Releases: HotCakeX/Harden-Windows-Security
Harden Windows Security Module v.0.4.3
What's New
- TPM is no longer a hard requirement for using the hardening script or running the
Protect-WindowsSecuritycmdlet. Now if the system is detected to not have TPM, only the BitLocker category will become automatically unavailable to run. - Reduced the number of times the
Get-MpComputerStatuscmdlet is called, now saving the results to a variable and using it for subsequent queries.
PR: #262
Harden Windows Security Module v.0.4.2
What's New
- Added an
-offlineparameter for the Confirm-SystemCompliance cmdlet, it will skip the online update check when used. => related issue - Changed the way Controlled Folder Access's status is detected. This change will also detect if it was applied through Intune policies. => related issue
- Improved the GUI experience. Now when the hardening commands are running, the categories and subcategories are no longer disabled, allowing you to plan your next run while commands are running in the background.
PR: #256
Harden Windows Security Module v.0.4.1
What's New
Improved Multi-Threading in GUI
- Completely reworked the multi-threading aspects of the GUI. Now it's high performance, resilient and no longer freezes the GUI when long or heavy tasks run in the background. This allows you to move the GUI window around or resize it at any time just like you would on any native application.
- Applied code optimizations that resulted in using a lot less code than before to achieve even more.
- The Microsoft Defender category now checks for the availability of the ConfigDefender module's parameters before using them and informs the user that there is a system restart pending if they are unavailable. See this and this for more info.
- Increased PowerShell version requirement from
7.4.1to7.4.2.
As always, the module automatically updates when you run any of its cmdlets/commands and when there is a new version available on PowerShell Gallery, so you don't have to manually update it.
PR: #251
Harden Windows Security Module v.0.4.0
WDACConfig module update v0.3.8
What's New
-
Introduced functionality to create a Supplemental policy based on certificate files. This enhancement enables administrators to select
.cercertificate files and authorize them within a policy. Consequently, any files signed with these certificates will be permitted to execute. The primary motivation behind this feature is to streamline the deployment and utilization of Script Enforcement scenarios.- This capability has been added to the New-SupplementalWDACConfig cmdlet.
-
Developed comprehensive and user-friendly documentation aimed at system administrators seeking to leverage the Script Enforcement feature within Application Control policies (WDAC). This documentation provides clear guidelines for establishing stringent boundaries around script engines, including PowerShell and similar tools.
-
Improved the resiliency of log parsing functions.
-
Added new parameter called
EnableScriptEnforcementto the New-WDACConfig cmdlet which will enable script enforcement for the base policies it creates. -
Enhanced the robustness of certificate details retrieval functions for WDAC Simulation.
PR: #245
Harden Windows Security Module v.0.3.9
What's New
- Added support for Windows Home edition, this means the module and script can run on Windows home editions but the categories are applied in best effort fashion and not all of them are available since many features such as group policy or attack surface reduction rules are simply not available in the home edition. More features might be specialized and implemented for home editions only, in the future.
- You can now choose which categories to check compliance for using the Confirm-SystemCompliance cmdlet. Previously it would check all categories. If no category is selected, all categories are checked.
- Overall code improvements and refactoring.
PR: #244
WDACConfig module update v0.3.7
What's New
- Added support for EVTX logs file parsing. Now, you can quickly create Application Control (WDAC) policies using EVTX logs from any computer. Just export the Code Integrity and/or AppLocker logs and use the WDACConfig module to turn them into WDAC policies. This feature provides a consistent and user-friendly experience similar to what’s available for MDE Advanced Hunting logs and Local logs, utilizing the ConvertTo-WDACPolicy cmdlet for streamlined policy creation.
- Overall code improvements
PR: #241
WDACConfig module update v0.3.6
What's New
Microsoft Defender for Endpoint - Advanced Hunting
You can now use the WDACConfig module to convert the Microsoft Defender for Endpoint (MDE) Advanced Hunting query results directly to Application Control policy (WDAC) policy in a matter of seconds with high precision and performance.
Demo Video
The systematic approach to converting the query results to WDAC policy is as follows:
- If a file is unsigned then a hash rule will be created for it.
- If a file is signed then there are multiple possibilities:
- If the file is signed and the MDE AH results contain the file's version as well as at least one of the following file attributes (Original Name, Internal Name, Description, Product Name), then a File Publisher rule will be created for it.
- If the file is signed but the file attributes are not present in the results, Publisher level rule will be created for it.
These levels are selected based on their security. You can read more about the levels security comparison in this article.
Simple Yet Comprehensive
What WDACConfig requires for MDE Advanced Hunting
DeviceEvents
| where ActionType startswith "AppControlCodeIntegrity"
or ActionType startswith "AppControlCIScriptBlocked"
or ActionType startswith "AppControlCIScriptAudited"As you can see, the WDACConfig module encapsulates all requisite logic, enabling the employment of heightened security levels for files, notably the FilePublisher. It assimilates comprehensive data, utilizing the maximum extent of available information to formulate the most precise and tailored rule for each individual file.
Comparison
| Supported Features | WDACConfig | WDAC Wizard |
|---|---|---|
| Log types | Code Integrity + AppLocker | Code Integrity |
| Generated Rules | File Publisher, Publisher, Leaf Certificate, Hash | Publisher, Hash |
| Requires Custom CSV Formatting | No - Accepts RAW data | Yes |
| Required Query Size | Small | Large |
Important
WDAC Wizard is a great tool, it offers a GUI and can be downloaded from here
Other Changes
- Significantly Improved the performance when parsing the Code Integrity related event logs.
- In addition to the Code Integrity logs, now AppLocker logs are also processed by the WDACConfig module. This allows it to capture and create rules for blocked/audited MSI files as well.
- Bumped the required PowerShell version from 7.4.1 to 7.4.2 because it has WDAC related improvements.
- Fixed this issue: #225
PR: #218
Harden Windows Security Module v.0.3.8
What's New
- Toast Notification is now displayed upon completion of operation when using the GUI to operate the Harden Windows Security module and script.
- Improved the logging style when using the GUI, both in the log file and the displayed logs on the GUI.
- Added a new parameter
-OnlyCountryIPBlockingFirewallRulesto the Unprotect-WindowsSecurity cmdlet. It allows you to only remove the country IP blocking firewall rules without removing anything else. - Overall code improvements
PR: #235
Harden Windows Security Module v.0.3.7
What's Changed
This update is in response to the changes made today to the Windows Boot Manager revocations for Secure Boot in this blog post.
You can find all of the necessary information in that post.
To Summarize:
- The procedures required to apply the Windows Boot Manager revocations for Secure Boot changes have changed significantly and the current category that applies them has been removed.
- The new procedures are very extensive and require lots of work that might have adverse effect if automated at this point in time. According to the post, it requires new updated bootable media which haven't been released yet by Microsoft. It would also trigger BitLocker's recovery screen so user would need to keep the 48-digit recovery code accessible during the procedure.
- Microsoft is planning to apply these changes automatically in the future through Windows Update.
- Once updated bootable media (ISO files) have been released by Microsoft on July 9, 2024, I'll re-evaluate the procedures as to whether add automation for them in the Harden Windows Security Module or not.
As always, make sure you're using the latest version of the OS to stay safe and secure with the latest patches.
Today's patch Tuesday update:
https://support.microsoft.com/en-gb/topic/april-9-2024-kb5036893-os-builds-22621-3447-and-22631-3447-a674a67b-85f5-4a40-8d74-5f8af8ead5bb
Related discussion announcement: #230
FAQ
-
Q: What about the old procedure?
-
A: If you applied the old procedure either manually by following the official article or using the Harden Windows Security module, then you're good to go and don't need to make any more changes. If you never applied the mitigations, you can read the article and see if you want to follow it and apply the new mitigations manually, or just wait until they are automatically applied to your device in the near future through Windows Update.
PR: #229