Harden Windows Safely, Securely using Official Supported Microsoft methods and proper explanation | Always up-to-date and works with the latest build of Windows | Provides tools and Guides for Personal, Enterprise, Government and Military security levels | Read The Rationale https://github.com/HotCakeX/Harden-Windows-Security/blob/main/Rationale.md
What's New
The Downloads Defense Measures category now has an optional sub-category that lets you choose a new type of WDAC policy to deploy automatically. This policy blocks dangerous and very old components on Windows. Please read this post for all the info about them.
Some 3rd party programs might still attempt to use these. Remember that you can easily remove the policy using the Unprotect-WindowsSecurity command at any time.
The components blocked by this optional WDAC policy are:
wscript.exe
mshta.exe
cscript.exe
Improved the overall performance and speed of the Harden Windows Security module through internal reconstruction.
Added a new Attack Surface Reduction rule, Block Webshell creation for Servers, to the ASR category.
Changed the Attack Surface Reduction rule "Block executable files from running unless they meet a prevalence, age, or trusted list criterion" from Block to Block and Warn. This lets a System Administrator allow a blocked file or app if they wish, without having to use the Group Policy editor. It should make it easier for developers, or for people who want to install newly released versions of programs before the system has determined their reputation. This does not change the threat model at all: you still need Administrator privileges to allow a blocked app, just as you need Administrator privileges to change the group policies.
Changed the Clipboard syncing in the Non-Admin category to be an optional sub-category instead of applying by default in that category.
The Confirm-SystemCompliance command now also takes the type of the registry values into account when performing compliance checks. When the registry key path, name and value match but the type does not (e.g., the module expects a DWORD but the value is a QWORD or a String), that item is shown as false. This further improves the accuracy and trustworthiness of the results.
The Microsoft Defender category now detects when GitHub Desktop or Git (standalone version) is installed and automatically adds their executables to the exceptions for mandatory ASLR, as they are not compatible with it. More info here - Was also mentioned in this issue
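The Warn mode change above can be reproduced and verified from an elevated PowerShell session. The following is an added example, not code from the Harden Windows Security module; it assumes the rule GUID from Microsoft's ASR rule reference (check it against the current docs before relying on it) and that the rule is not already locked by Group Policy or Intune, which would override the local preference.

```powershell
# Added example (not the module's own code): set the ASR rule
# "Block executable files from running unless they meet a prevalence, age, or trusted list criterion"
# to Warn, then read the effective state back so the change is verifiable.
# Assumed: rule GUID as documented by Microsoft; verify before use.
$RuleId = '01443614-cd74-433a-b99e-2ecdc07bfc25'

# Warn keeps the block dialog but offers an "Unblock" choice that only an administrator
# can honour; Block and AuditMode are the other relevant actions.
Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions Warn

# Get-MpPreference exposes two parallel arrays: rule IDs and their numeric actions
# (0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn).
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    param([Parameter(Mandatory)][string] $Id)

    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)

    for ($i = 0; $i -lt $ids.Count; $i++) {
        # GUID casing differs between sources, so compare case-insensitively.
        if ($ids[$i] -ieq $Id) {
            $code = [int]$actions[$i]
            return [pscustomobject]@{ Id = $Id; Action = $ActionNames[$code]; Code = $code }
        }
    }
    # A rule that is absent from the list is simply not configured locally.
    return [pscustomobject]@{ Id = $Id; Action = 'NotConfigured'; Code = $null }
}

Get-AsrRuleState -Id $RuleId
```

If the returned Action is still Block after running this, the rule is being enforced by policy (Group Policy or MDM) rather than by the local Defender preference, and the policy source is where it has to be changed.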
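To show why the registry value type matters in a compliance check, here is an added example (not the module's Confirm-SystemCompliance implementation) of a type-aware check written against the .NET RegistryKey API. The key paths, value names and expected values in the baseline are constructed samples, not settings the module applies.

```powershell
# Added example (not the module's own code): a compliance check that requires the
# registry path, value name, data AND value type to match, and reports which part failed.

function Test-RegistryCompliance {
    param(
        [Parameter(Mandatory)] [string] $Path,          # e.g. 'HKLM:\SOFTWARE\Policies\...'
        [Parameter(Mandatory)] [string] $Name,          # value name under that key
        [Parameter(Mandatory)]          $ExpectedValue,
        [Parameter(Mandatory)] [Microsoft.Win32.RegistryValueKind] $ExpectedType
    )

    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if (-not $key) {
        return [pscustomobject]@{ Path = $Path; Name = $Name; Compliant = $false; Reason = 'key missing' }
    }
    if ($key.GetValueNames() -notcontains $Name) {
        return [pscustomobject]@{ Path = $Path; Name = $Name; Compliant = $false; Reason = 'value missing' }
    }

    # GetValueKind is what distinguishes a DWORD 1 from a QWORD 1 or the string "1".
    $actualType  = $key.GetValueKind($Name)
    $actualValue = $key.GetValue($Name, $null,
        [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)

    if ($actualType -ne $ExpectedType) {
        # Matching data in the wrong type is non-compliant: a policy consumer that
        # reads a DWORD will not honour a REG_SZ "1", so the control is not in effect.
        return [pscustomobject]@{ Path = $Path; Name = $Name; Compliant = $false
            Reason = "type mismatch: expected $ExpectedType, found $actualType" }
    }
    if ("$actualValue" -ne "$ExpectedValue") {
        return [pscustomobject]@{ Path = $Path; Name = $Name; Compliant = $false
            Reason = "value mismatch: expected $ExpectedValue, found $actualValue" }
    }
    return [pscustomobject]@{ Path = $Path; Name = $Name; Compliant = $true; Reason = 'ok' }
}

# Constructed baseline: sample entries for illustration, not settings from the module.
$Baseline = @(
    @{ Path = 'HKLM:\SOFTWARE\Example\Hardening'; Name = 'EnableFeature'; ExpectedValue = 1;        ExpectedType = 'DWord'  }
    @{ Path = 'HKLM:\SOFTWARE\Example\Hardening'; Name = 'Mode';          ExpectedValue = 'Strict'; ExpectedType = 'String' }
)

foreach ($entry in $Baseline) {
    Test-RegistryCompliance @entry
} | Format-Table -AutoSize
```

The Reason column is the useful part for remediation: "type mismatch" tells you the value was written with the wrong data type (often by a script using the default type of Set-ItemProperty), which a path/name/value-only check would silently report as compliant.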
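The mandatory ASLR exception for Git can be inspected and reproduced with the built-in process mitigation cmdlets. The following is an added example, not the module's own detection code; it assumes Git for Windows is installed under the default `%ProgramFiles%\Git` location and that the only incompatible mitigation is mandatory ASLR (ForceRelocateImages), as the release note states.

```powershell
# Added example (not the module's own code): find Git for Windows executables and
# exempt them from mandatory ASLR (ForceRelocateImages), then read the override back.
# Assumed: default install root; adjust $GitRoot for a custom installation.
$GitRoot = Join-Path $env:ProgramFiles 'Git'

if (-not (Test-Path -Path $GitRoot)) {
    Write-Warning "Git for Windows not found under $GitRoot; nothing to exempt."
    return
}

# Process mitigation overrides are keyed by image file name, not full path,
# so every git-shipped executable name is registered once.
$Targets = Get-ChildItem -Path $GitRoot -Recurse -Filter '*.exe' -ErrorAction SilentlyContinue |
    Sort-Object -Property Name -Unique

foreach ($exe in $Targets) {
    Set-ProcessMitigation -Name $exe.Name -Disable ForceRelocateImages
}

function Get-MandatoryAslrState {
    param([Parameter(Mandatory)][string] $ImageName)

    # Get-ProcessMitigation -Name returns the per-image override; ForceRelocateImages
    # reads OFF once the exemption above has been applied.
    $mitigation = Get-ProcessMitigation -Name $ImageName
    [pscustomobject]@{
        Image               = $ImageName
        ForceRelocateImages = $mitigation.Aslr.ForceRelocateImages
    }
}

$Targets | ForEach-Object { Get-MandatoryAslrState -ImageName $_.Name } | Format-Table -AutoSize
```

Because the override is by image name, any other program that ships a binary with the same file name inherits the exemption; keep the list of exempted names as short as the incompatibility actually requires.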