Harden-Windows-Security-Module v0.0.3 Update

What's changed

1. Updated the Compliance checks to include changes in the following Harden Windows Security script update:
   https://github.com/HotCakeX/Harden-Windows-Security/releases/tag/v2023.08.04

No action necessary, module auto-updates

If you've already installed the Harden Windows Security Module then you don't have to do manually update it. When you run it, it can detect new versions and auto updates itself. 🫰

Hardening script update v2023.8.4

What's changed

1. In the Bitlocker category, hibernation will only be enabled on physical machines because virtual machines such as Hyper-V VMs have other features such as Saving VM's state, Checkpoints, Pause etc. and they do not support hibernation and throw error.

2. Added a new group policy to the Windows Networking category to clear all the entries for Remotely accessible registry paths

3. Added a new group policy to the Windows Networking category to clear all the entries for Remotely accessible registry paths and subpaths

4. In the Miscellaneous category, added a new policy for Command line process auditing

5. In the Lock Screen category, changed the anti-hammering feature for lock screen by lowering the number of subsequent failed sign-in attempts from 6 to 5.

6. In the Lock screen category, added a new policy for Account lockout threshold and set it to 5.

7. In the Lock screen category, added a new policy for Reset account lockout counter and set it to 1440 minutes or 1 day. In combination with other policies in this category, this means every 5 failed sign-in attempts will need a full day to pass before 5 more attempts can be made, otherwise Bitlocker will engage, system will be restarted and 48-digit Bitlocker code will be asked. This policy greatly prevents brute force attempts.

8. In the Lock screen category, added a new policy for Account lockout duration and set it to 1440 minutes or 1 day. In combination with other policies in this category, this means every 5 failed sign-in attempts will need a full day to pass before 5 more attempts can be made, otherwise Bitlocker will engage, system will be restarted and 48-digit Bitlocker code will be asked. This policy greatly prevents brute force attempts.

9. In the Miscellaneous category, added a new policy for enabling the RPC Endpoint Mapper Client Authentication policy

10. In the Miscellaneous category, added a new policy to set the Restrict Unauthenticated RPC Clients policy to "Authenticated without exceptions"

11. In the Lock Screen category, added the following PIN Complexity rules for Windows Hello

    1. Must include digits
    2. Expires every 180 days (default behavior is to never expire)
    3. History of the 3 most recent selected PINs is preserved to prevent the user from reusing them
    4. Must include lower-case letters

12. In the non-admin category, removed the registry keys related to security measures for disabling toast/push notifications on lock screen, because Microsoft security baselines already apply them.

13. In the non-admin category, added a new security measure for disabling "Show reminders and incoming VoIP calls on the lock screen" in the Settings > System > Notifications

Harden-Windows-Security-Module v0.0.2 Update

What's changed

1. Added self-updating mechanism
2. Added the missing categories: Optional Windows Features category and Top Security category
3. Added Bitlocker DMA protection check
4. Fixed the CSV output to stop repeating the headers for each category
5. Improved the ASCII arts and their colors
6. Added Total number of checks to the output
7. Improved the displayed output to include checks that do not output bool value by adding an extra property called Compliant to each item
8. Improved the module's PowerShell gallery page (Description, image)
9. Added a new optional parameter called "-DetailedDisplay" to show the output in a detailed list instead of the default table format

Module's documentation

Hardening script update v2023.7.29

Change log

1. Added Intel TDT (Threat Detection Technology) to the Microsoft Defender category, more info here.
2. Added a new Item to the Overrides for Microsoft Security Baseline: This item Re-enables the XblGameSave Standby Task that gets disabled by Microsoft Security Baselines
3. Added a new Event Viewer custom view for USB connects & disconnects, this helps to easily monitor and view the logs of USB storage devices that were connected or disconnected from your system.

Harden-Windows-Security-Module v0.0.1

Harden-Windows-Security-Module

This module offers rigorous compliance verification and security assessment. It enables you to evaluate the conformity of your system based on the security standards and recommendations of this repository. The module employs various techniques such as Group Policy, Security Policy, PowerShell cmdlet and Registry keys to conduct the checks.

Compliance checking strictly follows the guidelines and security measures of this GitHub repository. Any minor deviation from them will result in a $false value for the corresponding check.

How it works

This module verifies and validates the security measures applied by the Harden Windows Security script using the same method as the script. For example, it checks Group Policy settings if the script uses Group Policy, registry keys if the script modifies the registry, and PowerShell cmdlets if the script invokes them.

Quick demo

Harden-Windows-Security-Module.mp4

Requirements

• Administrator privileges for compliance checking
• Administrator OR Standard user privileges for the hardening mode, just like the Harden Windows Security script
• PowerShell core version 7.3 and above

How to install and use

You can install this module from PowerShell gallery

Install-Module -Name Harden-Windows-Security-Module -Force

Perform Compliance test

Confirm-SystemCompliance

Apply the Hardening measures described in the Readme

Protect-WindowsSecurity

Available parameters

Confirm-SystemCompliance [-ExportToCSV] [-ShowAsObjectsOnly]

The module has 2 optional parameters, they can be used together or individually.

• [-ExportToCSV]: In addition to displaying the results on the screen, also exports them in a nicely formatted CSV for easier viewing. The CSV is fully compatible with GitHub too so you can upload it to GitHub and view it.

• [-ShowAsObjectsOnly]: Instead of displaying strings on the console, outputs actionable objects and properties. You can use this parameter for when you need to store the output of the function in a variable and use it that way. This provides a very detailed nested object and suppresses the normal string output on the console.

Security Scoring System

The current max score is 89, meaning there are 89 options that produce $true value if they are compliant. Based on the score that you get you will see a different ASCII art!

Any feedback or suggestions? Please use GitHub issues or discussions

Hardening script update v2023.7.25

Change log

Removed built-in admin account activation option from the script - e7d5e8e

Due to security reasons. removed the ability to set a password and activate built-in administrator account.
https://support.microsoft.com/en-us/topic/kb5020282-account-lockout-available-for-built-in-local-administrators-bce45c4d-f28d-43ad-b6fe-70156cb2dc00

The lockout policy for the built-in administrator account which is disabled by default:
The new lockout behavior only affects network logons, such as RDP attempts. Console logons will still be allowed during the lockout period.

You should sign into Windows using a password-less Microsoft account and use Windows Hello for authentication.

Added Custom event log view for restarts - aa4381a

A new custom view for Event viewer logs was added to track system restarts that were either initiated by user or by apps/system.

Made the Event viewer custom view names more user friendly - aa4381a

Changed the name of the custom view xml files from vague View_1.xml, View_2.xml etc. to proper names that clearly describe what they are for.

Added custom event views for 2 new events - 1bf0411

• One of them to track wrong entered PINS at lock screen
• The other for tracking workstation locks and unlocks

Hardening script update v2023.6.30

Updated Security Baseline for Microsoft 365 Apps

Version 2306 was released yesterday, updated the links in the script accordingly.

more info:
https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-m365-apps-for-enterprise-v2306/ba-p/3858702

Hardening script update v2023.6.29

First release of this repository 🥳

This is the first time I'm publishing a release and planning to do this for every new version of the hardening script or WDACConfig PowerShell module in the future.

It will send notifications to the users who are watching this repository letting them know there is a new version available.
It also allows me to offer proper change logs for each change.

The entire change log history of the hardening script is available in Excel online

Change log:

1. Added Exploit Protection/Process Mitigations for various apps such as Microsoft Edge (All channels), Quick Assist and some system processes. More apps and processes will be added to the list once they are properly validated and confirmed to be fully compatible.
   • Thanks to everyone participated in this issue
2. Added back the PrimaryPasswordSetting policy to Edge after confirming the bug related to it was fixed.
3. Added a new hardening measure that turns on Data Execution Prevention (DEP) for all applications, including 32-bit programs. By default, the output of BCDEdit /enum "{current}" (in PowerShell) for the NX bit is OptIn but this script sets it to AlwaysOn