Harden Windows Security v0.7.1 (#494)
During the compliance checking, MDM results that are not used by the module are no longer collected, improving the performance and speed, especially on lower end hardware.

Adjusted the TLS Category's Intune Json config to match the new schema.

Added a new sub-category for the TLS category, called "TLS for BattleNet". When selected, the TLS category will deploy the group policy that has the extra cipher suite TLS_RSA_WITH_AES_256_CBC_SHA which is less secure but required for BattleNet client to connect to its servers. Fixes -> [BUG?]: TLS Security fix for Battle.net not working #489

This means the BattleNet client is no longer automatically detected on the system, because it is sometimes installed in a non-default location. Now the user is in control to decide whether to use the extra cipher suite or not.
WDACConfig module is no longer used/installed for Downloads Defense Measures category. All the necessary logic for policy creation is now implemented natively. This substantially improves the performance and allows for full offline usage of this category and its sub-categories.

This also facilitates the deprecation of the WDACConfig module which is replaced with the new modern AppControl Manager.
HotCakeX authored Jan 2, 2025
1 parent 42b6323 commit 3ea3b8d
Showing 22 changed files with 984 additions and 651 deletions.
30 changes: 19 additions & 11 deletions Harden-Windows-Security Module/Main files/C#/CimInstances/MDM.cs
Original file line number Diff line number Diff line change
Expand Up @@ -46,12 +46,9 @@ private static async Task<Dictionary<string, List<Dictionary<string, object>>>>
foreach (MdmRecord record in records)
{
// Process only authorized records
if (record.Authorized?.Equals("TRUE", StringComparison.OrdinalIgnoreCase) == true)
if (record.Authorized.Equals("TRUE", StringComparison.OrdinalIgnoreCase))
{

// Debugging output
// Logger.LogMessage($"Namespace: {record.Namespace}, Class: {record.Class}");

// Add a new task for each class query
tasks.Add(Task.Run(() =>
{
Expand All @@ -72,7 +69,7 @@ private static async Task<Dictionary<string, List<Dictionary<string, object>>>>
}

// Create object query for the current class
string classQuery = record.Class?.Trim() ?? throw new InvalidOperationException("Record.Class is null");
string classQuery = record.Class.Trim();
ObjectQuery query = new("SELECT * FROM " + classQuery);

// Create management object searcher for the query
Expand Down Expand Up @@ -125,14 +122,24 @@ private static async Task<Dictionary<string, List<Dictionary<string, object>>>>
return results;
}

// Helper method to get property value as original type

/// <summary>
/// Helper method to get property value as original type
/// </summary>
/// <param name="prop"></param>
/// <returns></returns>
private static object GetPropertyOriginalValue(PropertyData prop)
{
// Return the value of the property
return prop.Value;
}

// Helper method to read CSV file asynchronously

/// <summary>
/// Helper method to read CSV file asynchronously
/// </summary>
/// <param name="filePath"></param>
/// <returns></returns>
private static async Task<List<MdmRecord>> ReadCsvFileAsync(string filePath)
{
List<MdmRecord> records = [];
Expand All @@ -149,9 +156,10 @@ private static async Task<List<MdmRecord>> ReadCsvFileAsync(string filePath)
continue; // Skip the header line
}

// This check is redundant but shows explicit handling
if (line is null)
{
continue;
}

string[] values = line.Split(',');

Expand All @@ -175,8 +183,8 @@ private static async Task<List<MdmRecord>> ReadCsvFileAsync(string filePath)
// Class to represent a record in the CSV file
private sealed class MdmRecord
{
internal string? Namespace { get; set; }
internal string? Class { get; set; }
internal string? Authorized { get; set; }
internal required string Namespace { get; set; }
internal required string Class { get; set; }
internal required string Authorized { get; set; }
}
}
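Review bot: `string classQuery = record.Class.Trim();` in the second hunk now feeds straight into `new("SELECT * FROM " + classQuery)` with no check that the CSV value is a plausible WMI class name; the `required` modifier on MdmRecord only guarantees the string is non-null, not that it is non-empty or free of WQL syntax. The CSV appears to ship with the module, so this is defence in depth rather than an exploitable path, but a guard such as `if (classQuery.Length == 0 || !classQuery.All(c => char.IsLetterOrDigit(c) || c == '_')) throw new InvalidOperationException($"Unexpected MDM class name in CSV: '{classQuery}'");` (LINQ `All`) would turn a malformed or hand-edited line into a clear error instead of an arbitrary query. Separately, the XML doc comments added in the third hunk leave `<param name="prop">`, `<param name="filePath">` and both `<returns>` tags empty; fill them, e.g. `/// <returns>The raw <see cref="PropertyData.Value"/> without any type conversion.</returns>` and `/// <param name="filePath">Path of the CSV file listing MDM namespaces and classes.</param>`. Both the query method and ReadCsvFileAsync start and end outside the hunks shown.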
Original file line number Diff line number Diff line change
Expand Up @@ -606,6 +606,10 @@ await Task.Run(() =>
case "TLSSecurity":
{
TLSSecurity.Invoke();
if (SelectedSubCategories.Contains("TLSSecurity_BattleNetClient"))
{
TLSSecurity.TLSSecurity_BattleNetClient();
}
break;
}
case "LockScreen":
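Review bot: The new `TLSSecurity.TLSSecurity_BattleNetClient()` call in the `TLSSecurity` case gives no hint that it weakens the baseline just applied by `TLSSecurity.Invoke()`; per the commit description it deploys a policy that re-adds the TLS_RSA_WITH_AES_256_CBC_SHA cipher suite. A comment at the call site would make the trade-off visible to the next reader, e.g. `// Opt-in sub-category: re-enables the weaker TLS_RSA_WITH_AES_256_CBC_SHA suite the Battle.net client needs, layered on top of the baseline TLS policy.`, and if the order relative to `Invoke()` matters (it looks like the later policy wins, but that is inferred from call order only) the comment should say so. The literal `"TLSSecurity_BattleNetClient"` is also added to the sub-category map in the GUIProtectWinSecurity file section; a shared constant would keep the two from drifting. The `await Task.Run(() =>` lambda that contains this switch starts and ends outside the hunk.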
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,7 @@ public static partial class GUIProtectWinSecurity
{ "LockScreen", new string[] { "LockScreen_CtrlAltDel", "LockScreen_NoLastSignedIn" } },
{ "UserAccountControl", new string[] { "UAC_NoFastSwitching", "UAC_OnlyElevateSigned" } },
{ "WindowsNetworking", new string[] { "WindowsNetworking_BlockNTLM" } },
{ "TLSSecurity", new string[] { "TLSSecurity_BattleNetClient" } },
{ "MiscellaneousConfigurations", new string[] { "Miscellaneous_WindowsProtectedPrint", "MiscellaneousConfigurations_LongPathSupport", "MiscellaneousConfigurations_StrongKeyProtection" } },
{ "DeviceGuard", new string[] { "DeviceGuard_MandatoryVBS" } },
{ "CountryIPBlocking", new string[] { "CountryIPBlocking_OFAC" } },