
Harden Windows Security Module v.0.2.1 #146

Merged
merged 20 commits into from
Nov 3, 2023

Conversation

HotCakeX
Owner

@HotCakeX HotCakeX commented Oct 31, 2023

What's New

  • Microsoft Security Baselines updated to version 2023 (23H2) which was released an hour ago, another link. The time is relative to the creation of this PR release note.
  • Improved the Readme with the new changes described in these release notes.

Changes in Microsoft Defender Category

  • Improved Process Mitigations (More about them below). Simply running the Microsoft Defender category will remove old mitigations and will apply the new ones automatically. Some mitigations such as Hardware Enforced Shadow Stack Protection (a.k.a Kernel CFG or KCFG) that are very powerful features against exploits, are only available on new CPUs, starting with Intel 12th gen CPUs. On older CPUs they simply do not have any effects.
  • Reduced the number of days the quarantined items will be kept to 1 day from the previous 3 days.
  • In the Microsoft Defender category, under Enhanced phishing protection, removed Notify password reuse, Notify malicious, Service enabled and Notify unsafe app, because they are already applied by Microsoft Security baselines. The only option that is applied by the Harden Windows Security module for Enhanced Phishing Protection is Automatic data collection (formerly known as Capture Threat Windows); it's for security analysis from a suspicious website or app.
  • Removed PUA blocking (Potentially Unwanted App) from Microsoft Defender because it's already applied by Microsoft Security Baselines.

Changes in Device Guard Category

  • The entire Device Guard category is removed. Microsoft Security Baseline 23H2 implements the entire feature set of Device Guard in the most secure state, just like the Harden Windows Security module did, so it's no longer necessary to have it as a separate and/or duplicate category. The documents related to Device Guard and Virtualization Based Security in Windows are available in the wiki.

Changes in BitLocker Category

  • Improved BitLocker related code, specifically the BitLocker category for non-OS drives now has more elaborate and slightly faster performing code. Also improved the messages displayed on the console for non-OS drives when they are already encrypted.
  • Removed Enhanced PIN for BitLocker policy because Microsoft Security baselines already apply it.
  • Removed disabling power states S1-S3 policies because Microsoft Security Baselines already apply it.
  • Added new policy for ensuring network connectivity in standby state on modern standby capable devices. This allows Security updates for Microsoft Defender and Windows to be downloaded and installed automatically.

Changes in Windows Networking Category

Note

  • It's more important than ever to apply the Microsoft Security Baselines category now that it applies many of the security measures.
  • Nothing from compliance checking is removed. The policies that are removed because Microsoft Security Baselines already implement them can all be verified using the Confirm-SystemCompliance cmdlet.



What's New in Process Mitigations / Exploit Protections

Added thorough explanations to each process mitigation in the CSV file that explain why they are used.

  • This approach logically considers each use case of the mitigations and only implements them if there is enough information about that process that guarantees it will work 100% with the mitigation and also it makes sense to apply that mitigation in terms of security while also considering usability.

  • You can always find more info about them here: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/exploit-protection-reference

  • Removed ForceRelocateImages and RequireInfo from all 1st party executables in the process mitigations list.

    • The reason is that the former is already enabled by default system-wide and the latter is only applicable to older programs. RequireInfo still exists for 3rd party programs such as Adobe Acrobat, but for 1st party programs released by Microsoft it's removed, because 1st party programs do not need it and even if hypothetically some 1st party program was missing RequireInfo, it still would do more harm than good by crashing that 1st party program.
  • Removed EnableExportAddressFilter and EnableExportAddressFilterPlus from some processes that might not be compatible with it.

    • This mitigation is primarily an issue for applications such as debuggers, sandboxed applications, applications using DRM, or applications that implement anti-debugging technology.

    • Those processes that used them are likely to fall in the categories mentioned above, so to prevent any possible issues or crashes in the future, removed them from the process mitigations as a pre-emptive measure.

    • Import Address Filtering should ideally be used in conjunction with Export Address Filtering in order for it to be effective. If an attacker knows you are using Import Address Filtering without Export Address Filtering, they "could" use the export method to get the address(es) for their shellcode, and vice versa.

  • Removed DisableNonSystemFonts from Edge browser process mitigations because it uses DirectWrite instead of GDI and this mitigation is not required for it.

  • Removed EnableRopSimExec as it only applies to 32-bit applications. Quick Assist and Adobe Acrobat that were using it are 64-bit.

  • Added Hardware Enforced Shadow Stack Protection Strict mode to Edge browser and Quick Assist.
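An added example, not code from the Harden Windows Security module: a small PowerShell read-back that lets an administrator confirm the per-process exploit-protection state the release notes describe (EAF/IAF pairing, shadow stack strict mode, RequireInfo) and the Defender quarantine retention. It assumes the built-in ProcessMitigations and Defender modules on Windows 11; `Test-MitigationPairing` and `Get-QuarantineRetentionDays` are names chosen here.

```powershell
# Added example (not part of the Harden Windows Security module).
# Assumes Windows 11 with the ProcessMitigations and Defender PowerShell modules.
function Test-MitigationPairing {
    param([Parameter(Mandatory)][string]$ProcessName)

    # Effective per-process settings; each flag reads ON, OFF or NOTSET.
    $m = Get-ProcessMitigation -Name $ProcessName

    $eaf = ($m.Payload.EnableExportAddressFilter -eq 'ON') -or
           ($m.Payload.EnableExportAddressFilterPlus -eq 'ON')
    $iaf = ($m.Payload.EnableImportAddressFilter -eq 'ON')

    [PSCustomObject]@{
        Process               = $ProcessName
        ExportAddressFilter   = $eaf
        ImportAddressFilter   = $iaf
        # The release notes say IAF and EAF should be applied together;
        # a half-applied pair is flagged here for review.
        FilteringPaired       = ($eaf -eq $iaf)
        ShadowStackStrictMode = $m.UserShadowStack.UserShadowStackStrictMode
        RequireInfo           = $m.Aslr.RequireInfo
    }
}

# Quarantine retention (days) as reported by Defender preferences;
# this release sets it to 1 through policy.
function Get-QuarantineRetentionDays {
    (Get-MpPreference).QuarantinePurgeItemsAfterDelay
}

Test-MitigationPairing -ProcessName 'msedge.exe' | Format-List
Get-QuarantineRetentionDays
```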


Removed process mitigations that were already enforced system wide.

Removed process mitigations that in some rare cases could cause Edge browser to crash
BitLocker category for non-OS drives now has a more elaborate code.

Improved the messages displayed on the console for non-OS drives when they are already encrypted.
Updated the versions of the module and script files,
removed unnecessary commented-out code.
Added thorough explanations to each process mitigation in the CSV file, that will explain why they are used.

This approach logically considers each use case of the mitigations and only implements them if there is enough information about that process that guarantees it will work 100% with the mitigation and also it makes sense to apply that mitigation in terms of security while also considering usability.

You can always find more info about them in here:

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/exploit-protection-reference

Removed ForceRelocateImages and RequireInfo from all 1st party executables in the process mitigations list.
The reason is because the former is already enabled by default system wide and the latter is only for older programs. They still exist for 3rd party programs such as Adobe Acrobat but for 1st party programs released by Microsoft they are removed because the RequireInfo mitigation is only for old programs and 1st party programs do not need it.

Removed EnableExportAddressFilter and EnableExportAddressFilterPlus from some processes that might not be compatible with it.

This mitigation is primarily an issue for applications such as debuggers, sandboxed applications, applications using DRM, or applications that implement anti-debugging technology.

Those processes that used them are likely to fall in those categories so to prevent any possible issues or crashes in the future, removed them from the process mitigations.

Import Address Filtering should ideally be used in conjunction with Export Address Filtering in order for it to be effective. If an attacker knows you are using Import Address Filtering without Export Address Filtering, they "could" use the export method to get the address(es) for their shellcode, and vice versa.

Removed DisableNonSystemFonts from Edge browser process mitigations because it uses DirectWrite instead of GDI and this mitigation is not required for it.

Removed EnableRopSimExec as it only applies to 32-bit applications. Quick Assist and Adobe Acrobat that were using it are 64-bit.

Added Hardware Enforced Shadow Stack Protection Strict mode to Edge browser, also added them for Windows Sandbox processes.
UserShadowStack for Windows Sandbox processes are removed after testing them in the previous commit.
@HotCakeX HotCakeX changed the title Harden indows security module v.0.2.1 Harden Windows Security Module v.0.2.1 Oct 31, 2023
@HotCakeX HotCakeX self-assigned this Oct 31, 2023
@HotCakeX HotCakeX added the Enhancement 💯 New feature or request label Oct 31, 2023
Updated the link for Microsoft Security baseline to point to the newly released 23H2 version
Improved the description of BlockRemoteImageLoads
Reduced the number of days the quarantined items will be kept to 1 day from the previous 3 days.

Added missing items to the Readme along with links to their CSPs that provide additional info.

Group Policy update will be in another commit
@HotCakeX HotCakeX added the Documentation 📃 Improvements or additions to documentation label Nov 1, 2023
With this change, whenever a new version of Microsoft Security Baseline or Security Baselines for Microsoft 365 Apps is released, only their links need to be updated in the code; no other change will be required.

This change simplifies the maintenance of the code.
Updated the versions of the script and the version file to 2023.11.1, the target day for this release
Removed Enhanced PIN for BitLocker policy because Microsoft Security baselines already apply it.

Removed disabling power states S1-S3 policies because Microsoft Security Baselines already apply it.

Added new policy for ensuring network connectivity in standby state on modern standby capable devices.
This allows Security updates for Microsoft Defender and Windows to be downloaded and installed automatically.
Removed options that are already applied by Microsoft Security baselines, such as PUA blocking and features of Enhanced phishing protection: Notify password reuse, Notify malicious, Notify unsafe app and Service enabled.

Also set the number of days quarantined items are kept from 3 to 1.

This commit includes group policy update as well as readme document changes to reflect them.
Removed the following 2 policies because they are applied by Microsoft Security Baselines.

1. Turn off downloading of print drivers over HTTP
2. Disable the LLMNR protocol (a.k.a Link Local Multicast Name Resolution)

Improved the Readme to reflect the new changes.

This commit also includes the updated Group policy objects.
Improved the ASR rules detection for compliance checking
Microsoft Security baselines now set HVCIMATRequired to 1 which is enabled. So for verification, the module also verifies that value.

Changed the path for LSA with UEFI lock to the correct up to date path.
Full Device guard category, just like the Harden Windows Security Module would implement, is now applied by Microsoft Security Baselines. So it's no longer necessary to keep a device guard category, just use the Microsoft Security Baselines to apply it along with many other security measures.

Also version update and improving variables
Since Device Guard is removed from the Readme because all of its features are now applied by Microsoft Security Baselines, moved its documentation to a separate wiki page

https://github.com/HotCakeX/Harden-Windows-Security/wiki/Device-Guard-and-Virtualization-Based-Security-in-Windows
Microsoft Security Baselines 23H2 now implements the full features of the Device Guard in Windows just like the Harden Windows Security Module.

Its documents are moved to a separate Wiki article found here: https://github.com/HotCakeX/Harden-Windows-Security/wiki/Device-Guard-and-Virtualization-Based-Security-in-Windows

This commit also contains updated Group policy objects with Device Guard removed

Also updated Readme to reflect the changes
Removed Device Guard from module manifest description
@HotCakeX HotCakeX merged commit 50dfffb into main Nov 3, 2023
2 checks passed
@HotCakeX HotCakeX deleted the Harden-Windows-Security-Module-v.2023/31/10 branch November 3, 2023 18:05