HotCakeX / Harden-Windows-Security

Harden Windows Safely, Securely using Official Supported Microsoft methods and proper explanation | Always up-to-date and works with the latest build of Windows | Provides tools and Guides for Personal, Enterprise, Government and Military security levels | Read The Rationale https://github.com/HotCakeX/Harden-Windows-Security/blob/main/Rationale.md
https://hotcakex.github.io
MIT License

[Suggestion]: Run the Unprotect script before the Protect script (Hardening Module) #188

Closed JuliusBairaktaris closed 7 months ago

JuliusBairaktaris commented 7 months ago

Are you sure the Security measure is not already implemented?

Please explain your new Security measure suggestion

Sometimes the module drops hardening measures and doesn't override them afterwards, e.g., Defender CPU utilization. To prevent issues in the future, like #139, I would suggest returning to a default state utilizing the unprotect script before applying security measures by default. It's also easier to maintain for you since you don't always have to take care of overrides, etc.

Kind regards.

HotCakeX commented 7 months ago

Hi, I don't think running the Unprotect-WindowsSecurity automatically is a good idea because there is no guarantee that the user will apply all of the categories again, so it can leave their systems unprotected. It also won't work when the user is running the Protect-WindowsSecurity directly from GitHub.

The exploit protection settings are automatically removed and reapplied again every time the Defender category is run.

I've also been precisely documenting every change in the release notes, but I agree there must be more automation done in that area.

So from now on, if a hardening measure is removed, I will implement extra code to revert it back to the default state, and this will be done in the Protect-WindowsSecurity so no additional steps need to be taken by user.

If the hardening measure is applied by cmdlets then undoing it will also utilize cmdlets. If it's applied by registry keys, then the same registry key will be set to its default state and if by default it doesn't exist then it will be removed.

Group policies, however, are a bit tricky: setting them to the default state is the same as removing them. For example, if a policy is set to "Enabled" and I want to revert it, I can't just set it to "Not configured" because that won't actually set it to "Not configured" on the user's system when applying it. I'd have to set it to "Disabled".

These actions will only happen when the user runs the Protect-WindowsSecurity, either as a script from GitHub or as part of the module.

How does that sound?
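The revert rule described in the comment above (cmdlet-applied settings are undone with the same cmdlet; registry-applied settings are set back to their default data, or deleted when they do not exist by default) can be expressed as a small data-driven routine. The block below is an added example and is not code from the Harden-Windows-Security project. The registry paths, value names and defaults it uses are constructed placeholders; `Set-MpPreference -ScanAvgCPULoadFactor` is a real Defender cmdlet and parameter, but treating 50 as its default is an assumption made for the example. Group Policy entries are deliberately left out, since, as the comment explains, those need to be set to "Disabled" rather than removed.

```powershell
#Requires -RunAsAdministrator
# Added example, not the project's own code. Each entry in $RevertList describes
# one hardening measure that a release dropped and how to return it to default.
# Registry entries: Default = the data the value has on a stock system, or $null
# when the value is absent by default (in which case it is removed).
# Cmdlet entries: Revert = a scriptblock that calls the same cmdlet that applied it.

$RevertList = @(
    # Hypothetical value that exists by default: set it back to its default data.
    [pscustomobject]@{
        Kind    = 'Registry'
        Path    = 'HKLM:\SOFTWARE\ExampleHardening\Settings'   # placeholder path
        Name    = 'ExampleValueWithDefault'                     # placeholder name
        Default = 1                                              # placeholder default
        Type    = 'DWord'
    }
    # Hypothetical value that does not exist by default: delete it.
    [pscustomobject]@{
        Kind    = 'Registry'
        Path    = 'HKLM:\SOFTWARE\ExampleHardening\Settings'   # placeholder path
        Name    = 'ExampleValueAbsentByDefault'                 # placeholder name
        Default = $null                                          # $null => remove the value
        Type    = 'DWord'
    }
    # Setting applied by a cmdlet: undo it with the same cmdlet.
    # 50 as the default ScanAvgCPULoadFactor is an assumption for this example.
    [pscustomobject]@{
        Kind   = 'Cmdlet'
        Name   = 'Defender ScanAvgCPULoadFactor'
        Revert = { Set-MpPreference -ScanAvgCPULoadFactor 50 }
    }
)

function Restore-DefaultState {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][object[]]$Entries)

    foreach ($e in $Entries) {
        switch ($e.Kind) {
            'Registry' {
                $target  = "$($e.Path)\$($e.Name)"
                $current = $null
                if (Test-Path -LiteralPath $e.Path) {
                    # Returns $null (no error) when the value is not present.
                    $current = Get-ItemProperty -LiteralPath $e.Path -Name $e.Name -ErrorAction SilentlyContinue
                }

                if ($null -eq $e.Default) {
                    # Absent by default: only remove it if it is actually there.
                    if ($null -ne $current -and $PSCmdlet.ShouldProcess($target, 'Remove value')) {
                        Remove-ItemProperty -LiteralPath $e.Path -Name $e.Name
                        Write-Verbose "Removed $target"
                    }
                }
                elseif ($PSCmdlet.ShouldProcess($target, "Set to default '$($e.Default)'")) {
                    # Present by default: write the default data, creating the key if needed.
                    if (-not (Test-Path -LiteralPath $e.Path)) {
                        New-Item -Path $e.Path -Force | Out-Null
                    }
                    Set-ItemProperty -LiteralPath $e.Path -Name $e.Name -Value $e.Default -Type $e.Type
                    Write-Verbose "Set $target = $($e.Default)"
                }
            }
            'Cmdlet' {
                if ($PSCmdlet.ShouldProcess($e.Name, 'Revert via cmdlet')) {
                    & $e.Revert
                    Write-Verbose "Reverted $($e.Name) via cmdlet"
                }
            }
            default { Write-Warning "Unknown entry kind '$($e.Kind)' for $($e.Name)" }
        }
    }
}

# Dry run first (prints what would change), then apply with verbose output.
Restore-DefaultState -Entries $RevertList -WhatIf
Restore-DefaultState -Entries $RevertList -Verbose
```

Because the function supports `-WhatIf`, a revert list can be reviewed before anything is written, which matters when the same list is meant to run unattended at the start of a hardening pass. Entries only need to be appended when a release drops a measure, so the list doubles as the machine-readable counterpart of the release notes.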

JuliusBairaktaris commented 7 months ago

Sounds very good. Great Idea!

HotCakeX commented 7 months ago

Awesome! :)