
Releases: HotCakeX/Harden-Windows-Security

WDACConfig module v0.2.0 - WDAC Simulation

18 Jul 23:00
a0b7d91

WDACConfig module update v0.2.0

This update introduces a new feature that lets you simulate a WDAC deployment. You can read all about it in the documentation for the new Invoke-WDACSimulation cmdlet.

Change log

  1. Added WDAC simulation via the new Invoke-WDACSimulation cmdlet
  2. Added the Get-CommonWDACConfig cmdlet, dedicated only to querying and reading the User Configurations. The Set-CommonWDACConfig cmdlet is only for storing User Configurations.
  3. Eliminated the need for an extra reboot in the New-KernelModeWDACConfig cmdlet. From now on only one reboot is required, and only for Audit mode. When deploying the Enforced mode policy, the module replaces the Audit mode policy with the new enforced policy and it becomes operative instantly.
  4. Improved the argument completers of the Set-CommonWDACConfig cmdlet by showing a GUI file picker.
  5. Added a new parameter to the New-DenyWDACConfig cmdlet for creating deny rules for Windows Appx (packaged) apps
  6. Improved the parameter usage logic in the New-KernelModeWDACConfig cmdlet
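The audit-to-enforced switch described in item 3, as an added PowerShell example that is not the WDACConfig module's own code: it removes the "Enabled:Audit Mode" rule option from an existing policy XML, recompiles it and refreshes it with CiTool under the same PolicyID, so the enforced policy replaces the audit policy that is already active instead of being deployed beside it. The policy path, the output directory and the property names read back from CiTool's JSON output are assumptions.

```powershell
# Added example (not part of the WDACConfig module): flip an existing WDAC policy from
# Audit mode to Enforced mode and activate it in place, keeping the same PolicyID.
# Assumptions: Windows 11 22H2+ (CiTool.exe ships in-box), the ConfigCI module is present,
# and $AuditPolicyXml points at a policy that was previously deployed in Audit mode.
#Requires -RunAsAdministrator
param(
    [Parameter(Mandatory)][string]$AuditPolicyXml,   # e.g. C:\Policies\KernelMode.xml (assumed path)
    [string]$OutputDir = (Join-Path $env:TEMP 'WDAC-Enforced')
)
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# Read the PolicyID out of the XML; the compiled .cip is conventionally named after it.
[xml]$Policy = Get-Content -Path $AuditPolicyXml
$PolicyId = $Policy.SiPolicy.PolicyID
if (-not $PolicyId) { throw "No PolicyID found in $AuditPolicyXml" }

# Rule option 3 is 'Enabled:Audit Mode'. Deleting it turns the policy into an enforced one.
New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null
$EnforcedXml = Join-Path $OutputDir "$PolicyId.xml"
Copy-Item -Path $AuditPolicyXml -Destination $EnforcedXml -Force
Set-RuleOption -FilePath $EnforcedXml -Option 3 -Delete

# Sanity check before touching the system: refuse to proceed if audit mode is still present.
if (Select-String -Path $EnforcedXml -Pattern 'Enabled:Audit Mode' -Quiet) {
    throw 'Audit mode rule option is still present; aborting'
}

# Compile to binary and refresh. Because the PolicyID is unchanged, --update-policy replaces
# the audit policy that is already active rather than stacking a second policy next to it.
$EnforcedCip = Join-Path $OutputDir "$PolicyId.cip"
ConvertFrom-CIPolicy -XmlFilePath $EnforcedXml -BinaryFilePath $EnforcedCip | Out-Null
$UpdateOutput = & CiTool.exe --update-policy $EnforcedCip -json
if ($LASTEXITCODE -ne 0) { throw "CiTool --update-policy failed: $UpdateOutput" }

# Confirm what the system now reports for this policy. CiTool lists IDs without braces;
# the property names below (PolicyID, FriendlyName, IsEnforced, ...) are assumed from its JSON.
$Status = (& CiTool.exe --list-policies -json | ConvertFrom-Json).Policies |
    Where-Object { $_.PolicyID -eq $PolicyId.Trim('{}') }
$Status | Select-Object PolicyID, FriendlyName, IsEnforced, IsOnDisk, IsAuthorized
```

Run it as `.\Switch-ToEnforced.ps1 -AuditPolicyXml C:\Policies\KernelMode.xml` (file name assumed). The Select-String check is there because a policy that still carries option 3 would be "refreshed" successfully yet remain in audit mode, which is an easy mistake to miss.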



If you have any questions or need help, feel free to open a new discussion/issue on GitHub or reach out by email.


WDACConfig module v0.1.9 - BYOVD update ❤️‍🔥

09 Jul 21:20
a0b7d91

WDACConfig module - BYOVD update

This update to the WDACConfig module includes the BYOVD attack vector protection that I talked about previously on Twitter.


Video: How to easily protect against BYOVD attack scenarios with WDAC policy in Windows

Changes in v0.1.9:

  1. Improved New-WDACConfig -MakePolicyFromAuditLogs to handle the case where the user chooses to include files that are no longer on the disk but the Event Viewer logs contain none.
  2. Added new functionality and cmdlet, New-KernelModeWDACConfig, which deploys a kernel-mode WDAC policy to protect against BYOVD (Bring Your Own Vulnerable Driver) scenarios by controlling which drivers are allowed to load
  3. Improved the Set-CommonWDACConfig argument completers by showing a file picker GUI when selecting certificates or browsing for a custom SignTool.exe path.



Hardening script update v2023.8.11

12 Aug 14:57
4c6e396

What's changed

  1. Removed the Windows Kernel Information Disclosure (CVE-2023-32019) category and the security measures described in the KB5028407 document page (see also KB5027231), because the mitigation is now enabled by default in Windows and the manual setting is no longer necessary.

The resolution described in this article has been released enabled by default. To apply the enabled by default resolution, install the Windows update that is dated on or after August 8, 2023. No further user action is required.

  2. Improved the clarity and security of the script's code by using single quotation marks instead of double quotation marks wherever feasible and by explicitly specifying variable types.

  3. Changed the security measure related to the Windows Boot Manager revocations for Secure Boot associated with CVE-2023-24932. Most of this measure is now implemented by default in Windows, leaving only a minor portion outstanding. That final part is also provisional and, as the Microsoft document indicates, will soon be enabled by default; once that happens it becomes superfluous and the script will stop applying it.

As always, the most important thing you can do is keep your operating system up to date and on the latest version.

  4. In the Miscellaneous category, when adding all user accounts to the Hyper-V Administrators security group, the group is now detected by its SID rather than by name, so it works on systems with non-English locales.

  5. The "Restrict Unauthenticated RPC Clients" policy, when set to "Authenticated without exceptions", prevents Windows Sandbox from working, so that policy (added 3 days ago) has been removed.

    • The Microsoft Security Baseline sets it to the correct secure value, "Authenticated"; "Authenticated without exceptions" is more restrictive and causes that problem.

    • To revert it, run the script again, especially the Microsoft Security Baseline category, so the value is changed back and Windows Sandbox works again.

Harden-Windows-Security-Module v0.0.8 Update

11 Aug 23:21
0a9785a

What's changed

  1. The compliance checking module now reads the registry instead of Group Policy. Group Policy names are translated into different languages and locales, so the old method could not be used on systems with non-English locales.

  2. This also saves about 1000 lines of code, makes the compliance check faster and produces more detailed output.

  3. Overall it's a positive change.

P.S. When you invoke the Confirm-SystemCompliance cmdlet, the module automatically checks for updates and updates itself if a new version is available.
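A registry-based compliance check of the kind described above, as an added PowerShell example that is not the Harden-Windows-Security-Module's own code. It reads the registry values behind a few of the policies mentioned in these release notes (including the RPC "Authenticated" value that the v2023.8.11 notes discuss, where "Authenticated without exceptions" breaks Windows Sandbox) and emits one object per check with a Compliant property, so the result can be shown as a table or exported to CSV with a single header row. The registry paths and value names are the ones the corresponding Group Policies write; the selection of checks is constructed for this example and is not the module's full list.

```powershell
# Added example (not the Harden-Windows-Security-Module's own code): locale-independent
# compliance check driven by registry values rather than localized Group Policy names.
# The list of checks below is constructed for illustration, not the module's real list.
Set-StrictMode -Version Latest

$Checks = @(
    # RestrictRemoteClients: 0 = None, 1 = Authenticated (Security Baseline value),
    # 2 = Authenticated without exceptions (breaks Windows Sandbox, so 2 is NOT compliant here).
    [pscustomobject]@{ Name = 'Restrict Unauthenticated RPC clients = Authenticated'
                       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'
                       Value = 'RestrictRemoteClients'; Expected = 1 }
    [pscustomobject]@{ Name = 'RPC Endpoint Mapper Client Authentication'
                       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'
                       Value = 'EnableAuthEpResolution'; Expected = 1 }
    [pscustomobject]@{ Name = 'Command line process auditing'
                       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
                       Value = 'ProcessCreationIncludeCmdLine_Enabled'; Expected = 1 }
    [pscustomobject]@{ Name = "Don't display last signed-in"
                       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
                       Value = 'DontDisplayLastUserName'; Expected = 1 }
    [pscustomobject]@{ Name = 'Only elevate executables that are signed and validated'
                       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
                       Value = 'ValidateAdminCodeSignatures'; Expected = 1 }
)

function Test-RegistryCompliance {
    param([Parameter(Mandatory)][object[]]$Checks)
    foreach ($Check in $Checks) {
        # A missing key or value simply means "not configured": report it instead of throwing.
        $Actual = $null
        $Item = Get-ItemProperty -Path $Check.Path -Name $Check.Value -ErrorAction SilentlyContinue
        if ($null -ne $Item) { $Actual = $Item.($Check.Value) }
        [pscustomobject]@{
            Name      = $Check.Name
            Expected  = $Check.Expected
            Actual    = if ($null -eq $Actual) { 'Not configured' } else { $Actual }
            Compliant = ($null -ne $Actual) -and ($Actual -eq $Check.Expected)
        }
    }
}

$Results = Test-RegistryCompliance -Checks $Checks
$Results | Format-Table -AutoSize
'{0} of {1} checks compliant' -f @($Results | Where-Object Compliant).Count, $Results.Count
# Export-Csv writes one header row for the whole result set, whatever the number of categories.
$Results | Export-Csv -Path (Join-Path $env:TEMP 'Compliance.csv') -NoTypeInformation
```

Because each check is keyed on a registry path rather than a policy display name, the same table works on an English and a localized installation; only the Name column, which is purely descriptive, would need translating.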

Hardening script update v2023.8.8

09 Aug 03:29
e339b54

What's changed

  1. Removed Edge browser policies that are not applicable when you sign in with a personal Microsoft account instead of Microsoft Entra ID. This is a new security change by Microsoft that comes into effect starting with Edge version 116, a few days from now. The Edge Group Policies documentation clearly marks which policies are affected. There is nothing to worry about: you can configure these settings from the Edge browser settings page. In Edge 116 and above, the status of these policies in edge://policy/ is "Ignored" when signed in with a personal Microsoft account. You don't have to take any additional action; the script automatically removes them if they exist. Policies with "Ignored" status do not cause any problem, but to keep things clean, the following Edge browser policies are removed from the Windows Hardening script:

    1. WebRtcLocalhostIpHandling
    2. SSLErrorOverrideAllowed
    3. PrimaryPasswordSetting
    4. PDFSecureMode
    5. NewPDFReaderEnabled
  2. Removed the Top Security category and instead placed each hardening measure that was in it into its proper category. This gives users more granular control: individual hardening measures can be enabled instead of all of them at once. Some cause more inconvenience than others while providing security; please check the description of each in the Readme.

    1. Added "Don't display last signed-in" to the Lock Screen category.
    2. Added "Blocking Untrusted Fonts" to the Miscellaneous category.
    3. Added "Automatically deny all UAC prompts on Standard accounts" to the User Account Control category.
    4. Added "Hides the entry points for Fast User Switching" to the User Account Control category.
    5. Added "Only elevate executables that are signed and validated" to the User Account Control category.
  3. In the Readme, made it clear that individual hardening measures that prompt for additional confirmation before running, like the ones mentioned above, are marked with Requires Additional Confirmation icon.

  4. In the Readme, added a note to the "Hides the entry points for Fast User Switching" policy in the User Account Control category and the "Don't display last signed-in" policy in the Lock Screen category, both of which require additional confirmation before running. If either of those two policies is used, you won't be able to use the "Forgot my PIN" feature on the lock screen or logon screen, so if you forget your PIN you won't be able to recover it.

    • As mentioned earlier, they were previously in the Top Security category, now they are part of their correct categories, and just like before they are not applied by default unless you manually confirm them to be applied.
  5. When running the Harden Windows Security script with PowerShell Core, the output now has improved styling.

  6. Added a new Requires Additional Confirmation hardening measure in the Lock screen category. It sets Windows Hello PIN as the default Credential Provider and excludes the Credential Providers listed below. This is done because, when the "Don't display last signed-in" policy is used, the logon screen defaults to Password. Smart cards are old and insecure compared to Windows Hello or WHfB, and if Microsoft account password sign-in is available it defeats the purpose of having a local PIN tied to the device. It goes without saying that you shouldn't use this policy if a local password or smart card is the only way you log in; in that case, first connect your Windows account to a Microsoft account and then use this policy. List of the Credential Providers blocked by this policy:

    • Smartcard Reader Selection Provider - {1b283861-754f-4022-ad47-a5eaaa618894}
    • Smartcard WinRT Provider - {1ee7337f-85ac-45e2-a23c-37c753209769}
    • Smartcard Credential Provider - {8FD7E19C-3BF7-489B-A72C-846AB3678C96}
    • WLIDCredentialProvider (Microsoft Account Password sign-in on logon screen, not applicable if your Microsoft account is password-less) - {F8A0B131-5F68-486c-8040-7E8FC3C85BB6}
    • PasswordProvider - {60b78e88-ead8-445c-9cfd-0b87f74ea6cd}
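One way to apply the default-provider and exclusion policy described in item 6, as an added PowerShell example that is not the Harden Windows Security script's own code. The point a practitioner wants here is the guard: excluding Password and Microsoft account sign-in on a machine where no PIN provider is registered would lock the user out, so the script resolves the PIN provider's CLSID from the registry at run time and refuses to continue if it is absent. Assumptions: the PIN provider registers itself under the Credential Providers key with the name "PINLogonProvider", and the two policy values written below are the ones behind the "Assign a default credential provider" and "Exclude credential providers" Group Policies. The excluded GUIDs are copied from the list above.

```powershell
# Added example (not the Harden Windows Security script's own code): set Windows Hello PIN as
# the default credential provider and exclude the providers listed in the release note,
# but only after confirming a PIN provider actually exists on this machine.
# Assumption: the PIN provider's subkey has the default value 'PINLogonProvider'.
#Requires -RunAsAdministrator
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

$ProvidersKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
$PolicyKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# GUIDs copied from the release note above.
$Excluded = @(
    '{1b283861-754f-4022-ad47-a5eaaa618894}'  # Smartcard Reader Selection Provider
    '{1ee7337f-85ac-45e2-a23c-37c753209769}'  # Smartcard WinRT Provider
    '{8FD7E19C-3BF7-489B-A72C-846AB3678C96}'  # Smartcard Credential Provider
    '{F8A0B131-5F68-486c-8040-7E8FC3C85BB6}'  # WLIDCredentialProvider (Microsoft account password)
    '{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}'  # PasswordProvider
)

function Get-RegisteredCredentialProviders {
    # Each subkey is a CLSID; the subkey's default value is the provider's name.
    Get-ChildItem -Path $ProvidersKey | ForEach-Object {
        [pscustomobject]@{
            Clsid = $_.PSChildName
            Name  = $_.GetValue('')
        }
    }
}

$Providers = Get-RegisteredCredentialProviders
$Pin = $Providers | Where-Object Name -eq 'PINLogonProvider'
if (-not $Pin) { throw 'No PIN credential provider is registered; refusing to exclude password sign-in.' }

# Never exclude the provider that is about to become the default.
if ($Excluded -contains $Pin.Clsid) { throw 'Exclusion list contains the PIN provider itself.' }

# Warn about GUIDs that are not registered on this machine (harmless, but worth knowing).
$Excluded | Where-Object { $_ -notin $Providers.Clsid } |
    ForEach-Object { Write-Warning "Provider $_ is not registered here; excluding it has no effect." }

New-Item -Path $PolicyKey -Force | Out-Null
Set-ItemProperty -Path $PolicyKey -Name 'DefaultCredentialProvider'   -Value $Pin.Clsid -Type String
Set-ItemProperty -Path $PolicyKey -Name 'ExcludedCredentialProviders' -Value ($Excluded -join ',') -Type String

# Read back what was written.
Get-ItemProperty -Path $PolicyKey -Name DefaultCredentialProvider, ExcludedCredentialProviders
```

Keep a second administrator account or a known-good recovery path available when testing this on a physical machine: once PasswordProvider is excluded, the Windows Hello PIN is the only interactive sign-in left for local accounts.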

Harden-Windows-Security-Module v0.0.7 Update

09 Aug 22:33
9c69406

What's changed

  1. Changed the Hyper-V Administrators security group members detection from using name to SID to make it compatible with non-English system locales.

  2. Improved the code security and readability by adding explicit types to many variables and using single quotes instead of double quotes wherever possible.

P.S. The module auto-updates when you run it, so no manual action is needed.
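The SID-based group lookup from item 1 (and from the v2023.8.11 script notes above), as an added PowerShell example that is not the module's or the script's own code: it resolves the well-known SID of BUILTIN\Hyper-V Administrators to whatever localized name the system uses, then adds every enabled local user that is not already a member, comparing members by SID as well so the logic never touches a display name. It assumes the Microsoft.PowerShell.LocalAccounts cmdlets are available.

```powershell
# Added example (not the project's own code): add all enabled local users to the Hyper-V
# Administrators group by well-known SID, so it works on non-English Windows installations.
#Requires -RunAsAdministrator
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# S-1-5-32-578 is the well-known SID of BUILTIN\Hyper-V Administrators; the name is localized.
$HyperVAdminsSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-32-578')

function Get-LocalizedGroupName {
    param([Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid)
    # Translate() returns DOMAIN\Name in the system language, e.g. "BUILTIN\Hyper-V-Administratoren".
    try { $Sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch [System.Security.Principal.IdentityNotMappedException] { $null }
}

$Name = Get-LocalizedGroupName -Sid $HyperVAdminsSid
if (-not $Name) { throw "SID $HyperVAdminsSid does not resolve on this machine." }
Write-Host "Resolved $HyperVAdminsSid to '$Name'"

# Existing members are compared by SID too: Get-LocalGroupMember returns localized,
# computer-prefixed names, which are just as unreliable to match on as the group name.
$Existing = @(Get-LocalGroupMember -SID $HyperVAdminsSid | ForEach-Object { $_.SID.Value })
foreach ($User in Get-LocalUser | Where-Object Enabled) {
    if ($User.SID.Value -in $Existing) { continue }
    Add-LocalGroupMember -SID $HyperVAdminsSid -Member $User
    Write-Host "Added $($User.Name)"
}

Get-LocalGroupMember -SID $HyperVAdminsSid | Select-Object Name, SID, PrincipalSource
```

The same Translate() call is the right tool for any other built-in group the script touches (Administrators is S-1-5-32-544, for instance); matching on the English string "Hyper-V Administrators" is what failed on localized systems.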

Harden-Windows-Security-Module v0.0.4-6 Update

09 Aug 05:25
02f9739

What's changed

In version 0.0.4

In version 0.0.5

  • Very small update to improve the auto-updating mechanism

In version 0.0.6

  • Fixed the URL for Group-Policies.json

Harden-Windows-Security-Module v0.0.3 Update

05 Aug 08:41
0de4f79

What's changed

  1. Updated the Compliance checks to include changes in the following Harden Windows Security script update:
    https://github.com/HotCakeX/Harden-Windows-Security/releases/tag/v2023.08.04

No action necessary, the module auto-updates

If you've already installed the Harden Windows Security Module, you don't have to update it manually. When you run it, it detects new versions and updates itself. 🫰


Hardening script update v2023.8.4

04 Aug 19:28

What's changed

  1. In the BitLocker category, hibernation is now enabled only on physical machines, because virtual machines such as Hyper-V VMs have other features (saving the VM's state, checkpoints, pause, etc.), do not support hibernation and throw an error when it is enabled.

  2. Added a new group policy to the Windows Networking category to clear all the entries for Remotely accessible registry paths

  3. Added a new group policy to the Windows Networking category to clear all the entries for Remotely accessible registry paths and subpaths

  4. In the Miscellaneous category, added a new policy for Command line process auditing

  5. In the Lock Screen category, tightened the anti-hammering feature by lowering the number of consecutive failed sign-in attempts allowed from 6 to 5.

  6. In the Lock screen category, added a new policy for Account lockout threshold and set it to 5.

  7. In the Lock screen category, added a new policy for Reset account lockout counter and set it to 1440 minutes (1 day). Combined with the other policies in this category, this means that after 5 failed sign-in attempts a full day must pass before 5 more attempts can be made; otherwise BitLocker engages, the system restarts and the 48-digit BitLocker recovery key is required. This greatly hampers brute-force attempts.

  8. In the Lock screen category, added a new policy for Account lockout duration and set it to 1440 minutes (1 day), for the same reason as the previous item.

  9. In the Miscellaneous category, added a new policy for enabling the RPC Endpoint Mapper Client Authentication policy

  10. In the Miscellaneous category, added a new policy to set the Restrict Unauthenticated RPC Clients policy to "Authenticated without exceptions"

  11. In the Lock Screen category, added the following PIN Complexity rules for Windows Hello

    1. Must include digits
    2. Expires every 180 days (default behavior is to never expire)
    3. History of the 3 most recent selected PINs is preserved to prevent the user from reusing them
    4. Must include lower-case letters
  12. In the non-admin category, removed the registry keys related to security measures for disabling toast/push notifications on lock screen, because Microsoft security baselines already apply them.

  13. In the non-admin category, added a new security measure for disabling "Show reminders and incoming VoIP calls on the lock screen" in the Settings > System > Notifications
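Two of the items in this release as an added PowerShell example that is not the Harden Windows Security script's own code: item 1 (enable hibernation only on physical hardware, since a VM rejects it and powercfg fails) and item 11 (the four Windows Hello PIN complexity rules). The virtual-machine detection heuristic based on manufacturer/model strings is mine; the PINComplexity registry value names and encodings are assumed to be those written by the PIN Complexity administrative template policies.

```powershell
# Added example (not the script's own code): gate hibernation on physical hardware and apply
# the PIN complexity rules listed in the release note.
# Assumptions: the VM detection regex is a heuristic; PINComplexity value names/encodings
# (1 = Required, 2 = Not allowed; Expiration in days; History as a count) are those written
# by the "PIN Complexity" policies under Administrative Templates > System.
#Requires -RunAsAdministrator
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

function Test-PhysicalMachine {
    # Hyper-V reports Model 'Virtual Machine'; VMware, VirtualBox, QEMU/KVM and Xen put their
    # names in Manufacturer or Model. Anything else is treated as physical hardware.
    $Cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $Fingerprint = "$($Cs.Manufacturer) $($Cs.Model)"
    return ($Fingerprint -notmatch 'Virtual|VMware|VirtualBox|innotek|QEMU|KVM|Xen')
}

function Enable-HibernationIfPhysical {
    if (-not (Test-PhysicalMachine)) {
        Write-Warning 'Virtual machine detected; skipping hibernation (use saved state/checkpoints instead).'
        return $false
    }
    # powercfg prints an error and returns non-zero on systems that cannot hibernate.
    & powercfg.exe /hibernate on
    if ($LASTEXITCODE -ne 0) { throw "powercfg failed with exit code $LASTEXITCODE" }
    return $true
}

function Set-WindowsHelloPinComplexity {
    $Key = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity'
    New-Item -Path $Key -Force | Out-Null
    $Settings = [ordered]@{
        Digits           = 1    # must include digits (1 = Required)
        LowercaseLetters = 1    # must include lower-case letters (1 = Required)
        Expiration       = 180  # days; 0 (the default) means the PIN never expires
        History          = 3    # number of previous PINs that cannot be reused
    }
    foreach ($Entry in $Settings.GetEnumerator()) {
        Set-ItemProperty -Path $Key -Name $Entry.Key -Value $Entry.Value -Type DWord
    }
    # Read back what was written so the caller can verify it.
    Get-ItemProperty -Path $Key | Select-Object Digits, LowercaseLetters, Expiration, History
}

Enable-HibernationIfPhysical
Set-WindowsHelloPinComplexity
```

Hibernation matters to the BitLocker category because a hibernated machine with a suspended-to-disk key is what the DMA and cold-boot mitigations assume you are using instead of sleep; on a VM the hypervisor's saved state serves the same purpose, so skipping the step there loses nothing.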





Harden-Windows-Security-Module v0.0.2 Update

02 Aug 10:34
97fd2d8

What's changed

  1. Added self-updating mechanism
  2. Added the missing categories: Optional Windows Features category and Top Security category
  3. Added Bitlocker DMA protection check
  4. Fixed the CSV output to stop repeating the headers for each category
  5. Improved the ASCII arts and their colors
  6. Added Total number of checks to the output
  7. Improved the displayed output to include checks that do not output bool value by adding an extra property called Compliant to each item
  8. Improved the module's PowerShell gallery page (Description, image)
  9. Added a new optional parameter called "-DetailedDisplay" to show the output in a detailed list instead of the default table format
