Hardening Categories
Note
Windows is secure and safe by default; this repository does not imply or claim otherwise. Like anything else, you have to use it wisely and not compromise yourself through reckless behavior and bad user configuration; nothing is foolproof. This repository only uses tools and features that Microsoft has already implemented in Windows to fine-tune it toward the most secure, locked-down state, using well-documented, supported, recommended and official methods. Continue reading for comprehensive information.
(irm 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security.ps1')+'P'|iex
Check the documentation and How to use.
Commands:
Install-Module -Name 'Harden-Windows-Security-Module' -Force
Protect-WindowsSecurity -GUI
Confirm-SystemCompliance
Unprotect-WindowsSecurity

Changes made by this category only affect things that use Schannel SSP: that includes the IIS web server, built-in inbox Windows apps and some other programs supplied by Microsoft, including Windows network communications, but not third-party software that uses portable stacks such as Java, Node.js, Python or PHP.
If you want to read more: Demystifying Schannel
Note
This category checks whether the Battle.net client is installed on the system and, if it is, includes TLS_RSA_WITH_AES_256_CBC_SHA as an additional cipher suite in the policy due to a known issue. The Battle.net client is detected by checking for the presence of Battle.net.exe or Battle.net Launcher.exe in the C:\Program Files (x86)\Battle.net folder.
Windows updates are extremely important. They should always be installed as fast as possible to stay secure, and if a reboot is required, it should be done immediately. Threat actors can weaponize publicly disclosed vulnerabilities the same day their POC (proof of concept) is released.
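The detection and exception the note describes, written out as an added read-only PowerShell check (example code, not the module's own): it tests for the two executables in the folder named above, adds TLS_RSA_WITH_AES_256_CBC_SHA to the policy list only when they are found, and compares the result with the suites currently enabled on the machine. The base suite list is a constructed placeholder, not the module's actual policy.

```powershell
# Added example (not the module's own code): reproduces the Battle.net exception
# described in the note above as a read-only check. The file names and folder come
# from the note; the base cipher suite list is a constructed placeholder.

# Constructed placeholder standing in for the module's real TLS policy list.
$BaseCipherSuites = @(
    'TLS_AES_256_GCM_SHA384',
    'TLS_AES_128_GCM_SHA256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'
)

function Test-BattleNetInstalled {
    # Detection as the note describes: either executable present in the default folder.
    $Folder = 'C:\Program Files (x86)\Battle.net'
    foreach ($Exe in 'Battle.net.exe', 'Battle.net Launcher.exe') {
        if (Test-Path -LiteralPath (Join-Path $Folder $Exe) -PathType Leaf) { return $true }
    }
    return $false
}

function Get-PolicyCipherSuites {
    param(
        [string[]]$Base = $BaseCipherSuites,
        [bool]$BattleNetPresent = (Test-BattleNetInstalled)
    )
    $Suites = [System.Collections.Generic.List[string]]::new([string[]]$Base)
    # The exception: the CBC suite is added only when the client is installed.
    if ($BattleNetPresent -and -not $Suites.Contains('TLS_RSA_WITH_AES_256_CBC_SHA')) {
        $Suites.Add('TLS_RSA_WITH_AES_256_CBC_SHA')
    }
    return $Suites.ToArray()
}

function Compare-EnabledCipherSuites {
    # Read-only compliance view: what is enabled locally versus what the policy allows.
    # Get-TlsCipherSuite is the built-in TLS module cmdlet (Windows 10 / Server 2016 and later).
    param([string[]]$Policy = (Get-PolicyCipherSuites))
    $Enabled = @((Get-TlsCipherSuite).Name)
    [PSCustomObject]@{
        BattleNetDetected  = Test-BattleNetInstalled
        NotAllowedByPolicy = @($Enabled | Where-Object { $_ -notin $Policy })
        MissingLocally     = @($Policy  | Where-Object { $_ -notin $Enabled })
    }
}

Compare-EnabledCipherSuites | Format-List
```

Nothing here changes the system; Enable-TlsCipherSuite / Disable-TlsCipherSuite would be the cmdlets that do, and those are left to the module.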
In Windows by default, devices will scan daily, automatically download and install any applicable updates at a time optimized to reduce interference with usage, and then automatically try to restart when the end user is away.
The policies that the module configures make sure the default behavior explained above is tightly enforced.
You don't need Admin privileges to run this category, because no system-wide changes are made. Changes in this category only apply to the current user account that is running the PowerShell session.
This repository uses effective methods that make it easy to verify:
Change log history is present on GitHub. (Despite some of my awkward documentation typos)
Artifact attestations are used to establish provenance for builds. They guarantee that the package(s) you download from this repository are 100% created from the source code that exists in this repository.
SBOMs (Software Bill of Materials) are generated for the entire repository to comply with data protection standards and to provide transparency. Together with attestations they provide the SLSA L2 security level for the build process. In the future, the workflows will be upgraded to comply with SLSA L3.
You can open the files in Visual Studio Code, Visual Studio Code Web or GitHub Codespaces and view them in a clean, easy-to-read environment; they are well formatted, commented and indented.
Commits are verified either with my GPG key or SSH key and Vigilant mode is turned on in my GitHub account.
You can fork this repository, verify it up to that point in time, then verify any subsequent changes/updates I push to this repository at your own pace (using the Sync fork and Compare options on your fork), and if you are happy with the changes, allow them to be merged into your own copy/fork on your GitHub account.
Registry.csv includes some of the security measures' registry data.
ProcessMitigations.csv includes the process mitigations data.
Default Security Policy.inf contains security policy data used during unprotect actions to restore defaults.
Registry resources.csv includes the data used for compliance checking.
Harden-Windows-Security.ps1 is the bootstrapper for the Harden Windows Security module.
How Are Group Policies Used by the Harden Windows Security Module?
How are Group Policies for this module created and maintained?
How to verify Security-Baselines-X directory and 100% trust it?
Tip
All files in this repository are zipped and automatically submitted to VirusTotal for scanning. Any packages available in the latest release are also uploaded directly for scanning. This is done through a GitHub Action that is triggered every time a release is made or a PR is merged. Find the history of the uploaded files in my VirusTotal profile.
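Two of the guarantees listed above, artifact attestations for release packages and signed commits, can be checked locally with the GitHub CLI and git. This is an added example (not part of the repository's own tooling); it assumes gh and git are on PATH, gh is logged in, and the package file name is a placeholder you replace with the file you downloaded.

```powershell
# Added example (not part of the repository): checks a downloaded release package
# and a local clone against the attestation and commit-signing guarantees above.
# Assumes 'gh' (GitHub CLI 2.49 or later) and 'git' are on PATH and gh is logged in.
param(
    [string]$PackagePath = '.\<downloaded-package>',   # placeholder: the release file you downloaded
    [string]$Repo        = 'HotCakeX/Harden-Windows-Security',
    [string]$ClonePath   = '.'                         # path of your local clone or fork
)

function Test-ReleaseAttestation {
    # gh attestation verify checks the provenance published for the file against the
    # repository's build identity; a non-zero exit code means no valid attestation matched.
    param([string]$Path, [string]$Repository)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { throw "Package not found: $Path" }
    & gh attestation verify $Path --repo $Repository | Out-Host
    return ($LASTEXITCODE -eq 0)
}

function Test-HeadCommitSignature {
    # git verify-commit exits non-zero if HEAD is unsigned or the signature does not verify.
    # The author's GPG public key must be imported locally (or, for SSH signatures,
    # gpg.ssh.allowedSignersFile must be configured) for verification to succeed.
    param([string]$Path)
    & git -C $Path verify-commit HEAD 2>&1 | Out-Host
    return ($LASTEXITCODE -eq 0)
}

[PSCustomObject]@{
    AttestationValid = Test-ReleaseAttestation -Path $PackagePath -Repository $Repo
    HeadCommitSigned = Test-HeadCommitSignature -Path $ClonePath
}
```

Run it after syncing your fork; a false in either field is the cue to stop and inspect before merging the changes into your copy.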
If you would like to support my work financially, your generosity is greatly appreciated. This section is specifically for those who want to make a monetary contribution. There are other ways to support such as sharing the repository on social media, starring and so on.
You can donate using the following methods:
0xF784a3D4F9A7CC5c26d69de41D7dD6480112114D