
Releases: HotCakeX/Harden-Windows-Security

Harden Windows Security v.0.6.7

16 Oct 11:42
5e9e9f0

What's New

  • Added SSH hardening by configuring the SSH client to use secure MACs (Message Authentication Codes). Closes #354

  • 🎉 Added the ability to decrypt a BitLocker-encrypted drive from the Unprotect tab. Select a drive from the dropdown list and use the button to decrypt it.

  • Moved the security measure that sets all network profiles' locations to public from the Windows Networking category to the Windows Firewall category. Related discussion

  • Added a compliance check that verifies the LanmanWorkstation service is enabled and running. Related discussion

  • 🎉 Added a new button to the ASR (Attack Surface Reduction) tab that retrieves the current effective status of each ASR rule on the system, populates the boxes with it, and lets you take action from there.

  • 🎉 When modifying the ASR rules using the ASR tab, there will be detailed logging.

  • Adjusted the system requirement checks to happen sooner to show proper messages to the user about any possible problems.

  • Changed some of the element names in the GUI from "WDAC" to "App Control", following Microsoft's renaming starting with Windows 11 build 24H2.

  • In the Unprotect tab, the App Control policies dropdown menu now only becomes available when the other dropdown menu is set to "Only Remove The App Control Policies", improving user experience.

  • Minor overall performance improvements.

  • Various GUI tabs have been improved to work with very small heights. Now they will have a scrollbar whenever the height is too small so you can always work with the UI elements.

  • Updated the Microsoft signed DLLs used for toast notifications to the latest versions. Wonder how it's done? Check out this Wiki article.

  • The GUI is no longer draggable from anywhere on the interface by touch or mouse click, it now works like any other user interface where you use the title bar for dragging.
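The SSH client hardening above pins the client to a set of secure MACs. The following PowerShell is an added example, not the module's own code, of how such a setting can be written and then verified. It assumes the per-user client config at $env:USERPROFILE\.ssh\config (the module may target a different file) and an illustrative list of encrypt-then-MAC algorithms; the release note does not list which MACs the module selects.

```powershell
# Added example (not the module's code): pin the OpenSSH client to ETM MACs and verify the effective setting.
# Assumptions: per-user config file location and this MAC list (adjust to your own policy).
$ConfigPath = Join-Path $env:USERPROFILE '.ssh\config'
$Macs = 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com'

function Set-SshClientMacs {
    param([string]$Path = $ConfigPath, [string]$MacList = $Macs)

    # Keep only MACs this ssh build supports; an unknown algorithm name makes ssh reject the whole config.
    $supported = & ssh -Q mac
    $wanted = @($MacList -split ',' | Where-Object { $supported -contains $_ })
    if (-not $wanted) { throw 'None of the requested MACs are supported by this ssh client.' }

    $existing = if (Test-Path $Path) { @(Get-Content $Path) } else { @() }

    # Remove any earlier global MACs line (before the first Host/Match block) so the new one is authoritative.
    $kept = @(); $inHostBlock = $false
    foreach ($line in $existing) {
        if ($line -match '^\s*(Host|Match)\b') { $inHostBlock = $true }
        if (-not $inHostBlock -and $line -match '^\s*MACs\b') { continue }
        $kept += $line
    }

    # ssh uses the first value obtained for an option, so a global line at the top wins over later Host blocks.
    $new = @("MACs $($wanted -join ',')") + $kept
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    Set-Content -Path $Path -Value $new -Encoding ascii
    return $wanted
}

function Test-SshClientMacs {
    # 'ssh -G' prints the effective configuration for a host without connecting to it.
    param([string]$HostName = 'example.invalid')
    $line = & ssh -G $HostName | Where-Object { $_ -like 'macs *' }
    return ($line -replace '^macs\s+', '') -split ','
}

Set-SshClientMacs | Out-Null
Test-SshClientMacs
```

If Test-SshClientMacs does not return exactly the list you wrote, a Host block earlier in the file or a system-wide ssh_config under %ProgramData%\ssh is overriding it; ssh -G is the check to run rather than reading the file.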
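The ASR status feature above reads the effective state of each rule and lets the user act on it. As an added example, not the module's code, this PowerShell reads the same data directly from Defender's preferences. The rule GUIDs in the table are the published identifiers for a handful of rules; the table is a deliberately partial, illustrative subset, and the action codes (0 Disabled, 1 Block, 2 Audit, 6 Warn) are the values Defender reports.

```powershell
# Added example (not the module's code): show the effective ASR rule state and move non-blocking rules to Block.
# Assumption: $RuleNames is a partial, illustrative subset of the published ASR rule GUIDs.
$RuleNames = @{
    '56a863a9-875e-4185-98a7-b882c64b5ce5' = 'Block abuse of exploited vulnerable signed drivers'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
    '3b576869-a4ec-4529-8536-b80a7769e899' = 'Block Office applications from creating executable content'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    'e6db77e5-3df2-4cf1-b95a-636979351e5b' = 'Block persistence through WMI event subscription'
}
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleStatus {
    $pref = Get-MpPreference
    # Ids and Actions are parallel arrays; a rule missing from Ids is "Not Configured" (effectively off).
    $ids     = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToLower() })
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    foreach ($guid in $RuleNames.Keys) {
        $i = [array]::IndexOf($ids, $guid)
        # Actions are bytes; cast to int so the hashtable lookup matches its integer keys.
        $state = if ($i -ge 0) { $ActionNames[[int]$actions[$i]] } else { 'Not Configured' }
        [pscustomobject]@{ Rule = $RuleNames[$guid]; Id = $guid; State = $state }
    }
}

function Set-AsrRulesToBlock {
    # Add-MpPreference updates one rule at a time without disturbing the others.
    Get-AsrRuleStatus | Where-Object State -ne 'Block' | ForEach-Object {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $_.Id -AttackSurfaceReductionRules_Actions Enabled
    }
    Get-AsrRuleStatus
}

Get-AsrRuleStatus | Format-Table -AutoSize
```

Reading Get-MpPreference rather than the policy registry keys is the point: it reflects what Defender is actually enforcing, including rules set by Intune or Group Policy that the registry view alone would not reconcile.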


Tip

If you're new here: the Harden Windows Security module automatically checks for updates whenever you start it, so no manual work is needed to stay up to date. It does this by comparing the installed version with the version number on GitHub.


PR: #364


WDACConfig 0.4.6 + AppControl Manager 1.0.0.0

12 Oct 13:16
d6674a6

Introduction of the Modern GUI for WDACConfig

This update marks the release of the initial version of the graphical user interface (GUI) for the WDACConfig module. The application operates as a standalone tool, independent of PowerShell. It is called AppControl Manager and it offers the following key features:

  • Built using WinUI3 / XAML / C#.
  • Built using the latest .NET.
  • Powered by the WinAppSDK (formerly Project Reunion).
  • Packaged with the modern MSIX format.
  • Incorporates the Mica material design for backgrounds.
  • Adopts the Windows 11 Fluent design system.
  • Fast execution and startup time.
  • 0 required dependencies.
  • 0 third-party libraries or files used.
  • 0 telemetry or data collection.
  • 0 Windows Registry changes.
  • 100% clean uninstallation.
  • 100% open-source and free to use.

How To Install the AppControl Manager app

Use the following PowerShell command for Automated Installation

A familiar installation method, just like the Harden Windows Security module. Nothing else needs to be done.

(irm 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security.ps1')+'AppControl'|iex

Here is a preview of it




As demonstrated in the preview, several features have already been implemented. The application leverages WebView2, which comes pre-installed with Windows, to facilitate web rendering. I've included two convenient menu items that provide direct access to both App Control resources from this repository and official Microsoft documentation, ensuring guidance and support are always just two clicks or taps away.


Features Implemented So Far

  • Creating, configuring and deploying AllowMicrosoft policy
  • Creating, configuring and deploying SignedAndReputable policy (based on ISG)
  • Creating and deploying Microsoft recommended driver block rules
  • Creating and deploying Microsoft recommended user-mode block rules
  • Checking for secure policy settings on the system
  • Getting the Code Integrity hashes of the files (Authenticode hash and Page hash)
  • Adding/Changing/Removing User Configurations
  • Configure policy rule options
  • View deployed policies on the system (with filtering search)
  • Remove unsigned policies from the system
  • Quick access to App Control resources and documentations right within the app

More features will come very quickly in the near future.


Let's Talk Security and Threat Model

At this stage, security should be top of mind. Let's delve into how the recent developments, particularly the introduction of compiled binaries for the GUI, impact the overall security and threat model.

First and foremost, the PowerShell module will always remain available in its uncompiled form. This ensures flexibility for users who prefer or require it.

Additionally, the source code for the new MSIX-packaged AppControl Manager is fully accessible in this repository. Anyone can review the code and explore the complete Visual Studio solution provided, allowing you to easily create the MSIX package on your own.

Tip

Does this alter the threat model? Absolutely not. Here's why: When using the WDACConfig PowerShell module, you inherently grant it Administrator privileges. By doing so, you're already placing a level of trust in the module—demonstrated by running PowerShell as an Administrator and executing one of its cmdlets or commands in the terminal.

The same level of privilege applies to the new AppControl Manager application packaged in MSIX format. It will still require Administrator privileges for its operations, as it performs the same functions as the PowerShell version. In fact, 90% of the codebase remains unchanged.

Is using the MSIX package mandatory? Absolutely not. You can continue using the WDACConfig PowerShell module exactly as before—nothing has changed in that regard. The AppControl Manager application is simply a part of the development roadmap, and as promised, I'm actively working on it. Personally, this interface will make managing application controls on my systems, and those I manage, much more streamlined and easier.

Important

If you are an enterprise or business, you can have your security team code review the AppControl Manager application, and after fully verifying it, code sign it and use it in your environment.


Note

Question: Is the MSIX package pre-signed?
Answer: No.

Question: Can I (as a user) code sign it using my own certificate?
Answer: It's up to you.


If users choose to install it, the installer generates a self-signed certificate on the device and uses it to sign the MSIX package before installation.

The signing key is generated locally and never leaves the device. Only the public certificate is placed in the machine's Trusted Root Certification Authorities store; the private key is not retained after signing, so it cannot be used to sign anything else. Adding a root certificate is still a machine-wide trust decision, so after installation it is worth confirming that the certificate in the Root store reports HasPrivateKey as false and that no matching certificate with a private key remains in the personal store.

Here is a quick technical rundown of what the AppControl function does, automatically and in a matter of seconds, with no manual steps for the user:

  • Installs the AppControl Manager MSIX package on the system.

  • Generates a unique self-signed certificate on the user's system and uses it to sign the MSIX package. Everything happens locally; no certificate comes from outside the device.

  • Adds the certificate to the Local Machine's Trusted Root Certification Authorities store with only its public key. The private key is not kept, so nothing else can be signed with it.

  • The certificate has to be present in that store for the app to run; without it the package is considered untrusted by the system and the app will not launch.

  • Adds the two files AppControlManager.dll and AppControlManager.exe inside the MSIX installation folder to the Attack Surface Reduction rules exclusion list, if they are not already there, so the app works properly.

  • Creates a new directory under TEMP for its operations and deletes it at the end of the script.

  • Checks for any self-signed certificates generated by earlier runs and removes them, so no unnecessary leftovers remain on the user's system.
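The steps above describe a key lifecycle: generate a key locally, sign once, publish only the public certificate as a trusted root, destroy the private key, and verify. The PowerShell below is an added example that walks that lifecycle explicitly; it is not the repository's AppControl function. It assumes signtool.exe from the Windows SDK is on PATH, that the package at $Msix has an AppxManifest Publisher equal to $Subject (MSIX signing fails otherwise), and that the package name used to locate the installed binaries for the ASR exclusions is illustrative.

```powershell
# Added example, not the project's installer: local self-signed signing of an MSIX with verification.
# Assumptions: signtool.exe on PATH; $Subject matches the manifest Publisher; package name pattern below is illustrative.
$Subject = 'CN=AppControlManager-SelfSigned'
$Msix    = 'C:\Temp\AppControlManager.msix'

function Install-LocallySignedMsix {
    param([string]$PackagePath = $Msix, [string]$CertSubject = $Subject)

    # 1. Clean up leftovers from earlier runs: the trusted root copy and any key still in the personal store.
    Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\My |
        Where-Object Subject -eq $CertSubject |
        ForEach-Object { Remove-Item $_.PSPath -DeleteKey -ErrorAction SilentlyContinue }

    # 2. Generate the signing key on this machine only; non-exportable and short-lived.
    $cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject $CertSubject `
        -KeyUsage DigitalSignature -KeyExportPolicy NonExportable -HashAlgorithm SHA256 `
        -CertStoreLocation Cert:\CurrentUser\My -NotAfter (Get-Date).AddYears(1)

    # 3. Sign the package; signtool finds the private key in the store by thumbprint.
    & signtool.exe sign /fd SHA256 /sha1 $cert.Thumbprint $PackagePath
    if ($LASTEXITCODE -ne 0) { throw "signtool failed with exit code $LASTEXITCODE" }

    # 4. Publish only the public certificate (a DER .cer carries no private key) into the machine Root store.
    $cer = Join-Path $env:TEMP 'AppControlManager-public.cer'
    Export-Certificate -Cert $cert -FilePath $cer -Type CERT | Out-Null
    Import-Certificate -FilePath $cer -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    Remove-Item $cer

    # 5. Destroy the private key now that signing is done; nothing else can ever be signed with it.
    Remove-Item $cert.PSPath -DeleteKey

    Add-AppxPackage -Path $PackagePath

    # 6. ASR exclusions for the two package binaries, added only if not already present.
    $pkg = Get-AppxPackage | Where-Object { $_.Name -like '*AppControlManager*' } | Select-Object -First 1
    foreach ($f in 'AppControlManager.exe', 'AppControlManager.dll') {
        $p = Join-Path $pkg.InstallLocation $f
        if ((Get-MpPreference).AttackSurfaceReductionOnlyExclusions -notcontains $p) {
            Add-MpPreference -AttackSurfaceReductionOnlyExclusions $p
        }
    }
    return $cert.Thumbprint
}

function Test-LocallySignedMsix {
    # The checks a reviewer wants: root present, root copy has no key, no key left behind in the personal store.
    param([string]$Thumbprint, [string]$CertSubject = $Subject)
    $root  = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $Thumbprint
    $inMy  = Get-ChildItem Cert:\CurrentUser\My    | Where-Object Subject -eq $CertSubject
    [pscustomobject]@{
        TrustedRootPresent   = [bool]$root
        RootHasPrivateKey    = [bool]($root -and $root.HasPrivateKey)   # must be False
        PrivateKeyLeftBehind = [bool]$inMy                              # must be False
    }
}

$tp = Install-LocallySignedMsix
Test-LocallySignedMsix -Thumbprint $tp
```

Run it elevated, since writing to Cert:\LocalMachine\Root and changing Defender preferences require administrator rights. The two False values from Test-LocallySignedMsix are the evidence for the claim that the trusted certificate cannot sign anything further.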


Summary

This is a new milestone in the development of the WDACConfig module. I'm personally learning a lot by doing it, and the application I'm making is very useful for my needs and for others I work with. By sharing it with the community, I'm hoping it will be useful for you too.

As I've thoroughly explained, the security model remains intact; the decisions being made are based on logic and research, with security in mind.

If you have any feedback or questions, feel free to share it. I'm always open to suggestions and improvements.



Other Changes

  • Changed the wording in all of the documents and code to replace "Windows Defender Application Control" with "App Control" or "App Control for Business". This aligns the documentation with Microsoft's, as they made the same change to their documentation.

  • Updated the URLs for the Microsoft recommended block rules to point to the correct ones.

  • The Set-CiRuleOptions cmdlet has been removed. You can fully configure a policy in real time using the new AppControl Manager. I received lots of feedback from users that the module and its cmdlets are too advanced or have a steep learning curve; that's why the AppControl Manager, with its full-featured GUI, makes everything easier to use with essentially no learning curve.

  • Systematic reduction of PowerShell code and transitioning to modern C# code for improved interoperability and robustness which also unlocks many new possibilities.

  • Improved startup speed of the WDACConfig module and all its cmdlets.

  • WDAC Simulation has become significantly faster.

  • The WDACConfig module now automatically creates log files and stores them in a secure location inside the WDACConfig folder under Program Files. A check keeps that folder below 100 MB; if it grows past that limit, the folder is emptied automatically. You will be able to modify this limit in the settings in a future update.


PR: #345


Harden Windows Security v.0.6.6

09 Oct 21:40
9d76e56

What's New

  • Made the page transition animations faster. Helps when running in VMs with no GPU.
  • The tooltips in the Protect tab now appear with more delay on hover.
  • Updated required OS version from 22621.3880 to 22621.4169.
  • Changed the PowerShell Gallery's icon to align with the new app icon that's been in use.

Windows Networking Category

  • Added 2 policies that configure the SMB encryption cipher suite order for both server and client, changing the default AES_128_GCM,AES_128_CCM,AES_256_GCM,AES_256_CCM to AES_256_GCM,AES_256_CCM,AES_128_GCM,AES_128_CCM so that the AES-256 suites are preferred. More info -> #351

  • Added 2 policies to enable SMB over QUIC for both server and client. More info -> #351

  • Made the NTLM blocking policy in the Windows Networking category an optional sub-category. More info -> #353


Miscellaneous Category


PR: #359


Harden Windows Security v.0.6.5

05 Oct 21:55
6efeba1

What's New

  • Added a default file name which is based on the current date for when you select the Log Path button on the Protect tab. Previously the name was empty and if you wanted to quickly press the button to save the logs, you'd have to type something randomly, but now a meaningful name is available by default, reducing the need for pressing extra keys.

  • Added a new button to the Logs tab, it's called "Clear Logs" and will clear the logs on the GUI screen if pressed.

  • Added the ability to enable Sudo to the optional overrides of the Microsoft Security baselines. The baselines for 24H2 disable the ability to use Sudo. This override does not enable Sudo, it simply allows the user to enable Sudo from Windows Settings if they want to. When Microsoft Security Baselines disable Sudo, it becomes hidden from Windows Settings too. Enabling Sudo requires Administrator privileges, Standard (unelevated) users cannot enable Sudo.


Windows Networking

  • Added 2 new policies that set the minimum required version of SMB for clients and servers to be the latest version which currently is 3.1.1. Microsoft Security Baselines for 24H2 configure this policy to 3.0.0 which is too old. 3.1.1 was introduced many years ago with Windows 10 and it is the most secure SMB version.

  • Added a new policy to block NTLM completely for SMB.

  • Added a new policy to require encryption for SMB clients.

  • Moved the policy that enables SMB server encryption, from the Miscellaneous category, to the Windows Networking category, so it can be next to the rest of the relevant policies.
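The Windows Networking changes in v0.6.6 (cipher suite order) and v0.6.5 (minimum SMB dialect, NTLM blocking, required encryption) are applied by the module through Group Policy. As an added example, not the module's code, the PowerShell below applies the same settings through the SmbShare cmdlets and reads them back, which is the quickest way to confirm the effective state after a GPO refresh. It assumes Windows 11 24H2 or Server 2025, where the dialect and NTLM parameters exist; older builds reject them. SMB over QUIC is left out because it additionally needs a certificate on the server.

```powershell
# Added example (not the module's code): apply and verify SMB cipher order, minimum dialect, NTLM block and encryption.
# Assumption: Windows 11 24H2 / Server 2025 SmbShare cmdlets.
$CipherOrder = 'AES_256_GCM,AES_256_CCM,AES_128_GCM,AES_128_CCM'

function Set-SmbHardening {
    # Server: prefer AES-256 suites, refuse dialects below 3.1.1, encrypt all shares.
    Set-SmbServerConfiguration -EncryptionCiphers $CipherOrder -Smb2DialectMin SMB311 -EncryptData $true -Force
    # Client: same cipher order and floor; refuse unencrypted sessions and NTLM authentication.
    Set-SmbClientConfiguration -EncryptionCiphers $CipherOrder -Smb2DialectMin SMB311 `
        -RequireEncryption $true -BlockNTLM $true -Force
}

function Test-SmbHardening {
    $s = Get-SmbServerConfiguration
    $c = Get-SmbClientConfiguration
    # Some builds print the cipher list with spaces after the commas; normalise before comparing.
    $norm = { param($v) ([string]$v) -replace '\s', '' }
    [pscustomobject]@{
        ServerCipherOrderOk = ((& $norm $s.EncryptionCiphers) -eq $CipherOrder)
        ServerMinDialect311 = ([string]$s.Smb2DialectMin -eq 'SMB311')
        ServerEncryptData   = [bool]$s.EncryptData
        ClientCipherOrderOk = ((& $norm $c.EncryptionCiphers) -eq $CipherOrder)
        ClientMinDialect311 = ([string]$c.Smb2DialectMin -eq 'SMB311')
        ClientRequireEnc    = [bool]$c.RequireEncryption
        ClientBlockNtlm     = [bool]$c.BlockNTLM
    }
}

Set-SmbHardening
Test-SmbHardening
```

RequireEncryption and BlockNTLM on the client mean connections to servers that cannot negotiate SMB 3.1.1 encryption or Kerberos fail outright, which is why the module keeps NTLM blocking as an optional sub-category; test against every file server you depend on before enforcing it fleet-wide.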


Device Guard

  • The Device Guard category is available again. It had been removed and was available only for compliance checks, because all of its security measures were already applied by Microsoft Security Baselines 23H2 and later. Build 24H2 adds a new security measure, Machine Identity Isolation Configuration, and this update sets it to Enforcement mode.

  • The Device Guard category is also completely added to the Readme page with improvements. It was previously available as a Wiki page.

  • The Device Guard category is almost completely self-sufficient and does not depend on whether you applied the Microsoft Security Baselines category first, except for one policy, LSA protection with UEFI lock, which is applied by the Microsoft Security Baselines.

  • The category has been added to both the PowerShell CLI experience and the GUI (Graphical User Interface) experience when applying protections.


PR: #348


Harden Windows Security v.0.6.4

04 Oct 12:10
c59f9ce

What's New

This release ensures that the Harden Windows Security module/app is compatible with the Windows 11 24H2 build. The latest Windows build introduces numerous new group policies for configurations that were previously accessible only through methods like CIM. Consequently, many of these configurations are now implemented via group policies, providing a more streamlined and unified process.

The Readme content and style have been updated for better readability. A reminder that the Readme document is the main source for all of the security measures that are applied by the Harden Windows Security module/app.

All of the registry keys, policies, process mitigations and so on have been verified to continue to be compatible with the latest build of Windows, which currently is 24H2.

More policies will be added in the next update after further testing and verification.

Updated the DLLs from Microsoft NuGet packages to the latest versions.


Microsoft Defender Category

  • Intel TDT policy is now applied through Group Policy.
  • Disabling Performance mode of Microsoft Defender (For Dev Drives) is now applied through Group Policy.
  • Real-time protection and Security Intelligence Updates during OOBE policy is now applied through Group Policy.
  • Brute-Force Protection policy is now applied through Group Policy.
  • Brute-Force Protection aggressiveness policy is now applied through Group Policy.
  • Remote Encryption Protection policy is now applied through Group Policy.
  • Remote Encryption Protection aggressiveness policy is now applied through Group Policy.

  • New policy: Enable Network Protection to be configured into block or audit mode on Windows Server.

Identified 2 issues with the group policies on build 26100.1742 and 26100.1882. Mentioned them in the Microsoft Tech Community as well.

The following group policies do not actually apply the policies on the system when they are enabled in the specified build.

Windows Components\Microsoft Defender Antivirus\Network Inspection System\
Turn on asynchronous inspection

And

Windows Components\Microsoft Defender Antivirus\Network Inspection System\
Convert warn verdict to block

After applying them and checking the effective state via the Get-MpPreference cmdlet (CIM), even after a system restart, the values of EnableConvertWarnToBlock and AllowSwitchToAsyncInspection are still false.

That is why the Harden Windows Security module will continue to enforce and apply them through the CIM. The checks and balances in the module/app make sure everything stays compliant regardless of the method of enforcement.
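The defect above is only visible by comparing what the policy was supposed to set against what Defender actually reports. As an added example, not the module's code, the PowerShell below does that comparison for the two affected settings and enforces them over CIM, recording the before and after state so a compliance log shows whether Group Policy had taken effect. It assumes an elevated session, which Set-MpPreference requires.

```powershell
# Added example (not the module's code): detect and remediate the two NIS settings that the 24H2 GPOs fail to apply.
# Assumption: elevated session; Defender's MpPreference CIM class is available.
function Test-DefenderNisSettings {
    $p = Get-MpPreference
    [pscustomobject]@{
        AllowSwitchToAsyncInspection = [bool]$p.AllowSwitchToAsyncInspection
        EnableConvertWarnToBlock     = [bool]$p.EnableConvertWarnToBlock
    }
}

function Set-DefenderNisSettings {
    $before = Test-DefenderNisSettings
    # Only write what is actually wrong; each Set-MpPreference call is a separate CIM operation.
    if (-not $before.AllowSwitchToAsyncInspection) { Set-MpPreference -AllowSwitchToAsyncInspection $true }
    if (-not $before.EnableConvertWarnToBlock)     { Set-MpPreference -EnableConvertWarnToBlock $true }
    $after = Test-DefenderNisSettings
    [pscustomobject]@{
        GpoHadTakenEffect = ($before.AllowSwitchToAsyncInspection -and $before.EnableConvertWarnToBlock)
        CompliantNow      = ($after.AllowSwitchToAsyncInspection -and $after.EnableConvertWarnToBlock)
        Before            = $before
        After             = $after
    }
}

Set-DefenderNisSettings
```

If GpoHadTakenEffect is False on a machine where the two policies are enabled, you are seeing the same behaviour the release describes; CIM enforcement is what actually changes the running configuration.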


  • During process mitigation compliance verification, a process that has more mitigations applied than the ones required by the Harden Windows Security application is now considered compliant. The previous behaviour only accepted an exact match, which missed cases where the applied mitigations were a superset of the required ones. The log messages have been improved to provide detailed information about each process.
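The superset rule above (required settings must be ON; extra mitigations are fine) is easy to get wrong with an equality comparison. As an added example, not the module's code, the PowerShell below implements that rule against Get-ProcessMitigation output. The required table is illustrative and is not the module's actual policy; the category and setting names follow the properties Get-ProcessMitigation returns (for example Dep.Enable, Aslr.BottomUp, Cfg.Enable), whose values are ON, OFF or NOTSET.

```powershell
# Added example (not the module's code): superset compliance check for per-process mitigations.
# Assumption: $Required is an illustrative policy table, keyed by executable, then "Category.Setting" = expected value.
$Required = @{
    'notepad.exe' = @{ 'Dep.Enable' = 'ON'; 'Aslr.BottomUp' = 'ON'; 'Aslr.ForceRelocateImages' = 'ON' }
    'mspaint.exe' = @{ 'Dep.Enable' = 'ON'; 'Cfg.Enable' = 'ON' }
}

function Test-ProcessMitigationCompliance {
    param([hashtable]$Policy = $Required)
    foreach ($proc in $Policy.Keys) {
        $actual = Get-ProcessMitigation -Name $proc
        # Collect only the required settings that are not in the expected state; anything extra is ignored.
        $missing = foreach ($setting in $Policy[$proc].Keys) {
            $cat, $name = $setting -split '\.', 2
            $value = [string]$actual.$cat.$name
            if ($value -ne $Policy[$proc][$setting]) { "$setting=$value" }
        }
        [pscustomobject]@{
            Process   = $proc
            Compliant = (-not $missing)
            Missing   = ($missing -join ', ')
        }
    }
}

Test-ProcessMitigationCompliance | Format-Table -AutoSize
```

The Missing column is the log detail the release mentions: it names each required setting together with the value actually found (OFF or NOTSET), so a failure is actionable without re-running the check by hand.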

BitLocker Category

  • Added more logging messages during compliance checking of the BitLocker category to let user know why OS drive is not compliant.

  • BitLocker group policies are completely self-sufficient and no longer depend on the Microsoft Security Baselines.

  • Improved BitLocker encryption for non-OS drives. Leftover ExternalKey (auto-unlock) protectors that belong to previous OS installations are now detected and renewed so that the auto-unlock key is bound to the current OS drive.
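The renewal above is a protector-management operation on a data volume. As an added example, not the module's code, the PowerShell below performs it with the safety checks a practitioner would want: it refuses to act on an OS volume, ensures a recovery password protector exists before removing anything, removes all ExternalKey protectors (stale ones from an old OS install cannot be distinguished by ID alone), and re-enables auto-unlock so exactly one ExternalKey bound to the running OS drive remains. It assumes D: is the data drive and that the OS drive is already BitLocker-protected, which auto-unlock requires.

```powershell
# Added example (not the module's code): renew auto-unlock (ExternalKey) protectors on a BitLocker data volume.
# Assumptions: D: is an encrypted data volume; the OS drive is already protected (required for auto-unlock).
function Reset-BitLockerAutoUnlock {
    param([string]$MountPoint = 'D:')
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeType -ne 'Data') { throw "$MountPoint is not a data volume; refusing to touch its protectors." }

    # Safety net: never remove protectors from a volume that has no recovery password to fall back on.
    if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    }

    # Disable auto-unlock first (this drops its own protector), then clear every remaining ExternalKey.
    if ($vol.AutoUnlockEnabled) { Disable-BitLockerAutoUnlock -MountPoint $MountPoint | Out-Null }
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'ExternalKey' |
        ForEach-Object { Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null }

    # Re-create a single ExternalKey protector stored on, and bound to, the current OS drive.
    Enable-BitLockerAutoUnlock -MountPoint $MountPoint | Out-Null

    $after = Get-BitLockerVolume -MountPoint $MountPoint
    [pscustomobject]@{
        MountPoint        = $MountPoint
        AutoUnlockEnabled = [bool]$after.AutoUnlockEnabled
        ExternalKeyCount  = @($after.KeyProtector | Where-Object KeyProtectorType -eq 'ExternalKey').Count  # expect 1
        HasRecoveryPass   = [bool]($after.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    }
}

Reset-BitLockerAutoUnlock -MountPoint 'D:'
```

Run it elevated. If ExternalKeyCount is still above 1 afterwards, another protector was added between the two Get-BitLockerVolume calls; re-run rather than removing by hand.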


User Account Control (UAC) Category

  • New policy: sets the behavior of the elevation prompt for Standard users to Prompt for Credentials on the Secure Desktop. Microsoft Security Baselines 23H2 set this to Deny elevation requests, but since Windows is moving towards an admin-less model, Standard users need to be able to elevate. This policy ensures that the elevation prompt is secure and that the user enters credentials on the Secure Desktop.

  • Added this only for compliance checking: UAC: Behavior of the elevation prompt for administrators in Enhanced Privilege Protection Mode. This policy is by default set to the most secure value, which is Prompt for Credentials on the Secure Desktop. Adding it to compliance checking in the UAC category provides easy verification for the user to ensure it is set to the correct value because it is an important policy.

  • New policy: Configures the type of Admin Approval Mode to be Admin Approval Mode with enhanced privilege protection. This is another new policy added in the build 24H2.


Windows Update Category

There are no configuration changes. Only updated the group policy objects to match the new policies' locations in the 24H2 build. All of them are related to update auto-restart grace period and deadlines and how their locations are different between 23H2 and 24H2 builds.


Optional Windows Features

There is a bug in Windows 11 24H2 builds 26100.1742 and 26100.1882, related to the DISM module cmdlet, Get-WindowsCapability -Online and Internet Explorer mode! Watch the video:

2024-10-04.00-02-05.mp4

As a workaround, Internet explorer mode removal was moved to the end of the Optional Windows Features category instead of being in the middle. This change makes sure the category will complete successfully.

The problem with the cmdlet will most likely be fixed by a system restart. That means that once Internet Explorer mode (legacy rendering inside the Edge browser, which is unnecessary) is removed, you will have to restart before that cmdlet can be used again.

As you can see in the video, this is not related to the Harden Windows Security.


Non-Admin Category

  • Removed the 2 policies that were used to enable Clipboard syncing for the current user. They were an optional sub-category of the Non-Admin category.

PR: #347


Harden Windows Security v.0.6.3

18 Sep 23:13
d2ffddd

What's New

  • Closes #343
  • Adjusted animations of the tooltips.
  • General code improvements.
  • Updated the demo Gif on the readme to display the latest changes and improvements in the GUI.

PR: #344


Harden Windows Security v.0.6.2

18 Sep 00:52
1c09ef4

What's New

  • Implemented a new GUI section to offer a unified place to browse for multiple files and add them all at once to multiple exclusion lists. Closes #323 - Related Discussion

  • BitLocker encryption has been added to the GUI! You can now effortlessly encrypt the OS drive, non-OS drives, and removable drives directly through the graphical interface, with multiple options available for each type of encryption. With the encryption process now fully integrated into the GUI, the command-line encryption feature has been removed. Previously, encryption through the CLI was manual and limited by the terminal's capabilities. - Closes #282

  • With this pull request, the Harden Windows Security project is now fully implemented in native C# code, adhering to modern best practices. For those interested in the technical details, you can find more information here. Once PowerShell 7.5 and .NET 9 reach stable release, the application will undergo a complete GUI overhaul. This update will introduce a modernized design aligned with Windows 11 aesthetics, seamless automatic dark/light mode based on your system theme, and many additional enhancements.

  • When running without elevated privileges, any GUI pages requiring administrative access will no longer open automatically. Instead, a dialog box will appear, notifying you that Administrator privileges are necessary to proceed.

  • On the BitLocker page, utilizing the execute button now ensures that relevant group policies are applied to facilitate proper drive encryption. These policies are essential for enabling advanced BitLocker features, such as TPM-based key protectors and Enhanced PINs.

  • A new toggle has been introduced on the Logs tab, allowing users to enable or disable the logger's auto-scroll functionality with ease.

  • The Logs tab now includes a convenient button for swiftly exporting all log entries to a file, streamlining the process for documentation or analysis.

  • You can access the BitLocker page to view all recovery passwords for BitLocker-encrypted drives. Additionally, you can utilize the backup button to store these passwords in a file for safekeeping. The file will include all of the necessary properties in case you need to perform drive recovery in the future from the OOBE.

  • Fixed an issue where Controlled Folder Access exclusions list would be cleared after using the Harden Windows Security application.

  • The GUI toggle button on the Protect page that writes logs to the Windows Event Viewer is now disabled when running without Administrator privileges, because writing event logs to the designated location requires them.
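The recovery password backup described in the BitLocker item above writes the data needed for a future recovery to a file. As an added example, not the module's code, the PowerShell below exports every RecoveryPassword protector with its mount point, volume type and protector ID (the ID prefix is what the recovery screen displays), then restricts the file's ACL to SYSTEM and Administrators. The output path is illustrative.

```powershell
# Added example (not the module's code): export BitLocker recovery passwords to an ACL-restricted file.
# Assumption: $Path is illustrative; elevated session required to read protectors.
function Backup-BitLockerRecoveryPasswords {
    param([string]$Path = (Join-Path $env:USERPROFILE 'BitLocker-Recovery.txt'))

    $rows = foreach ($vol in Get-BitLockerVolume) {
        foreach ($kp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
            [pscustomobject]@{
                MountPoint       = $vol.MountPoint
                VolumeType       = [string]$vol.VolumeType
                KeyProtectorId   = $kp.KeyProtectorId      # first 8 characters are shown on the recovery screen
                RecoveryPassword = $kp.RecoveryPassword    # 48-digit key, the actual secret
            }
        }
    }
    if (-not $rows) { throw 'No RecoveryPassword protectors found on this machine.' }

    $rows | Format-List | Out-String | Set-Content -Path $Path -Encoding ascii

    # Lock the file down: break inheritance, discard inherited entries, allow only SYSTEM and Administrators.
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($identity in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
    return $rows
}

Backup-BitLockerRecoveryPasswords | Format-Table MountPoint, VolumeType, KeyProtectorId -AutoSize
```

The file unlocks every listed volume, and a copy left on the same machine is useless if that machine will not boot, so move it to offline or escrowed storage (for example the Entra ID or AD DS BitLocker escrow) and delete the local copy once that is confirmed.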


PR: #341


WDACConfig Update v0.4.5

07 Sep 13:22
836f0f5

What's New

  • Improved module startup time.

  • Updated the task scheduler creation logic, the one that creates a task to automatically update the Microsoft recommended driver block rules WDAC policy on the system every week. It has become more resilient.

  • Implemented lots of new strict code rules to enforce best practices, optimization and correctness.

  • Required PowerShell version: 7.4.3 => 7.4.4

  • Closes #337



I wanted to thank everyone who reports issues here; you all help create more mature software and develop something that can benefit us all. So, thank you 🙏

Issues/bugs always have a higher priority than feature requests for me, and I try to fix any issue that is reported as soon as possible to minimize your downtime. When I fix an issue, I don't just try to quickly fix that one instance and be done with it; instead, I find the root cause of it and fix the entire category of that issue/bug so that things like that never happen again in the future.

I hope everyone has a nice day/evening/night and stay safe! 💚


PR: #340


Harden Windows Security v.0.6.1

07 Sep 09:38
0758eb6

What's New

  • Added toast notifications for unprotection and ASR rule applications. Also updated the icons and images of other toast notifications for consistency. The messages on toast notifications are also useful as they provide a quick summary of the action that was just completed.

  • Implemented lots of new code rules for improved strictness and optimization.

  • Updated the task scheduler creation logic in the Microsoft Defender category, the one that creates a task to automatically update the Microsoft recommended driver block rules WDAC policy on the system every week. It has become more resilient.

  • Closes #338


PR: #339


Harden Windows Security v.0.6.0

04 Sep 19:46
5a13437

What's New

  • Added support for writing events and logs to the Windows Event Viewer. Use the new button on the GUI to activate event logging at any time. Events are saved in the Application log under the "Harden-Windows-Security" source, with Information, Warning and Error levels marked properly for easy detection.

  • Transition between different tabs of the GUI is smoother and faster.

  • The progress bar that used to appear in the Protect tab now appears globally on the entire GUI when there is activity. This helps you to know that the application is working on something and is busy.

  • Added a new slider to the bottom left of the GUI so you can change the transparency of the background image.

  • Added a new button to the bottom left of the GUI so you can browse for custom background image.

  • Improved resource management: You can now delete the entire module folder after closing the GUI or using the Protect-WindowsSecurity command in general, without the need to close PowerShell first.

  • Implemented a new error handling mechanism in the GUI. When an error occurs, users will now see a prompt that clearly explains the issue and provides guidance on the next steps. Additionally, the prompt includes a button that directs users to this repository's GitHub issues page, making it easy to report the error for swift resolution.

  • Fixed #334


PR: #335