HotCakeX / Harden-Windows-Security

Harden Windows Safely, Securely using Official Supported Microsoft methods and proper explanation | Always up-to-date and works with the latest build of Windows | Provides tools and Guides for Personal, Enterprise, Government and Military security levels | Read The Rationale https://github.com/HotCakeX/Harden-Windows-Security/blob/main/Rationale.md
https://hotcakex.github.io
MIT License

[Suggestion]: Consider enabling FIPS mode and requiring strong key protection for user key stores. #358

Open agpt8 opened 2 weeks ago

agpt8 commented 2 weeks ago

Are you sure the Security measure is not already implemented?

Please explain your new Security measure suggestion

I opened a discussion a while back about having FIPS enabled or not. While it was concluded that FIPS mode is not really necessary, I now think that it is still beneficial to have it enabled.

Along with FIPS mode, enabling System Cryptography: Force strong key protection for user keys stored on the computer -> User must enter password each time they use a key (found at GPO > Computer config > Windows Settings > Security settings > Local Policies > Security options > System Cryptography: Force strong key protection for user keys stored on the computer) would also enhance overall security of the system.

EFS (Encrypted File System) usually does not require users to enter a password when creating a cert to protect their files and folders. Enabling the above two would require that they enter a password while they export their cert the first time which in turn would require them to enter their password to access it.

BitLocker provides good protection but only when the system is turned off and/or locked. EFS helps protect user's files/folders while they are working as they are essentially locked unless the user unlocks them for access.

Also beneficial to issue #357

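An added audit helper (not part of the Harden-Windows-Security repository or of this issue) that reads the registry values behind the two policies named above: the FIPS algorithm policy under Lsa\FipsAlgorithmPolicy and the ForceKeyProtection value under the Cryptography policy key. The registry locations and the 0/1/2 meaning of ForceKeyProtection are the standard policy-backed values as I know them, not something the thread states, so treat that mapping as an assumption.

```powershell
# Added example: audit the two settings discussed in the comment above
# (FIPS mode and "Force strong key protection for user keys").
# Assumed registry locations are the ones Group Policy writes; the
# issue itself only quotes the GPO path.
function Get-CryptoPolicyAudit {
    [CmdletBinding()]
    param()

    # "System cryptography: Use FIPS compliant algorithms ..." -> Enabled = 1
    $fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $fips = (Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue).Enabled

    # "System cryptography: Force strong key protection for user keys ..."
    # Assumed mapping: 0 = no user input, 1 = prompt on first use,
    # 2 = password each time the key is used (the option the comment suggests)
    $kpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography'
    $keyProt = (Get-ItemProperty -Path $kpKey -Name ForceKeyProtection -ErrorAction SilentlyContinue).ForceKeyProtection
    $keyProtMap = @{
        0 = 'User input not required'
        1 = 'Prompt when key is first used'
        2 = 'Password required each time the key is used'
    }
    $keyProtText = if ($null -ne $keyProt -and $keyProtMap.ContainsKey([int]$keyProt)) {
        $keyProtMap[[int]$keyProt]
    } else {
        "Not configured or unknown ($keyProt)"
    }

    [PSCustomObject]@{
        Setting   = 'FIPS algorithm policy (Enabled)'
        Current   = if ($null -eq $fips) { 'Not configured' } else { $fips }
        Desired   = 1
        Compliant = ($fips -eq 1)
    }
    [PSCustomObject]@{
        Setting   = 'Force strong key protection (ForceKeyProtection)'
        Current   = $keyProtText
        Desired   = 2
        Compliant = ($keyProt -eq 2)
    }
}

# Run elevated for a reliable read. Non-compliant rows are the ones to fix
# through the GPO path quoted in the comment (or secedit), not by editing
# the registry directly on policy-managed machines.
Get-CryptoPolicyAudit | Format-Table -AutoSize
```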

HotCakeX commented 2 weeks ago

Since that conversation that we had in that discussion post, has anything changed to prove the points mentioned there wrong or make them invalid now?

I wouldn't really recommend relying on EFS for encryption. Try encrypting a picture with EFS then send it over to Discord to someone else, they will be able to view it just fine without having to decrypt anything.

For file encryption there is Personal Data Encryption (PDE)

I'll test the policies related to requiring password for certificates, have to see how the WDACConfig module will work with it too.

agpt8 commented 2 weeks ago

I don't think anything has changed since that discussion, or any points are invalid. FIPS would at least make sure that stronger algorithms are used wherever applicable even if a user does not configure certain categories like TLS or networking or other related categories.

PDE requires Entra joined PCs and the user has to use Windows Hello for Business. Moreover, if they use passwords (lengthy and complex ones) or a security key, they cannot access PDE content.

On the other hand, certs are supported on security keys and passwords are default as well. PDE has very specific and Windows-centric requirements which are not supported or applicable on the majority of PCs and is still very new. EFS has been around for a while and is available on all regular Windows PCs (not sure if Pro is required or not, but again, this module requires Pro and up anyways so....)