Merge pull request #146 from HotCakeX/Harden-Windows-Security-Module-…
…v.2023/31/10

Harden Windows Security Module v.0.2.1
HotCakeX committed Nov 3, 2023
2 parents 8743084 + e699177 commit 50dfffb
Showing 12 changed files with 406 additions and 397 deletions.
Expand Up @@ -278,7 +278,7 @@ function Confirm-SystemCompliance {
# For PowerShell Cmdlet
try {
$IndividualItemResult = $((Get-ScheduledTask -TaskPath '\MSFT Driver Block list update\' -TaskName 'MSFT Driver Block list update' -ErrorAction SilentlyContinue) ? $True : $false)
}
}
catch {
# suppress any possible terminating errors
}
Expand Down Expand Up @@ -384,41 +384,63 @@ function Confirm-SystemCompliance {
$NestedObjectArray += [PSCustomObject](Invoke-CategoryProcessing -catname $CatName -Method 'Group Policy')


# Individual ASR rules verification
$DefenderEffectiveStates = Get-MpPreference
# Individual ASR rules verification
$DefenderEffectiveStates = Get-MpPreference
[string[]]$Ids = $DefenderEffectiveStates.AttackSurfaceReductionRules_Ids
[string[]]$Actions = $DefenderEffectiveStates.AttackSurfaceReductionRules_Actions

# If $Ids variable is not empty, convert them to lower case because some IDs can be in upper case and result in inaccurate comparison
if ($Ids) { $Ids = $Ids.tolower() }

# Hashtable to store the descriptions for each ID
[hashtable]$Descriptions = @{
'56a863a9-875e-4185-98a7-b882c64b5ce5' = 'Block abuse of exploited vulnerable signed drivers'
[hashtable]$ASRsTable = @{
'26190899-1602-49e8-8b27-eb1d0a1ce869' = 'Block Office communication application from creating child processes'
'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations originating from PSExec and WMI commands'
'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4' = 'Block untrusted and unsigned processes that run from USB'
'92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b' = 'Block Win32 API calls from Office macros'
'7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c' = 'Block Adobe Reader from creating child processes'
'3b576869-a4ec-4529-8536-b80a7769e899' = 'Block Office applications from creating executable content'
'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
'9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from the Windows local security authority subsystem (lsass.exe)'
'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block executable content from email client and webmail'
'01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Block executable files from running unless they meet a prevalence; age or trusted list criterion'
'5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
'd3e037e1-3eb8-44c8-a917-57927947596d' = 'Block JavaScript or VBScript from launching downloaded executable content'
'3b576869-a4ec-4529-8536-b80a7769e899' = 'Block Office applications from creating executable content'
'75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84' = 'Block Office applications from injecting code into other processes'
'26190899-1602-49e8-8b27-eb1d0a1ce869' = 'Block Office communication application from creating child processes'
'e6db77e5-3df2-4cf1-b95a-636979351e5b' = 'Block persistence through WMI event subscription'
'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations originating from PSExec and WMI commands'
'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4' = 'Block untrusted and unsigned processes that run from USB'
'92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b' = 'Block Win32 API calls from Office macros'
'75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84' = 'Block Office applications from injecting code into other processes'
'56a863a9-875e-4185-98a7-b882c64b5ce5' = 'Block abuse of exploited vulnerable signed drivers'
'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
'd3e037e1-3eb8-44c8-a917-57927947596d' = 'Block JavaScript or VBScript from launching downloaded executable content'
}

# Loop through the ids and actions arrays and create a custom object for each pair
for ($i = 0; $i -lt $Ids.Length; $i++) {
# Loop over each ID in the hashtable
foreach ($Name in $ASRsTable.Keys) {

# Check if the $Ids array is not empty and current ID is present in the $Ids array
if ($Ids -and $Ids -icontains $Name) {
# If yes, check if the $Actions array is not empty
if ($Actions) {
# If yes, use the index of the ID in the array to access the action value
$Action = $Actions[$Ids.IndexOf($Name)]
}
else {
# If no, assign a default action value of 0
$Action = 0
}
}
else {
# If no, assign a default action value of 0
$Action = 0
}

# Create a custom object with properties
$NestedObjectArray += [PSCustomObject]@{
FriendlyName = $Descriptions[$Ids[$i]]
Compliant = [bool]($Actions[$i] -eq '1')
Value = $Actions[$i]
Name = $Ids[$i]
FriendlyName = $ASRsTable[$name]
Compliant = [bool]($Action -eq 1) # Compare action value with 1 and cast to boolean
Value = $Action
Name = $Name
Category = $CatName
Method = 'Cmdlet'
}
}
}

# Add the array of custom objects as a property to the $FinalMegaObject object outside the loop
Expand Down Expand Up @@ -485,7 +507,7 @@ function Confirm-SystemCompliance {
# Get the status of Bitlocker DMA protection
try {
[int]$BitlockerDMAProtectionStatus = Get-ItemPropertyValue -Path 'Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\FVE' -Name 'DisableExternalDMAUnderLock' -ErrorAction SilentlyContinue
}
}
catch {
# -ErrorAction SilentlyContinue wouldn't suppress the error if the path exists but property doesn't, so using try-catch
}
Expand All @@ -512,7 +534,7 @@ function Confirm-SystemCompliance {
if (-NOT ((Get-MpComputerStatus).IsVirtualMachine)) {
try {
$IndividualItemResult = $($((Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Power -Name HibernateEnabled -ErrorAction SilentlyContinue).hibernateEnabled) -eq 1 ? $True : $False)
}
}
catch {
# suppress the errors if any
}
Expand Down Expand Up @@ -969,7 +991,7 @@ function Confirm-SystemCompliance {
# Verify a Security setting using registry
try {
$IndividualItemResult = [bool]((Get-ItemPropertyValue -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters' -Name 'EnableLMHOSTS' -ErrorAction SilentlyContinue) -eq '0')
}
}
catch {
# -ErrorAction SilentlyContinue wouldn't suppress the error if the path exists but property doesn't, so using try-catch
}
Expand Down Expand Up @@ -1072,7 +1094,7 @@ function Confirm-SystemCompliance {
# Verify a Security setting using registry
try {
$IndividualItemResult = [bool]((Get-ItemPropertyValue -Path 'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings' -Name 'RestartNotificationsAllowed2' -ErrorAction SilentlyContinue) -eq '1')
}
}
catch {
# -ErrorAction SilentlyContinue wouldn't suppress the error if the path exists but property doesn't, so using try-catch
}
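Review bot: Rules that Get-MpPreference reports but that are absent from `$ASRsTable` are now dropped from the compliance output without any signal, because the loop at `foreach ($Name in $ASRsTable.Keys)` only visits the hard-coded table, whereas the replaced loop over `$Ids` at least surfaced an unknown ID with an empty FriendlyName. An ASR rule enforced on the machine but not yet listed in the table is therefore invisible to the report until the table is updated, so the table should carry a comment such as `# Keep in sync with Microsoft's published ASR rule IDs; IDs absent from this table are not reported` and ideally a `Write-Verbose` for each `$Ids` entry with no table match. Note also that `$Ids.IndexOf($Name)` is an ordinal (case-sensitive) lookup while the `-icontains` guard in front of it is not; the pair only agrees because `$Ids` was lower-cased earlier, which is worth stating on the IndexOf line, e.g. `# $Ids was lower-cased above; IndexOf is case-sensitive, so the table keys must stay lower-case`. Finally, `Compliant = [bool]($Action -eq 1)` marks any action other than 1 (Block) as non-compliant, including audit-style values, which is sensible for a hardening check but should be spelled out in the comment rather than left implicit. Confirm-SystemCompliance begins and ends outside this hunk.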
Expand Up @@ -12,7 +12,7 @@
# RootModule = ''

# Version number of this module.
ModuleVersion = '0.2.0'
ModuleVersion = '0.2.1'

# Supported PSEditions
CompatiblePSEditions = @('Core')
Expand Down Expand Up @@ -60,7 +60,6 @@ Harden Windows Safely, Securely, only with Official Microsoft methods
✅ TLS Security
✅ Lock Screen
✅ UAC (User Account Control)
✅ Device Guard
✅ Windows Firewall
✅ Optional Windows Features
✅ Windows Networking
