Merge pull request #359 from HotCakeX/Harden-Windows-Security-v0.6.6
Harden Windows Security v0.6.6
HotCakeX authored Oct 9, 2024
2 parents 2fdc8f3 + d9c5e66 commit 9d76e56
Showing 26 changed files with 361 additions and 199 deletions.
6 changes: 2 additions & 4 deletions Harden-Windows-Security Module/Harden Windows Security.csproj
Expand Up @@ -37,12 +37,10 @@

<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|AnyCPU'">
<CheckForOverflowUnderflow>True</CheckForOverflowUnderflow>
<TreatWarningsAsErrors>True</TreatWarningsAsErrors>
</PropertyGroup>

<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|AnyCPU'">
<CheckForOverflowUnderflow>True</CheckForOverflowUnderflow>
<TreatWarningsAsErrors>True</TreatWarningsAsErrors>
</PropertyGroup>

<PropertyGroup>
Expand All @@ -64,8 +62,8 @@
<ItemGroup>
<PackageReference Include="Microsoft.PowerShell.SDK" Version="7.5.0-preview.5" />
<PackageReference Include="Microsoft.Toolkit.Uwp.Notifications" Version="7.1.3" />
<PackageReference Include="System.DirectoryServices.AccountManagement" Version="9.0.0-rc.1.24431.7" />
<PackageReference Include="System.Management" Version="9.0.0-rc.1.24431.7" />
<PackageReference Include="System.DirectoryServices.AccountManagement" Version="9.0.0-rc.2.24473.5" />
<PackageReference Include="System.Management" Version="9.0.0-rc.2.24473.5" />
<PackageReference Include="System.Management.Automation" Version="7.5.0-preview.5" />
</ItemGroup>
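Review bot: Dropping `<TreatWarningsAsErrors>True</TreatWarningsAsErrors>` from both the Debug and Release property groups means compiler and analyzer warnings no longer fail the build. That these are the removed lines is inferred from the section's deletion count, since the page lost its +/- markers. For a hardening tool it is worth keeping the gate at least for Release, or narrowing it with `<WarningsAsErrors>` listing the diagnostic IDs that must stay fatal, with a comment recording why the blanket setting was dropped. If warnings from the 9.0.0-rc.2 packages prompted the removal, `<WarningsNotAsErrors>` for just those IDs would be a smaller change.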

Expand Up @@ -661,11 +661,23 @@ await Task.Run(() =>
case "WindowsNetworking":
{
HardenWindowsSecurity.WindowsNetworking.Invoke();

if (HardenWindowsSecurity.GUIProtectWinSecurity.SelectedSubCategories.Contains("WindowsNetworking_BlockNTLM"))
{
HardenWindowsSecurity.WindowsNetworking.WindowsNetworking_BlockNTLM();
}

break;
}
case "MiscellaneousConfigurations":
{
HardenWindowsSecurity.MiscellaneousConfigurations.Invoke();

if (HardenWindowsSecurity.GUIProtectWinSecurity.SelectedSubCategories.Contains("Miscellaneous_WindowsProtectedPrint"))
{
HardenWindowsSecurity.MiscellaneousConfigurations.MiscellaneousConfigurations_WindowsProtectedPrint();
}

break;
}
case "WindowsUpdateConfigurations":
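Review bot: The sub-category keys `"WindowsNetworking_BlockNTLM"` and `"Miscellaneous_WindowsProtectedPrint"` are bare string literals here and again in the sub-category dictionary and preset lists of the GUIProtectWinSecurity section, so a typo in any copy makes `Contains` return false and the selected hardening step is skipped without an error. Declaring each key once, for example `internal const string BlockNTLM = "WindowsNetworking_BlockNTLM";`, and using the constant at every site would let the compiler catch a mismatch. The second key also breaks the naming pattern: the category is `MiscellaneousConfigurations` and the method is `MiscellaneousConfigurations_WindowsProtectedPrint`, but the key is prefixed `Miscellaneous_`. The enclosing switch and the `Task.Run` lambda start and end outside this hunk.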
Expand Up @@ -42,6 +42,8 @@ public partial class GUIProtectWinSecurity
{ "MicrosoftDefender", new string[] { "MSFTDefender_SAC", "MSFTDefender_NoDiagData", "MSFTDefender_NoScheduledTask", "MSFTDefender_BetaChannels" } },
{ "LockScreen", new string[] { "LockScreen_CtrlAltDel", "LockScreen_NoLastSignedIn" } },
{ "UserAccountControl", new string[] { "UAC_NoFastSwitching", "UAC_OnlyElevateSigned" } },
{ "WindowsNetworking", new string[] { "WindowsNetworking_BlockNTLM" } },
{ "MiscellaneousConfigurations", new string[] { "Miscellaneous_WindowsProtectedPrint" } },
{ "CountryIPBlocking", new string[] { "CountryIPBlocking_OFAC" } },
{ "DownloadsDefenseMeasures", new string[] { "DangerousScriptHostsBlocking" } }
};
Expand Down Expand Up @@ -94,14 +96,14 @@ public partial class GUIProtectWinSecurity
"preset: recommended", new System.Collections.Generic.Dictionary<string, List<string>>
{
{ "Categories", new List<string> { "MicrosoftSecurityBaselines", "Microsoft365AppsSecurityBaselines", "MicrosoftDefender", "AttackSurfaceReductionRules", "BitLockerSettings", "DeviceGuard", "TLSSecurity", "LockScreen", "UserAccountControl", "WindowsFirewall", "OptionalWindowsFeatures", "WindowsNetworking", "MiscellaneousConfigurations", "WindowsUpdateConfigurations", "EdgeBrowserConfigurations", "DownloadsDefenseMeasures", "NonAdminCommands" } },
{ "SubCategories", new List<string> { "DangerousScriptHostsBlocking" } }
{ "SubCategories", new List<string> { "WindowsNetworking_BlockNTLM", "DangerousScriptHostsBlocking" } }
}
},
{
"preset: complete", new System.Collections.Generic.Dictionary<string, List<string>>
{
{ "Categories", new List<string> { "MicrosoftSecurityBaselines", "Microsoft365AppsSecurityBaselines", "MicrosoftDefender", "AttackSurfaceReductionRules", "BitLockerSettings", "DeviceGuard", "TLSSecurity", "LockScreen", "UserAccountControl", "WindowsFirewall", "OptionalWindowsFeatures", "WindowsNetworking", "MiscellaneousConfigurations", "WindowsUpdateConfigurations", "EdgeBrowserConfigurations", "CountryIPBlocking", "DownloadsDefenseMeasures", "NonAdminCommands" } },
{ "SubCategories", new List<string> { "MSFTDefender_SAC", "UAC_OnlyElevateSigned", "CountryIPBlocking_OFAC", "DangerousScriptHostsBlocking" } }
{ "SubCategories", new List<string> { "MSFTDefender_SAC", "UAC_OnlyElevateSigned", "WindowsNetworking_BlockNTLM", "Miscellaneous_WindowsProtectedPrint", "CountryIPBlocking_OFAC", "DangerousScriptHostsBlocking" } }
}
}
};
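Review bot: `WindowsNetworking_BlockNTLM` is added to the SubCategories of "preset: recommended" while `Miscellaneous_WindowsProtectedPrint` goes only into "preset: complete", and nothing in the section says why the two are treated differently. Blocking NTLM commonly breaks authentication to hosts and devices that cannot use Kerberos, so a comment above the preset would help, such as `// BlockNTLM is part of 'recommended': check for NTLM-only dependencies before applying`. What the sub-category actually configures is not visible here, so the impact is inferred from its name.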
Expand Up @@ -10,6 +10,7 @@ namespace HardenWindowsSecurity
{
public class ComplianceCategoriex : IValidateSetValuesGenerator
{
// Categories for Confirmation / Compliance Checks
public string[] GetValidValues()
{
string[] categoriex =
Expand All @@ -23,8 +24,8 @@ public string[] GetValidValues()
"DeviceGuard", // 9
"WindowsFirewall", // 19
"OptionalWindowsFeatures", // 14
"WindowsNetworking", // 14
"MiscellaneousConfigurations", // 16
"WindowsNetworking", // 18
"MiscellaneousConfigurations", // 17
"WindowsUpdateConfigurations", // 15
"EdgeBrowserConfigurations", // 14
"NonAdminCommands" // 9
Expand Down Expand Up @@ -90,7 +91,7 @@ private static bool IsTpmPresentAndEnabled()


/// <summary>
/// Main method of the class to return the final authorized categories
/// Main method of the class to return the final authorized categories for Protection
/// For PowerShell cmdlets and GUI elements that will light up based on different criteria
/// </summary>
/// <returns></returns>
Expand Up @@ -198,6 +198,11 @@ public static List<IndividualResult> ProcessCategory(string catName, string meth
// Handle the case where the DWORD value is returned as a uint
regValueStr = regValue.ToString();
}
else if (regValue is string[])
{
// Convert MULTI_STRING (string[]) to a comma-separated string for display
regValueStr = string.Join(",", (string[])regValue);
}
else
{
// Convert the registry value to a string otherwise
Expand Down Expand Up @@ -262,6 +267,11 @@ public static List<IndividualResult> ProcessCategory(string catName, string meth
// Handle the case where the DWORD value is returned as a uint
regValueStr = regValue.ToString();
}
else if (regValue is string[])
{
// Convert MULTI_STRING (string[]) to a comma-separated string for display
regValueStr = string.Join(",", (string[])regValue);
}
else
{
regValueStr = regValue?.ToString();
Expand Down Expand Up @@ -319,6 +329,9 @@ public static List<IndividualResult> ProcessCategory(string catName, string meth
return output;
}

private static readonly char[] separator = [','];



// method to parse the registry value based on its type that is defined in the CSV file
private static object ParseRegistryValue(string type, string value)
Expand All @@ -340,15 +353,20 @@ private static object ParseRegistryValue(string type, string value)
// String values are kept as strings
return value;
}
// Will add more types later if needed, e.g., BINARY, MULTI_STRING etc.
case "MULTI_STRING":
{
// MULTI_STRING values are represented as an array of strings, separated by commas in the CSV file
// Split the CSV value by comma and return as a string array
return value.Split(separator, StringSplitOptions.None);
}
// Will add more types later if needed, e.g., BINARY
default:
{
throw new ArgumentException($"ParseRegistryValue: Unknown registry value type: {type}");
}
}
}


// method to compare the registry value based on its type that is defined in the CSV file
private static bool CompareRegistryValues(string type, object regValue, object expectedValue)
{
Expand Down Expand Up @@ -379,7 +397,21 @@ private static bool CompareRegistryValues(string type, object regValue, object e
// String values are compared as strings using ordinal ignore case
return string.Equals(regValue.ToString(), expectedValue.ToString(), StringComparison.OrdinalIgnoreCase);
}
// Will add more types later if needed, e.g., BINARY, MULTI_STRING etc.
case "MULTI_STRING":
{
// MULTI_STRING values are arrays of strings
// Return false if either is not a string array
if (regValue is not string[] regValueArray || expectedValue is not string[] expectedValueArray)
{
return false;
}

// Compare the arrays by length first, then compare each element using ordinal ignore case
// The order of the MULTI_STRING registry keys will be taken into account when comparing the reg key value against the values defined in the CSV file
return regValueArray.Length == expectedValueArray.Length &&
regValueArray.SequenceEqual(expectedValueArray, StringComparer.OrdinalIgnoreCase);
}
// Will add more types later if needed, e.g., BINARY
default:
{
throw new ArgumentException($"CompareRegistryValues: Unknown registry value type: {type}");
Expand All @@ -393,5 +425,6 @@ private static bool CompareRegistryValues(string type, object regValue, object e
}
return false;
}

}
}
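Review bot: In the `MULTI_STRING` case of ParseRegistryValue, `value.Split(separator, StringSplitOptions.None)` keeps surrounding whitespace and empty entries: a CSV cell written as `a, b` produces the element ` b` with a leading space, and an empty cell produces a one-element array holding an empty string, so neither can equal clean registry data and the item is reported non-compliant. `return value.Split(',', StringSplitOptions.TrimEntries | StringSplitOptions.RemoveEmptyEntries);` avoids both and makes the `separator` field unnecessary. Because the comma is also the delimiter, an expected string that itself contains a comma cannot be expressed, and the `string.Join(",", ...)` display in ProcessCategory has the same ambiguity; a comment on the case stating that limit would help. In CompareRegistryValues the explicit `Length` comparison is redundant, since `SequenceEqual` already returns false for sequences of different length.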
Expand Up @@ -435,9 +435,9 @@ public static Task VerifyDeviceGuard()
nestedObjectArray.Add(new HardenWindowsSecurity.IndividualResult
{
FriendlyName = "Require Platform Security Features",
Compliant = (RequirePlatformSecurityFeatures != null &&
Compliant = RequirePlatformSecurityFeatures != null &&
(RequirePlatformSecurityFeatures.Equals("1", StringComparison.OrdinalIgnoreCase) ||
RequirePlatformSecurityFeatures.Equals("3", StringComparison.OrdinalIgnoreCase))) ? true : false,
RequirePlatformSecurityFeatures.Equals("3", StringComparison.OrdinalIgnoreCase)),
Value = (RequirePlatformSecurityFeatures != null && RequirePlatformSecurityFeatures.Equals("1", StringComparison.OrdinalIgnoreCase)) ?
"VBS with Secure Boot" :
(RequirePlatformSecurityFeatures != null && RequirePlatformSecurityFeatures.Equals("3", StringComparison.OrdinalIgnoreCase)) ?
Expand Up @@ -10,7 +10,7 @@ namespace HardenWindowsSecurity
public static class GlobalVars
{
// Minimum required OS build number
internal const decimal Requiredbuild = 22621.3880M;
internal const decimal Requiredbuild = 22621.4169M;

// Current OS build version
internal static readonly decimal OSBuildNumber = Environment.OSVersion.Version.Build;
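Review bot: `Requiredbuild` packs the build and the update revision into one decimal (`22621.4169M`), and a numeric comparison orders the fractional part as a fraction rather than as an integer revision. For example, a system at revision 900 would read `22621.900M`, which is greater than `22621.4169M` although revision 900 is older than 4169. The comparison itself is outside this hunk, so this is inferred; if the check is done on decimals, the minimum-OS gate can accept builds that lack the required updates. Comparing `System.Version` values, or the build and revision as two separate integers, removes the ambiguity. `OSBuildNumber` on the context line holds only `Version.Build`, so it cannot express the revision at all.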
Expand Up @@ -95,7 +95,7 @@ public static void Initialize(string VerbosePreference = "SilentlyContinue", boo
HardenWindowsSecurity.GlobalVars.MDAVConfigCurrent = HardenWindowsSecurity.ConfigDefenderHelper.GetMpComputerStatus();

// Total number of Compliant values
HardenWindowsSecurity.GlobalVars.TotalNumberOfTrueCompliantValues = 247;
HardenWindowsSecurity.GlobalVars.TotalNumberOfTrueCompliantValues = 252;

// Getting the $VerbosePreference from the calling cmdlet and saving it in the global variable
HardenWindowsSecurity.GlobalVars.VerbosePreference = VerbosePreference;
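Review bot: `TotalNumberOfTrueCompliantValues = 252` is a hand-maintained total. It matches this commit only because the numbers in the ComplianceCategoriex comments, which look like per-category item counts, rose by five from 247 (`WindowsNetworking` 14 to 18, `MiscellaneousConfigurations` 16 to 17). Those counts exist only as comments, so nothing fails if a later change updates one and not the other, and the reported compliance score would then be wrong. Consider deriving the total from the data the checks are built from, or at minimum adding a comment here such as `// Must equal the sum of the per-category counts in ComplianceCategoriex.GetValidValues`. Initialize's body continues outside the hunk.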