Hardening Categories
Important
Click/Tap on Each of the Items Below to Access Them on This GitHub Repository
Note
Windows is secure and safe by default; this repository does not imply nor claim otherwise. Just like anything else, you have to use it wisely and not compromise yourself with reckless behavior and bad user configuration; nothing is foolproof. This repository only uses the tools and features that have already been implemented by Microsoft in the Windows OS to fine-tune it towards the highest security and most locked-down state, using well-documented, supported, recommended and official methods. Continue reading for comprehensive info.
Start The Harden Windows Security Using GUI (Graphical User Interface)
```powershell
(irm 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security.ps1')+'P'|iex
```
Install the Harden Windows Security Module from PowerShell Gallery
Check the documentation and How to use
Click/Tap here for commands
```powershell
Install-Module -Name 'Harden-Windows-Security-Module' -Force
```

```powershell
Protect-WindowsSecurity -GUI
```

```powershell
Confirm-SystemCompliance
```

```powershell
Unprotect-WindowsSecurity
```
Use the following PowerShell command as Admin
```powershell
(irm 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security.ps1')+'AppControl'|iex
```

```powershell
Winget install Microsoft.PowerShell
```
Tip
Restart your device after applying the hardening measures.
With the following exceptions
Link Count | Link | Reason |
---|---|---|
1 | Intel website | i7 13700k product page |
1 | state.gov | List of State Sponsors of Terrorism |
1 | orpa.princeton.edu | OFAC Sanctioned Countries |
2 | Wikipedia | TLS - providing additional information |
1 | UK Cyber Security Centre | TLS - providing additional information |
1 | Security.Stackexchange Q&A | TLS - providing additional information |
1 | browserleaks.com/tls | TLS - Browser test |
1 | clienttest.ssllabs.com | TLS - Browser test |
1 | scanigma.com/knowledge-base | TLS - providing additional information |
1 | cloudflare.com/ssl/reference/ | TLS - providing additional information |
1 | github.com/ssllabs/research/ | TLS - providing additional information |
1 | Wayback Machine | Providing additional information about Edge Browser |
Secured-core – recommended for the most sensitive systems and industries like financial, healthcare, and government agencies. Builds on the previous layers and leverages advanced processor capabilities to provide protection from firmware attacks.
Warning
For your own security, exercise caution when considering any other 3rd-party tools, programs, or scripts claiming to harden or modify Windows OS in any way. Verify their legitimacy thoroughly before use and after each release. Avoid blind trust in 3rd party Internet sources. Additionally, if they don't adhere to the rules mentioned above, they can cause system damage, unknown issues, and bugs.
- Read the Trust section to see how you can 100% Trust this repository.
- How are Group Policies for this module created and maintained?
Commands that require Administrator Privileges (click/tap on each of these to see in-depth info)
- Microsoft Security Baselines
- Microsoft 365 Apps Security Baselines
- Microsoft Defender
- Attack surface reduction rules
- Bitlocker Settings
- Device Guard
- TLS Security
- Lock Screen
- UAC (User Account Control)
- Windows Firewall
- Optional Windows Features
- Windows Networking
- Miscellaneous Configurations
- Windows Update configurations
- Edge Browser configurations
- Certificate Checking Commands
- Country IP Blocking
- Downloads Defense Measures
Commands that don't require Administrator Privileges
Indicator | Description |
---|---|
Security measure is applied using PowerShell cmdlets or Registry | |
Security measure is applied using Group Policies | |
CSP for the security measure | |
Sub-category - prompts for additional confirmation | |
Continue reading in the official documentation
Optional Overrides for Microsoft Security Baselines
Microsoft Security Baselines Version Matrix
- Here is an example of the notification you will see in Windows 11 if that happens.
- Configure and validate Microsoft Defender Antivirus network connections
- Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware
- Paste the following PowerShell code to retrieve the latest available online versions of the Platform, Signatures, and Engine for Microsoft Defender

```powershell
# Query Microsoft's definition-update info endpoint and display the latest online versions
$X = irm "https://www.microsoft.com/security/encyclopedia/adlpackages.aspx?action=info"
@{Engine = $X.versions.engine; Signatures = $X.versions.signatures.'#text'; Platform = $X.versions.platform} | ft -AutoSize
```
- Smart App Control is User-Mode (and enforces Kernel-Mode) App Control for Business, more info in the Wiki. You can see its status in System Information and enable it manually from the Microsoft Defender app's GUI. It is very important for Windows and Windows Defender intelligence updates to always be up to date in order for Smart App Control to work properly, as it relies on live intelligence and definition data from the cloud and other sources to make a Smart decision about programs and files it encounters.
- Smart App Control uses ISG (Intelligent Security Graph). The ISG isn't a "list" of apps. Rather, it uses the same vast security intelligence and machine learning analytics that power Microsoft Defender SmartScreen and Microsoft Defender Antivirus to help classify applications as having "known good", "known bad", or "unknown" reputation. This cloud-based AI is based on trillions of signals collected from Windows endpoints and other data sources and processed every 24 hours. As a result, the decision from the cloud can change.
- Smart App Control can block a program entirely from running or only some parts of it, in which case your app or program will continue working just fine most of the time. It has improved a lot since it was introduced, and it continues doing so. Consider turning it on after clean installing a new OS and fully updating it.
- Smart App Control enforces the Microsoft Recommended Driver Block rules and the Microsoft Recommended Block Rules.
- Once you turn Smart App Control off, it can't be turned on without resetting or reinstalling Windows.
- If it blocks a program from accessing one of the folders it protects, and you absolutely trust that program, then you can add it to the exclusion list using the Microsoft Defender GUI or PowerShell. You can also query the list of allowed apps using PowerShell (commands below). With these commands, you can back up your personalized list of allowed apps that are relevant to your system, and restore them in case you clean install your Windows.
```powershell
# Add multiple programs to the exclusion list of Controlled Folder Access
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\App\app.exe','C:\Program Files\App2\app2.exe'
```

```powershell
# Get the list of all allowed apps
(Get-MpPreference).ControlledFolderAccessAllowedApplications
```
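The backup-and-restore workflow described above, as an added example that is not part of the Harden Windows Security module: it exports the Controlled Folder Access allow list to JSON and re-adds only the entries that are missing and still exist on disk. The function names and file path are hypothetical, and both functions need an elevated PowerShell session.

```powershell
# Added example (not the module's own code): back up and restore the
# Controlled Folder Access allowed-application list. Requires elevation.

function Backup-CfaAllowedApps {
    param([string]$Path = "$env:USERPROFILE\CFA-AllowedApps.json")  # hypothetical default path

    # Read the current allow list; an empty list comes back as $null, so force an array
    $apps = @((Get-MpPreference).ControlledFolderAccessAllowedApplications)

    # Store when and where the list was taken so a later restore is traceable
    [PSCustomObject]@{
        ExportedAt = (Get-Date).ToString('o')
        Computer   = $env:COMPUTERNAME
        Apps       = $apps
    } | ConvertTo-Json -Depth 3 | Set-Content -Path $Path -Encoding UTF8

    Write-Host "Backed up $($apps.Count) allowed app(s) to $Path"
}

function Restore-CfaAllowedApps {
    param([string]$Path = "$env:USERPROFILE\CFA-AllowedApps.json")

    $backup  = Get-Content -Path $Path -Raw | ConvertFrom-Json
    $current = @((Get-MpPreference).ControlledFolderAccessAllowedApplications)

    foreach ($app in @($backup.Apps)) {
        # Skip entries already present so the restore can be re-run safely
        if ($current -contains $app) { continue }

        # Do not allow a path that no longer exists: something else could later
        # occupy that location and inherit the exclusion
        if (-not (Test-Path -LiteralPath $app -PathType Leaf)) {
            Write-Warning "Skipping '$app': file not found on this system"
            continue
        }

        Add-MpPreference -ControlledFolderAccessAllowedApplications $app
        Write-Host "Restored exclusion for $app"
    }
}

# Typical use: run Backup-CfaAllowedApps before a clean install, keep the JSON
# somewhere safe, then run Restore-CfaAllowedApps on the rebuilt system.
Backup-CfaAllowedApps
```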
- Automatically detects and excludes the Git executables of GitHub Desktop and Git (Standalone version) from mandatory ASLR if they are installed on the system. More info here
- You can add a Mandatory ASLR override for a trusted program using the PowerShell command below or in the Program Settings section of Exploit Protection in the Microsoft Defender app.

```powershell
Set-ProcessMitigation -Name "C:\TrustedApp.exe" -Disable ForceRelocateImages
```
- All channels of Microsoft Edge browser
- Quick Assist app
- Some System processes
- Microsoft 365 apps
- More apps and processes will be added to the list over time once they are properly validated to be fully compatible.
- Exploit Protection configurations are also accessible in XML format within this repository. When implementing exploit protections using an XML file, the existing exploit mitigations will seamlessly integrate rather than being overwritten. Should there be pre-existing exploit protections applied to an executable on the system, and the XML file specifies different mitigations for the same executable, these protections will be merged and applied collectively.
`BCDEdit /enum "{current}"` (in PowerShell) for the NX bit is `OptIn` but this module sets it to `AlwaysOn`

`4,294,967,295`

`10,000,000 KB` or `10 GB`. The default is `20480 KB` or `~20MB`
- Launching executable files and scripts that attempt to download or run files
- Running obfuscated or otherwise suspicious scripts
- Performing behaviors that apps don't usually initiate during normal day-to-day work
Such software behaviors are sometimes seen in legitimate applications. However, these behaviors are often considered risky because they are commonly abused by attackers through malware. Attack surface reduction rules can constrain software-based risky behaviors and help keep your organization safe.
Reducing your attack surface means protecting your devices and network, which leaves attackers with fewer ways to perform attacks. Configuring attack surface reduction rules in Windows can help!
Tip
All 19 available Attack Surface Reduction rules shown in the official chart will be enabled. The Harden Windows Security application also allows you to individually configure each Attack Surface Reduction rule.
- It offers 2 security levels for OS drive encryption: Enhanced and Normal.
- In the Normal security level, the OS drive is encrypted with TPM and Startup PIN. This provides very high security for your data, especially with a PIN that's long, complicated (uppercase and lowercase letters, symbols, numbers, spaces) and isn't the same as your Windows Hello PIN.
- In the Enhanced security level, the OS drive is encrypted with TPM and Startup PIN and Startup key. This provides the highest level of protection by offering Multifactor Authentication. You will need to enter your PIN and also plug in a flash drive, containing a special BitLocker key, into your device in order to unlock it. Continue reading more about it here.
- Once the OS drive is encrypted, for every other non-OS drive, there will be prompts for confirmation before encrypting it. The encryption will use the same algorithm as the OS drive and uses the Auto-unlock key protector. Removable flash drives are skipped.
- The recovery information of all of the drives is saved in a single well-formatted text file in the root of the OS drive: `C:\BitLocker-Recovery-Info-All-Drives.txt`. It's very important to keep it in a safe and reachable place as soon as possible, e.g., in OneDrive's Personal Vault which requires additional authentication to access. See here and here for more info. You can use it to unlock your drives if you ever forget your PIN, lose your Startup key (USB Flash Drive) or the TPM no longer has the correct authorization (e.g., after a firmware change).
- The TPM has special anti-hammering logic which prevents a malicious user from guessing the authorization data indefinitely. Microsoft defines that the maximum number of failed attempts in Windows is 32 and every single failed attempt is forgotten after 2 hours. This means that every continuous two hours of powered-on (and successfully booted) operation without an event which increases the counter will cause the counter to decrease by 1. You can view all the details using this PowerShell command: `Get-TPM`.
- Check out the Lock Screen category for more info about the recovery password and the 2nd anti-hammering mechanism.
- BitLocker will bring you real security against the theft of your device if you strictly abide by the following basic rules:
  - As soon as you have finished working, either Hibernate or shut Windows down and allow for every shadow of information to disappear from RAM within 2 minutes. This practice is recommended in High-Risk Environments.
  - Do not mix 3rd party encryption software and tools with BitLocker. BitLocker creates a secure end-to-end encrypted ecosystem for your device and its peripherals; this secure ecosystem is backed by things such as software, Virtualization Technology, TPM 2.0 and UEFI firmware, and BitLocker protects your data and entire device against real-life attacks and threats. You can encrypt your external SSDs and flash drives with BitLocker too.
Important
AMD Zen 2 and 3 CPUs have a vulnerability in them, if you use one of them, make sure your Bitlocker Startup PIN is at least 16 characters long (max is 20).
- The Kernel DMA Protection (Memory Access Protection) for OEMs page shows the requirements for Kernel DMA Protection. For Intel CPUs, support for requirements such as VT-X and VT-D can be found on each CPU's respective product page, e.g. Intel i7 13700K.
- Devices that support Modern Standby have the most security because the (S1-S3) power states which belong to the legacy sleep modes are not available. In Modern Standby, security components remain vigilant and the OS stays protected. Applying Microsoft Security Baselines also automatically disables the legacy (S1-S3) sleep states.

Refer to this official documentation about the countermeasures of BitLocker
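A compliance check for the BitLocker configuration described in this category, as an added example that is not part of the module: it reads the OS drive's key protectors and maps them to the Normal (TPM + PIN) and Enhanced (TPM + PIN + Startup key) levels, confirms a recovery password exists, and lists the Auto-unlock state of non-OS drives. The function names and labels are hypothetical; it needs an elevated session.

```powershell
# Added example (not the module's own code): verify BitLocker protectors against
# the two security levels described on this page. Requires elevation.

function Test-OsDriveBitLockerLevel {
    $osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $types = @($osVol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    # Map the TPM-based key protector type to the level the text describes
    $level = switch ($true) {
        ($types -contains 'TpmPinStartupKey') { 'Enhanced (TPM + PIN + Startup key)'; break }
        ($types -contains 'TpmPin')           { 'Normal (TPM + PIN)'; break }
        ($types -contains 'Tpm')              { 'TPM only (below Normal)'; break }
        default                               { 'No TPM-based protector' }
    }

    # Without a recovery password, a TPM authorization change (e.g. a firmware
    # update) or a lost startup key locks you out of the drive for good
    $hasRecovery = $types -contains 'RecoveryPassword'

    [PSCustomObject]@{
        MountPoint          = $osVol.MountPoint
        ProtectionStatus    = $osVol.ProtectionStatus
        EncryptionMethod    = $osVol.EncryptionMethod
        EncryptionPercent   = $osVol.EncryptionPercentage
        Level               = $level
        HasRecoveryPassword = $hasRecovery
        KeyProtectors       = ($types -join ', ')
    }
}

function Get-DataDriveAutoUnlock {
    # Non-OS drives should be protected and use the Auto-unlock (ExternalKey) protector
    Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'Data' } | ForEach-Object {
        [PSCustomObject]@{
            MountPoint       = $_.MountPoint
            ProtectionStatus = $_.ProtectionStatus
            AutoUnlock       = $_.AutoUnlockEnabled
            KeyProtectors    = (@($_.KeyProtector.KeyProtectorType) -join ', ')
        }
    }
}

Test-OsDriveBitLockerLevel | Format-List
Get-DataDriveAutoUnlock    | Format-Table -AutoSize
```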
- This is in accordance with Microsoft's recommendation. This option provides Secure Boot with as much protection as is supported by a given computer's hardware. A computer with input/output memory management units (IOMMUs) will have Secure Boot with DMA protection. A computer without IOMMUs will simply have Secure Boot enabled.
- Secure Boot has 2 parts: part 1 is enforced using the Group Policy by this module, but for part 2, you need to enable Secure Boot in your UEFI firmware settings if it's not enabled by default (which is the case on older hardware).
- Special care should be used before enabling this mode, since, in case of any failure of the virtualization modules, the system will refuse to boot.
Tip
Most of the Device Guard and Virtualization-Based Security features are automatically enabled by default on capable and modern hardware. The rest of them will be enabled and configured to the most secure state after you apply the Microsoft Security Baselines and the Harden Windows Security policies.
Important
About UEFI Lock
UEFI-locked security measures are rooted in Proof of Physical Presence and can't be disabled by modifying Group Policy, registry keys or other administrative tasks. The only way to disable UEFI-locked security measures is to have physical access to the computer, reboot and access the UEFI settings, supply the credentials to access the UEFI, turn off Secure Boot, and reboot the system; only then will you be able to disable those security measures with Administrator privileges.
Note
Device Protection in Windows Security Gives You One of These 4 Hardware Scores
- Standard hardware security not supported
  - This means that your device does not meet at least one of the requirements of Standard Hardware Security.
- Your device meets the requirements for Standard Hardware Security.
- Your device meets the requirements for Enhanced Hardware Security.
- Your device has all Secured-core PC features enabled.
Changes made by this category only affect things that use the Schannel SSP: that includes the IIS web server, built-in inbox Windows apps and some other programs supplied by Microsoft, including Windows network communications, but not 3rd party software that uses portable stacks like Java, nodejs, python or php.
If you want to read more: Demystifying Schannel
Note
This category checks whether the Battle.net client is installed on the system and if it is, then it includes `TLS_RSA_WITH_AES_256_CBC_SHA` as an additional cipher suite in the policy due to a known issue. The way the Battle.net client is detected is by checking the presence of `Battle.net.exe` or `Battle.net Launcher.exe` in the `C:\Program Files (x86)\Battle.net\` folder.
`TLS 1.2` and `TLS 1.3`.

`"DES 56-bit"`, `"RC2 40-bit"`, `"RC2 56-bit"`, `"RC2 128-bit"`, `"RC4 40-bit"`, `"RC4 56-bit"`, `"RC4 64-bit"`, `"RC4 128-bit"`, `"3DES 168-bit (Triple DES 168)"`

```
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_256_GCM_SHA384
TLS_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
```

```
nistP521
curve25519
NistP384
NistP256
```

- By default, in Windows, the order is this:

```
curve25519
NistP256
NistP384
```
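A check of the running Schannel configuration against the cipher suite and ECC curve lists above, as an added example that is not part of the module: it flags every active suite outside the enforced list and explains why it falls outside it (no forward secrecy, CBC mode, SHA-1, broken cipher), and compares the active curve order with the desired one. The function names are hypothetical; the desired lists are copied from the text.

```powershell
# Added example (not the module's own code): audit active Schannel cipher suites
# and ECC curves against the lists this category enforces.

$DesiredCipherSuites = @(
    'TLS_CHACHA20_POLY1305_SHA256'
    'TLS_AES_256_GCM_SHA384'
    'TLS_AES_128_GCM_SHA256'
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384'
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256'
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384'
    'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256'
)
$DesiredCurves = @('nistP521', 'curve25519', 'NistP384', 'NistP256')

function Test-SchannelCipherSuites {
    # Get-TlsCipherSuite returns the suites in their current negotiation priority order
    $active = @(Get-TlsCipherSuite | Select-Object -ExpandProperty Name)

    foreach ($suite in $active) {
        $isDesired = $DesiredCipherSuites -contains $suite

        # Explain why a suite is outside the list, using the same properties the
        # Edge section of this page cites: key exchange, cipher mode, hash
        $reasons = @()
        if ($suite -match '^TLS_RSA_')        { $reasons += 'no forward secrecy' }
        if ($suite -match '_CBC_')            { $reasons += 'CBC' }
        if ($suite -match '_SHA$')            { $reasons += 'SHA1' }
        if ($suite -match 'RC4|3DES|NULL')    { $reasons += 'broken or null cipher' }
        $reason = if ($isDesired) { '' } else { $reasons -join ', ' }

        [PSCustomObject]@{
            CipherSuite = $suite
            Compliant   = $isDesired
            Reason      = $reason
        }
    }
}

function Test-SchannelCurves {
    # Get-TlsEccCurve returns the curve names in priority order
    $active = @(Get-TlsEccCurve)

    [PSCustomObject]@{
        ActiveOrder  = ($active -join ', ')
        DesiredOrder = ($DesiredCurves -join ', ')
        # Order-sensitive, case-insensitive comparison of the two lists
        OrderMatches = (($active -join ',') -ieq ($DesiredCurves -join ','))
        Missing      = (($DesiredCurves | Where-Object { $active -notcontains $_ }) -join ', ')
    }
}

Test-SchannelCipherSuites | Format-Table -AutoSize
Test-SchannelCurves       | Format-List
```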
- A malicious user might install malware that looks like the standard sign-in dialog box for the Windows operating system and capture a user's password. The attacker can then sign into the compromised account with whatever level of user rights that user has.
- This module (in the BitLocker category) automatically saves the 48-digit recovery password of each drive, and the location of it will also be visible on the PowerShell console when you run it. It is very important to keep it in a safe and reachable place, e.g. in OneDrive's Personal Vault, which requires authentication to access. See Here and Here for more info about OneDrive's Personal Vault.
- Useful if you have devices that store sensitive data, with monitors displayed in unsecured locations, or if you have devices with sensitive data that are remotely accessed, revealing the logged-on user's full name or domain account name.
- This feature can be useful to enable if you live in High-Risk Environments and you don't want anyone to get any information about your accounts when you aren't logged in.
- This policy will prevent you from using the "Forgot my PIN" feature on the lock screen or logon screen. If you forget your PIN, you won't be able to recover it.
- If you use Windows Hello Face or Fingerprint, you can easily log in using those credential providers without the need to supply a username first.
- Expires every 180 days (default behavior is to never expire)
  - Setting an expiration date ensures that, in the event of theft, a threat actor cannot indefinitely attempt to guess the PIN. After 180 days, the PIN expires, rendering it unusable even if guessed correctly. To reset the PIN, authentication via a Microsoft account or Entra ID, likely inaccessible to the attacker, will be required. Combined with anti-hammering and BitLocker policies, this expiration guarantees that a threat actor cannot endlessly persist in guessing the PIN.
- History of the 1 most recent selected PIN is preserved to prevent the user from reusing it
- Default Behavior: Prompt for consent for non-Windows binaries: When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
- Harden Windows Security Behavior: When an operation requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
- This policy will prevent you from using "Forgot my PIN" feature in lock screen or logon screen. If you forget your PIN, you won't be able to recover it.
`32.767 MB`. Defines separate log files for each of the firewall profiles. Logs only dropped packets for the Private and Public profiles, and logs both dropped and successful packets for the Domain profile.
- The domain name `.local`, which is used in mDNS (Multicast DNS), is a special-use domain name reserved by the Internet Engineering Task Force (IETF) so that it may not be installed as a top-level domain in the Domain Name System (DNS) of the Internet.
- PowerShell v2: because it's old and doesn't support AMSI.
- Work Folders client: not used when your computer is not part of a domain or enterprise network.
- Internet Printing Client: used in combination with the IIS web server, an old feature that can be disabled without causing problems further down the road.
- Windows Media Player (legacy): isn't needed anymore, Windows 11 has a modern media player app.
- Microsoft Defender Application Guard: it's deprecated. Learn more about Microsoft Edge Security Features here.

- Notepad (system): legacy Notepad program. Windows 11 has the multi-tabbed modern Notepad app.
- VBSCRIPT: a legacy, deprecated scripting engine component; Microsoft does not recommend using this component unless and until it is really required.
- Internet Explorer mode for Edge browser: it's only used by a few organizations that have very old internal websites.
- WMIC: old and deprecated, not secure, and in the Microsoft recommended block rules.
- WordPad: old and deprecated. None of the new features of Word documents are supported in it. Recommended to use Word Online, Notepad or M365 Word.
- PowerShell ISE: old PowerShell environment that doesn't support versions above 5.1. Highly recommended to use Visual Studio Code for PowerShell usage and learning. You can even replicate the ISE experience in Visual Studio Code. You can access Visual Studio Code online in your browser without the need to install anything.
- Steps Recorder: it's deprecated.

- Windows Sandbox: install, test and use programs in a disposable virtual operating system, completely separate from your main OS.
- Hyper-V: a great hybrid hypervisor (Type 1 and Type 2) to run virtual machines on. Check out this Hyper-V Wiki page.
`3.1.1`, which is the latest available version at the moment and was introduced years ago with Windows 10.
`(Get-SmbServerConfiguration).EncryptData`. If the returned value is `$True` then SMB Encryption is turned on.

`AES_128_GCM,AES_128_CCM,AES_256_GCM,AES_256_CCM` to `AES_256_GCM,AES_256_CCM,AES_128_GCM,AES_128_CCM` for the SMB Client.

`AES_128_GCM,AES_128_CCM,AES_256_GCM,AES_256_CCM` to `AES_256_GCM,AES_256_CCM,AES_128_GCM,AES_128_CCM` for the SMB Server.
`8`, which is Good only. The default value is `3`, which allows good, unknown and 'bad but critical'. That is the default value, because setting it to `8` can prevent your computer from booting if the driver it relies on is critical but at the same time unknown or bad.

- By being launched first by the kernel, ELAM is ensured to be launched before any third-party software and is therefore able to detect malware in the boot process and prevent it from initializing. ELAM drivers must be specially signed by Microsoft to ensure they are started by the Windows kernel early in the boot process.
`svchost.exe` mitigations. Built-in system services hosted in `svchost.exe` processes will have stricter security policies enabled on them. These stricter security policies include a policy requiring all binaries loaded in these processes to be signed by Microsoft, and a policy disallowing dynamically generated code.

- Requires Business Windows licenses, e.g., Windows 11 Pro for Workstations, Enterprise or Education.
- This causes some UI elements in the search settings in Windows Settings to become unavailable for Standard user accounts to view, because it will be a feature managed by an Administrator.
- Sudden Shut down events (due to power outage)
- Checks to make sure Other Logon/Logoff Events Audit is active
- Failed Login attempts via PIN at lock screen
  - Error/Status code `0xC0000064` indicates wrong PIN entered at lock screen
  - Error/Status code
- USB storage Connects & Disconnects (Flash drives, phones etc.)
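Detection logic for the failed-PIN case above, as an added example that is not part of the module: it pulls recent failed logon events from the Security log and surfaces those carrying status `0xC0000064`, warning when a burst of them appears inside the lookback window. It assumes these attempts are recorded as event ID 4625 ("An account failed to log on"); the function name, lookback window and threshold are hypothetical, and reading the Security log needs an elevated session.

```powershell
# Added example (not the module's own code): find wrong-PIN events in the
# Security log. Assumes event ID 4625 carries status 0xC0000064 for this case.

function Get-FailedPinAttempts {
    param(
        [int]$Hours = 24,           # hypothetical lookback window
        [int]$AlertThreshold = 5    # hypothetical burst threshold
    )

    $filter = @{
        LogName   = 'Security'
        Id        = 4625
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # "No events were found" is a non-terminating error; treat it as an empty result
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    $hits = foreach ($e in $events) {
        # The event XML exposes named EventData fields; Status/SubStatus are hex strings
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in @($xml.Event.EventData.Data)) { $data[$d.Name] = $d.'#text' }

        # String -eq is case-insensitive, so 0xc0000064 and 0xC0000064 both match
        if ($data['Status'] -eq '0xC0000064' -or $data['SubStatus'] -eq '0xC0000064') {
            [PSCustomObject]@{
                Time        = $e.TimeCreated
                Account     = $data['TargetUserName']
                LogonType   = $data['LogonType']
                Status      = $data['Status']
                SubStatus   = $data['SubStatus']
                Workstation = $data['WorkstationName']
            }
        }
    }

    $hits = @($hits)
    if ($hits.Count -ge $AlertThreshold) {
        Write-Warning "$($hits.Count) wrong-PIN events in the last $Hours h (threshold $AlertThreshold)"
    }
    $hits
}

Get-FailedPinAttempts | Format-Table -AutoSize
```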
MACs [email protected],[email protected],[email protected]
.
Windows updates are extremely important. They should always be installed as fast as possible to stay secure, and if a reboot is required, it should be done immediately. Threat actors can weaponize publicly disclosed vulnerabilities the same day their POC (Proof-Of-Concept) is released.
In Windows by default, devices will scan daily, automatically download and install any applicable updates at a time optimized to reduce interference with usage, and then automatically try to restart when the end user is away.
The following policies the module configures make sure the default behavior explained above is tightly enforced.
TLS_RSA_WITH_AES_256_CBC_SHA Reason: NO Perfect Forward Secrecy, CBC, SHA1
TLS_RSA_WITH_AES_128_CBC_SHA Reason: NO Perfect Forward Secrecy, CBC, SHA1
TLS_RSA_WITH_AES_128_GCM_SHA256 Reason: NO Perfect Forward Secrecy
TLS_RSA_WITH_AES_256_GCM_SHA384 Reason: NO Perfect Forward Secrecy
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA Reason: CBC, SHA1
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA Reason: CBC, SHA1
Due to security reasons, many policies cannot be used when you are signed into the Edge browser using a personal Microsoft account. This module does not use any of those policies. When those policies are applied, they are ignored by the browser and `edge://policy/` shows an error for them.
- You can view all of the policies being applied to your Edge browser by visiting this page:
edge://policy/
- You can find all of the available internal Edge pages in here:
edge://about/
- Useful links:
`IPv4` and `IPv6` addresses of State Sponsors of Terrorism and OFAC Sanctioned Countries, directly from the official IANA sources repository, then creates 2 rules (inbound and outbound) for each list in Windows Firewall, completely blocking connections to and from those countries.
Once you have those Firewall rules added, you can use this method to see if any of the blocked connections were from/to those countries.
Note
Threat actors can use VPN, VPS etc. to mask their originating IP address and location. So don't take this category as the perfect solution for network protection.
This policy defends the system from malware that can launch itself automatically after being downloaded from the Internet. The user must ensure the file's safety and explicitly transfer it to a different folder before running it.
The App Control policy employs a wildcard pattern to prevent any file from running in the Downloads folder. Additionally, it verifies that the system downloads folder in the user directory matches the downloads folder in the Edge browser's settings. If there is a discrepancy, a warning message is displayed on the console.
- wscript.exe
- mshta.exe
- cscript.exe
They are insecure, unsandboxed script hosts that pose a security risk.
All of the policies can be easily removed using the Unprotect-WindowsSecurity or AppControl Manager.
You don't need Admin privileges to run this category, because no system-wide changes are made. Changes in this category only apply to the current user account that is running the PowerShell session.
Azure DevOps Repository (mirror)
Harden Windows Security website
Official global IANA IP block for each country
Privacy, Anonymity and Compartmentalization
This repository uses effective methods that make it easy to verify:
- Change log history is present on GitHub. (Despite some of my awkward documentation typos)
- Artifact attestations are used to establish provenance for builds. It guarantees that the package(s) you download from this repository are 100% created from the source code that exists in this repository.
- SBOMs (Software Bill of Materials) are generated for the entire repository to comply with data protection standards and provide transparency. Together with attestation they provide SLSA L2 security level for the build process. In the future, the workflows will be upgraded to comply with SLSA L3 level.
- You can open the files in Visual Studio Code / Visual Studio Code Web / GitHub Codespaces, and view them in a nice and easy-to-read environment; they are well formatted, commented and indented.
- Commits are verified either with my GPG key or SSH key and Vigilant mode is turned on in my GitHub account.
- You can fork this repository, verify it until that point in time, then verify any subsequent changes/updates I push to this repository, at your own pace (using the `Sync fork` and `Compare` options on your fork), and if you are happy with the changes, allow them to be merged with your own copy/fork on your GitHub account.
Explanations for some of the files used by the Harden Windows Security module; ask about any other file(s) if you have questions, they are all in clear text.
- Registry.csv includes some of the security measures' registry data.
- ProcessMitigations.csv includes the process mitigations data.
- Default Security Policy.inf contains security policy data used during unprotect actions to restore defaults.
- Registry resources.csv includes the data used for compliance checking.
- Harden-Windows-Security.ps1 is the boot-strapper for the Harden Windows Security module.
- How Are Group Policies Used by the Harden Windows Security Module?
- How are Group Policies for this module created and maintained?
- How to verify Security-Baselines-X directory and 100% trust it?
Tip
All files in this repository are zipped and automatically submitted to VirusTotal for scanning. Any available packages in the latest release are also directly uploaded for scanning. It is done through a GitHub Action that is triggered every time a release is made or a PR is merged. Find the history of the uploaded files in my VirusTotal profile.
If you have any questions, requests, suggestions etc. about this GitHub repository and its content, please open a new discussion or Issue.
Reporting a vulnerability on this GitHub repository.
- Refer to the Wiki to see how to create a bootable USB flash drive with no 3rd party tools
- Microsoft Store UWP apps are secure in nature, digitally signed, in MSIX format. That means installing and uninstalling them is guaranteed and there won't be any leftovers after uninstalling.
- Microsoft Store has Win32 apps too; they are traditional `.exe` installers that we are all familiar with. The store has a library feature that makes it easy to find the apps you previously installed.
- Both Microsoft and Winget check the hash of the files by default; if a program or file is tampered with, they will warn you and block the installation, whereas when you manually download a program from a website, you will have to manually verify the file hash against the hash shown on the website, if any.
- Use my WinSecureDNSMgr module to easily configure DNS over HTTPS in Windows
- There are situations where using VPN can provide security and privacy. For example, when using a public WiFi hotspot or basically any network that you don't have control over. In such cases, use Cloudflare WARP which uses WireGuard protocol, or as mentioned, use Secure Network in Edge browser that utilizes the same secure Cloudflare network. It's free, it's from an American company that has global radar and lots of insight about countries in the world in real-time, at least 19.7% of all websites use it (2022). Safe to say it's one of the backbones of the Internet.
Mark Of The Web (MOTW) or `zone.identifier`. When a file is downloaded to a device running Windows, Mark of the Web is added to the file, identifying its source as being from the internet. You can read all the information about it in here. If your USB flash drive is formatted as `FAT32`, change it to `NTFS`, because `FAT32` does not keep the `MOTW` of the files. If the file you are downloading is compressed in `.zip` format, make sure you open/extract it using Windows built-in support for `.zip` files because it keeps the MOTW of the files. If the compressed file you downloaded is in other formats such as `.7zip` or `.rar`, make sure you use an archive program that supports keeping the Mark of the Web of files after extraction. One of those programs is NanaZip, which is a fork of 7zip, available in Microsoft Store and GitHub; compared to 7zip, it has a better and modern GUI, and the application is digitally signed. After installation, open it, navigate to `Tools` at the top, then select `Options` and set `Propagate zone.id stream` to `Yes`. You can use this PowerShell command to find all the info about the Zone Identifier of the files you downloaded from the Internet.

```powershell
Get-Content <Path-To-File> -Stream zone.identifier
```
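An audit of a whole folder's Mark of the Web, as an added example that is not part of the module: it parses each file's `Zone.Identifier` stream into its zone, host and referrer fields, and explicitly reports files with no mark at all, which is what a FAT32 copy or a non-propagating extractor leaves behind. The function name and default folder are hypothetical.

```powershell
# Added example (not the module's own code): report the MOTW zone of every file
# in a folder, including files whose Zone.Identifier stream is missing.

function Get-MotwReport {
    param([string]$Folder = "$env:USERPROFILE\Downloads")  # hypothetical default

    Get-ChildItem -LiteralPath $Folder -File | ForEach-Object {
        $file = $_

        # A missing stream raises a non-terminating error; treat that as "no mark"
        $raw = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue

        $zone = $null; $referrer = $null; $hostUrl = $null
        foreach ($line in @($raw)) {
            # The stream is INI-style: a [ZoneTransfer] header followed by Key=Value lines
            if     ($line -match '^ZoneId=(\d+)$')      { $zone     = [int]$Matches[1] }
            elseif ($line -match '^ReferrerUrl=(.+)$')  { $referrer = $Matches[1] }
            elseif ($line -match '^HostUrl=(.+)$')      { $hostUrl  = $Matches[1] }
        }

        # URLZONE values: 0 local machine, 1 intranet, 2 trusted, 3 Internet, 4 restricted
        if     ($null -eq $zone) { $zoneName = 'No MOTW' }
        elseif ($zone -eq 3)     { $zoneName = 'Internet' }
        elseif ($zone -eq 4)     { $zoneName = 'Restricted' }
        else                     { $zoneName = "Zone $zone" }

        [PSCustomObject]@{
            Name        = $file.Name
            Zone        = $zoneName
            HostUrl     = $hostUrl
            ReferrerUrl = $referrer
        }
    }
}

Get-MotwReport | Format-Table -AutoSize
```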
`Ask for my PIN` or `Lock it down`. The latter is the most secure one since it will require authentication using the Microsoft Authenticator app. `Ask for my PIN` is recommended for most people because it will only require a PIN to be entered using the controller.
- Unless you are a skilled programmer who can understand and verify every line of the source, personally builds the software from that source, and repeats both of those tasks for every subsequent version, seeing the source code has no practical effect on your security, because you are not able to understand or verify it.
- Do not assume that the entire open source community audits and verifies every line of code just because the source is available. The XZ Utils backdoor, widely attributed to a state-sponsored actor, was implanted in broad daylight and went unnoticed for a long time.
- The majority of open source programs are unsigned: they carry no digital signature, because their developers have not bought and used a code signing certificate. Among other problems, this makes it harder to establish trust for those programs in security solutions such as Application Control or app whitelisting, and harder to authenticate them at all. Read Microsoft's Introduction to Code Signing. Azure Trusted Signing is an affordable option.
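As an added example (not code from the Harden-Windows-Security repository), the function below shows how to check the signing state the last point is about, before you try to trust a program in an App Control or AppLocker policy: it walks a directory and reports, per file, the Authenticode status, the signer subject and thumbprint, whether the signature is timestamped, and flags `HashMismatch` (a signed file whose content changed after signing). The function name `Get-SignatureReport` and the `-ProblemsOnly` switch are this example's own; the status values come from PowerShell's `Get-AuthenticodeSignature`.

```powershell
# Added example (not part of the Harden-Windows-Security repository):
# report the Authenticode signature state of binaries and scripts under a path.

function Get-SignatureReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path,
        # File types that carry (or should carry) an Authenticode signature
        [string[]]$Include = @('*.exe', '*.dll', '*.sys', '*.msi', '*.ps1', '*.psm1'),
        [switch]$ProblemsOnly   # return only files that are not validly signed
    )

    Get-ChildItem -LiteralPath $Path -File -Recurse -Include $Include | ForEach-Object {
        $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
        $cert = $sig.SignerCertificate

        $result = [pscustomobject]@{
            File        = $_.FullName
            # Valid, NotSigned, HashMismatch (content changed after signing),
            # NotTrusted (chain does not end in a trusted root), UnknownError, ...
            Status      = $sig.Status
            Signer      = if ($cert) { $cert.Subject } else { $null }
            Thumbprint  = if ($cert) { $cert.Thumbprint } else { $null }
            # A timestamped signature stays valid after the signing certificate expires
            TimeStamped = [bool]$sig.TimeStamperCertificate
            # A file that claims a signature but fails the hash check is a tampering indicator
            Tampered    = ($sig.Status -eq 'HashMismatch')
        }

        if (-not $ProblemsOnly -or $result.Status -ne 'Valid') { $result }
    }
}

# Usage: show everything under C:\Tools that an allow-by-publisher rule could not cover
Get-SignatureReport -Path 'C:\Tools' -ProblemsOnly |
    Format-Table Status, Tampered, Signer, File -AutoSize
```

Files that come back `NotSigned` can only be allowed in App Control by file hash (or path, which is weaker), so every new version of the program needs a policy update; a `Valid` signature with a stable signer thumbprint is what lets you write a publisher rule once.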
- Microsoft.com
- Microsoft Learn - Technical Documentation
- Germany - Federal Office for Information Security (BSI)
- Microsoft Tech Community - Official blogs and documentations
- Microsoft Security baselines - Security baselines from Microsoft
- Microsoft Security Response Center (MSRC) YouTube channel
- BlueHat Seattle 2019 || Guarding Against Physical Attacks: The Xbox One Story
- Security Update Guide: The Microsoft Security Response Center (MSRC) investigates all reports of security vulnerabilities affecting Microsoft products and services, and provides the information here as part of the ongoing effort to help you manage security risks and help keep your systems protected.
- Microsoft Security Response Center Blog
- Microsoft Security Blog
- Microsoft Podcasts
- Bug Bounty Program - With bounties worth up to $250,000
- Microsoft Active Protections Program
- Security Update Guide FAQs
- Microsoft On the Issues - Assessments, Investigations and Reports of APTs (Advanced Persistent Threats) and nation-sponsored cyberattack operations globally
- A high level overview paper by Microsoft (in PDF), framework for cybersecurity information sharing and risk reduction
- Microsoft Threat Modeling Tool - for software architects and developers
- Important events to monitor
- Windows Security portal
- Security auditing
- Microsoft SysInternals Sysmon for Windows Event Collection or SIEM
- Privileged Access Workstations
- Enhanced Security Administrative Environment (ESAE)
- New Zealand 2016 Demystifying the Windows Firewall – Learn how to irritate attackers without crippli
- Download Windows virtual machines ready for development
- UK National Cyber Security Centre Advice & guidance
- Global threat activity
- Microsoft Zero Trust
- Understanding malware & other threats, phrases
- Malware naming
- Microsoft Digital Defense Report
- Microsoft Defender for Individuals
- Submit a file for malware analysis
- Submit a driver for analysis
- Service health status
- Microsoft Defender Threat Intelligence
- Microsoft Virus Initiative
- Digital Detectives @Microsoft
- Australia's Essential Eight
- NIST 800-53
- DoD's CMMC (Cybersecurity Maturity Model Certification)
- ISO 27001
- DoD Cyber STIGs (Security Technical Implementation Guides)
- NIST SP 800-171 Rev. 2 - Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
- Clean source principle
- Windows Message Center
- Deprecated features for Windows client
- Microsoft Cybersecurity Reference Architectures
- BlueHat IL 2023 - David Weston - Default Security
- Windows Security best practices for integrating and managing security tools
- Microsoft Exploitability Index
- The Microsoft Incident Response Ninja Hub
Licensed under the MIT License. Free information without any paywall or anything of that nature. The only mission of this GitHub repository is to give all Windows users accurate, up-to-date and correct facts and information about how to stay secure and safe in dangerous environments, and to stay not one but many steps ahead of threat actors.
- Some of the icons are from icons8
- Windows, Azure etc. are trademarks of Microsoft Corporation
If you would like to support my work financially, your generosity is greatly appreciated. This section is specifically for those who want to make a monetary contribution. There are other ways to support such as sharing the repository on social media, starring and so on.
You can donate using the following methods:
- Donate to a Charity That Matters: Instead of donating directly to me, you could donate to a charity that is important to me, one that works to keep us safe and alive: FIDF
- Donate to me personally: My Public Address to Receive BNB (Smart Chain - Coin) - Click/Tap here to view QR code
0xF784a3D4F9A7CC5c26d69de41D7dD6480112114D