Harden Windows Safely, Securely using Official Supported Microsoft methods and proper explanation | Always up-to-date and works with the latest build of Windows | Provides tools and Guides for Personal, Enterprise, Government and Military security levels | Read The Rationale https://github.com/HotCakeX/Harden-Windows-Security/blob/main/Rationale.md
Some paths are accessible to any user, while others are restricted to Administrator-level privileges. These paths have different security levels and non-elevated processes cannot access them. Based on these facts, the WDACConfig module has been upgraded to utilize the more secure paths.
Install Directory
If the WDACConfig module is located in the Documents folder, which is the default setting, a malicious program without elevated privileges could manipulate its files and interfere with its functionality.
Therefore, it is strongly advised to install it with the AllUsers scope
Install-Module -name 'WDACConfig' -Scope AllUsers
Which will increase its protection against unauthorized access by installing it in the following path
C:\Program Files\PowerShell\Modules\WDACConfig
Which is guarded by Administrator privileges. When the module auto-updates, it will also be installed in that path.
User Configurations Directory
Previously, the WDACConfig module saved user configurations in the following path
This directory is accessible to any user, and a malicious program or process without elevated privileges could manipulate its files. Therefore, the WDACConfig module has been upgraded to save user configurations in the following path
[!NOTE]\
In this release, the module automatically moves the user configuration file from the old location to the new one if it doesn't already exist in the new location. This feature is only added temporarily to smooth the transition and will be removed in the next version.
Staging Areas
The module now uses a secure staging area located in
C:\Program Files\WDACConfig\StagingArea
for all of its operations, including but not limited to: creating, modifying, signing, generating, removing, and simulating WDAC policies. This directory is cleaned up after each operation unless the -Debug parameter is used with the cmdlets that support it. No file operation is performed outside of this area.
Other Changes
Assigned WHQLFilePublisher as the default value for -Level and FilePublisher, Hash as the default value for -Fallback parameters in all of the cmdlets that support them. This increases security by taking into account the WHQL EKU of any possible drivers in the files being scanned. Read about the comparison of each level in this document.
Previously, the default level was FilePublisher and the default fallback was Hash.
Added a new parameter called -CipFile to the Test-CiPolicy cmdlet for displaying signer information in the signed .CIP files. This is done because the normal Get-AuthenticodeSignature cmdlet does not reveal a .CIP file's signatures.
Enabled OS indicators during WDAC Simulation, this enables Windows Terminal and the taskbar to display little indicators about the progress of the simulation. Also made the progress bar fancier by showing dynamic colors.
Improved the speed of WDAC Simulation when calculating the Authenticode file hashes.
Added a new parameter called -CSVOutput to Invoke-WDACSimulation cmdlet, indicating the cmdlet will create a CSV file containing the simulation results. Previously, this parameter didn't exist and the cmdlet would always create the CSV output. Now users have more options to control that behavior.
Added a confirmation check to the Remove-CommonWDACConfig cmdlet when invoking it without any additional parameters, because in that mode it deletes all of the saved user configurations for the WDACConfig so as a relatively high risk action it is now put behind an extra check. It can be bypassed with the familiar -Force parameter.
What's Changed
Threat Model Upgrade
Some paths are accessible to any user, while others are restricted to Administrator-level privileges. These paths have different security levels and non-elevated processes cannot access them. Based on these facts, the WDACConfig module has been upgraded to utilize the more secure paths.
Install Directory
If the WDACConfig module is located in the Documents folder, which is the default setting, a malicious program without elevated privileges could manipulate its files and interfere with its functionality.
Therefore, it is strongly advised to install it with the AllUsers scope
Which will increase its protection against unauthorized access by installing it in the following path
Which is guarded by Administrator privileges. When the module auto-updates, it will also be installed in that path.
User Configurations Directory
Previously, the WDACConfig module saved user configurations in the following path
This directory is accessible to any user, and a malicious program or process without elevated privileges could manipulate its files. Therefore, the WDACConfig module has been upgraded to save user configurations in the following path
Staging Areas
The module now uses a secure staging area located in
for all of its operations, including but not limited to: creating, modifying, signing, generating, removing, and simulating WDAC policies. This directory is cleaned up after each operation unless the
-Debugparameter is used with the cmdlets that support it. No file operation is performed outside of this area.Other Changes
Assigned
WHQLFilePublisheras the default value for-LevelandFilePublisher, Hashas the default value for-Fallbackparameters in all of the cmdlets that support them. This increases security by taking into account the WHQL EKU of any possible drivers in the files being scanned. Read about the comparison of each level in this document.FilePublisherand the default fallback wasHash.Added a new parameter called
-CipFileto the Test-CiPolicy cmdlet for displaying signer information in the signed.CIPfiles. This is done because the normalGet-AuthenticodeSignaturecmdlet does not reveal a.CIPfile's signatures.Enabled OS indicators during WDAC Simulation, this enables Windows Terminal and the taskbar to display little indicators about the progress of the simulation. Also made the progress bar fancier by showing dynamic colors.
Improved the speed of WDAC Simulation when calculating the Authenticode file hashes.
Added a new parameter called
-CSVOutputto Invoke-WDACSimulation cmdlet, indicating the cmdlet will create a CSV file containing the simulation results. Previously, this parameter didn't exist and the cmdlet would always create the CSV output. Now users have more options to control that behavior.Added a confirmation check to the Remove-CommonWDACConfig cmdlet when invoking it without any additional parameters, because in that mode it deletes all of the saved user configurations for the WDACConfig so as a relatively high risk action it is now put behind an extra check. It can be bypassed with the familiar
-Forceparameter.Added file picker GUI to various parameters of the Edit-SignedWDACConfig and Edit-WDACConfig cmdlets.
Hardened more variable types.
Improved Certificate common name detection by using Windows APIs instead of custom regex patterns.
Refined the logic for both Edit-SignedWDACConfig -UpdateBasePolicy and Edit-WDACConfig -UpdateBasePolicy to handle the case where multiple policies with the same name are deployed and the user selects that name.
Simplified the parameters of the New-KernelModeWDACConfig cmdlet.
Added progress bars to ConvertTo-WDACPolicy.
Lots of code optimization and refactoring that led to reduced code base while adding more functionality at the same time.