Merge pull request #140 from HotCakeX/Harden-Windows-Security-Module-…
…v0.1.9

Harden-Windows-Security-Module-v0.1.9
HotCakeX authored Oct 17, 2023
2 parents 0a761f0 + 3008d3c commit 70628ea
Showing 9 changed files with 156 additions and 110 deletions.
Expand Up @@ -44,7 +44,9 @@ function Confirm-SystemCompliance {
[parameter(Mandatory = $false)]
[switch]$ShowAsObjectsOnly,
[parameter(Mandatory = $false)]
[switch]$DetailedDisplay
[switch]$DetailedDisplay,
[Parameter(Mandatory = $false, DontShow = $True)] # To hide PowerShell common parameters that clutter parameter auto completion menu
$DummyParam
)
begin {
# Stop operation as soon as there is an error anywhere, unless explicitly specified otherwise
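Review bot: `$DummyParam` on L25 is untyped and carries no Position attribute, so under PowerShell's default positional binding a stray positional argument (`Confirm-SystemCompliance foo`) would presumably bind to it silently instead of producing a parameter error — the two switches above it cannot take a position, so it becomes the first positional slot. If the function's `[CmdletBinding()]` (outside this hunk) does not already set `PositionalBinding = $false`, adding that, or declaring the parameter as `[switch]$DummyParam`, keeps the DontShow trick without opening a silent sink. The comment should also state the mechanism for the next reader, e.g. `# Never used; DontShow on any parameter hides the common parameters from tab completion`. Confirm-SystemCompliance's body continues outside the hunk.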
Expand Up @@ -12,7 +12,7 @@
# RootModule = ''

# Version number of this module.
ModuleVersion = '0.1.8'
ModuleVersion = '0.1.9'

# Supported PSEditions
CompatiblePSEditions = @('Core')
Expand Down Expand Up @@ -40,7 +40,7 @@ Harden Windows Safely, Securely, only with Official Microsoft methods
💠 Features of this module:
✅ Everything always stays up-to-date with the newest proactive security measures
✅ Everything always stays up-to-date with the newest proactive security measures that are industry standards and scalable.
✅ Everything is in plain text, nothing hidden, no 3rd party executable or pre-compiled binary is involved.
✅ No Windows functionality is removed/disabled against Microsoft's recommendations.
✅ The module primarily uses Group policies, the Microsoft recommended way of configuring Windows. It also uses PowerShell cmdlets where Group Policies aren't available, and finally uses a few registry keys to configure security measures that can neither be configured using Group Policies nor PowerShell cmdlets. This is why the module doesn't break anything or cause unwanted behavior.
@@ -1,6 +1,6 @@
<#PSScriptInfo
.VERSION 2023.10.12
.VERSION 2023.10.17
.GUID d435a293-c9ee-4217-8dc1-4ad2318a5770
Expand Down Expand Up @@ -41,7 +41,7 @@
💠 Features of this Hardening script:
Always stays up-to-date with the newest security measures.
Everything always stays up-to-date with the newest proactive security measures that are industry standards and scalable.
✅ Everything is in plain text, nothing hidden, no 3rd party executable or pre-compiled binary is involved.
✅ Doesn't remove or disable Windows functionalities against Microsoft's recommendations.
✅ The script primarily uses Group policies, the Microsoft recommended way of configuring Windows. It also uses PowerShell cmdlets where Group Policies aren't available, and finally uses a few registry keys to configure security measures that can neither be configured using Group Policies nor PowerShell cmdlets. This is why the script doesn't break anything or cause unwanted behavior.
Expand Down Expand Up @@ -92,7 +92,7 @@ Set-ExecutionPolicy Bypass -Scope Process

# Defining global script variables
# Current script's version, the same as the version at the top in the script info section
[datetime]$CurrentVersion = '2023.10.12'
[datetime]$CurrentVersion = '2023.10.17'
# Minimum OS build number required for the hardening measures used in this script
[decimal]$Requiredbuild = '22621.2134'
# Fetching Temp Directory
Expand Down Expand Up @@ -277,10 +277,15 @@ function Compare-SecureString {
#endregion functions

if (Test-IsAdmin) {

# Get the current configurations and preferences of the Microsoft Defender
$MDAVConfigCurrent = Get-MpComputerStatus
$MDAVPreferencesCurrent = Get-MpPreference

# backup the current allowed apps list in Controlled folder access in order to restore them at the end of the script
# doing this so that when we Add and then Remove PowerShell executables in Controlled folder access exclusions
# no user customization will be affected
[string[]]$CFAAllowedAppsBackup = (Get-MpPreference).ControlledFolderAccessAllowedApplications
[string[]]$CFAAllowedAppsBackup = $MDAVPreferencesCurrent.ControlledFolderAccessAllowedApplications

# Temporarily allow the currently running PowerShell executables to the Controlled Folder Access allowed apps
# so that the script can run without interruption. This change is reverted at the end.
Expand Down Expand Up @@ -360,9 +365,6 @@ try {
Write-Error 'TPM is not available or enabled, please go to your UEFI settings to enable it and then try again.'
break
}

# Get the current configuration of the Microsoft Defender
$MDAVConfigCurrent = Get-MpComputerStatus

if (-NOT ($MDAVConfigCurrent.AMServiceEnabled -eq $true)) {
Write-Error 'Microsoft Defender Anti Malware service is not enabled, please enable it and then try again.'
Expand Down Expand Up @@ -677,14 +679,17 @@ try {
}
}

# Set Microsoft Defender engine and platform update channel to beta - Devices in the Windows Insider Program are subscribed to this channel by default.
switch (Select-Option -SubCategory -Options 'Yes', 'No', 'Exit' -Message "`nSet Microsoft Defender engine and platform update channel to beta ?") {
'Yes' {
Set-MpPreference -EngineUpdatesChannel beta
Set-MpPreference -PlatformUpdatesChannel beta
} 'No' { break }
'Exit' { &$CleanUp }
}
# Only show this prompt if Engine and Platform update channels are not already set to Beta
if ( ($MDAVPreferencesCurrent.EngineUpdatesChannel -ne '2') -or ($MDAVPreferencesCurrent.PlatformUpdatesChannel -ne '2') ) {
# Set Microsoft Defender engine and platform update channel to beta - Devices in the Windows Insider Program are subscribed to this channel by default.
switch (Select-Option -SubCategory -Options 'Yes', 'No', 'Exit' -Message "`nSet Microsoft Defender engine and platform update channel to beta ?") {
'Yes' {
Set-MpPreference -EngineUpdatesChannel beta
Set-MpPreference -PlatformUpdatesChannel beta
} 'No' { break }
'Exit' { &$CleanUp }
}
}

} 'No' { break }
'Exit' { &$CleanUp }
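Review bot: The guard on L110 compares both channel properties to the bare literal `'2'` while the setters on L114-L115 use the name `beta`, so a reader cannot tell what `'2'` stands for or that the string is presumably being coerced to the numeric type Get-MpPreference reports for the channel; a comment at the point of use such as `# Get-MpPreference reports the channel as a number, 2 = Beta; Set-MpPreference takes the name` (or a named constant) would make the intent checkable. Note also that `$MDAVPreferencesCurrent` is a snapshot taken on L77 before the TPM and service checks and every earlier prompt, so the guard is accurate only as long as nothing between L77 and L110 changes the update channels — true in the visible lines, but worth stating next to the `if` so a future step that touches the channels does not silently stale it. The enclosing try block starts and ends outside the hunk.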
@@ -1,4 +1,11 @@
Function Unprotect-WindowsSecurity {
[CmdletBinding()]
param (
[Parameter(Mandatory = $false)]
[switch]$OnlyProcessMitigations,
[Parameter(Mandatory = $false, DontShow = $True)] # To hide PowerShell common parameters that clutter parameter auto completion menu
$DummyParam
)
# Stop the execution when there is an error
$global:ErrorActionPreference = 'Stop'

Expand All @@ -18,13 +25,16 @@ Function Unprotect-WindowsSecurity {
[scriptblock]$WriteOrange = { Write-Host "$($PSStyle.Foreground.FromRGB(255,165,0))$($args[0])$($PSStyle.Reset)" }
[scriptblock]$WriteMintGreen = { Write-Host "$($PSStyle.Foreground.FromRGB(152,255,152))$($args[0])$($PSStyle.Reset)" }

&$WriteOrange "`r`n"
&$WriteOrange "###############################################################################################`r`n"
&$WriteMintGreen "## This will remove all of the hardening measures applied by Protect-WindowsSecurity cmdlet ##`r`n"
&$WriteOrange "###############################################################################################`r`n"
# Only run this if -OnlyProcessMitigations parameter is passed
if (!$OnlyProcessMitigations) {
&$WriteOrange "`r`n"
&$WriteOrange "###############################################################################################`r`n"
&$WriteMintGreen "## This Will Remove the Hardening Measures Applied by Protect-WindowsSecurity Cmdlet ##`r`n"
&$WriteOrange "###############################################################################################`r`n"

# Give user a chance to exit if they accidentally ran this
Pause
# Give user a chance to exit if they accidentally ran this
Pause
}

# doing a try-finally block on the entire script so that when CTRL + C is pressed to forcefully exit the script,
# or break is passed, clean up will still happen for secure exit
Expand Down Expand Up @@ -83,58 +93,62 @@ Function Unprotect-WindowsSecurity {
&$CleanUp
}

Write-Progress -Activity 'Deleting all group policies' -Status 'Processing' -PercentComplete 45
# Only run this if -OnlyProcessMitigations parameter is NOT passed
if (!$OnlyProcessMitigations) {

if (Test-Path -Path 'C:\Windows\System32\GroupPolicy') {
Remove-Item -Path 'C:\Windows\System32\GroupPolicy' -Recurse -Force
}
Write-Progress -Activity 'Deleting all group policies' -Status 'Processing' -PercentComplete 45

if (Test-Path -Path 'C:\Windows\System32\GroupPolicy') {
Remove-Item -Path 'C:\Windows\System32\GroupPolicy' -Recurse -Force
}

Write-Progress -Activity 'Deleting all the registry keys created by the Protect-WindowsSecurity cmdlet' -Status 'Processing' -PercentComplete 60
Write-Progress -Activity 'Deleting all the registry keys created by the Protect-WindowsSecurity cmdlet' -Status 'Processing' -PercentComplete 60

[System.Object[]]$Items = Import-Csv '.\Registry.csv' -Delimiter ','
foreach ($Item in $Items) {
if (Test-Path -Path $item.path) {
Remove-ItemProperty -Path $Item.path -Name $Item.key -Force -ErrorAction SilentlyContinue
}
}

# To completely remove the Edge policy since only its sub-keys are removed by the command above
Remove-Item -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\TLSCipherSuiteDenyList' -Force -Recurse -ErrorAction SilentlyContinue
[System.Object[]]$Items = Import-Csv '.\Registry.csv' -Delimiter ','
foreach ($Item in $Items) {
if (Test-Path -Path $item.path) {
Remove-ItemProperty -Path $Item.path -Name $Item.key -Force -ErrorAction SilentlyContinue
}
}

# To completely remove the Edge policy since only its sub-keys are removed by the command above
Remove-Item -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\TLSCipherSuiteDenyList' -Force -Recurse -ErrorAction SilentlyContinue

# Restore Security group policies back to their default states
# Restore Security group policies back to their default states

Write-Progress -Activity 'Restoring the default Security group policies' -Status 'Processing' -PercentComplete 70
Write-Progress -Activity 'Restoring the default Security group policies' -Status 'Processing' -PercentComplete 70

Invoke-WithoutProgress {
# Download LGPO program from Microsoft servers
Invoke-WebRequest -Uri 'https://download.microsoft.com/download/8/5/C/85C25433-A1B0-4FFA-9429-7E023E7DA8D8/LGPO.zip' -OutFile '.\LGPO.zip'
}
Invoke-WithoutProgress {
# Download LGPO program from Microsoft servers
Invoke-WebRequest -Uri 'https://download.microsoft.com/download/8/5/C/85C25433-A1B0-4FFA-9429-7E023E7DA8D8/LGPO.zip' -OutFile '.\LGPO.zip'
}

# unzip the LGPO file
Expand-Archive -Path .\LGPO.zip -DestinationPath .\ -Force
.\'LGPO_30\LGPO.exe' /s "$psscriptroot\Resources\Default Security Policy.inf"
# unzip the LGPO file
Expand-Archive -Path .\LGPO.zip -DestinationPath .\ -Force
.\'LGPO_30\LGPO.exe' /s "$psscriptroot\Resources\Default Security Policy.inf"

# Enable LMHOSTS lookup protocol on all network adapters again
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters' -Name 'EnableLMHOSTS' -Value '1' -Type DWord
# Enable LMHOSTS lookup protocol on all network adapters again
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters' -Name 'EnableLMHOSTS' -Value '1' -Type DWord

# Disable restart notification for Windows update
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings' -Name 'RestartNotificationsAllowed2' -Value '0' -Type DWord
# Disable restart notification for Windows update
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings' -Name 'RestartNotificationsAllowed2' -Value '0' -Type DWord

# Re-enables the XblGameSave Standby Task that gets disabled by Microsoft Security Baselines
SCHTASKS.EXE /Change /TN \Microsoft\XblGameSave\XblGameSaveTask /Enable | Out-Null
# Re-enables the XblGameSave Standby Task that gets disabled by Microsoft Security Baselines
SCHTASKS.EXE /Change /TN \Microsoft\XblGameSave\XblGameSaveTask /Enable | Out-Null

Write-Progress -Activity 'Restoring Microsoft Defender configurations back to their default states' -Status 'Processing' -PercentComplete 80
Write-Progress -Activity 'Restoring Microsoft Defender configs back to their default states' -Status 'Processing' -PercentComplete 80

# Disable the advanced new security features of the Microsoft Defender
Set-MpPreference -AllowSwitchToAsyncInspection $False
Set-MpPreference -OobeEnableRtpAndSigUpdate $False
Set-MpPreference -IntelTDTEnabled $False
Set-MpPreference -DisableRestorePoint $True
Set-MpPreference -PerformanceModeStatus Enabled
Set-MpPreference -EnableConvertWarnToBlock $False
# Set Microsoft Defender engine and platform update channels to NotConfigured State
Set-MpPreference -EngineUpdatesChannel NotConfigured
Set-MpPreference -PlatformUpdatesChannel NotConfigured
# Disable the advanced new security features of the Microsoft Defender
Set-MpPreference -AllowSwitchToAsyncInspection $False
Set-MpPreference -OobeEnableRtpAndSigUpdate $False
Set-MpPreference -IntelTDTEnabled $False
Set-MpPreference -DisableRestorePoint $True
Set-MpPreference -PerformanceModeStatus Enabled
Set-MpPreference -EnableConvertWarnToBlock $False
# Set Microsoft Defender engine and platform update channels to NotConfigured State
Set-MpPreference -EngineUpdatesChannel NotConfigured
Set-MpPreference -PlatformUpdatesChannel NotConfigured
}

# Disable Mandatory ASLR
Set-ProcessMitigation -System -Disable ForceRelocateImages
Expand All @@ -159,29 +173,34 @@ Function Unprotect-WindowsSecurity {
elseif ($Group.Name -in $AllAvailableMitigations.pschildname) {
Remove-Item -Path "Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$($Group.Name)" -Recurse -Force
}
}
}

# Only run this if -OnlyProcessMitigations parameter is NOT passed
if (!$OnlyProcessMitigations) {

# Set Data Execution Prevention (DEP) back to its default value
bcdedit.exe /set '{current}' nx OptIn | Out-Null
# Set Data Execution Prevention (DEP) back to its default value
bcdedit.exe /set '{current}' nx OptIn | Out-Null

# Remove the scheduled task that keeps the Microsoft recommended driver block rules updated
# Remove the scheduled task that keeps the Microsoft recommended driver block rules updated

# Define the name and path of the task
[string]$taskName = 'MSFT Driver Block list update'
[string]$taskPath = '\MSFT Driver Block list update\'
# Define the name and path of the task
[string]$taskName = 'MSFT Driver Block list update'
[string]$taskPath = '\MSFT Driver Block list update\'

if (Get-ScheduledTask -TaskName $taskName -TaskPath $taskPath -ErrorAction SilentlyContinue) {
Unregister-ScheduledTask -TaskName $taskName -TaskPath $taskPath -Confirm:$false | Out-Null
}
if (Get-ScheduledTask -TaskName $taskName -TaskPath $taskPath -ErrorAction SilentlyContinue) {
Unregister-ScheduledTask -TaskName $taskName -TaskPath $taskPath -Confirm:$false | Out-Null
}

# Enables Multicast DNS (mDNS) UDP-in Firewall Rules for all 3 Firewall profiles
Get-NetFirewallRule |
Where-Object { $_.RuleGroup -eq '@%SystemRoot%\system32\firewallapi.dll,-37302' -and $_.Direction -eq 'inbound' } |
ForEach-Object { Enable-NetFirewallRule -DisplayName $_.DisplayName }
# Enables Multicast DNS (mDNS) UDP-in Firewall Rules for all 3 Firewall profiles
Get-NetFirewallRule |
Where-Object { $_.RuleGroup -eq '@%SystemRoot%\system32\firewallapi.dll,-37302' -and $_.Direction -eq 'inbound' } |
ForEach-Object { Enable-NetFirewallRule -DisplayName $_.DisplayName }

# Remove any custom views added by this script for Event Viewer
if (Test-Path -Path 'C:\ProgramData\Microsoft\Event Viewer\Views\Hardening Script') {
Remove-Item -Path 'C:\ProgramData\Microsoft\Event Viewer\Views\Hardening Script' -Recurse -Force
# Remove any custom views added by this script for Event Viewer
if (Test-Path -Path 'C:\ProgramData\Microsoft\Event Viewer\Views\Hardening Script') {
Remove-Item -Path 'C:\ProgramData\Microsoft\Event Viewer\Views\Hardening Script' -Recurse -Force
}

}

Write-Progress -Activity 'Complete' -Status 'Complete' -PercentComplete 100
Expand Down Expand Up @@ -222,5 +241,11 @@ PowerShell
.FUNCTIONALITY
Removes the hardening measures applied by Protect-WindowsSecurity cmdlet
.PARAMETER OnlyProcessMitigations
Only removes the Process Mitigations / Exploit Protection settings and doesn't change anything else
#>
}

# Set PSReadline tab completion to complete menu for easier access to available parameters - Only for the current session
Set-PSReadLineKeyHandler -Key Tab -Function MenuComplete
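Review bot: L219 executes `LGPO.exe` straight out of the archive fetched on L211 without checking that the binary is the one Microsoft signed, so a tampered download, or anything able to write to the working directory between Expand-Archive and the call, runs with the function's administrative rights; a check before the invocation such as `if ((Get-AuthenticodeSignature -FilePath '.\LGPO_30\LGPO.exe').Status -ne 'Valid') { throw 'LGPO.exe signature is not valid' }` closes that gap at low cost. These lines are re-indented rather than new here, but the commit is already wrapping them in the `-OnlyProcessMitigations` gate and leaves the missing check in place. Separately, `Import-Csv '.\Registry.csv'` on L189 and the `.\LGPO.zip` paths resolve against the current working directory while L219 resolves the .inf against `$psscriptroot`; unless a Set-Location earlier in the function (not visible in these hunks) pins the directory, the two conventions should agree. Unprotect-WindowsSecurity's body is shown only in part across the hunks.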
2 changes: 1 addition & 1 deletion Harden-Windows-Security Module/version.txt
@@ -1 +1 @@
0.1.8
0.1.9