
Releases: HotCakeX/Harden-Windows-Security

Harden Windows Security Module v.0.3.8

14 Apr 18:09
a767ebd

What's New

  • A toast notification is now displayed when an operation completes in the GUI of the Harden Windows Security module and script.
  • Improved the logging style when using the GUI, both in the log file and in the logs displayed on the GUI.
  • Added a new parameter, -OnlyCountryIPBlockingFirewallRules, to the Unprotect-WindowsSecurity cmdlet. It removes only the country IP blocking firewall rules and leaves everything else in place.
  • Overall code improvements

PR: #235


Harden Windows Security Module v.0.3.7

09 Apr 20:18
c1c6244

What's Changed

This update is in response to the changes made today to the Windows Boot Manager revocations for Secure Boot in this blog post.

You can find all of the necessary information in that post.

To Summarize:

  1. The procedures required to apply the Windows Boot Manager revocations for Secure Boot have changed significantly, and the module category that applied them has been removed.
  2. The new procedures are extensive and involve steps that could have adverse effects if automated at this point in time. According to the post, they require updated bootable media that Microsoft has not released yet. They would also trigger BitLocker's recovery screen, so the user would need to keep the 48-digit recovery key accessible during the procedure.
  3. Microsoft is planning to apply these changes automatically in the future through Windows Update.
  4. Once updated bootable media (ISO files) have been released by Microsoft on July 9, 2024, I'll re-evaluate the procedures as to whether to add automation for them in the Harden Windows Security Module or not.

As always, make sure you're using the latest version of the OS to stay safe and secure with the latest patches.

Today's patch Tuesday update:
https://support.microsoft.com/en-gb/topic/april-9-2024-kb5036893-os-builds-22621-3447-and-22631-3447-a674a67b-85f5-4a40-8d74-5f8af8ead5bb

Related discussion announcement: #230


FAQ

  • Q: What about the old procedure?

  • A: If you applied the old procedure, either manually by following the official article or by using the Harden Windows Security module, then you're good to go and don't need to make any more changes. If you never applied the mitigations, you can read the article and decide whether to apply the new mitigations manually, or just wait until they are applied to your device automatically through Windows Update in the near future.


PR: #229


Harden Windows Security Module v.0.3.6

03 Apr 20:16
fd6c587

What's New

GUI (Graphical User Interface)

  • The Harden Windows Security module (and script) now has a graphical user interface (GUI). Hardening measures can be applied either through the traditional command line interface (CLI) or through the new GUI, serving both advanced users and those who prefer a more visual approach.

  • This release focuses on added convenience and user choice.

  • The GUI was created with accessibility in mind. It is responsive and needs no dependencies or additional files. You can even run it filelessly by pasting the GitHub link from this repository into your PowerShell console.

  • If you have any feedback, feel free to open new issues; I already have some improvements in mind that will be introduced in later versions of the module.

  • The GUI works in both offline and online modes.

YouTube Video & Demo

Link: https://youtu.be/a8YbihowTVg


How To Launch The GUI

Protect-WindowsSecurity -GUI

Other Changes

  • Added a file picker GUI for the LogPath parameter of the Protect-WindowsSecurity cmdlet.

PR: #221


Harden Windows Security Module v.0.3.5

22 Mar 19:03
c8cb9fb

What's Changed

  • Set the "Block use of copied or impersonated system tools" Attack Surface Reduction rule to Warn mode instead of Block. In Warn mode the action is still blocked, but a toast notification is displayed that lets you unblock it if you want. The rule is still in preview, so this change gives you more control over it in case it inadvertently blocks a process. To apply the change, run the ASR category again.

    • The compliance checking marks this ASR rule as compliant if it's either in warn & block or block mode.

Thanks to @agpt8 for the post about this.


PR: #220


WDACConfig module update v0.3.5

16 Mar 22:32
9b45326

What's Changed

  • Improved SignTool.exe path acquisition logic.
  • Fixed a bug where multiple deployed policies caused the same event log entry to be generated multiple times, so that one of the internal functions could not find the correct one.
  • Removed the temporary measure introduced in the previous release where the user configurations file would automatically be moved to the new location. More info in the previous release note.

PR: #211


Harden Windows Security Module v.0.3.4

07 Mar 03:21

What's Changed

New ASR Rules - Attack Surface Reduction

  • Block use of copied or impersonated system tools
  • Block rebooting machine in Safe Mode


PR: #212


Harden Windows Security Module v.0.3.3

04 Mar 18:00
db2e582

What's Changed

New Microsoft Defender Features

  • Configures Brute-Force Protection to use cloud aggregation to block IP addresses that are over 99% likely malicious (CSP)

    • Higher aggressiveness levels exist for this setting; one of them will be adopted in a later version after more testing.
  • Configures Brute-Force Protection to detect and block attempts to forcibly sign in and initiate sessions (CSP)

  • Lets the internal feature logic determine the blocking time for Brute-Force Protection (CSP)

  • Configures Remote Encryption Protection to use cloud intel and context, and to block when the confidence level is above 90% (CSP)

  • Configures Remote Encryption Protection to detect and block attempts to replace local files with encrypted versions from another device (CSP)

  • Lets the internal feature logic determine the blocking time for Remote Encryption Protection (CSP)
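
The following is an added example and not code from the Harden Windows Security module. It audits the Defender preferences from this release and the ASR change from v0.3.5 above (a rule counts as compliant in either Block or Warn mode), using only Get-MpPreference. The ASR rule GUID is the one Microsoft's ASR rules reference lists for "Block use of copied or impersonated system tools", and the numeric values in $Expected are my reading of the Defender CSP documentation (0 for the MaxBlockTime settings means "let the feature logic decide"); verify both against those references before using this as a baseline.

```powershell
# Added example, not code from the Harden Windows Security module.
# Assumptions: the ASR rule GUID below is the documented one for
# "Block use of copied or impersonated system tools"; the values in $Expected
# follow the Defender CSP documentation as I read it and should be verified.

function Test-DefenderHardening {
    [CmdletBinding()]
    param(
        # ASR rule to check; default: "Block use of copied or impersonated system tools"
        [string]$AsrRuleId = 'c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb',

        # Desired state for the v0.3.3 Defender settings (assumed value mapping, see above)
        [hashtable]$Expected = @{
            BruteForceProtectionConfiguredState       = 1  # Block
            BruteForceProtectionAggressiveness        = 0  # Low: block IPs that are over 99% likely malicious
            BruteForceProtectionMaxBlockTime          = 0  # internal feature logic decides
            RemoteEncryptionProtectionConfiguredState = 1  # Block
            RemoteEncryptionProtectionAggressiveness  = 1  # Medium: block when confidence is above 90%
            RemoteEncryptionProtectionMaxBlockTime    = 0  # internal feature logic decides
        }
    )

    $pref     = Get-MpPreference
    $findings = [System.Collections.Generic.List[object]]::new()

    # ASR rule: compliant when the configured action is Block (1) or Warn (6),
    # which is how the v0.3.5 compliance check treats this rule.
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    $action  = $null
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $AsrRuleId) { $action = [int]$actions[$i]; break }
    }
    $display = if ($null -eq $action) { 'not configured' } else { $action }
    $findings.Add([pscustomobject]@{
        Setting   = "ASR rule $AsrRuleId"
        Current   = $display
        Expected  = 'Block (1) or Warn (6)'
        Compliant = ($null -ne $action) -and ($action -in @(1, 6))
    })

    # Brute-force / remote-encryption protection: exact match against the desired value
    foreach ($name in ($Expected.Keys | Sort-Object)) {
        $current = $pref.$name
        $findings.Add([pscustomobject]@{
            Setting   = $name
            Current   = $current
            Expected  = $Expected[$name]
            Compliant = ($null -ne $current) -and ([int]$current -eq [int]$Expected[$name])
        })
    }
    return $findings
}

Test-DefenderHardening | Format-Table -AutoSize
```

On builds older than 22621.3155 the brute-force and remote-encryption properties are absent from Get-MpPreference, so they show up as non-compliant with an empty Current column rather than throwing.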

Other Changes

  • To leverage the new features, the minimum required OS version has been raised from 22621.2428 to 22621.3155. That build was released on February 13, 2024 and is a non-preview, stable build of Windows 11.

  • Added a new parameter, -OnlyDownloadsDefenseMeasures, to the Unprotect-WindowsSecurity cmdlet. It removes only the Downloads Defense Measures without changing anything else.

  • Removed SystemSettings.exe, ngen.exe, LSASS.exe, RuntimeBroker.exe and ngentask.exe from the list of executables handled by the Unprotect-WindowsSecurity cmdlet, because those processes have mitigations applied to them out of the box that the cmdlet should not remove.


PR: #210


WDACConfig module update v0.3.4

02 Mar 19:17
2e98f04

What's Changed

Threat Model Upgrade

Some file-system paths can be written to by any user, while others can only be modified with Administrator privileges; a non-elevated process cannot tamper with files in the latter. Based on this, the WDACConfig module has been upgraded to use the more protected paths.

Install Directory

If the WDACConfig module is installed under the user's Documents folder, which is where Install-Module puts it by default (CurrentUser scope), a malicious program running as that user without elevated privileges could modify its files and interfere with its functionality.

Therefore, it is strongly advised to install it with the AllUsers scope:

Install-Module -name 'WDACConfig' -Scope AllUsers

This installs it in the following path

C:\Program Files\PowerShell\Modules\WDACConfig

which can only be modified with Administrator privileges. When the module auto-updates, it is installed to that path as well.

User Configurations Directory

Previously, the WDACConfig module saved user configurations in the following path

C:\Users\UserName\.WDACConfig\UserConfigurations.json

Any process running as that user, elevated or not, can write to that directory, so a malicious program without elevated privileges could tamper with the configuration. Therefore, the WDACConfig module now saves user configurations in the following path

C:\Program Files\WDACConfig\UserConfigurations\UserConfigurations.json

Note

In this release, the module automatically moves the user configuration file from the old location to the new one if it doesn't already exist in the new location. This feature is only added temporarily to smooth the transition and will be removed in the next version.

Staging Areas

The module now uses a secure staging area located in

C:\Program Files\WDACConfig\StagingArea

for all of its operations, including but not limited to: creating, modifying, signing, generating, removing, and simulating WDAC policies. This directory is cleaned up after each operation unless the -Debug parameter is used with the cmdlets that support it. No file operation is performed outside of this area.
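
The following is an added example, not code from the WDACConfig module. It makes the threat model above checkable: for each path it inspects the DACL and reports whether a principal that a non-elevated process carries in its token (the user, Users, Authenticated Users, Everyone) holds a right that allows tampering. The CurrentUser module location under Documents is assumed to be PowerShell 7's default ($HOME\Documents\PowerShell\Modules); the other paths are the ones quoted in these notes.

```powershell
# Added example, not code from the WDACConfig module: reports whether a path could be
# modified by a non-elevated process running as the current user, by inspecting the DACL.

function Test-PathWritableByStandardUser {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false; WritableByStandardUser = $null; GrantedTo = '' }
    }

    # Principals present in a standard (non-elevated) user's token
    $lowPrivPrincipals = @(
        'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
        'NT AUTHORITY\INTERACTIVE', "$env:USERDOMAIN\$env:USERNAME"
    )

    # Rights that allow tampering with a file or directory (read/execute alone does not count).
    # The two generic bits cover ACEs written with GENERIC_WRITE / GENERIC_ALL.
    $tamperMask = (
        [int][System.Security.AccessControl.FileSystemRights]::Write -bor
        [int][System.Security.AccessControl.FileSystemRights]::Delete -bor
        [int][System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
        [int][System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
        [int][System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
        0x40000000 -bor 0x10000000
    )

    $grants = foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -notin $lowPrivPrincipals) { continue }
        if (([int]$ace.FileSystemRights -band $tamperMask) -ne 0) { $ace.IdentityReference.Value }
    }
    $grants = @($grants | Select-Object -Unique)

    [pscustomobject]@{
        Path                   = $Path
        Exists                 = $true
        WritableByStandardUser = ($grants.Count -gt 0)
        GrantedTo              = ($grants -join ', ')
    }
}

# Old vs. new locations from the release notes. The Documents path is the
# PowerShell 7 CurrentUser default for Install-Module (assumption).
@(
    "$HOME\Documents\PowerShell\Modules\WDACConfig"                          # Install-Module default (CurrentUser)
    'C:\Program Files\PowerShell\Modules\WDACConfig'                         # Install-Module -Scope AllUsers
    "$HOME\.WDACConfig\UserConfigurations.json"                              # old user configuration file
    'C:\Program Files\WDACConfig\UserConfigurations\UserConfigurations.json' # new user configuration file
) | ForEach-Object { Test-PathWritableByStandardUser -Path $_ } | Format-Table -AutoSize -Wrap
```

Run it from a non-elevated prompt as well as an elevated one: the Program Files paths should come back as not writable in both cases, while the profile paths are writable by the very account a local malware process would run as, which is the point of the move.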
 

Other Changes

  • -Level now defaults to WHQLFilePublisher and -Fallback to FilePublisher, Hash in all of the cmdlets that support them. This increases security by taking the WHQL EKU of any drivers among the scanned files into account. Read about the comparison of each level in this document.

    • Previously, the default level was FilePublisher and the default fallback was Hash.
  • Added a new parameter called -CipFile to the Test-CiPolicy cmdlet for displaying signer information in the signed .CIP files. This is done because the normal Get-AuthenticodeSignature cmdlet does not reveal a .CIP file's signatures.

  • Enabled OS indicators during WDAC Simulation, this enables Windows Terminal and the taskbar to display little indicators about the progress of the simulation. Also made the progress bar fancier by showing dynamic colors.

  • Improved the speed of WDAC Simulation when calculating the Authenticode file hashes.

  • Added a new parameter called -CSVOutput to the Invoke-WDACSimulation cmdlet; when specified, the cmdlet creates a CSV file containing the simulation results. Previously the CSV output was always created, so users now have control over that behavior.

  • Added a confirmation prompt to the Remove-CommonWDACConfig cmdlet when it is invoked without any additional parameters, because in that mode it deletes all of the saved WDACConfig user configurations. As a relatively high-risk action it is now behind an extra check, which can be bypassed with the familiar -Force parameter.

  • Added file picker GUI to various parameters of the Edit-SignedWDACConfig and Edit-WDACConfig cmdlets.

  • Added stricter type constraints to more variables.

  • Improved Certificate common name detection by using Windows APIs instead of custom regex patterns.

  • Refined the logic for both Edit-SignedWDACConfig -UpdateBasePolicy and Edit-WDACConfig -UpdateBasePolicy to handle the case where multiple policies with the same name are deployed and the user selects that name.

  • Simplified the parameters of the New-KernelModeWDACConfig cmdlet.

  • Added progress bars to ConvertTo-WDACPolicy.

  • Lots of code optimization and refactoring that led to reduced code base while adding more functionality at the same time. Thanks to @mklement0 for his help with parts of this.
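
The following is an added example that uses the built-in ConfigCI cmdlet New-CIPolicy rather than the WDACConfig module, to make the level/fallback change above concrete: it scans a folder with -Level WHQLFilePublisher and -Fallback FilePublisher, Hash, then parses the resulting policy XML to count how many files ended up as WHQL-constrained signer rules, plain FilePublisher rules, or hash rules. The same function with -Fallback None reproduces the driver-only behaviour described in the WDACConfig v0.3.3 notes further down. It must run elevated; the scan path and output file are assumptions.

```powershell
# Added example, not WDACConfig code: create a policy with the new default levels using the
# built-in New-CIPolicy cmdlet and summarise which kinds of rules the scan produced.

function New-LeveledPolicySummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ScanPath,
        [string]$OutFile = (Join-Path $env:TEMP 'LeveledPolicy.xml'),
        [string]$Level = 'WHQLFilePublisher',
        [string[]]$Fallback = @('FilePublisher', 'Hash')   # use @('None') for a drivers-only policy
    )

    # -UserPEs includes user-mode binaries; without it only kernel-mode files are considered.
    New-CIPolicy -FilePath $OutFile -ScanPath $ScanPath -Level $Level -Fallback $Fallback -UserPEs | Out-Null

    [xml]$policy = Get-Content -LiteralPath $OutFile -Raw
    $signers = @($policy.SiPolicy.Signers.Signer)

    # Signer rules carrying an EKU requirement come from the WHQL* levels (the WHQL EKU on drivers)
    $whql    = @($signers | Where-Object { $_.CertEKU })
    # Signer rules bound to file attributes but without an EKU requirement come from FilePublisher
    $filePub = @($signers | Where-Object { -not $_.CertEKU -and $_.FileAttribRef })
    # Files that could not be attributed to a usable signer fell through to Hash rules
    $hashes  = @($policy.SiPolicy.FileRules.Allow | Where-Object { $_.Hash })

    [pscustomobject]@{
        Policy             = $OutFile
        Level              = $Level
        Fallback           = ($Fallback -join ',')
        WhqlSignerRules    = $whql.Count
        FilePublisherRules = $filePub.Count
        HashRules          = $hashes.Count
    }
}

# Assumed scan target; a driver folder shows the WHQL level doing real work.
New-LeveledPolicySummary -ScanPath "$env:SystemRoot\System32\drivers"
```

A non-zero HashRules count after a WHQLFilePublisher scan is the thing to look at: those are the files that neither a WHQL-constrained nor a plain FilePublisher rule could cover, so they are the ones that will silently go stale after the next update.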


PR: #206


Harden Windows Security Module v.0.3.2

24 Feb 11:55
0573332

What's Changed

Added 3 new policies to the Optional Overrides. These 3 policies alter the settings that are applied by Microsoft Security baselines.

Disabled "Turn off Microsoft Consumer Experiences"

in Computer Configuration -> Administrative Templates -> Windows Components -> Cloud Content

The reason is that in Windows 11 build 22635.3209, currently in the Windows Insider Beta channel, new features are available in Settings:

[screenshot: the new features in the Settings app]

If that policy were left enabled, the Settings page would look like this:

[screenshot: the same Settings page with the policy enabled]

Which is obviously not desired as the Harden Windows Security module should not create obstacles or cause difficulties for using built-in features.

Thanks @agpt8 for reporting it!


Disabled "Configure password backup directory"

in Computer Configuration -> Administrative Templates -> System -> LAPS

Microsoft Security Baselines set it to this value:

[screenshot: the baseline value of "Configure password backup directory"]

But since the Harden Windows Security module does not target computers that are joined to a domain or to Entra ID, there is no need for this policy to be active. That is why the policy is now set to this state:

[screenshot: the policy set to Disabled]

Enabled "Apply UAC restrictions to local accounts on network logons"

in Computer Configuration -> Administrative Templates -> MS Security Guide

Microsoft Security Baselines set it to the Disabled state. Not sure why exactly; probably some legacy feature in domain controller environments relies on it.

[screenshot: the baseline state of "Apply UAC restrictions to local accounts on network logons"]

Either way, it's a security feature that is enabled by default in Windows, so the Optional Overrides set it back to the Enabled state.

You can learn more about that feature here.
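
The following is an added example, not the module's own code. It reads the registry values that the three policies above are backed by and reports whether the machine is in the state the Optional Overrides intend: Consumer Experiences not turned off, no LAPS backup directory enforced, and local-account token filtering on. The key/value names are the ones the corresponding ADMX policies write; treating an absent LAPS BackupDirectory value as "nothing enforced" is an assumption.

```powershell
# Added example, not Harden Windows Security module code: audit the registry
# state behind the three Optional Overrides described above.

function Get-OptionalOverrideState {
    $checks = @(
        @{
            Name  = 'Turn off Microsoft Consumer Experiences (expected: Disabled)'
            Key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CloudContent'
            Value = 'DisableWindowsConsumerFeatures'
            # Enabled writes 1; Disabled writes 0; absent = Not Configured (features stay available)
            Ok    = { param($v) ($null -eq $v) -or ($v -eq 0) }
        },
        @{
            Name  = 'Configure password backup directory (expected: Disabled)'
            Key   = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
            Value = 'BackupDirectory'
            # 1 = Entra ID, 2 = Active Directory; 0 or absent = no backup directory enforced (assumption)
            Ok    = { param($v) ($null -eq $v) -or ($v -eq 0) }
        },
        @{
            Name  = 'Apply UAC restrictions to local accounts on network logons (expected: Enabled)'
            Key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
            Value = 'LocalAccountTokenFilterPolicy'
            # Enabled writes 0 (filtering on); 1 turns the filter off; absent = Windows default (filtering on)
            Ok    = { param($v) ($null -eq $v) -or ($v -eq 0) }
        }
    )

    foreach ($c in $checks) {
        $item    = Get-ItemProperty -Path $c.Key -Name $c.Value -ErrorAction SilentlyContinue
        $current = if ($null -ne $item) { $item.($c.Value) } else { $null }
        $display = if ($null -eq $current) { '<absent>' } else { $current }
        [pscustomobject]@{
            Policy    = $c.Name
            Current   = $display
            Compliant = (& $c.Ok $current)
        }
    }
}

Get-OptionalOverrideState | Format-Table -AutoSize -Wrap
```

The LocalAccountTokenFilterPolicy row is the one worth keeping an eye on: a value of 1 means any local administrator account can be used for remote admin-level access over the network, which is exactly the lateral-movement path the default setting closes.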


Other Changes

  • Improved the progress bars in the module

PR: #207


WDACConfig module update v0.3.3

21 Feb 21:23
41daeab

What's Changed

General Improvements

  • Changed the -LogSize parameter types to unsigned integers since they do not accept negative values. Made the same change internally to a few variables.
  • Removed the -Level and -Fallbacks parameters from New-DenyWDACConfig -Drivers; the level is now fixed to WHQLFilePublisher and the fallback to None. The created policies always enforce WHQL criteria, and since drivers are being scanned, WHQLFilePublisher is the best level to use.
  • Improved event log collection and processing by making it more resilient and removing repetitive code from the module. A single function is now used wherever event logs need to be collected anywhere in the module.
    • This new function collects every piece of available information about each event, groups correlated events together and processes them properly for maximum visibility.
  • New cmdlet 🧁 Get-CiFileHashes 🧁 calculates the SHA1 and SHA256 Authenticode hashes and the first page hash of PE files. For non-conformant files it calculates flat file hashes. All calculations follow the WDAC and Code Integrity requirements in Windows.
  • New cmdlet 🧁 ConvertTo-WDACPolicy 🧁 presents the Code Integrity logs in a graphical interface (GUI) and lets the user choose which logs to use. The logs can be filtered in various ways, such as by date, type, or the policy that generated them.
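
The following is an added example and not the implementation of Get-CiFileHashes. It shows what "Authenticode hash" means for a PE file by computing it the way the Authenticode PE specification describes: everything in the file is hashed except the CheckSum field, the Certificate Table data-directory entry and the embedded certificate table itself, with section data hashed in PointerToRawData order and any trailing non-certificate data appended. Comparing the result with Get-FileHash shows why the flat hash and the Authenticode hash of a signed binary differ. Page hashes are not covered, and the certificate table is assumed to sit at the end of the file, as the specification requires.

```powershell
# Added example, not the Get-CiFileHashes implementation: Authenticode PE hash
# per the Authenticode PE specification (checksum, security directory entry and
# certificate table excluded; sections in file order; trailing data appended).

function Get-AuthenticodePeHash {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [ValidateSet('SHA1', 'SHA256')][string]$Algorithm = 'SHA256'
    )
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) { throw "$Path is not an MZ executable" }
    $peOff = [BitConverter]::ToInt32($bytes, 0x3C)
    if ([BitConverter]::ToUInt32($bytes, $peOff) -ne 0x00004550) { throw "$Path has no PE signature" }

    $numSections   = [BitConverter]::ToUInt16($bytes, $peOff + 6)     # IMAGE_FILE_HEADER.NumberOfSections
    $optSize       = [BitConverter]::ToUInt16($bytes, $peOff + 20)    # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    $optOff        = $peOff + 24
    $isPe32Plus    = ([BitConverter]::ToUInt16($bytes, $optOff) -eq 0x20B)
    $checksumOff   = $optOff + 64                                     # IMAGE_OPTIONAL_HEADER.CheckSum
    $certDirOff    = $optOff + $(if ($isPe32Plus) { 144 } else { 128 }) # DataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY]
    $sizeOfHeaders = [BitConverter]::ToUInt32($bytes, $optOff + 60)
    $certTableSize = [BitConverter]::ToUInt32($bytes, $certDirOff + 4)

    $hasher = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm)
    $feed = { param($start, $length)
        # Feed [$start, $start+$length) to the hasher, clamped to the file length
        if ($length -gt 0 -and $start -lt $bytes.Length) {
            $length = [Math]::Min([long]$length, [long]($bytes.Length - $start))
            [void]$hasher.TransformBlock($bytes, [int]$start, [int]$length, $null, 0)
        }
    }

    # Headers, skipping the 4-byte CheckSum and the 8-byte Certificate Table directory entry
    & $feed 0 $checksumOff
    & $feed ($checksumOff + 4) ($certDirOff - $checksumOff - 4)
    & $feed ($certDirOff + 8) ($sizeOfHeaders - $certDirOff - 8)

    # Section data, sorted by PointerToRawData (40-byte section headers follow the optional header)
    $secTable = $optOff + $optSize
    $sections = for ($i = 0; $i -lt $numSections; $i++) {
        $entry = $secTable + 40 * $i
        [pscustomobject]@{
            RawSize = [BitConverter]::ToUInt32($bytes, $entry + 16)   # SizeOfRawData
            RawPtr  = [BitConverter]::ToUInt32($bytes, $entry + 20)   # PointerToRawData
        }
    }
    $hashed = [long]$sizeOfHeaders
    foreach ($s in ($sections | Sort-Object RawPtr)) {
        if ($s.RawSize -eq 0) { continue }
        & $feed ([long]$s.RawPtr) ([long]$s.RawSize)
        $hashed += $s.RawSize
    }

    # Anything after the sections that is not the certificate table (e.g. appended debug data)
    $trailing = [long]$bytes.Length - $hashed - [long]$certTableSize
    if ($trailing -gt 0) { & $feed $hashed $trailing }

    [void]$hasher.TransformFinalBlock([byte[]]::new(0), 0, 0)
    return ([BitConverter]::ToString($hasher.Hash) -replace '-', '')
}

# Compare against the flat hash of a signed system binary (assumed present on the machine)
$file = "$env:SystemRoot\System32\notepad.exe"
[pscustomobject]@{
    File               = $file
    AuthenticodeSHA256 = Get-AuthenticodePeHash -Path $file
    FlatSHA256         = (Get-FileHash -Path $file -Algorithm SHA256).Hash
}
```

For an unsigned PE the certificate table size is zero and the two excluded header fields are usually zero as well, so the Authenticode hash still differs from the flat hash by exactly those 12 skipped bytes; for a signed file the whole appended certificate table is excluded too, which is what lets a file keep the same Code Integrity hash before and after signing.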

WDAC Simulation

  • Since .bat and .ocx file types do not support Authenticode signing, the simulation no longer checks for their signature, leading to overall performance improvements.
  • Improved performance of the simulation by handling non-conformant files faster using WDACConfig module itself.

PR: #202