Merge pull request #207 from HotCakeX/Harden-Windows-Security-Module-v0.3.2

Harden Windows Security Module v0.3.2
HotCakeX committed Feb 24, 2024
2 parents 3ff9f49 + 8401b7e commit 0573332
Showing 12 changed files with 154 additions and 89 deletions.

@@ -1,7 +1,10 @@
#Requires -Version 7.4
#Requires -PSEdition Core
# Applies the style to the Protect-WindowsSecurity when running as script straight from the GitHub, as well as all of the cmdlets of the Harden Windows Security module
$PSStyle.Progress.UseOSCIndicator = $true
Function Protect-WindowsSecurity {
[CmdletBinding(DefaultParameterSetName = 'Online Mode')]
[OutputType([System.String])]
param (
[parameter(Mandatory = $false, ParameterSetName = 'Online Mode')]
[parameter(Mandatory = $false, ParameterSetName = 'Offline Mode')]
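Review bot: `$PSStyle.Progress.UseOSCIndicator = $true` at the top of this hunk runs at file scope when the module is imported, so it changes a session-wide preference for the caller rather than anything local to Protect-WindowsSecurity, and nothing in the hunk restores the previous value. If the goal is only to style this module's own progress bars, capture the old value first (for example `$OldIndicator = $PSStyle.Progress.UseOSCIndicator`) and put it back in a `finally` block when the cmdlet exits; if leaving the caller's session changed is intentional, say so in the comment, which currently reads as though the setting applied only to this cmdlet.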
@@ -3,6 +3,7 @@ Function Unprotect-WindowsSecurity {
SupportsShouldProcess = $true,
ConfirmImpact = 'High'
)]
[OutputType([System.String])]
param (
[Parameter(Mandatory = $false)]
[System.Management.Automation.SwitchParameter]$OnlyProcessMitigations,
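Review bot: the new `[OutputType([System.String])]` is advisory only; PowerShell does not enforce it at runtime, it is consumed by tooling such as `Get-Command` and tab completion. Before committing to it, check that every code path of Unprotect-WindowsSecurity, including the `-WhatIf` path implied by `SupportsShouldProcess = $true`, writes only strings to the pipeline; if some path emits objects or nothing at all, the declared type will mislead callers who rely on it.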
@@ -4,7 +4,7 @@
RootModule = 'Harden-Windows-Security-Module.psm1'

# Version number of this module.
ModuleVersion = '0.3.1'
ModuleVersion = '0.3.2'

# Supported PSEditions
CompatiblePSEditions = @('Core')
@@ -67,7 +67,7 @@ Harden Windows Safely, Securely, only with Official Microsoft methods
💎 This module has hybrid mode of operation. It can run Interactively and non-interactively (Silent/unattended mode). More info in the document: https://github.com/HotCakeX/Harden-Windows-Security/wiki/Harden%E2%80%90Windows%E2%80%90Security%E2%80%90Module
🏴 If you have any questions, requests, suggestions etc. about this script, please open a new Discussion or Issue on GitHub
🏴 If you have any questions, requests, suggestions etc. about this module, please open a new Discussion or Issue on GitHub
🟡 The module generates a nice output on the screen as well as giving users an option to export the results in a CSV file.
Binary file not shown.
@@ -10,6 +10,7 @@ Function Test-IsAdmin {
System.Boolean
#>
[CmdletBinding()]
[OutputType([System.Boolean])]
param()
[System.Security.Principal.WindowsIdentity]$Identity = [Security.Principal.WindowsIdentity]::GetCurrent()
[System.Security.Principal.WindowsPrincipal]$Principal = New-Object -TypeName 'Security.Principal.WindowsPrincipal' -ArgumentList $Identity
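Review bot: style point on the two lines following the new attribute: the type constraints use the fully qualified `[System.Security.Principal.WindowsIdentity]` and `[System.Security.Principal.WindowsPrincipal]`, while the call on the same line and the `New-Object -TypeName` argument use the shortened `Security.Principal.*` form. Pick one form (the fully qualified one matches the rest of the hunk). Since `WindowsPrincipal` has a public constructor, `[System.Security.Principal.WindowsPrincipal]::new($Identity)` also avoids the string-based type lookup that `New-Object -TypeName` performs.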
@@ -12,6 +12,7 @@ function Update-self {
System.String
#>
[CmdletBinding()]
[OutputType([System.String])]
param(
[Parameter(Mandatory = $true, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true, Position = 0)]
[ValidatePattern('^(Protect-WindowsSecurity|Unprotect-WindowsSecurity|Confirm-SystemCompliance)(?!.*[;`]).*$', ErrorMessage = 'Either Update-self function was called with an unauthorized command or it contains semicolon and/or backtick')]
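Review bot: the `[ValidatePattern]` on the parameter that follows the new attribute is a denylist, and a weak one. It pins the command name prefix but then accepts any tail (`.*`) as long as it contains no `;` or backtick: `Protect-WindowsSecurity $(Remove-Item x)`, `Protect-WindowsSecurity | Out-Null` and, on PowerShell 7, `Protect-WindowsSecurity && evil` all pass, and so does `Protect-WindowsSecurityAnything` because there is no word boundary after the alternation. If this string is later evaluated (`Invoke-Expression` or equivalent), the guard is not a safe boundary; pass the cmdlet name and its parameters as separate values and invoke with `& $Command @Params`, or tighten the pattern to the exact argument grammar you expect, for example `^(Protect-WindowsSecurity|Unprotect-WindowsSecurity|Confirm-SystemCompliance)( -[A-Za-z]+)*$`.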
@@ -7,4 +7,4 @@
Import-Module -FullyQualifiedName "$ScriptFilePath\..\Main files\Harden-Windows-Security-Module.psd1" -Force

# Uncomment and replace with any cmdlet of the Harden-Windows-Security module that is going to be debugged
Protect-WindowsSecurity -Verbose
Confirm-SystemCompliance -Verbose
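Review bot: the comment above the changed line says "Uncomment and replace with any cmdlet", but the line was never commented out; before this change it ran `Protect-WindowsSecurity -Verbose` unconditionally and now it runs `Confirm-SystemCompliance -Verbose` unconditionally. Either prefix the line with `#` so the comment's instruction is true, or reword the comment to "Replace with the cmdlet being debugged".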
2 changes: 1 addition & 1 deletion Harden-Windows-Security Module/version.txt
@@ -1 +1 @@
0.3.1
0.3.2
@@ -26,7 +26,7 @@ It possesses the ability to operate entirely in isolation, useful for systems or

## How the Compliance Checking Works

This module verifies and validates all of the security measures applied by the `Protect-windowsSecurity` cmdlet. It checks registry keys if the script uses Group Policy or registry, PowerShell cmdlets if the script invokes them and Security Group Policy if the script applies them.
This module verifies and validates all of the security measures applied by the `Protect-windowsSecurity` cmdlet. It checks registry keys if the module uses Group Policy or registry, PowerShell cmdlets if the module invokes them and Security Group Policy if the module applies them.

Compliance checking strictly follows the guidelines and security measures of this GitHub repository. Any minor deviation from them will result in a `false` value for the corresponding check.

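Review bot: while touching the "script" to "module" wording on this line, also fix the cmdlet name: `Protect-windowsSecurity` (lowercase w) does not match `Protect-WindowsSecurity` as declared in the module, and the mixed casing survives into the new line. Separately, the sentence "It checks registry keys if the module uses Group Policy or registry" leaves it unclear whether Group Policy settings are verified through the registry values they write or through the policy objects themselves; one clause saying which would help readers of the compliance report.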
8 changes: 4 additions & 4 deletions Wiki posts/Miscellaneous/Comparison of security benchmarks.md
@@ -75,7 +75,7 @@ STIG commits the same error, as it only provides a generic Windows 11 guideline/

You can [read this Microsoft document](https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password) to find out why a PIN is better than an online password

There are proper policies regarding anti-hammering features that can enhance the security of PINs over passwords. I utilize them in my script and [you can find them here](https://github.com/HotCakeX/Harden-Windows-Security#lock-screen).
There are proper policies regarding anti-hammering features that can enhance the security of PINs over passwords. I utilize them in my module and [you can find them here](https://github.com/HotCakeX/Harden-Windows-Security#lock-screen).

The benchmarks/guidelines seem to be uninformed of the fact that Windows allows [multi-factor unlock](https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock), which can enforce a combination of PIN and biometric factors (plus more), to enforce **PIN + Facial recognition** OR **PIN + Fingerprint** etc.

@@ -88,7 +88,7 @@ CIS in 18.9.13.1
> The recommended state for this setting is: Enabled: Good, unknown and bad but
critical

That's not even a recommendation, that's the default value! If you use [Harden Windows Security script](https://github.com/HotCakeX/Harden-Windows-Security#miscellaneous-configurations) it sets it to **Good Only**, which is the correct recommendation for a secure environment.
That's not even a recommendation, that's the default value! If you use [Harden Windows Security module](https://github.com/HotCakeX/Harden-Windows-Security#miscellaneous-configurations) it sets it to **Good Only**, which is the correct recommendation for a secure environment.

<br>

@@ -130,9 +130,9 @@ These benchmarks or guidelines have numerous flaws and I have only examined two

## [Aspects that are lacking](#aspects-that-are-lacking-) <img src="https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/gothwink.gif" width="50" alt="Aspects that are lacking">

The benchmarks omit many new security features that the [Harden Windows Security script](https://github.com/HotCakeX/Harden-Windows-Security) implements.
The benchmarks omit many new security features that the [Harden Windows Security module](https://github.com/HotCakeX/Harden-Windows-Security) implements.

Everything in the repository is carefully researched, evaluated and tested. The script ensures that nothing is redundant or incompatible with the latest version of Windows. Older versions of the OS are obsolete and insecure, and should be avoided in any environment that requires protection. Threat actors can exploit vulnerabilities and use PoCs even on the same day that an update is released, this applies to any OS.
Everything in the repository is carefully researched, evaluated and tested. The module ensures that nothing is redundant or incompatible with the latest version of Windows. Older versions of the OS are obsolete and insecure, and should be avoided in any environment that requires protection. Threat actors can exploit vulnerabilities and use PoCs even on the same day that an update is released, this applies to any OS.

The security measures in the Harden Windows Security repository are also perfectly suitable for regular home users.

@@ -1,8 +1,9 @@
# Optional overrides for Microsoft Security Baseline

Since Microsoft Security Baselines are geared towards Enterprise level security, some functionalities that home users might require are disabled. Use the following overrides in the Harden Windows Security script and/or module to bring back those functionalities. **Some of these are necessary when using the module and/or script in Azure VMs.**
Since Microsoft Security Baselines are geared towards Enterprise level security, some functionalities that home users might require are disabled. Use the following overrides in the Harden Windows Security module to bring back those functionalities. **Some of these are necessary when using the module in Azure VMs.**

All of the features and functionalities listed below are enabled by default in Windows.
> [!IMPORTANT]\
> All of the features and functionalities listed below are enabled by default in Windows.
<br>

@@ -153,3 +154,47 @@ Computer Configuration\Administrative Templates\Windows Components\Microsoft Def
```

<br>

<img src="https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Gifs/1pxRainbowLine.gif" width= "300000" alt="horizontal super thin rainbow RGB line">

<br>

## 9. Disabled "Turn off Microsoft Consumer Experiences"

It disables some important features in Windows Settings -> Bluetooth & Devices -> Mobile Devices

More info in this [PR](https://github.com/HotCakeX/Harden-Windows-Security/pull/207)

```
Computer Configuration\Administrative Templates\Windows Components\Cloud Content
```

<br>

<img src="https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Gifs/1pxRainbowLine.gif" width= "300000" alt="horizontal super thin rainbow RGB line">

<br>

## 10. Disabled "Configure password backup directory"

Microsoft Security Baselines set its value to "Active Directory", but since the Harden Windows Security module does not apply to computers managed by domain controllers or Entra ID, there is no need for this policy to be active.

```
Computer Configuration\Administrative Templates\System\LAPS
```

<br>

<img src="https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Gifs/1pxRainbowLine.gif" width= "300000" alt="horizontal super thin rainbow RGB line">

<br>

## 11. Enabled "Apply UAC restrictions to local accounts on network logons"

A [Security feature](https://learn.microsoft.com/en-US/troubleshoot/windows-server/windows-security/user-account-control-and-remote-restriction) that is enabled by default and should stay enabled.

```
Computer Configuration\Administrative Templates\MS Security Guide
```

<br>

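Review bot: in section 9, "It disables some important features in Windows Settings -> Bluetooth & Devices -> Mobile Devices" is ambiguous: the thing that disables those features is the baseline's "Turn off Microsoft Consumer Experiences" policy when it is enabled, whereas this override sets that policy to Disabled to bring the features back. Reword to "When enabled, this policy disables ... ; this override sets it to Disabled", and state the reasoning inline rather than only linking to this PR, so the wiki page stands on its own. Section 11 is also inconsistent with the page's own intro, which says these overrides exist to bring back functionality the baseline turns off: the entry sets "Apply UAC restrictions to local accounts on network logons" to Enabled and says the setting is on by default and should stay on, so say what baseline behaviour this entry overrides, or move it out of the overrides list. The new `> [!IMPORTANT]` admonition at the top of the file ends with a trailing backslash; check that the rendered alert still shows the note text on the next line.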