-Windows-Security-Module v0.0.2 Update

Published by HotCakeX about 1 year ago

What's changed

  1. Added self-updating mechanism
  2. Added the missing categories: Optional Windows Features category and Top Security category
  3. Added Bitlocker DMA protection check
  4. Fixed the CSV output to stop repeating the headers for each category
  5. Improved the ASCII arts and their colors
  6. Added Total number of checks to the output
  7. Improved the displayed output to include checks that do not output a bool value by adding an extra property called Compliant to each item
  8. Improved the module's PowerShell gallery page (Description, image)
  9. Added a new optional parameter called "-DetailedDisplay" to show the output in a detailed list instead of the default table format

Module's documentation

Harden-Windows-Security - Harden-Windows-Security-Module v0.0.1

Published by HotCakeX about 1 year ago

Harden-Windows-Security-Module

This module offers rigorous compliance verification and security assessment. It enables you to evaluate the conformity of your system based on the security standards and recommendations of this repository. The module employs various techniques such as Group Policy, Security Policy, PowerShell cmdlet and Registry keys to conduct the checks.

Compliance checking strictly follows the guidelines and security measures of this GitHub repository. Any minor deviation from them will result in a $false value for the corresponding check.

How it works

This module verifies and validates the security measures applied by the Harden Windows Security script using the same method as the script. For example, it checks Group Policy settings if the script uses Group Policy, registry keys if the script modifies the registry, and PowerShell cmdlets if the script invokes them.

Quick demo

https://github.com/HotCakeX/Harden-Windows-Security/assets/118815227/0fdbd34b-6bf6-4eae-b081-83b43d60bd0d

Requirements

  • Administrator privileges for compliance checking
  • Administrator OR Standard user privileges for the hardening mode, just like the Harden Windows Security script
  • PowerShell core version 7.3 and above

How to install and use

You can install this module from PowerShell gallery

Install-Module -Name Harden-Windows-Security-Module -Force

Perform Compliance test

Confirm-SystemCompliance

Apply the Hardening measures described in the Readme

Protect-WindowsSecurity

Available parameters

Confirm-SystemCompliance [-ExportToCSV] [-ShowAsObjectsOnly]

The module has 2 optional parameters, they can be used together or individually.

  • [-ExportToCSV]: In addition to displaying the results on the screen, also exports them to a nicely formatted CSV for easier viewing. The CSV renders natively on GitHub, so you can upload it there and view it.

  • [-ShowAsObjectsOnly]: Instead of displaying strings on the console, outputs actionable objects and properties. You can use this parameter for when you need to store the output of the function in a variable and use it that way. This provides a very detailed nested object and suppresses the normal string output on the console.
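The following is an added example of consuming the -ShowAsObjectsOnly output from PowerShell; it is not code from the module or the repository. It assumes the nested object returned by Confirm-SystemCompliance groups items by category (as either a hashtable or a PSCustomObject, both are handled) and that each item carries the Compliant property mentioned in the v0.0.2 release notes; the exact nesting is an assumption.

```powershell
# Added example, not part of Harden-Windows-Security-Module.
# Stores compliance results as objects, flattens them and lists the failed checks.
#Requires -Version 7.3
#Requires -RunAsAdministrator

Import-Module -Name Harden-Windows-Security-Module -ErrorAction Stop

# Capture the objects instead of the console strings
$Results = Confirm-SystemCompliance -ShowAsObjectsOnly

# Assumption: the top level maps a category name to a collection of check items.
# Handle both a hashtable-like object and a PSCustomObject with one property per category.
$Categories = if ($Results -is [System.Collections.IDictionary]) {
    $Results.GetEnumerator() | ForEach-Object { [PSCustomObject]@{ Name = $_.Key;  Items = $_.Value } }
} else {
    $Results.PSObject.Properties | ForEach-Object { [PSCustomObject]@{ Name = $_.Name; Items = $_.Value } }
}

# Flatten: every item keeps its own properties and gains a Category column
$Items = foreach ($Category in $Categories) {
    foreach ($Item in @($Category.Items)) {
        $Item | Select-Object @{ Name = 'Category'; Expression = { $Category.Name } }, *
    }
}

# Compliant is the property added in v0.0.2; compare against $true so both
# boolean and string representations are handled.
$Failed = @($Items | Where-Object { $_.Compliant -ne $true })

"{0} of {1} checks compliant" -f ($Items.Count - $Failed.Count), $Items.Count
$Failed | Sort-Object Category | Format-Table -AutoSize

# Keep the failures from this run; diffing two such files with Compare-Object
# shows configuration drift between runs.
$Failed | Export-Csv -Path "$env:USERPROFILE\Desktop\NonCompliant.csv" -NoTypeInformation
```

Run it from an elevated PowerShell 7.3+ session, as the requirements above state; the summary line and the table of failed checks print to the console and the failures are also saved to the desktop as CSV.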

Security Scoring System

The current max score is 89, meaning there are 89 options that produce a $true value if they are compliant. Based on the score that you get you will see a different ASCII art!

Any feedback or suggestions? Please use GitHub issues or discussions

Harden-Windows-Security - Hardening script update v2023.7.29

Published by HotCakeX about 1 year ago

Change log

  1. Added Intel TDT (Threat Detection Technology) to the Microsoft Defender category, more info here.
  2. Added a new Item to the Overrides for Microsoft Security Baseline: This item Re-enables the XblGameSave Standby Task that gets disabled by Microsoft Security Baselines
  3. Added a new Event Viewer custom view for USB connects & disconnects, this helps to easily monitor and view the logs of USB storage devices that were connected or disconnected from your system.

Harden-Windows-Security - Hardening script update v2023.7.25

Published by HotCakeX about 1 year ago

Change log

Removed built-in admin account activation option from the script - https://github.com/HotCakeX/Harden-Windows-Security/commit/e7d5e8ebbeea9888ab62055587b457948da89e0a

For security reasons, the ability to set a password for and activate the built-in administrator account was removed. See the Microsoft article on account lockout for built-in local administrators:
https://support.microsoft.com/en-us/topic/kb5020282-account-lockout-available-for-built-in-local-administrators-bce45c4d-f28d-43ad-b6fe-70156cb2dc00

The lockout policy for the built-in administrator account (which is disabled by default) works as follows:
The new lockout behavior only affects network logons, such as RDP attempts. Console logons are still allowed during the lockout period.

You should sign into Windows using a password-less Microsoft account and use Windows Hello for authentication.

Added Custom event log view for restarts - https://github.com/HotCakeX/Harden-Windows-Security/commit/aa4381a3e5b61e8e459214fbdc8fa18858ca67f4

A new custom view for Event viewer logs was added to track system restarts that were either initiated by user or by apps/system.

Made the Event viewer custom view names more user friendly - https://github.com/HotCakeX/Harden-Windows-Security/commit/aa4381a3e5b61e8e459214fbdc8fa18858ca67f4

Changed the name of the custom view xml files from vague View_1.xml, View_2.xml etc. to proper names that clearly describe what they are for.

Added custom event views for 2 new events - https://github.com/HotCakeX/Harden-Windows-Security/commit/1bf0411a2da1f613c01a5f1b4e4757b8576faf5c

  • One of them tracks incorrectly entered PINs at the lock screen
  • The other tracks workstation locks and unlocks

Harden-Windows-Security - WDACConfig module v0.2.0 - WDAC Simulation

Published by HotCakeX over 1 year ago

WDACConfig module update v0.2.0

This update introduces a new feature that allows you to simulate a WDAC deployment. You can read all about it in its dedicated new cmdlet.

Change log

  1. Added WDAC Simulation using the new Invoke-WDACSimulation Cmdlet
  2. Added Get-CommonWDACConfig Cmdlet dedicated only to querying the User Configs and reading them. Set-CommonWDACConfig Cmdlet is only for storing User Configurations.
  3. Eliminated the need for an extra reboot in New-KernelModeWDACConfig Cmdlet. From now on, only one reboot is required and that's only during the Audit mode. For deploying the Enforced mode policy, the module replaces the Audit mode policy with the new enforced mode and it instantly becomes operative.
  4. Improved the argument completers of the Set-CommonWDACConfig Cmdlet by showing GUI for file picking.
  5. Added a new parameter to the New-DenyWDACConfig Cmdlet for creating deny rules for Windows Appx apps
  6. Improved the parameter usage logic in New-KernelModeWDACConfig Cmdlet

Continue reading

If you have any question or need help, feel free to open a new discussion/issue on GitHub or reach out with Email etc.

Harden-Windows-Security - WDACConfig module v0.1.9 - BYOVD update ❤️‍🔥

Published by HotCakeX over 1 year ago

WDACConfig module - BYOVD update

This update to the WDACConfig module includes the BYOVD attack vector protection that I talked about previously on Twitter.

Changes in the v0.1.9:

  1. Improved the New-WDACConfig -MakePolicyFromAuditLogs by accounting for situations where the Event Viewer logs contain no files that are no longer on the disk, even though the user chose to include them.
  2. Added new functionality and cmdlet New-KernelModeWDACConfig, capable of providing complete protection against all BYOVD (Bring Your Own Vulnerable Driver) scenarios
  3. Improved the Set-CommonWDACConfig argument completers by showing a file picker GUI when selecting certificates or browsing for custom SignTool.exe path.

More info

Harden-Windows-Security - Hardening script update v2023.6.30

Published by HotCakeX over 1 year ago

Updated Security Baseline for Microsoft 365 Apps

Version 2306 was released yesterday; the links in the script have been updated accordingly.

more info:
https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-m365-apps-for-enterprise-v2306/ba-p/3858702

Harden-Windows-Security - Hardening script update v2023.6.29

Published by HotCakeX over 1 year ago

First release of this repository 🥳

This is the first time I'm publishing a release and planning to do this for every new version of the hardening script or WDACConfig PowerShell module in the future.

It will send notifications to the users who are watching this repository letting them know there is a new version available.
It also allows me to offer proper change logs for each change.

The entire change log history of the hardening script is available in Excel online

Change log:

  1. Added Exploit Protection/Process Mitigations for various apps such as Microsoft Edge (All channels), Quick Assist and some system processes. More apps and processes will be added to the list once they are properly validated and confirmed to be fully compatible.
  2. Added back the PrimaryPasswordSetting policy to Edge after confirming the bug related to it was fixed.
  3. Added a new hardening measure that turns on Data Execution Prevention (DEP) for all applications, including 32-bit programs. By default, the output of BCDEdit /enum "{current}" (in PowerShell) for the NX bit is OptIn but this script sets it to AlwaysOn
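The following is an added example of checking the DEP setting described in item 3; it is not the hardening script's own code. It reads the current boot entry with the same BCDEdit command the note mentions and reports whether the NX policy is the AlwaysOn value the script applies. The Get-DepPolicy function name and the treatment of a missing nx line as the OptIn default are assumptions (the default value itself is the one stated above).

```powershell
# Added example, not part of the Harden Windows Security script.
# Reads the NX (DEP) policy of the current boot entry and compares it with AlwaysOn.
# BCDEdit needs an elevated prompt to read the BCD store.
#Requires -RunAsAdministrator

function Get-DepPolicy {
    # bcdedit prints one "name   value" pair per line; the NX policy line looks like:
    #   nx                      OptIn
    $Output = & bcdedit /enum "{current}" 2>&1
    if ($LASTEXITCODE -ne 0) { throw "bcdedit failed: $Output" }

    $Line = $Output | Where-Object { $_ -match '^\s*nx\s+\S+' } | Select-Object -First 1
    if (-not $Line) {
        # Assumption: when no nx entry has been written explicitly, Windows uses OptIn,
        # which is the default value the release note refers to.
        return 'OptIn'
    }
    if ($Line -match '^\s*nx\s+(\S+)') { return $Matches[1] }
    throw "Could not parse nx line: $Line"
}

$Policy    = Get-DepPolicy
$Compliant = $Policy -eq 'AlwaysOn'

[PSCustomObject]@{
    Setting   = 'Data Execution Prevention (nx)'
    Current   = $Policy
    Expected  = 'AlwaysOn'
    Compliant = $Compliant
}

if (-not $Compliant) {
    # The script sets this value itself; the change takes effect after a reboot.
    Write-Warning "DEP is '$Policy'; the hardening script sets it with: bcdedit /set `"{current}`" nx AlwaysOn"
}
```

The check is read-only: it never writes to the BCD store, so it is safe to run on a machine before deciding whether to apply the hardening script.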