Harden Windows Security module v0.2.8

[HotCakeX]

What's Changed

Complete Redesign

Revamped the architecture of the Harden Windows Security script. The new versatile design enables a single file to function as an independent script and as a component of the Harden Windows Security module, at the same time.

The All New Hybrid Mode of Operation

The Harden Windows Security module now supports headless or silent mode of operation. This mode enables you to run the module without any interaction on the PowerShell console. You simply choose the categories you wish to apply automatically, and the module will perform them for you. If a selected category requires Administrator privileges and the module is running with Standard privileges, that category is skipped.

Facilitating Large-Scale Deployments

This modification, in conjunction with other improvements in this version, prepare the Harden Windows Security module for deployments at a large scale.

Available Parameters for Protect-WindowsSecurity Cmdlet

Protect-WindowsSecurity [[-Categories] <String[]>] [<CommonParameters>]

The following parameters are only for the headless/silent mode of operation.

• -Categories: Optional; Specify the hardening categories that you want to apply. This will tell the module to operate in non-interactive or headless/silent mode which won't ask for confirmation before running each selected categories. You can specify multiple categories by separating them with a comma. If you don't specify any category, the cmdlet will run in interactive mode. Use this parameter for deployments at a large scale. If a selected category requires Administrator privileges and the module is running with Standard privileges, that category is skipped.

  • This parameter has automatic tab completion. You can press the Tab key to see the available categories.

• -Verbose: Optional; Shows verbose messages on the console about what the cmdlet is doing.

[!NOTE]\ You can further control the sub-categories of each category by using the following switch parameters. Pay attention to the naming convention of them. They are named after the category they belong to. For example, the switch parameter -MSFTDefender_SAC belongs to the MicrosoftDefender category. The switch parameters are dynamic and will only appear if you specify the corresponding category in the -Categories parameter. For example, if you don't specify the MicrosoftDefender category in the -Categories parameter, the switch parameters related to it won't appear. The following table shows the available switch parameters and their corresponding categories.

Parameter Name	Description	Required Category
-SecBaselines_NoOverrides	Applies the Microsoft Security Baselines without the optional overrides	MicrosoftSecurityBaselines
-MSFTDefender_SAC	Enables Smart App Control	MicrosoftDefender
-MSFTDefender_NoDiagData	Will not enable optional diagnostics data required for Smart App Control (Does not have any effect if Smart App Control is already turned on)	MicrosoftDefender
-MSFTDefender_NoScheduledTask	Will not create scheduled task for fast MSFT driver block rules	MicrosoftDefender
-MSFTDefender_BetaChannels	Set Defender Engine and Intelligence update channels to beta	MicrosoftDefender
-LockScreen_CtrlAltDel	Require CTRL + ALT + Delete at lock screen	LockScreen
-LockScreen_NoLastSignedIn	Will not display the last signed in user at the lock screen	LockScreen
-UAC_NoFastSwitching	Hide entry points for fast user switching	UserAccountControl
-UAC_OnlyElevateSigned	Only elevate signed and validated executables	UserAccountControl
-CountryIPBlocking_OFAC	Include the IP ranges of OFAC Sanctioned Countries in the firewall block rules	CountryIPBlocking

What if You Don’t Configure the Sub-Categories?

If you do not specify any sub-categories using the switch parameters above, the following sub-category configuration will be applied when the corresponding category exists in the -Categories parameter.

| Indicator| Sub-Category Status | |:--------:|:-----------------------------:| | | Is Applied | | | Is Not Applied |

• Windows Boot Manager Revocations
• Microsoft Security Baselines
  • Yes, With the Optional Overrides (Recommended)
  • Yes
• Microsoft 365 Apps Security Baselines
• Microsoft Defender
  • Smart App Control enablement
  • Enable advanced diagnostic data if Smart App Control is on
  • Scheduled task creation for fast weekly MSFT driver block list update
  • Set engine and intelligence update channels to beta
• Attack Surface Reduction Rules
• BitLocker Settings
  • Normal: TPM + Startup PIN + Recovery Password
  • Enhanced: TPM + Startup PIN + Startup Key + Recovery Password
  • Skip encryptions altogether
• TLS Security
• Lock Screen
  • Don't display last signed-in
  • Require CTRL + ALT + DEL on lock screen
• User Account Control
  • Only elevate signed and validated executables
  • Hide the entry points for Fast User Switching
• Windows Firewall
• Optional Windows Features
• Windows Networking
• Miscellaneous Configurations
• Windows Update Configurations
• Edge Browser Configurations
• Certificate Checking Commands
• Country IP Blocking
  • Block State Sponsors of Terrorism IP blocks
  • Block OFAC Sanctioned Countries IP blocks
• Downloads Defense Measures
• Non-Admin Commands

[!IMPORTANT]\ It is highly recommended to always include the Microsoft Security Baselines category and place it first as it forms the foundation of all subsequent categories.

Example 1

If you run the module like this without specifying any categories, the module will run in interactive mode and the usual beautiful prompts will be displayed to the user.

Protect-WindowsSecurity

Example 2

If you run the module like this, the 2 categories will be executed automatically without requiring any user input. The results will be displayed on the console.

Protect-WindowsSecurity -Categories MicrosoftDefender, AttackSurfaceReductionRules

Example 3

This example will apply the Microsoft Defender category with the Smart App Control sub-category, without the need for user interaction, and will show verbose messages.

Protect-WindowsSecurity -Categories MicrosoftDefender -MSFTDefender_SAC -Verbose

Example 4

This example will apply the Microsoft Security Baselines, BitLocker, User Account Control, Lock Screen and Downloads Defense Measures categories. It will also apply the "Only Elevate Signed and Validated Executables" sub-category of the User Account Control category, and the "Require CTRL + ALT + DEL on Lock Screen" sub-category of the Lock Screen category.

Protect-WindowsSecurity -Categories MicrosoftSecurityBaselines,BitLockerSettings,UserAccountControl,LockScreen,DownloadsDefenseMeasures -UAC_OnlyElevateSigned -LockScreen_CtrlAltDel

More Secure Than Ever

The previous design necessitated downloading the essential files from the GitHub repository regardless of the execution mode, either as a script or as a module's cmdlets. The current design optimizes this process by only fetching the vital payload files when the script is invoked from GitHub as follows:

irm 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security.ps1' | iex

By installing and utilizing the Harden Windows Security module via the Protect-WindowsSecurity command, the essential files are pre-included in the module and thus eliminate the need for downloading them separately. This enhances the security level and offers more peace of mind to the users.

No Support for The Legacy Windows PowerShell

The new code excludes support for the old Windows PowerShell version 5.1, the default version installed with Windows. It was impeding the advancement and innovation in the code due to lack of compatibility with new features. Consequently, the new code base is more concise than before (despite offering more functionalities), more intelligent and more legible.

It is extremely easy to install the new modern PowerShell. The safest, fastest and best way to do so is through 🛍️ Microsoft Store.

By default, Windows Store packages run in an application sandbox that virtualizes access to some filesystem and registry locations. Changes to virtualized file and registry locations don't persist outside of the application sandbox.

This sandbox blocks all changes to the application's root folder. Any system-level configuration settings stored in $PSHOME can't be modified.

Alternatively, you can install PowerShell using Winget

Winget install Microsoft.PowerShell

PowerShell is modern and leverages the most recent .NET version and features. It is widely adopted in business and enterprise environments, and it eliminates the need and the rationale for relying on the archaic and old Windows PowerShell.

Downloads Defense Measures

To combat the threat of more sophisticated malware, a preemptive measure is taken by creating and deploying a WDAC policy on the system. This policy blocks the execution of executables and other potentially harmful file types in the Downloads folder, using the WDACConfig module.

This policy defends the system from malware that can launch itself automatically after being downloaded from the Internet. The user must ensure the file's safety and explicitly transfer it to a different folder before running it.

The WDAC policy employs a wildcard pattern to prevent any file from running in the Downloads folder. Additionally, it verifies that the system downloads folder in the user directory matches the downloads folder in the Edge browser's settings. If there is a discrepancy, a warning message is displayed on the console.

The policy can be removed by the Unprotect-WindowsSecurity or Remove-WDACConfig cmdlets.

It is an ongoing process so expect more WDAC integrations like this in the Harden Windows Security module.

Improved Auto Updating Experience

Whenever you execute any of the cmdlets, the Harden Windows Security module will verify if there is a newer version available and update itself automatically if needed. You no longer have to repeat your command after the update, as it will resume seamlessly.

[!NOTE]\ When auto updating from version 0.2.7 to 0.2.8, you will see the message "Update successful, please run the cmdlet again.", instead of doing that, please close and reopen your PowerShell tab/window, otherwise you may encounter an error. It is totally harmless though and you won't see it anymore. This is due to a bug in version 0.2.7 that prevents it from properly disposing the secure constant variables. This bug is resolved in version 0.2.8.

Other Changes And Improvements

• Set the MDAG to be disabled instead of enabled: https://github.com/HotCakeX/Harden-Windows-Security/issues/170
• Added verbose messages to the module's cmdlets so you can take a peek at what's happening under the hood during the execution. Use the -Verbose parameter with each cmdlet.
• Removed Launch Renderer processes into an App Container policy from Edge category because it's now enabled by default in Edge browser since version 120.
• Added verifying the 3 built-in Firewall rules (for all 3 profiles) for Multicast DNS (mDNS) UDP-in are disabled, to the Confirm-SystemCompliance.

What's Next

• Total offline operation for air gapped computers.
• Generating detailed log file for the activities of the Protect-WindowsSecurity cmdlet
• Possible Windows Server support
• And more...

Feel free to open pull requests if you want to contribute by implementing any of the mentioned features.

[agpt8]

Does this pull request also implements the latest M365 baselines? The official documentation hasnt been updated in a long time for some reason. These are the links linked in the README as well: https://learn.microsoft.com/en-us/deployoffice/security/security-baseline https://learn.microsoft.com/en-us/windows/security/operating-system-security/device-management/windows-security-configuration-framework/get-support-for-security-baselines#version-matrix

The latest available version is 2312, released on Dec 14, 2023: https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bg-p/Microsoft-Security-Baselines

Apologies if this is not the right place for this..

[HotCakeX]

@agpt8 Thank u! nice catch, I'll definitely update the code to the new version

[HotCakeX]

@agpt8 After checking the code I think we're already using the latest version which is 2306.

https://download.microsoft.com/download/8/5/C/85C25433-A1B0-4FFA-9429-7E023E7DA8D8/Microsoft%20365%20Apps%20for%20Enterprise%202306.zip

This page doesn't give me any newer version https://www.microsoft.com/en-us/download/details.aspx?id=55319

The tech community post mentions "Microsoft 365 Apps for enterprise version 2312" but looks like it's just a refresh of 2306. They do need to update the docs though

[agpt8]

What about the excel sheet that they have attached in that post? Can we manually apply those, if not already applied by the script?

It's so weird that they haven't updated the docs or the download page.

[HotCakeX]

I made some comments under the tech community post, hopefully they will reply soon, the changes in v5423 aren't in the available zip package...I checked the excel sheet included in the package and it didn't have those new policies.

It shouldn't be hard to create a GPO based on those 4 new items though