Harden Windows Safely, Securely using Official Supported Microsoft methods and proper explanation | Always up-to-date and works with the latest build of Windows | Provides tools and Guides for Personal, Enterprise, Government and Military security levels | Read The Rationale https://github.com/HotCakeX/Harden-Windows-Security/blob/main/Rationale.md
Microsoft Security Baselines updated to version 2023 (23H2), which was released an hour ago (another link). The time is relative to the creation of this PR release note.
Improved the Readme with the new changes described in these release notes.
Changes in Microsoft Defender Category
Improved Process Mitigations (more about them below). Simply running the Microsoft Defender category will remove the old mitigations and apply the new ones automatically. Some mitigations, such as Hardware Enforced Shadow Stack Protection (a.k.a. Kernel CFG or KCFG), which are very powerful features against exploits, are only available on new CPUs, starting with Intel 12th gen CPUs. On older CPUs they simply have no effect.
Reduced the number of days the quarantined items will be kept to 1 day from the previous 3 days.
In the Microsoft Defender category, under Enhanced Phishing Protection, removed the Notify password reuse, Notify malicious, Service enabled and Notify unsafe app policies, because they are already applied by the Microsoft Security Baselines. The only Enhanced Phishing Protection option still applied by the Harden Windows Security module is Automatic data collection (formerly known as Capture Threat Windows); it collects data for security analysis from a suspicious website or app.
The entire Device Guard category is removed. Microsoft Security Baseline 23H2 implements the entire feature set of Device Guard in the most secure state, just like the Harden Windows Security module did, so it's no longer necessary to have it as a separate and/or duplicate category. The documents related to Device Guard and Virtualization Based Security in Windows are available in the wiki.
Changes in BitLocker Category
Improved BitLocker related code; specifically, the BitLocker category for non-OS drives now has more elaborate and slightly faster code. Also improved the messages displayed on the console for non-OS drives when they are already encrypted.
Removed Enhanced PIN for BitLocker policy because Microsoft Security baselines already apply it.
Removed disabling power states S1-S3 policies because Microsoft Security Baselines already apply it.
Added new policy for ensuring network connectivity in standby state on modern standby capable devices. This allows Security updates for Microsoft Defender and Windows to be downloaded and installed automatically.
Changes in Windows Networking Category
Removed the policy that disables the LLMNR protocol (Link Local Multicast Name Resolution) because it's already applied by Microsoft Security Baselines.
It's more important than ever to apply the Microsoft Security Baselines category now that it applies many of the security measures.
Nothing from compliance checking is removed. The policies that were removed because the Microsoft Security Baselines already implement them can all be verified using the Confirm-SystemCompliance cmdlet.
What's New in Process Mitigations / Exploit Protections
Added thorough explanations to each process mitigation in the CSV file, explaining why it is used.
This approach considers each use case of the mitigations and only implements one when there is enough information about the process to guarantee it will work 100% with the mitigation, and when applying it makes sense in terms of security while also considering usability.
Removed ForceRelocateImages and RequireInfo from all 1st party executables in the process mitigations list.
The reason is that the former is already enabled by default system-wide and the latter only applies to older programs. RequireInfo still exists for 3rd party programs such as Adobe Acrobat, but for 1st party programs released by Microsoft it is removed, because 1st party programs do not need it; even if, hypothetically, some 1st party program were missing RequireInfo, the mitigation would still do more harm than good by crashing that program.
Removed EnableExportAddressFilter and EnableExportAddressFilterPlus from some processes that might not be compatible with them.
This mitigation is primarily an issue for applications such as debuggers, sandboxed applications, applications using DRM, or applications that implement anti-debugging technology.
Those processes that used them are likely to fall into the categories mentioned above, so to prevent possible issues or crashes in the future, they were removed from the process mitigations as a pre-emptive measure.
Import Address Filtering should ideally be used in conjunction with Export Address Filtering in order for it to be effective. If an attacker knows you are using Import Address Filtering without Export Address Filtering, they "could" use the export method to get the address(es) for their shellcode, and vice versa.
Removed DisableNonSystemFonts from Edge browser process mitigations because it uses DirectWrite instead of GDI and this mitigation is not required for it.
Removed EnableRopSimExec as it only applies to 32-bit applications. Quick Assist and Adobe Acrobat that were using it are 64-bit.
You can always find more information about them here: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/exploit-protection-reference
Added Hardware Enforced Shadow Stack Protection Strict mode to Edge browser and Quick Assist.