
Releases: LoicVeirman/HardenAD

Harden AD 2.9.8 - Stable

23 Apr 20:48


Important: please use the HardenAD-2.9.8_2024-05-06_QuickFixRelease.zip file and not the source archive provided by GitHub.

Welcome to Harden AD 2.9.8!

Yes! A new release has arrived... While the last version focused on stabilizing the code and everything around it, the need to improve certain features and strategies remained. This is what we have done: let's discover all of these changes together!

Managing the local administrators group delegation
We have decided to wipe it away and rethink the whole thing. The script is now split into three files:

  1. Set-localAdminGroups.ps1: creates the group and moves it to the appropriate OU, depending on the OS type and the computer object's distinguishedName. The script runs each time a computer object is created, modified or deleted.
  2. Clear-localAdminGroups.ps1: runs once a day (11 PM) and hunts for groups that are still present in AD while the associated computer object no longer exists.
  3. Fix-localAdminGroups.ps1: runs twice a day (6 AM and 8 PM) and covers the cases where a group was not created or updated dynamically (the schedule failed, the event IDs were no longer reported to the DC, ...).

All of the scripts and their dependencies are located in %winDir%\HardenAD\SheduledTasks\Set-LocalAdminGroups, as are the debug files (those are explicitly intended for script maintenance). You will also find two XML files there (only one can be used at a time):

  1. configuration.xml: a dynamic file used by the script to manage the groups, built from the tasksSequence_hardenAD.xml content. This file is generated when you run harden.ps1, during a new sequence called Prepare GPO files before GPO import.
  2. configuration-custom.xml: more complex, this file is reserved for those who do not want to use the default rules and prefer their own. Please refer to the comments within this file to learn how to use it.

The scripts are also self-documented, so do not hesitate to read them for further details!

Finally, the scripts now generate events in the Application event log: you can access them on each DC through a filtered view in a folder called 'HardenAD'.
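As an added illustration of the orphan hunt that Clear-localAdminGroups.ps1 performs, here is a PowerShell function written for this page (it is not HardenAD's own code). It assumes the groups are named `<Prefix><ComputerName>` and live in one OU, and it skips groups younger than a configurable grace period so that a group created just before its computer object has replicated is not mistaken for an orphan; the prefix and OU below are placeholders.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not HardenAD's code): report, and optionally remove, local admin
# delegation groups whose computer object no longer exists in the domain.
# Assumptions (not stated in the release notes): groups are named "<Prefix><ComputerName>"
# and live in one OU; a group younger than $MinimumAgeDays is skipped so that a freshly
# created computer whose group arrived first (replication lag) is not treated as orphaned.
function Find-OrphanedLocalAdminGroup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$Prefix = 'LocalAdmins-',   # placeholder naming convention
        [string]$SearchBase,                # optional OU DN that limits the group search
        [int]$MinimumAgeDays = 1,
        [switch]$Remove
    )
    $getParams = @{ Filter = "Name -like '$Prefix*'"; Properties = 'whenCreated' }
    if ($SearchBase) { $getParams.SearchBase = $SearchBase }

    foreach ($group in Get-ADGroup @getParams) {
        $ageDays = (New-TimeSpan -Start $group.whenCreated).Days
        if ($ageDays -lt $MinimumAgeDays) { continue }

        $computerName = $group.Name.Substring($Prefix.Length)
        # -Filter returns nothing (no exception) when the computer does not exist,
        # unlike -Identity, which throws ADIdentityNotFoundException.
        $computer = Get-ADComputer -Filter "Name -eq '$computerName'"
        if ($computer) { continue }

        [pscustomobject]@{
            Group    = $group.DistinguishedName
            Computer = $computerName
            AgeDays  = $ageDays
        }
        if ($Remove -and $PSCmdlet.ShouldProcess($group.DistinguishedName, 'Remove orphaned group')) {
            Remove-ADGroup -Identity $group.DistinguishedName -Confirm:$false
        }
    }
}

# Report only (placeholder OU):
Find-OrphanedLocalAdminGroup -SearchBase 'OU=LocalAdmins,DC=example,DC=com' | Format-Table -AutoSize
# Dry run of the cleanup the nightly task performs, then the real thing:
# Find-OrphanedLocalAdminGroup -Remove -WhatIf
# Find-OrphanedLocalAdminGroup -Remove
```

Run the report form first and compare its output with the events the HardenAD scripts write to the Application log before trusting any automated removal; `-WhatIf` shows exactly which groups would be deleted.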

HardenAD.ps1: parameters accepted!
Well, to be honest, this point is my favorite one ;) We have added three parameters to the main script:

  1. -EnableTask: lets you enable one or more task sequences WITHOUT touching the XML file!
  2. -DisableTask: same as the previous one, but disables instead. If combined with enabling, disabling wins.
  3. -NoConfirmationForRootDomain: skips the validation of the domain name in the root domain. Just for lazy guys like me ;)

So, the best news here is that you no longer need to edit TasksSequence_hardenAD.xml to activate a sequence. Yes, no more! However, don't be too happy: the file still has to be updated with the relevant information (OU design, translation, object paths, ...). More on this later.

TasksSequence_HardenAD.xml: mastering the beast
As you may already know, this file is the core of the engine: everything the script needs is referenced in it. We have started a process to rationalize it and to simplify the way things are personalized, by reducing the number of specific values to adapt (such as a target OU path or a group name). Obviously, this impacts the module functions, so expect this to change in future releases too.

As of today, we have improved the FR-FR and EN-US input in the file. By default, the file is set up for EN-US: to enable the FR-FR version, just remove the parts commented for English and uncomment the French ones.
The following sections are concerned by this change:

  • DelegationACEs
  • Translation
  • Groups

GPOs
Some changes have been made to the group policies:

  • HAD-UNC-Hardened-Path: a new GPO, linked to the 'Domain Controllers' OU, that activates UNC hardened paths for SYSVOL and NETLOGON.
  • HAD-LoginRestrictions-{tier}: the 'Deny Network Logon' setting has been replaced; it no longer denies the other tiers' admin accounts but only the Guest account. The previous setting was not relevant from a security perspective (let's say a bit too secure) and was the source of unwanted restrictions that impacted daily technical tasks, such as adding a printer to a computer or forcing a group policy refresh from the Group Policy Management Console.
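To verify on a machine that the UNC hardened paths policy described for HAD-UNC-Hardened-Path is actually in effect, here is an added PowerShell check written for this page (not HardenAD's code). It reads the well-known `HardenedPaths` policy key and parses each share's `RequireMutualAuthentication` / `RequireIntegrity` / `RequirePrivacy` flags; the two default share paths mirror the SYSVOL and NETLOGON entries named in the release notes.

```powershell
# Added example (not HardenAD's code): confirm that UNC hardened paths are enforced for
# SYSVOL and NETLOGON on the machine where this runs. The policy writes one value per share
# under the HardenedPaths key, formatted like:
#   "RequireMutualAuthentication=1, RequireIntegrity=1, RequirePrivacy=0"
function Test-UncHardenedPath {
    param(
        [string[]]$Share = @('\\*\SYSVOL', '\\*\NETLOGON')
    )
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
    $values = if (Test-Path -Path $key) { Get-ItemProperty -Path $key } else { $null }

    foreach ($s in $Share) {
        # Registry value names (e.g. "\\*\SYSVOL") are exposed as properties by Get-ItemProperty
        $setting = $null
        if ($values) {
            $prop = $values.PSObject.Properties[$s]
            if ($prop) { $setting = [string]$prop.Value }
        }

        # Parse "Name=Value, Name=Value" into a hashtable of flags
        $flags = @{}
        if ($setting) {
            foreach ($pair in ($setting -split ',')) {
                $name, $val = ($pair.Trim() -split '=', 2)
                if ($name) { $flags[$name.Trim()] = $val.Trim() }
            }
        }

        $mutualAuth = $flags['RequireMutualAuthentication'] -eq '1'
        $integrity  = $flags['RequireIntegrity'] -eq '1'
        [pscustomobject]@{
            Path                        = $s
            Configured                  = [bool]$setting
            RequireMutualAuthentication = $mutualAuth
            RequireIntegrity            = $integrity
            RequirePrivacy              = ($flags['RequirePrivacy'] -eq '1')
            # Mutual authentication plus integrity is the minimum that protects GPO retrieval
            Compliant                   = ($mutualAuth -and $integrity)
        }
    }
}

Test-UncHardenedPath | Format-Table -AutoSize
```

The setting protects the machine that consumes the share, so run the check on each machine in the GPO's scope after a policy refresh (`gpupdate /force`), not only on the server hosting SYSVOL.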

Final words...
This is a big step towards future changes. We sincerely hope this will ease your journey toward AD hardening! Do not hesitate to reach us through our website or here.

The Harden AD team.

Harden AD 2.9.7 - Stable

03 Mar 22:06


Welcome to Harden AD 2.9.7!

Please join us in welcoming our latest stable release of HardenAD! We have spent a huge amount of time fixing all the bugs reported to us and adding some extra features, and we are really happy to share the final result with you! You want to know more? Let's dive into the details!

HardenAD.ps1
The main script still works the same way but has been adapted to fix new display issues, as the checklist has been improved.

Configuration file remastered
The configuration has been updated to reflect this new release.

Tasks Sequence configuration file remastered
We all agree: the previous one was pretty ugly and hard to maintain or adapt, at least for a human being... So the file has been rewritten to use tabs, comments were cleared out and, for better readability, data were organized by theme (give it a read, it's worth it!). Plus, we have added new input to ease the switch between French and English.

Oh... We were forgetting to tell you one little thing... The configuration now allows Operator accounts to join a computer to the domain! Well, at least if you have pre-staged the computer object in the right Organizational Unit :) This is thanks to the new SDDL attribute that allows handling ExtendedRights through a Custom Role (section Delegation).

Group Policies
New group policies have been added and some have been fixed, as they had issues. The most interesting ones concern the scheduled tasks on domain controllers:

  1. HAD-TS-Local-Admins-Groups: creates a scheduled task that dynamically creates a group object to allow users to be local administrators of a system. The task monitors computer object changes and places the group in the proper organizational unit. Some improvements are in progress, so stay tuned, as a new release will come soon...
  2. HAD-TS-Reset-Computer-SDDL: monitors computer object creation, then resets the owner to Domain Admins and enforces the security access control list back to its default value. This way, you can now delegate the domain join to operators without a security risk on the computer object.
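To see which computer objects the HAD-TS-Reset-Computer-SDDL task would act on, here is an added PowerShell audit written for this page (not HardenAD's code, and not the reset tool shipped in the repository). It lists computer objects whose security descriptor owner is not the expected principal; the expected owner defaults to the domain's Domain Admins group, the `AD:` drive comes from the ActiveDirectory module, and the OU in the usage line is a placeholder.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not HardenAD's code): list computer objects whose owner differs from the
# expected principal, i.e. the objects the HAD-TS-Reset-Computer-SDDL task would reset.
# A computer pre-staged or joined by a delegated operator is owned by that operator until
# the owner is reset; this report shows where that has happened.
function Get-ComputerWithUnexpectedOwner {
    param(
        [string]$SearchBase,                                              # optional OU DN
        [string]$ExpectedOwner = "$((Get-ADDomain).NetBIOSName)\Domain Admins"
    )
    $params = @{ Filter = '*' }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    foreach ($computer in Get-ADComputer @params) {
        # Get-Acl on the AD: drive exposes the security descriptor owner as DOMAIN\Name
        $acl = Get-Acl -Path ("AD:\" + $computer.DistinguishedName)
        if ($acl.Owner -ne $ExpectedOwner) {
            [pscustomobject]@{
                Computer          = $computer.Name
                Owner             = $acl.Owner
                DistinguishedName = $computer.DistinguishedName
            }
        }
    }
}

# Placeholder OU; omit -SearchBase to audit the whole domain
Get-ComputerWithUnexpectedOwner -SearchBase 'OU=Workstations,DC=example,DC=com' | Format-Table -AutoSize
```

Run it before and after enabling the scheduled task: the "before" list is the backlog that the repository's mass-reset tool is meant to clear, and an empty "after" list confirms the task is catching new objects.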

KeePass
The repository now includes an empty kdbx file, which was missing in the previous release.

Tools
We are very happy to share with you some of the useful tools we use daily on our journey deploying HardenAD. They include a script to massively reset the computer SDDL and Owner in a domain (use it with caution!), a script to reformat an XML file using tabs as separators, a tool to ease the generation of the admin accounts to add to the XML file, and a last script to reset the SDDL and Owner of a single computer object. These tools are self-documented.

Well, that's all for the moment; we really hope you will enjoy this new release! Please use the discussions and/or issues section to get back to us, or join us at https://hardenad.net !

Securely yours,
The Harden AD Team

HardenAD-2.9.6-Beta-6

06 Feb 14:39

Harden AD 2.9.5 - Beta 5

07 Nov 16:39

What's Changed

  • New version of BitLocker GPOs and scripts by @k1dvh
  • Added 2012 and 2012R2 to the WMI filters
  • Fixed some misspellings
  • Fixed nomenclature in the Local Admins GPOs and in the scheduled task for the flush
  • ...

Full Changelog: HardenAD-2.9.5-Beta-4...dev

HardenAD-2.9.5-Beta-4-NO BITLOCKER

13 Oct 14:31
15f6cad

What's Changed

  • Following the detection of a major bug, the BitLocker GPO, scripts and configuration have been deleted by @k1dvh in #57

Full Changelog: HardenAD-2.9.5-Beta-4...BL-issue

HardenAD 2.9.5 Beta 5

25 Aug 14:58
  • Added a scheduled task to change the krbtgt account password every 30 days (on the PDC, via a new WMI filter 💪; forces replication at the end of execution)
  • Complete overhaul of the Powershell-Logs GPO (logs relocated, a scheduled task added to delete logs older than 7 days, a confidentiality restriction added for passwords typed in clear text in PowerShell)
  • Added 80 registry keys to the Security-Logs GPO to change the audit size of the Microsoft-Windows event logs
  • Added GPOs to undo the changes made by the GPOs that modify registry keys (LDAP-Audit, SSL1-Disabled, ...)
  • Added GPOs to disable TLS 1.0/1.1/1.2 (be very careful with 1.2, which is the protocol in majority use, even though 1.3 exists)
  • Added GPOs to re-enable these protocols if needed
  • Fixed the HAD-TS-LocalAdmin-Groups GPO to relocate the logs to the HardenAD\Logs folder; the GPO now considers the OU first and then the OS to decide where the localadmin group will be created (rather than the reverse order of priority)
  • Fixed the HAD-LocalAdmin-PAW... GPOs, which had a group naming error
  • The LoginRestriction GPOs have been removed from the Provisioning OU because they caused too many problems (notably when adding a server that will be promoted to DC after Harden has been deployed)
  • The smartcard GPOs, the risky ones (TLS 1.2) and the GPOs that undo changes made by others (via registry keys) are not linked. --> HardenAD can be deployed in DENY mode without errors
  • Added the Windows 11 / Win 2023 v3.0 ADMX in EN-us and FR-fr