Harden Windows Safely, Securely using Official Supported Microsoft methods and proper explanation | Always up-to-date and works with the latest build of Windows | Provides tools and Guides for Personal, Enterprise, Government and Military security levels | Read The Rationale https://github.com/HotCakeX/Harden-Windows-Security/blob/main/Rationale.md
MIT License
Published by HotCakeX about 1 year ago
This module offers rigorous compliance verification and security assessment. It enables you to evaluate the conformity of your system based on the security standards and recommendations of this repository. The module employs various techniques such as Group Policy, Security Policy, PowerShell cmdlet and Registry keys to conduct the checks.
Compliance checking strictly follows the guidelines and security measures of this GitHub repository. Any minor deviation from them will result in a `$false` value for the corresponding check.
This module verifies and validates the security measures applied by the Harden Windows Security script using the same method as the script. For example, it checks Group Policy settings if the script uses Group Policy, registry keys if the script modifies the registry, and PowerShell cmdlets if the script invokes them.
Install-Module -Name Harden-Windows-Security-Module -Force
Confirm-SystemCompliance
Protect-WindowsSecurity
Confirm-SystemCompliance [-ExportToCSV] [-ShowAsObjectsOnly]

[-ExportToCSV]: In addition to displaying the results on the screen, also exports them in a nicely formatted CSV for easier viewing. The CSV is fully compatible with GitHub too, so you can upload it to GitHub and view it there.

[-ShowAsObjectsOnly]: Instead of displaying strings on the console, outputs actionable objects and properties. Use this parameter when you need to store the output of the function in a variable and work with it that way. It provides a very detailed nested object and suppresses the normal string output on the console.

The current max score is 89, meaning there are 89 options that produce a `$true` value if they are compliant. Based on the score that you get, you will see a different ASCII art!
Any feedback or suggestions? Please use GitHub issues or discussions
Published by HotCakeX about 1 year ago
For security reasons, removed the ability to set a password for and activate the built-in administrator account.
https://support.microsoft.com/en-us/topic/kb5020282-account-lockout-available-for-built-in-local-administrators-bce45c4d-f28d-43ad-b6fe-70156cb2dc00
The lockout policy for the built-in administrator account (which is disabled by default):
The new lockout behavior only affects network logons, such as RDP attempts. Console logons will still be allowed during the lockout period.
You should sign into Windows using a password-less Microsoft account and use Windows Hello for authentication.
A new custom view for Event Viewer logs was added to track system restarts that were initiated either by the user or by apps/the system.
Changed the name of the custom view xml files from vague View_1.xml, View_2.xml etc. to proper names that clearly describe what they are for.
Published by HotCakeX over 1 year ago
This update introduces a new feature that allows you to simulate a WDAC deployment. You can read all about it in its dedicated new cmdlet.
- `Invoke-WDACSimulation` cmdlet
- `Set-CommonWDACConfig` cmdlet is only for storing User Configurations.
- `New-KernelModeWDACConfig` cmdlet. From now on, only one reboot is required, and that's only during the Audit mode. For deploying the Enforced mode policy, the module replaces the Audit mode policy with the new Enforced mode policy, and it instantly becomes operative.
- `Set-CommonWDACConfig` cmdlet by showing a GUI for file picking.
- `New-DenyWDACConfig` cmdlet for creating deny rules for Windows Appx apps
- `New-KernelModeWDACConfig` cmdlet

If you have any questions or need help, feel free to open a new discussion/issue on GitHub or reach out by email etc.
Published by HotCakeX over 1 year ago
This update to the WDACConfig module includes the BYOVD attack vector protection that I talked about previously on Twitter.
Published by HotCakeX over 1 year ago
Updated Security Baseline for Microsoft 365 Apps
Version 2306 was released yesterday; updated the links in the script accordingly.
Published by HotCakeX over 1 year ago
This is the first time I'm publishing a release and planning to do this for every new version of the hardening script or WDACConfig PowerShell module in the future.
It will send notifications to the users who are watching this repository letting them know there is a new version available.
It also allows me to offer proper change logs for each change.
The entire change log history of the hardening script is available in Excel online
- `PrimaryPasswordSetting` policy to Edge after confirming the bug related to it was fixed.
- The value that `BCDEdit /enum "{current}"` (in PowerShell) reports for the NX bit is `OptIn`, but this script sets it to `AlwaysOn`.
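As an added example (not code from the hardening script or the compliance module), the following PowerShell parses the output of `BCDEdit /enum "{current}"` and reports whether the NX bit is `AlwaysOn`, the value the script applies; the sample BCDEdit output embedded below is constructed so the check runs offline, and the function names are this example's own:

```powershell
# Added example: verify the NX (DEP) boot setting the hardening script sets to AlwaysOn.
# Not part of the Harden-Windows-Security script or module; names are this example's own.

function Get-NxSetting {
    param(
        # Lines of BCDEdit output; when omitted, the live boot entry is queried
        # (bcdedit needs an elevated session).
        [string[]]$BcdOutput = (& bcdedit.exe /enum '{current}')
    )
    # BCDEdit prints the element name, whitespace, then the value, e.g. "nx   OptIn".
    foreach ($line in $BcdOutput) {
        if ($line -match '^\s*nx\s+(\S+)\s*$') { return $Matches[1] }
    }
    return $null   # no nx element on this entry; Windows then behaves as OptIn
}

function Test-NxCompliance {
    param([string[]]$BcdOutput = (& bcdedit.exe /enum '{current}'))
    $value   = Get-NxSetting -BcdOutput $BcdOutput
    $current = if ($value) { $value } else { 'OptIn (element absent)' }
    [pscustomobject]@{
        Check     = 'NX bit (DEP) is AlwaysOn'
        Current   = $current
        Compliant = ($value -eq 'AlwaysOn')   # mirrors the $true/$false style of the module
    }
}

# Constructed sample output of a system that has not been hardened yet.
$sample = @(
    'Windows Boot Loader'
    '-------------------'
    'identifier              {current}'
    'device                  partition=C:'
    'path                    \WINDOWS\system32\winload.efi'
    'description             Windows 11'
    'nx                      OptIn'
    'bootmenupolicy          Standard'
)
Test-NxCompliance -BcdOutput $sample

# Against the live system (elevated PowerShell):
# Test-NxCompliance
```

The sample reports `Compliant = False`; after the script has set the NX bit to `AlwaysOn`, the same check against the live entry reports `True`.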