Skip to content

Harden Windows Security v.0.6.5
Compare
Choose a tag to compare
@HotCakeX HotCakeX released this 05 Oct 21:55
· 67 commits to main since this release
Hardening-Module-v.0.6.5
6efeba1
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Learn about vigilant mode.

What's New

  • Added a default file name which is based on the current date for when you select the Log Path button on the Protect tab. Previously the name was empty and if you wanted to quickly press the button to save the logs, you'd have to type something randomly, but now a meaningful name is available by default, reducing the need for pressing extra keys.

  • Added a new button to the Logs tab, it's called "Clear Logs" and will clear the logs on the GUI screen if pressed.

  • Added the ability to enable Sudo to the optional overrides of the Microsoft Security baselines. The baselines for 24H2 disable the ability to use Sudo. This override does not enable Sudo, it simply allows the user to enable Sudo from Windows Settings if they want to. When Microsoft Security Baselines disable Sudo, it becomes hidden from Windows Settings too. Enabling Sudo requires Administrator privileges, Standard (unelevated) users cannot enable Sudo.


Windows Networking

  • Added 2 new policies that set the minimum required version of SMB for clients and servers to be the latest version which currently is 3.1.1. Microsoft Security Baselines for 24H2 configure this policy to 3.0.0 which is too old. 3.1.1 was introduced many years ago with Windows 10 and it is the most secure SMB version.

  • Added a new policy to block NTLM completely for SMB.

  • Added a new policy to require encryption for SMB clients.

  • Moved the policy that enables SMB server encryption, from the Miscellaneous category, to the Windows Networking category, so it can be next to the rest of the relevant policies.


Device Guard

  • The Device Guard category is available again. It was previously removed and was only available for Compliance checks, because all of its security measures were applied by Microsoft Security Baselines 23H2 and later, but in build 24H2, there is a new security measure available called Machine Identity Isolation Configuration, and in this update, it is set to Enforcement mode.

  • The Device Guard category is also completely added to the Readme page with improvements. It was previously available as a Wiki page.

  • The Device Guard category is almost completely self-sufficient and doesn't rely on whether you used Microsoft Security Baselines category first or not except for 1 policy which is LSA with UEFI lock and that is applied by the Microsoft Security baselines.

  • The category has been added to the PowerShell CLI experience And GUI (Graphical User Interface) experience when applying protections.


PR: #348


Assets 2
Loading