Harden windows security module v.0.2.5 #154
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This commit includes changes to the BitLocker category, specifically, the removal of the policy "Full disk encryption for fixed data drives". This policy would prevent OneDrive personal vault from working properly. More info available in the PR and Release change logs.
Since a policy was removed in the previous commit, now adjusting the total number of policies to be verified as well
The latest Microsoft Security Baselines 23H2 mentions to have added support for WinVerifyTrust Signature Validation policy (aka certificate padding) but they haven't implemented it properly. More info in the comments section of this Microsoft Tech Community article: https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-11-version-23h2-security-baseline/ba-p/3967618 This is why this commit uses registry keys to apply the Certificate padding check until that problem is officially solved.
For restoration of security group policies, the cmdlet now only restores settings that were changed by Protect-WindowsSecurity excluding the ones applied by the Microsoft Security Baselines. This allows for a more surgical and careful restoration of the settings and will prevent any accidental changes to the settings that would otherwise need to be constantly kept in check to make sure they are correct.
The BitLocker category saves the recovery password in the same format as Windows does when using the GUI to encrypt a drive. Added a function to automate the console text outputs' colors based on PowerShell edition
Improved code readability and host output messages
Added multifactor authentication to the BitLocker category, allowing users to easily and quickly setup encryption for the OS drive using TPM + Startup PIN + Startup Key
This reverts commit 5b51810.
Was missing a closing curly bracket
The Scheduled task for updating Microsoft recommended driver block rules now only runs if there is a network connection, which makes sense because it needs to download the latest block list from the official MSFT servers. It also restarts itself if it fails, every 6 hours, up to 4 tries.
Improved variable types to be more explicit and safe. Using full variable type names instead of their aliases. Using 'Unrestricted' instead of 'Bypass' when setting the execution policy for the current process. Unrestricted is more secure than Bypass because if a script is code signed then tampered, you will see an error, but in bypass mode, no code sign tamper detection happens Fixed visual issues and also added new ones
Restoring execution policy for the current process after the script is finished
Adding changes from the main script to the module directory. The changes related to execution policy restoration at the end.
The required PowerShell module is now the latest version which is 7.4.0. It has many new features, one of which is the having -ProgressAction common parameter. Using this new common parameter and setting it to SilentlyContinue for Invoke-WebRequest and Invoke-restMethod cmdlets allows for the removal of Invoke-WithoutProgress function since it renders it unnecessary.
It was related to Confirm-SystemCompliance cmdlet. If OS Drive wasn't encrypted, it wouldn't show up in the results. It is now Fixed.
Added logic for detecting write-protected drives to be used with Enhanced security level of BitLocker which uses Startup Key as an additional key protector. Prior to adding the Startup key, we must ensure the drive where the partial key is going to be saved in is writable. This commit adds logic for it.
Using SIDs instead of account names. This makes it more robust and the comparison logic has also been improved. This change makes everything more inclusive by working in situations where the usernames contain non-English alphabets, lots of spaces and such. Or when the username is the same as the computer name
Optimized various parts of the code to be shorter and better
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What's Changed
Added Multifactor Authentication to the BitLocker category. When you run the BitLocker category, you will be presented with the option to choose between Normal and Enhanced security levels. The Normal security level is the previous method where the OS drive (your device) needed TPM + Startup PIN to be unlocked. The Enhanced security level adds one more factor to the authentication, requiring an external flash drive containing a special encryption key to be inserted into your device prior to the authentication.
Fixed a problem with OneDrive's Personal Vault, it wouldn't be initialized if a certain policy related to BitLocker was active. The policy was "Full disk encryption for fixed data drives" and it's now removed in this update. The policy is used to enforce encryption of the full space of the disk rather than only the used space. The Microsoft Security Baselines don't enable this policy. After careful consideration, came to the conclusion that it should be removed to fix the OneDrive Personal Vault initialization problem, and also it's not necessary to be enabled because the Harden Windows Security Module and script already encrypt the drives with full disk space (Used space + free space) to ensure maximum protection and confidentiality of the data at rest.
Enable-BitLockerPowerShell cmdlet encrypts the entire disk by default unless the[-UsedSpaceOnly]optional parameter is used, which is not the case in the module/script.More info
The latest Microsoft Security Baselines 23H2 mentions to have added support for WinVerifyTrust Signature Validation policy (aka certificate padding) but they haven't implemented it properly. More info in the comments section of this Microsoft Tech Community article. This is why this update uses registry keys to apply the Certificate padding check until that problem is officially resolved.
When using
Unprotect-WindowsSecuritycmdlet, during the restoration of security group policies, the cmdlet now only restores settings that were changed by theProtect-WindowsSecuritycmdlet, excluding the ones applied by the Microsoft Security Baselines. This allows for a more surgical and careful restoration of the settings and will prevent any accidental changes to the settings.The BitLocker category now saves the recovery password in the same format as Windows does when using the GUI to encrypt a drive.
The BitLocker category now has a much better UX and logic.
Fixed hibernate file size detection logic.
The Scheduled task for updating Microsoft recommended driver block rules now only runs if there is a network connection, which makes sense because it needs to download the latest block list from the official MSFT servers and apply them on the system. It also restarts itself if it fails, every 6 hours, up to 4 tries.
Improved variable types to be more explicit and safe. Using full variable type names instead of their aliases.
Using 'Unrestricted' instead of 'Bypass' when setting the execution policy for the current process. Unrestricted is more secure than Bypass because if a script is code signed then tampered, you will see an error, but in bypass mode, no code sign tamper detection happens. The execution policy is also saved prior to running the script and is restored at the end.
Improved Hyper-V group member detection by using SIDs instead of account names. This makes it more robust and the comparison logic has also been improved. This change makes everything more inclusive by working in situations where the usernames contain non-English alphabets, lots of spaces and such. Or when the username is the same as the computer name.
The required PowerShell Core version is now the latest version which is 7.4.0. It has many new features, one of which is having
-ProgressActioncommon parameter. Using this new common parameter and setting it toSilentlyContinueforInvoke-WebRequestandInvoke-restMethodcmdlets allows for the removal of the customInvoke-WithoutProgressfunction since it renders it unnecessary.Added Steps recorder removal to the Optional Windows Features category. It's deprecated.