Skip to content

Harden Windows Safely, Securely using Official Supported Microsoft methods and proper explanation | Always up-to-date and works with the latest build of Windows | Provides tools and Guides for Personal, Enterprise, Government and Military security levels | Read The Rationale https://github.com/HotCakeX/Harden-Windows-Security/blob/main/Rationale.md

License

Notifications You must be signed in to change notification settings

friadev/Harden-Windows-Security

 
 

Repository files navigation

Big Yummy DonutBig Yummy DonutBig Yummy Donut


Harden Windows Security | A New Threat to Malware

Harden Windows Safely, Securely, Only With Official Microsoft Methods

PowerShell Gallery Version (including pre-releases) PowerShell Gallery Version (including pre-releases)

Twitter Share button

Hardening Categories rotating colorful thing How To Use rotating colorful thing Features rotating colorful thing Related rotating colorful thing Trust rotating colorful thing Support rotating colorful thing Security Recommendations rotating colorful thing Resources rotating colorful thing License rotating colorful thing Wiki rotating colorful thing Basic FAQs

horizontal super thin rainbow RGB line

horizontal super thin rainbow RGB line


Note

Windows by default is secure and safe, this repository does not imply nor claim otherwise. Just like anything, you have to use it wisely and don't compromise yourself with reckless behavior and bad user configuration; Nothing is foolproof. This repository only uses the tools and features that have already been implemented by Microsoft in Windows OS to fine-tune it towards the highest security and locked-down state, using well-documented, supported, recommended and official methods. Continue reading for comprehensive info.


How To UseHowToUseIcon

GitHub logo SVG Apply the Latest Hardening Measures directly From This Github Repository

irm 'https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/Harden-Windows-Security.ps1' | iex

PowerShell icon Pink Install the Harden Windows Security Module from PowerShell Gallery

Check the documentation and How to use

Click/Tap here for commands

Install-Module -Name 'Harden-Windows-Security-Module' -Force
Protect-WindowsSecurity
Confirm-SystemCompliance
Unprotect-WindowsSecurity

Animated APNG demonstrating how the Harden Windows Security PowerShell module works


horizontal super thin rainbow RGB line


YouTube Video showcase

horizontal super thin rainbow RGB line


Requirements RequirementsIcon

Requirements item PowerShell (latest version), Install it from 🛍️ Microsoft Store or using Winget: Winget install Microsoft.PowerShell

Requirements item Any device that meets the Windows 11 hardware and Virtualization Based Security requirements.

Requirements item TPM 2.0, Virtualization technology and Secure Boot enabled in your UEFI settings. Official guide - How to enable Secure Boot on: HP - Lenovo - Dell.

Requirements item Windows editions higher than Home edition.

Requirements item No 3rd party AV installed.

Requirements item Latest available version of Windows installed.

Important

Restart your device after applying the hardening measures.


Harden-Windows-Security is a PowerShell module


Features FeaturesIcon

Features Item Everything always stays up-to-date with the newest proactive security measures that are industry standards and scalable.

Features Item Everything is in plain text, nothing hidden, no 3rd party executable or pre-compiled binary is involved.

Warning

For your own security, do not use any other 3rd party tools, programs or scripts that claim to harden Windows or modify it in any way, unless you can 100% verify it. Never trust 3rd party people on the Internet, always verify their resources and do that after each release. Keep on reading the features to see why this Harden-Windows-Security module is different and read the Trust section to see how you can 100% Trust it.

Features Item No Windows functionality is removed/disabled against Microsoft's recommendations.

Features Item All of the links and sources are from official Microsoft websites, straight from the source. No bias, No FUD, No misinformation and definitely No old obsolete methods. That's why there are no links to 3rd party news websites, forums, made up blogs/articles, and such.

With the following exceptions
Link Count Link Reason
1 Intel website i7 13700k product page
1 state.gov List of State Sponsors of Terrorism
1 orpa.princeton.edu OFAC Sanctioned Countries
2 Wikipedia TLS - providing additional information
1 UK Cyber Security Centre TLS - providing additional information
1 Security.Stackexchange Q&A TLS - providing additional information
1 browserleaks.com/tls TLS - Browser test
1 clienttest.ssllabs.com TLS - Browser test
1 scanigma.com/knowledge-base TLS - providing additional information
1 cloudflare.com/ssl/reference/ TLS - providing additional information
1 github.com/ssllabs/research/ TLS - providing additional information
1 Wayback Machine Providing additional information about Edge Browser

Features Item The module primarily uses Group policies, the Microsoft recommended way of configuring Windows. It also uses PowerShell cmdlets where Group Policies aren't available, and finally uses a few registry keys to configure security measures that can neither be configured using Group Policies nor PowerShell cmdlets. This is why the module doesn't break anything or cause unwanted behavior.

Warning

Any other 3rd party tool/program/script that claims to modify Windows or harden it, if they don't strictly adhere to the official rules above, they can damage your system, cause unknown problems and bugs. How are Group Policies for this module created and maintained?

Features Item This Readme page lists all of the security measures applied by the module.

Features Item When a hardening measure is no longer necessary because it's applied by default by Microsoft on new builds of Windows, it will also be removed from the module in order to prevent any problems and because it won't be necessary anymore.

Features Item The module can be run infinite number of times, it's made in a way that it won't make any duplicate changes.

Features Item Applying these hardening measures makes your PC compliant with Microsoft Security Baselines and Secured-core PC specifications (provided that you use modern hardware that supports the latest Windows security features) - See what makes a Secured-core PC - Check Device Guard article for more info

Secured-core – recommended for the most sensitive systems and industries like financial, healthcare, and government agencies. Builds on the previous layers and leverages advanced processor capabilities to provide protection from firmware attacks.

Features Item Since I originally created this repository for myself and people I care about, I always maintain it to the highest possible standard.

Features Item If you have multiple accounts on your device, you only need to apply the hardening measures 1 time with Admin privileges, that will make system-wide changes. Then you can optionally run the module, without Admin privileges, for each standard user to apply the Non-Admin category.


💡 (back to top)

Harden-Windows-Security is a PowerShell module

Hardening CategoriesHardeningCategoriesIcon

From Top to bottom in order:



Indicator Description
Rotating pink checkmark denoting registry or cmdlet Security measure is applied using PowerShell cmdlets or Registry
Blue Check mark denoting Group Policy Security measure is applied using Group Policies
Rotating green checkmark denoting CSP CSP for the security measure
Rotating green checkmark denoting Subcategory Sub-category - prompts for additional confirmation

💡 (back to top)


horizontal super thin rainbow RGB line


May 9 2023 Windows Boot Manager CVE-2023-24932Rotating pink checkmark denoting registry or cmdlet

An AI generated picture of a cat girl working in a server farm


May 9 2023 Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932

Rotating pink checkmark denoting registry or cmdlet Automatically applies the security measures described in the KB5025885 document page.

KB5026372 must be installed, so make sure your OS is fully up to date first.

You will need to restart your device once. After restart, wait at least for 5-10 minutes and then restart again, as suggested in the official page.

Microsoft Security Response Center post

💡 (back to categories)


horizontal super thin rainbow RGB line


Microsoft Security BaselinesMicrosoftSecurityBaseline

An AI generated picture of a cat girl working in a server farm

Blue Check mark denoting Group Policy A security baseline is a group of Microsoft-recommended configuration settings that explains their security implications. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers.

Continue reading in the official documentation

Optional Overrides for Microsoft Security Baselines

Blue Check mark denoting Group Policy Highly recommended to apply these overrides, the script and module will ask you whether you want to apply them or not. Use Optional Overrides when applying the hardening measures on Azure VMs.

💡 (back to categories)


horizontal super thin rainbow RGB line


Microsoft 365 Apps Security BaselinesMicrosoft365AppsSecurityBaselines

AI generated picture

Blue Check mark denoting Group Policy The security baseline for Microsoft 365 Apps for enterprise is published twice a year, usually in June and December.

More info in Microsoft Learn

Microsoft Security Baselines Version Matrix

💡 (back to categories)


horizontal super thin rainbow RGB line


Microsoft DefenderWindowsDefenderIcon

Microsoft Defender Cloud Protection features and abilities

  • Blue Check mark denoting Group Policy Enables additional security features of Microsoft Defender, You can refer to this official document for full details. Rotating green checkmark denoting CSP CSP

  • Blue Check mark denoting Group Policy The module makes sure Cloud Security Scan and Block At First Sight are enabled to the highest possible security states available, Zero Tolerance Cloud Block level. You need to be aware that this means actions like downloading and opening an unknown file will make Microsoft Defender send samples of it to the Cloud for more advanced analysis and it can take a maximum of 60 seconds (this module sets it to max) from the time you try to open that unknown file to the time when it will be opened (if deemed safe), so you will have to wait. All of these security measures are in place by default in Windows to some extent and happen automatically, but this module maxes them out and sets them to the highest possible levels. Rotating green checkmark denoting CSP CSP Rotating green checkmark denoting CSP CSP

    • Here is an example of the notification you will see in Windows 11 if that happens.

    Windows Security Cloud Scan Notification

  • Blue Check mark denoting Group Policy Enables file hash computation; designed to allow admins to force the anti-malware solution to "compute file hashes for every executable file that is scanned if it wasn't previously computed" to "improve blocking for custom indicators in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). Rotating green checkmark denoting CSP CSP

  • Blue Check mark denoting Group Policy Clears Quarantined items after 1 day instead of the default behavior of keeping them indefinitely. Rotating green checkmark denoting CSP CSP

  • Blue Check mark denoting Group Policy Allows Microsoft Defender to download security updates even on a metered connection. Rotating green checkmark denoting CSP CSP

  • Blue Check mark denoting Group Policy Enables Microsoft Defender to scan mapped network drives, network files, reparse points, Emails and removable drives during a full scan. Rotating green checkmark denoting CSP CSP Rotating green checkmark denoting CSP CSP Rotating green checkmark denoting CSP CSP Rotating green checkmark denoting CSP CSP Rotating green checkmark denoting CSP CSP

  • Blue Check mark denoting Group Policy Sets the Signature Update Interval to every 3 hours instead of automatically. Rotating green checkmark denoting CSP CSP

  • Blue Check mark denoting Group Policy Forces Microsoft Defender to check for new virus and spyware definitions before it runs a scan. Rotating green checkmark denoting CSP CSP

  • Blue Check mark denoting Group Policy Makes Microsoft Defender run catch-up scans for scheduled quick scans. A computer can miss a scheduled scan, usually because the computer is off at the scheduled time, but now after the computer misses two scheduled quick scans, Microsoft Defender runs a catch-up scan the next time someone logs onto the computer. Rotating green checkmark denoting CSP CSP

  • Blue Check mark denoting Group Policy Enables Network Protection of Microsoft Defender Rotating green checkmark denoting CSP CSP

  • Rotating pink checkmark denoting registry or cmdlet Enables scanning of restore points Rotating green checkmark denoting CSP CSP

  • Rotating pink checkmark denoting registry or cmdlet Makes sure Async Inspection for Network protection of Microsoft Defender is turned on - Network protection now has a performance optimization that allows Block mode to start asynchronously inspecting long connections after they're validated and allowed by SmartScreen, which might provide a potential reduction in the cost that inspection has on bandwidth and can also help with app compatibility problems. Rotating green checkmark denoting CSP CSP

  • Rotating pink checkmark denoting registry or cmdlet Rotating green checkmark denoting Subcategory Enables Smart App Control (if it's in Evaluation mode): adds significant protection from new and emerging threats by blocking apps that are malicious or untrusted. Smart App Control also helps to block potentially unwanted apps, which are apps that may cause your device to run slowly, display unexpected ads, offer extra software you didn't want, or do other things you don't expect.

    • Smart App Control is User-Mode (and enforces Kernel-Mode) Windows Defender Application Control policy (WDAC), more info in the Wiki. You can see its status in System Information and enable it manually from Microsoft Defender app's GUI. It is very important for Windows and Windows Defender intelligence updates to be always up-to-date in order for Smart App Control to work properly as it relies on live intelligence and definition data from the cloud and other sources to make a Smart decision about programs and files it encounters.

    • Smart App Control uses ISG (Intelligent Security Graph). The ISG isn't a "list" of apps. Rather, it uses the same vast security intelligence and machine learning analytics that power Microsoft Defender SmartScreen and Microsoft Defender Antivirus to help classify applications as having "known good", "known bad", or "unknown" reputation. This cloud-based AI is based on trillions of signals collected from Windows endpoints and other data sources and processed every 24 hours. As a result, the decision from the cloud can change.

    • Smart App Control can block a program entirely from running or only some parts of it in which case your app or program will continue working just fine most of the time. It's improved a lot since it was introduced, and it continues doing so. Consider turning it on after clean installing a new OS and fully updating it.

    • Smart App Control enforces the Microsoft Recommended Driver Block rules and the Microsoft Recommended Block Rules

    • Once you turn Smart App Control off, it can't be turned on without resetting or reinstalling Windows.

  • Blue Check mark denoting Group Policy Rotating green checkmark denoting Subcategory Enables "Send optional diagnostic data" because it is required for Smart App Control to operate when it's in evaluation mode or turned on, and for communication with Intelligent Security Graph (ISG). You won't see this prompt if Smart App Control is already turned on (this setting will be applied), turned off (this setting will be skipped) or you choose to enable it in the previous step (this setting will be applied). Rotating green checkmark denoting CSP CSP

  • Blue Check mark denoting Group Policy Enables Controlled Folder Access. It helps protect your valuable data from malicious apps and threats, such as ransomware. Controlled folder access protects your data by checking apps against a list of known, trusted apps. Due to the recent wave of global ransomware attacks, it is important to use this feature to protect your valuables files, specially OneDrive folders. Rotating green checkmark denoting CSP CSP

    • If it blocks a program from accessing one of your folders it protects, and you absolutely trust that program, then you can add it to exclusion list using Microsoft Defender GUI or PowerShell. you can also query the list of allowed apps using PowerShell (commands below). with these commands, you can backup your personalized list of allowed apps, that are relevant to your system, and restore them in case you clean install your Windows.
    • Rotating pink checkmark denoting registry or cmdlet The module adds the root of the OneDrive folders of all user accounts present, to the protected folders list of Controlled Folder Access, to provide Ransomware protection for the entire OneDrive folder. Rotating green checkmark denoting CSP CSP
# Add multiple programs to the exclusion list of Controlled Folder Access
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\App\app.exe','C:\Program Files\App2\app2.exe'
# Get the list of all allowed apps
(Get-MpPreference).ControlledFolderAccessAllowedApplications

💡 (back to categories)


horizontal super thin rainbow RGB line


Attack surface reduction rulesASRrulesIcon

AI generated image

Blue Check mark denoting Group Policy Reducing your attack surface means protecting your devices and network, which leaves attackers with fewer ways to perform attacks. Configuring attack surface reduction rules in Windows can help!

Blue Check mark denoting Group Policy Attack surface reduction rules target certain software behaviors, such as: Rotating green checkmark denoting CSP CSP

  • Launching executable files and scripts that attempt to download or run files
  • Running obfuscated or otherwise suspicious scripts
  • Performing behaviors that apps don't usually initiate during normal day-to-day work

Such software behaviors are sometimes seen in legitimate applications. However, these behaviors are often considered risky because they are commonly abused by attackers through malware. Attack surface reduction rules can constrain software-based risky behaviors and help keep your organization safe.

Blue Check mark denoting Group Policy This module enables all 16 available Attack Surface Reduction rules shown in the official chart.

💡 (back to categories)


horizontal super thin rainbow RGB line


Bitlocker SettingsBitlockerIcon

AI generated image


  • Rotating pink checkmark denoting registry or cmdletBlue Check mark denoting Group Policy The module sets up and configures Bitlocker using official documentation, with the most secure configuration and military grade encryption algorithm, XTS-AES-256, to protect the confidentiality and integrity of all information at rest and in use. Rotating green checkmark denoting CSP CSP Rotating green checkmark denoting CSP CSP

    • It offers 2 security levels for OS drive encryption: Enhanced and Normal.

    • In Normal security level, the OS drive is encrypted with TPM and Startup PIN. This provides very high security for your data, specially with a PIN that's long, complicated (uppercase and lowercase letters, symbols, numbers, spaces) and isn't the same as your Windows Hello PIN.

    • In Enhanced security level, the OS drive is encrypted with TPM and Startup PIN and Startup key. This provides the highest level of protection by offering Multifactor Authentication. You will need to enter your PIN and also plug in a flash drive, containing a special BitLocker key, into your device in order to unlock it. Continue reading more about it here.

    • Once the OS drive is encrypted, for every other non-OS drive, there will be prompts for confirmation before encrypting it. The encryption will use the same algorithm as the OS drive and uses Auto-unlock key protector. Removable flash drives are skipped.

    • All of the encrypted drives will have recovery password too. It's a 48-digit password that is saved in each drive's root after the encryption begins. It's very important to keep it in a safe and reachable place as soon as possible, e.g., in OneDrive's Personal Vault which requires additional authentication to access. See here and here for more info. You can use it to unlock your drive if you ever lose access to one of your key protectors, such as TPM, Startup PIN or Startup Key.

    • TPM has special anti-hammering logic which prevents malicious user from guessing the authorization data indefinitely. Microsoft defines that maximum number of failed attempts in Windows is 32 and every single failed attempt is forgotten after 2 hours. This means that every continuous two hours of powered on (and successfully booted) operation without an event which increases the counter will cause the counter to decrease by 1. You can view all the details using this PowerShell command: Get-TPM.

    • Check out Lock Screen category for more info about the recovery password and the 2nd anti-hammering mechanism.

    • BitLocker will bring you a real security against the theft of your device if you strictly abide by the following basic rules:

      • As soon as you have finished working, either Hibernate or shut Windows down and allow for every shadow of information to disappear from RAM within 2 minutes. This practice is recommended in High-Risk Environments.

      • Do not mix 3rd party encryption software and tools with Bitlocker. Bitlocker creates a secure end-to-end encrypted ecosystem for your device and its peripherals, this secure ecosystem is backed by things such as software, Virtualization Technology, TPM 2.0 and UEFI firmware, Bitlocker protects your data and entire device against real-life attacks and threats. You can encrypt your external SSDs and flash drives with Bitlocker too.


Important

AMD Zen 2 and 3 CPUs have a vulnerability in them, if you use one of them, make sure your Bitlocker Startup PIN is at least 16 characters long (max is 20).


Refer to this official documentation about the countermeasures of Bitlocker

💡 (back to categories)


horizontal super thin rainbow RGB line


TLS SecurityTLSIcon

AI Generated image


Changes made by this category only affect things that use Schannel SSP: that includes IIS web server, built-in inbox Windows apps and some other programs supplied by Microsoft, including Windows network communications, but not 3rd party software that use portable stacks like Java, nodejs, python or php.

If you want to read more: Demystifying Schannel

Note

The only known program incompatible with this category is Battle.net game client.


  • Rotating pink checkmark denoting registry or cmdlet Disables TLS 1 and TLS 1.1 security protocols that only exist for backward compatibility. All modern software should and do use TLS 1.2 and TLS 1.3. Rotating green checkmark denoting CSP CSP Rotating green checkmark denoting CSP CSP

  • Rotating pink checkmark denoting registry or cmdlet Disables MD5 Hashing Algorithm that is only available for backward compatibility

  • Rotating pink checkmark denoting registry or cmdlet Disables the following weak ciphers that are only available for backward compatibility: "DES 56-bit","RC2 40-bit","RC2 56-bit","RC2 128-bit","RC4 40-bit","RC4 56-bit","RC4 64-bit","RC4 128-bit","3DES 168-bit (Triple DES 168)"

  • Blue Check mark denoting Group Policy Configures the TLS to only use the following secure cipher suites and in this exact order: Rotating green checkmark denoting CSP CSP

TLS_CHACHA20_POLY1305_SHA256
TLS_AES_256_GCM_SHA384
TLS_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
nistP521
curve25519
NistP384
NistP256
curve25519
NistP256
NistP384

Read more in this Wiki post

💡 (back to categories)


horizontal super thin rainbow RGB line


Lock ScreenLockScreenIcon

An AI generated picture of a girl working in a server farm


  • Blue Check mark denoting Group Policy Automatically locks device after X seconds of inactivity (just like mobile phones), which is set to 120 seconds (2 minutes) in this module, you can change that to any value you like. Rotating green checkmark denoting CSP CSP

  • Blue Check mark denoting Group Policy Rotating green checkmark denoting Subcategory Requires CTRL+ALT+DEL on the lock screen, kernel protected set of key strokes. The reason and logic behind it is: Rotating green checkmark denoting CSP CSP

    • A malicious user might install malware that looks like the standard sign-in dialog box for the Windows operating system and capture a user's password. The attacker can then sign into the compromised account with whatever level of user rights that user has.
  • Blue Check mark denoting Group Policy Enables a security anti-hammering feature that sets a threshold of 5 for the number of failed sign-in attempts that causes the device to be locked by using BitLocker. Sign-in attempts include Windows password or Windows Hello authentication methods. This threshold means, if the specified maximum number of failed sign-in attempts is exceeded, the device will invalidate the Trusted Platform Module (TPM) protector and any other protector except the 48-digit recovery password, and then reboot. During Device Lockout mode, the computer or device only boots into the touch-enabled Windows Recovery Environment (WinRE) until an authorized user enters the recovery password to restore full access.

    • This module (in the Bitlocker category) automatically saves the 48-digit recovery password of each drive in itself, the location of it will also be visible on the PowerShell console when you run it. It is very important to keep it in a safe and reachable place, e.g. in OneDrive's Personal Vault which requires authentication to access. See Here and Here for more info about OneDrive's Personal Vault
  • Blue Check mark denoting Group Policy Configures account lockout policy: Account lockout threshold, Sets the number of allowed failed sign-in attempts to 5. In combination with other policies in this category, this means every 5 failed sign-in attempts will need a full day to pass before 5 more attempts can be made, otherwise Bitlocker will engage, system will be restarted and 48-digit Bitlocker code will be asked. This policy greatly prevents brute force attempts. Rotating green checkmark denoting CSP CSP

  • Blue Check mark denoting Group Policy Configures account lockout policy: Sets Account lockout duration to 1440 minutes or 1 day. In combination with other policies in this category, this means every 5 failed sign-in attempts will need a full day to pass before 5 more attempts can be made, otherwise Bitlocker will engage, system will be restarted and 48-digit Bitlocker code will be asked. Rotating green checkmark denoting CSP CSP

  • Blue Check mark denoting Group Policy Configures account lockout policy: Sets Reset account lockout counter to 1440 minutes or 1 day. In combination with other policies in this category, this means every 5 failed sign-in attempts will need a full day to pass before 5 more attempts can be made, otherwise Bitlocker will engage, system will be restarted and 48-digit Bitlocker code will be asked. Rotating green checkmark denoting CSP CSP

  • Blue Check mark denoting Group Policy Hides email address of the Microsoft account on lock screen, if your device is in a trusted place like at home then this isn't necessary.

  • Blue Check mark denoting Group Policy Don't display username at sign-in; If a user signs in as Other user, the full name of the user isn't displayed during sign-in. In the same context, if users type their email address and password at the sign-in screen and press Enter, the displayed text "Other user" remains unchanged, and is no longer replaced by the user's first and last name, as in previous versions of Windows 10. Additionally, if users enter their domain user name and password and click Submit, their full name isn't shown until the Start screen displays. Rotating green checkmark denoting CSP CSP

    • Useful If you have devices that store sensitive data, with monitors displayed in unsecured locations, or if you have devices with sensitive data that are remotely accessed, revealing logged on user's full names or domain account names
  • Blue Check mark denoting Group Policy Rotating green checkmark denoting Subcategory Don't display last signed-in; This security policy setting determines whether the name of the last user to sign in to the device is displayed on the Secure Desktop. If this policy is enabled, the full name of the last user to successfully sign in isn't displayed on the Secure Desktop, nor is the user's sign-in tile displayed. Additionally, if the Switch user feature is used, the full name and sign-in tile aren't displayed. The sign-in screen requests both Username + Windows Hello credentials. Rotating green checkmark denoting CSP CSP

    • This feature can be useful to enable if you live in High-Risk Environments and you don't want anyone to get any information about your accounts when you aren't logged-in.

    • This policy will prevent you from using "Forgot my PIN" feature in lock screen or logon screen. If you forget your PIN, you won't be able to recover it.

    • If you use Windows Hello Face or Fingerprint, you can easily login using those credential providers without the need to supply username first.

  • Blue Check mark denoting Group Policy Don't Display Network Selection UI on Lock Screen (like WIFI Icon); This setting allows you to control whether anyone can interact with available networks UI on the logon screen. Once enabled, the device's network connectivity state cannot be changed without signing into Windows. Suitable for High-Risk Environments. Rotating green checkmark denoting CSP CSP

  • Blue Check mark denoting Group Policy Applies the following PIN Complexity rules to Windows Hello Rotating green checkmark denoting CSP CSP

💡 (back to categories)


horizontal super thin rainbow RGB line


User Account ControlUACIcon

An AI generated picture of a cat girl working in a server farm


  • Blue Check mark denoting Group Policy Prompt for elevation of privilege on secure desktop for all binaries in Administrator accounts, which presents the sign-in UI and restricts functionality and access to the system until the sign-in requirements are satisfied. The secure desktop's primary difference from the user desktop is that only trusted processes running as SYSTEM are allowed to run here (that is, nothing is running at the user's privilege level). The path to get to the secure desktop from the user desktop must also be trusted through the entire chain. Rotating green checkmark denoting CSP CSP

    • This is the default behavior: prompt the administrator in Admin Approval Mode to select either "Permit" or "Deny" for an operation that requires elevation of privilege for any non-Windows binaries. If the Consent Admin selects Permit, the operation will continue with the highest available privilege. This operation will happen on the secure desktop
    • This is the behavior that this module sets: prompts the administrator in Admin Approval Mode to select either "Permit" or "Deny" an operation that requires elevation of privilege. If the Consent Admin selects Permit, the operation will continue with the highest available privilege. "Prompt for consent" removes the inconvenience of requiring that users enter their name and password to perform a privileged task. This operation occurs on the secure desktop.
  • Blue Check mark denoting Group Policy Rotating green checkmark denoting Subcategory Only elevate executables that are signed and validated by enforcing cryptographic signatures on any interactive application that requests elevation of privilege. One of the Potential impacts of it is that it can prevent certain poorly designed programs from prompting for UAC. Rotating green checkmark denoting CSP CSP

  • Blue Check mark denoting Group Policy Rotating green checkmark denoting Subcategory Hides the entry points for Fast User Switching. Rotating green checkmark denoting CSP CSP

    • This policy will prevent you from using "Forgot my PIN" feature in lock screen or logon screen. If you forget your PIN, you won't be able to recover it.

💡 (back to categories)


horizontal super thin rainbow RGB line


Windows FirewallFirewallIcon

An AI generated picture of a cat girl working in a server farm


  • Blue Check mark denoting Group Policy Makes sure Windows Firewall is enabled for all profiles (which is the default) Rotating green checkmark denoting CSP CSP Rotating green checkmark denoting CSP CSP Rotating green checkmark denoting CSP CSP

  • Blue Check mark denoting Group Policy Sets inbound and outbound default actions for Domain Firewall Profile to Block; because this module is Not intended to be used on devices that are part of a domain or controlled by an Active Directory Domain Controller, since they will have their own policies and policy management systems in place. Rotating green checkmark denoting CSP CSP Rotating green checkmark denoting CSP CSP

  • Blue Check mark denoting Group Policy Enables Windows Firewall logging for Domain, Private and Public profiles, sets the log file size for each of them to the max 32.767 MB. Defines separate log files for each of the firewall profiles. Logs only dropped packets for Private and Public profiles, Logs both dropped and successful packets for Domain profile. Rotating green checkmark denoting CSP CSP Rotating green checkmark denoting CSP CSP Rotating green checkmark denoting CSP CSP Rotating green checkmark denoting CSP CSP Rotating green checkmark denoting CSP CSP Rotating green checkmark denoting CSP CSP Rotating green checkmark denoting CSP CSP Rotating green checkmark denoting CSP CSP Rotating green checkmark denoting CSP CSP

  • Rotating pink checkmark denoting registry or cmdlet Disables Multicast DNS (mDNS) UDP-in Firewall Rules for all 3 Firewall profiles, This might interfere with Miracast screen sharing, which relies on the Public profile, and homes where the Private profile is not selected, but it does add an extra measure of security in public places, like a coffee shop.

💡 (back to categories)


horizontal super thin rainbow RGB line


Optional Windows FeaturesOptionalFeaturesIcon

An AI generated picture of a cat girl working in a server farm


💡 (back to categories)


horizontal super thin rainbow RGB line


Windows NetworkingNetworkingIcon

An AI generated picture of a cat girl working in a server farm


💡 (back to categories)


horizontal super thin rainbow RGB line


Miscellaneous ConfigurationsMiscellaneousIcon

An AI generated picture of a cat girl working in a server farm


💡 (back to categories)


horizontal super thin rainbow RGB line


Windows Update ConfigurationsWindowsUpdate

Windows Update


Windows updates are extremely important. They always should be installed as fast as possible to stay secure and if a reboot is required, it should be done immediately. Threat actors can weaponize publicly disclosed vulnerabilities the same day their POC (Proof-Of-Concept) is released..

In Windows by default, devices will scan daily, automatically download and install any applicable updates at a time optimized to reduce interference with usage, and then automatically try to restart when the end user is away.

The following policies the module configures make sure the default behavior explained above is tightly enforced.

💡 (back to categories)


horizontal super thin rainbow RGB line


Edge Browser configurationsEdgeBrowser

An AI generated picture of a cat girl working in a server farm


TLS_RSA_WITH_AES_256_CBC_SHA  Reason: NO Perfect Forward Secrecy, CBC, SHA1
TLS_RSA_WITH_AES_128_CBC_SHA  Reason: NO Perfect Forward Secrecy, CBC, SHA1
TLS_RSA_WITH_AES_128_GCM_SHA256  Reason: NO Perfect Forward Secrecy
TLS_RSA_WITH_AES_256_GCM_SHA384  Reason: NO Perfect Forward Secrecy
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA  Reason: CBC, SHA1
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA  Reason: CBC, SHA1

Due to security reasons, many policies cannot be used when you are signed into Edge browser using personal Microsoft account. This module does not use any of those policies. When those policies are applied, they are ignored by the browser and edge://policy/ shows an error for them.


  • You can view all of the policies being applied to your Edge browser by visiting this page: edge://policy/
  • You can find all of the available internal Edge pages in here: edge://about/

Edge policies reviewed until version 120.0.2210.121

💡 (back to categories)


horizontal super thin rainbow RGB line


Certificate Checking CommandsCertificateIcon

An AI generated picture of a cat girl working in a server farm


Rotating pink checkmark denoting registry or cmdlet In this category, the module downloads and runs sigcheck64.exe from Sysinternals, then lists valid certificates not rooted to the Microsoft Certificate Trust List in the User and Machine certificate stores. Except for some possible Microsoft certificates, Windows insider builds certificates or certificates that have your own computer's name, which are perfectly safe and should not be deleted, All other certificates that will be listed should be treated as dangerous and removed from your system immediately.

💡 (back to categories)


horizontal super thin rainbow RGB line


Country IP BlockingCountryIPBlockingIcon

An AI generated picture of a cat girl working in a server farm


Rotating pink checkmark denoting registry or cmdlet The module uses the newest range of IPv4 and IPv6 addresses of State Sponsors of Terrorism and OFAC Sanctioned Countries, directly from official IANA sources repository, then creates 2 rules (inbound and outbound) for each list in Windows firewall, completely blocking connections to and from those countries.

Once you have those Firewall rules added, you can use this method to see if any of the blocked connections were from/to those countries.

Note

Threat actors can use VPN, VPS etc. to mask their originating IP address and location. So don't take this category as the perfect solution for network protection.

💡 (back to categories)


horizontal super thin rainbow RGB line


Downloads Defense Measures Downloads Defense Measures icon

An AI generated picture of a cat girl on the roof


Rotating pink checkmark denoting registry or cmdlet To combat the threat of more sophisticated malware, a preemptive measure is taken by creating and deploying a WDAC policy on the system. This policy blocks the execution of executables and other potentially harmful file types in the Downloads folder, using the WDACConfig module.

This policy defends the system from malware that can launch itself automatically after being downloaded from the Internet. The user must ensure the file's safety and explicitly transfer it to a different folder before running it.

The WDAC policy employs a wildcard pattern to prevent any file from running in the Downloads folder. Additionally, it verifies that the system downloads folder in the user directory matches the downloads folder in the Edge browser's settings. If there is a discrepancy, a warning message is displayed on the console.

The policy can be removed by the Unprotect-WindowsSecurity or Remove-WDACConfig cmdlets.

💡 (back to categories)


horizontal super thin rainbow RGB line


Non-Admin CommandsNonAdminIcon

An AI generated picture of a cat girl working in a server farm


You don't need Admin privileges to run this category, because no system-wide changes is made. Changes in this category only apply to the current user account that is running the PowerShell session.

  • Rotating pink checkmark denoting registry or cmdlet Shows known file extensions in File explorer
  • Rotating pink checkmark denoting registry or cmdlet Shows hidden files, folders and drives (toggles the control panel folder options item)
  • Rotating pink checkmark denoting registry or cmdlet Disables websites accessing local language list - good for privacy
  • Rotating pink checkmark denoting registry or cmdlet Turns off safe search in Windows search, will enable +18 content to appear in searches; essentially toggles the button in: Windows settings > privacy and security > search permissions > safe search
  • Rotating pink checkmark denoting registry or cmdlet Enables Clipboard History and sync with Microsoft Account
  • Rotating pink checkmark denoting registry or cmdlet Turns on text suggestions when typing on the physical keyboard
  • Rotating pink checkmark denoting registry or cmdlet Turns on "Multilingual text suggestions" for the current user, toggles the option in Windows settings
  • Rotating pink checkmark denoting registry or cmdlet Turns off sticky key shortcut of pressing shift key 5 times fast
  • Rotating pink checkmark denoting registry or cmdlet Disables Show reminders and incoming VoIP calls on the lock screen

💡 (back to categories)


horizontal super thin rainbow RGB line


RelatedRelatedIcon

An AI generated picture of a cat girl working in a server farm


Azure DevOps Repository (mirror) bullet list item Azure DevOps Repository (mirror)

Harden Windows Security website bullet list item Harden Windows Security website

Official global IANA IP block for each country bullet list item Official global IANA IP block for each country

Windows Security Blog bullet list item Windows Security Blog

WinSecureDNSMgr bullet list item WinSecureDNSMgr

Privacy, Anonymity and Compartmentalization bullet list item Privacy, Anonymity and Compartmentalization


horizontal super thin rainbow RGB line


TrustTrustIcon

An AI generated picture of a cat girl working in a server farm

How can you 100% trust this repository and know that nothing shady is going on?

This repository uses the simplest possible, yet effective, methods that make it very easy to verify:


Virus Total scan results of Security-Baselines-X.zip
Virus Total scan results of EventViewerCustomViews.zip

Links above are automatically updated using GitHub workflow that detects changes to the files and uploads them to Virus Total website for scanning.

Virus Total PSScriptAnalyzer

💡 (back to top)


horizontal super thin rainbow RGB line


SupportSupportIcon

A beautiful pink laptop Windows 11, located on the table with coffee on the side

If you have any questions, requests, suggestions etc If you have any questions, requests, suggestions etc. about this GitHub repository and its content, please open a new discussion or Issue.

Reporting a vulnerability on this GitHub repository Reporting a vulnerability on this GitHub repository.

SpyNetGirl aka HotCakeX Outlook Email Address I can also be reached privately at: [email protected]


💡 (back to top)


horizontal super thin rainbow RGB line


Security RecommendationsSecurityRecommendationIcon

A beautiful pink laptop Windows 11, located on the table with coffee on the side

  • Red Star denoting Security Recommendation Always download your operation system from official Microsoft websites. Right now, Windows 11 is the latest version of Windows, its ISO file can be downloaded from this official Microsoft server. One of the worst things you can do to your own security and privacy is downloading your OS, which is the root of all the active and passive security measures, from a 3rd party website claiming they have the official unmodified files. There are countless bad things that can happen as the result of it such as threat actors embedding malware or backdoors inside the customized OS, or pre-installing customized root CA certificates in your OS so that they can perform TLS termination and view all of your HTTPS and encrypted Internet data in plain clear text, even if you use VPN. Having a poisoned and compromised certificate store is the endgame for you, and that's just the tip of the iceberg.


  • Red Star denoting Security Recommendation Whenever you want to install a program or app, first use the Microsoft Store or Winget, if the program or app you are looking for isn't available in there, then download it from its official website. Somebody created a nice web interface for interacting with Winget CLI here. Using Winget or Microsoft store provides many benefits:

    • Microsoft store UWP apps are secure in nature, digitally signed, in MSIX format. That means, installing and uninstalling them is guaranteed and there won't be any leftovers after uninstalling.

    • Microsoft store has Win32 apps too, they are traditional .exe installers that we are all familiar with. The store has a library feature that makes it easy to find the apps you previously installed.

    • Both Microsoft and Winget check the hash of the files by default, if a program or file is tampered, they will warn you and block the installation, whereas when you manually download a program from a website, you will have to manually verify the file hash with the hash shown on the website, if any.





  • Red Star denoting Security Recommendation Make sure OneDrive backup for important folders (Desktop/Documents/Pictures) is enabled. It is fast, secure and works in any network condition and since it's x64 (64-bit), it can handle a Lot of small and large files simultaneously.

  • Red Star denoting Security Recommendation If you live in a western country, NATO country, European country or Australia, do not use VPNs. your local ISP (Internet service provider) is a lot more trustworthy than the remote VPN server's ISP. Using VPN only takes the trust from your own local ISP and puts it in the hands of the remote ISP that the VPN server uses for its Internet, Nothing else. period. Do not fall for the fake advertisements of VPN companies, you never know who is behind the VPN provider, what their political views are, their background, where their allegiance lies. The permissive civilized western world could allow a state sponsor of terrorism or some other hostile country to create a VPN company in here and gather intelligence and collect bulk data for mining, tracking etc. this has happened before and one of the most recent revelations is about a VPN provider called Betternet, based in Canada, ran by IRGC terrorists and their families abroad. Stay vigilant and smart.


  • Red Star denoting Security Recommendation Go passwordless with your Microsoft account and use Windows Hello authentication. In your Microsoft account which has Outlook service, you can create up to 10 Email aliases in addition to the 1 Email address you get when you made your Microsoft account, that means without creating a new account, you can have 11 Email addresses all of which will use the same inbox and account. You can specify which one of those Email aliases can be used to sign into your account, in the sign in preferences of your Microsoft account settings. So for example, when going passwordless, if you need you can give one of your Email aliases to others for communication or add it to a public profile of yours, then block sign in using that Email alias so nobody can send you authenticator notifications by entering that Email alias in the sign in page, and use the other 10 aliases that are private to sign into your Microsoft account with peace of mind. You can create a rule in your Outlook so that all of the Emails sent to your public Email alias will be stored in a different folder, apart from your other inbox emails. All of this can be done using free Microsoft account and Outlook webapp.

  • Red Star denoting Security Recommendation Set a strong password for the UEFI firmware of your device so that it will ask for password before allowing any changes to be made to firmware. You can also configure the password to be required on startup.

  • Red Star denoting Security Recommendation Use NTFS (which is the default Filesystem in Windows) or ReFS (Resilient File System, newer). In addition to all their benefits, they support Mark Of The Web (MOTW) or zone.identifier. When a file is downloaded to a device running Windows, Mark of the Web is added to the file, identifying its source as being from the internet. You can read all the information about it in here. If your USB flash drive is formatted as FAT32, change it to NTFS, because FAT32 does not keep the MOTW of the files. If the file you are downloading is compressed in .zip format, make sure you open/extract it using Windows built-in support for .zip files because it keeps the MOTW of the files. If the compressed file you downloaded is in other formats such as .7zip or .rar, make sure you use an archive program that supports keeping the mark of the Web of files after extraction. One of those programs is NanaZip which is a fork of 7zip, available in Microsoft Store and GitHub, compared to 7zip, it has better and modern GUI, and the application is digitally signed. After installation, open it, navigate to Tools at the top then select Options, set Propagate zone.id stream to Yes. You can use this PowerShell command to find all the info about the Zone Identifier of the files you downloaded from the Internet.
Get-Content <Path-To-File> -stream zone.identifier

  • Red Star denoting Security Recommendation When using Xbox, make sure you configure sign-in preference and set it to either Ask for my PIN or Lock it down. The latter is the most secure one since it will require authentication using Microsoft Authenticator app. Ask for my PIN is recommended for the most people because it will only require a PIN to be entered using controller.

  • Red Star denoting Security Recommendation A few reminders about open source programs:

    • Unless you are a skilled programmer who can understand and verify every line of code in the source, and spends time to personally build the software from the source, and repeats all the aforementioned tasks for each subsequent version, then seeing the source code won't have any effect on you because you aren't able to understand nor verify it.

    • The majority of "open source" programs are unsigned, meaning they don't have a digital signature, their developers haven't bought and used a code signing certificate to sign their program. Among other problems, this poses a danger to the end-users, makes it harder to create trust for those programs in security solutions and makes it hard to authenticate them. Read Microsoft's Introduction to Code Signing or Digicert's 5 reasons why Code Signing is necessary.

    • When using "open source" program, there is not the kind of liability that you've got when you consume software from a commercial entity that is obligated and knows their reputation is at risk/stake, that they have potential legal liability if there are vulnerabilities in their software. In the open-source world, there is a volunteer, consume it as is, and if there is a problem with the software, that's your responsibility.


  • Red Star denoting Security Recommendation Use Microsoft account (MSA) or Microsoft Entra ID to sign into Windows. Never use local administrators. Real security is achieved when there is no local administrator and identities are managed using Entra ID. You will be able to enforce Multi-factor unlock, for example use PIN + Fingerprint or PIN + Facial recognition, to unlock your device.

  • Red Star denoting Security Recommendation More Security Recommendations coming soon...

💡 (back to top)


horizontal super thin rainbow RGB line


ResourcesResourcesIcon

A beautiful pink laptop Windows 11, located on the table with coffee on the side

💡 (back to top)


LicenseLicenseFreeIcon

Using MIT License. Free information without any paywall or things of that nature. The only mission of this GitHub repository is to give all Windows users accurate, up to date and correct facts and information about how to stay secure and safe in dangerous environments, and to stay not one, but Many steps, ahead of threat actors.

Credits:

  • All of the AI generated images are either created by Microsoft Bing image creator, Microsoft Designer or generated by me using Stable Diffusion
  • Some of the GIFs are from emoji.gg
  • Some of the icons are from icons8
  • Windows, Azure etc. are trademarks of Microsoft Corporation

Harden-Windows-Security is a PowerShell module


GitHub profile and icon Lastfm profile and icon OneDrive album profile and icon Spotify profile and icon StackExchange profile and icon Steam profile and icon Twitch profile and icon Website and icon Twitter profile and icon Xbox profile and icon YouTube profile and icon Reddit profile and icon Rockstar Social Club profile and icon Uplay profile and icon Microsoft Tech Community profile and icon OutLook Email address and icon Orcid profile and icon Medium profile and icon BlueSky profile and icon Mastadon profile and icon Facebook profile and icon

Harden-Windows-Security is a PowerShell module

💡 (back to top)


About

Harden Windows Safely, Securely using Official Supported Microsoft methods and proper explanation | Always up-to-date and works with the latest build of Windows | Provides tools and Guides for Personal, Enterprise, Government and Military security levels | Read The Rationale https://github.com/HotCakeX/Harden-Windows-Security/blob/main/Rationale.md

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • PowerShell 99.7%
  • C# 0.3%