
Harden windows security module v.0.2.6 #158

Merged
merged 15 commits into from
Nov 23, 2023

Conversation

HotCakeX
Copy link
Owner

@HotCakeX HotCakeX commented Nov 20, 2023

What's Changed

  1. Improved colored texts
  2. Fixed an error related to flash drive selection in BitLocker category - Fixed an error related to flash drive #155
  3. Improved visual spacing of Optional Windows Features category - Improved visual spacing of Optional Windows Features category #156
  4. Improved BCD NX bit setting and detection: Instead of using Bcdedit, it uses the new PowerShell cmdlets. This allows the NX bit value detection to work with any locale and system language. Previously this detection only worked with EN-US locales.
  5. Added workaround for Controlled Folder Access: The controlled folder access is now properly navigated when using the Confirm-SystemCompliance cmdlet. The new method of BCD NX value verification and detection causes Controlled Folder Access to show a notification about pwsh.exe getting blocked, so the new change prevents this from happening by dynamically adding pwsh.exe to the exclusion list before running the function and then restoring the exclusion list back to exactly how it was at the end of the operation. This is safely done to ensure that even if the user pressed Ctrl + C to prematurely exit the operation or if there is an error, the exclusion list restoration will still happen.
  6. Added Svchost.exe security mitigation removal to the Unprotect-WindowsSecurity cmdlet. It's a tattooed policy so simply setting it to not configured won't revert it.
  7. Improved execution speed by at least 8 seconds
  8. Added warning for insecure encryption method: When running the BitLocker category, the encryption method of each drive will be checked and if it's not XTSAES256, which is currently the most secure type, a warning will be displayed. The module/script doesn't do anything else, but if you would like to fix that, you will need to manually decrypt each drive, wait for it to be fully decrypted, and then run the BitLocker category again to encrypt them with the most secure algorithm. Your OS or non-OS drive that is BitLocker encrypted might be using a less secure encryption method if you didn't encrypt it properly. Another potential cause is if your SSD is an SED (Self Encrypting Drive) and uses Opal 2; in this case it might automatically pick a different algorithm such as XTSAES128. The Harden Windows Security module always uses XTSAES256 until a more secure encryption method becomes available.

Important Notes

I'm going to explain 2 known issues in Windows that are not related to the Harden Windows Security module or script, nevertheless, I want to make you aware of them because they can cause complications. You might not be affected by them at all. I've found these issues through long debugging sessions.


Svchost.exe security mitigations policy

In the Miscellaneous category, there is a policy called svchost.exe mitigations. It applies process mitigations for the Svchost.exe process; you can read more about what it does in the linked page, but the most important thing is that it requires all binaries loaded in the Svchost.exe process to be signed by Microsoft.

So far so good, right? So where is the problem?

There is a file located at:

C:\Windows\System32\gameplatformservices.dll

It's part of the Windows OS but it hasn't been digitally signed for about 2 months now. It was signed before but since about 2 months ago it was released as an unsigned dll.

When you use the Miscellaneous category and you have at least the Windows 11 Pro for Workstations edition, that security policy prevents gameplatformservices.dll from loading and, as a result of that, Code Integrity Operational logs begin to generate at an unprecedented rate, sometimes up to 500 logs every 10 seconds. They essentially pollute that important event category and also cause high CPU usage. Microsoft Store is one of the triggers of this problem. When it checks for app updates or if you manually check for app updates, the problem starts happening, CPU usage goes up and Microsoft Store gets stuck at checking for updates forever. Using Xbox apps and services can potentially help this problem manifest itself better or faster.

Smart App Control also detects this file as unsigned and blocks it. I've reported this in Feedback hub multiple times (1 - 2 - 3) but so far no changes have been made.

As a workaround, you can manually turn off this policy if you are affected by this issue. It's a tattooed policy, meaning it's not enough to simply set it to "Not Configured" state, you need to change or delete the registry key related to that policy too.


Screenshots 📸

[two screenshots omitted]


BitLocker encryption, OneDrive Personal Vault and ReFS volumes, an interesting trio

Based on my findings, there is a potential issue when you try to use BitLocker, OneDrive Personal Vault and ReFS volume at the same time.

  • If your OS volume is BitLocker encrypted and you have at least one ReFS volume that is also BitLocker encrypted then OneDrive's Personal Vault fails when you try to unlock or initialize it.

  • It fails by getting stuck at step 12 and when that happens, some normal operations of the OS get stuck and stop functioning.

  • This only happens if the ReFS volume is unlocked. If the ReFS volume is BitLocker encrypted but locked when you try to unlock OneDrive's personal vault, then this problem won't happen.

  • It doesn't matter how many other BitLocker encrypted ReFS, NTFS or non-BitLocker encrypted volumes are available on the system.

  • The ReFS volume can have recovery password, auto unlock or password key protector, either way this problem is reproducible.


Screenshots 📸

[screenshot omitted]
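The two mechanisms described in the PR body, temporarily excluding pwsh.exe from Controlled Folder Access with a guaranteed restore, and warning on BitLocker volumes that are not XTS-AES 256, as an added example. This is not the module's own code; it assumes an elevated session with the Defender and BitLocker cmdlets available, and takes the pwsh.exe path from the running process.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the Harden Windows Security module.

function Invoke-WithCfaExclusion {
    param(
        [Parameter(Mandatory)][string[]]$Path,           # executables to exclude temporarily
        [Parameter(Mandatory)][scriptblock]$ScriptBlock   # work to run while excluded
    )
    # Snapshot the current CFA allowed-applications list so it can be restored exactly
    $Original = @((Get-MpPreference).ControlledFolderAccessAllowedApplications)
    # Only add entries that are not already excluded, so the restore never removes a user's own entry
    $ToAdd = @($Path | Where-Object { $_ -notin $Original })
    try {
        if ($ToAdd.Count -gt 0) {
            Add-MpPreference -ControlledFolderAccessAllowedApplications $ToAdd
        }
        & $ScriptBlock
    }
    finally {
        # finally runs on normal completion, on a terminating error and on Ctrl+C,
        # which is what guarantees the exclusion list returns to its prior state
        if ($ToAdd.Count -gt 0) {
            Remove-MpPreference -ControlledFolderAccessAllowedApplications $ToAdd
        }
    }
}

function Test-BitLockerEncryptionMethod {
    # Warn for every BitLocker-protected volume whose cipher is not XTS-AES 256
    $Weak = @()
    foreach ($Volume in Get-BitLockerVolume | Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' }) {
        if ($Volume.EncryptionMethod -ne 'XtsAes256') {
            Write-Warning ("Drive {0} uses {1}; fully decrypt it and re-encrypt with XtsAes256." -f
                $Volume.MountPoint, $Volume.EncryptionMethod)
            $Weak += $Volume.MountPoint
        }
    }
    return $Weak   # mount points needing attention, empty when everything is XtsAes256
}

# Usage: run the BitLocker check with the current pwsh.exe temporarily allowed through CFA
$PwshPath = (Get-Process -Id $PID).Path
Invoke-WithCfaExclusion -Path $PwshPath -ScriptBlock { Test-BitLockerEncryptionMethod }
```

The example only reports weak volumes, matching the PR's behaviour of warning without re-encrypting.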

Removed -NoNewLine from 2 colors that shouldn't have had that param
@HotCakeX HotCakeX added the Enhancement 💯 New feature or request label Nov 20, 2023
@HotCakeX HotCakeX self-assigned this Nov 20, 2023
@HotCakeX HotCakeX added the Documentation 📃 Improvements or additions to documentation label Nov 20, 2023
Instead of using bcdedit, using the new PowerShell cmdlets.

This allows the NX bit value detection to work with any locale and system language. Previously this detection only worked with EN-US locales.
Added Svchost.exe security mitigation removal to the Unprotect-WindowsSecurity cmdlet

It's a tattooed policy so simply setting it to not configured won't revert it.
The controlled folder access is now properly navigated when using the Confirm-SystemCompliance cmdlet.

The new method of BCD NX value verification and detection causes Controlled Folder Access to show a notification about pwsh.exe getting blocked, so the new change prevents this from happening by dynamically adding pwsh.exe to the exclusion list before running the function and then restoring the exclusion list back to exactly how it was at the end of the operation.

This is safely done to ensure that even if the user presses Ctrl + C to prematurely exit the operation or if there is an error, the exclusion list restoration will still happen.
Removed the unnecessary artificial wait time that was introduced in the BitLocker category to add powercfg.exe to the Controlled Folder Access exclusion list and then remove it after the command. Now it's added to the exclusion list at the beginning so that by the time the BitLocker category is being processed, enough time will have passed for it to run without causing any errors or showing a notification about it being blocked.

At the end of the execution or when execution is prematurely terminated, it will be removed like the rest of the PowerShell executables and the CFA's exclusion list will be restored.
Variable type definitions
improving code consistency
When running the BitLocker category, the encryption method of each drive will be checked and if it's not XTSAES256, which is currently the most secure type, a warning will be displayed.

The module/script doesn't do anything else. But if you would like to fix that, you will need to manually decrypt each drive, wait for it to be fully decrypted, and then run the BitLocker category again to encrypt them with the most secure algorithm.
@HotCakeX HotCakeX marked this pull request as ready for review November 23, 2023 19:16
@HotCakeX HotCakeX merged commit 85a29fd into main Nov 23, 2023
2 checks passed
@HotCakeX HotCakeX deleted the Harden-Windows-Security-Module-v.0.2.6 branch November 23, 2023 19:17