A browser-based hardened device configuration generator for Windows and macOS. Pick your security framework, toggle the controls you need, and instantly get a ready-to-run script or deployable profile — no installs, no accounts, no backend.
Built for IT administrators and security engineers who need to harden endpoints quickly and consistently against industry benchmarks.
You open the tool in a browser, select your platform and compliance framework, then toggle individual security controls on or off. The right panel instantly generates one of three outputs:
- Script — a PowerShell (`.ps1`) or Bash (`.sh`) script you run directly on the machine as administrator
- Profile — a Windows JSON registry profile (importable via GPO/SCCM/Intune) or a macOS `.mobileconfig` file (deployable via Jamf, Kandji, or Apple Configurator 2)
- Summary — a machine-readable JSON audit record of which controls were applied, under which framework, and when
Everything runs locally in your browser. Nothing is sent to a server.
| Framework | Description |
|---|---|
| CIS Level 1 | Conservative baseline — minimal operational impact |
| CIS Level 2 | Stronger hardening — recommended for sensitive environments |
| NIST 800-53 Moderate | Federal and regulated industry baseline |
| DISA STIG | DoD hardening standard — strictest preset |
| Custom | Start from scratch, toggle controls manually |
Windows controls:
- Authentication — password complexity, length, expiry, history, lockout, screen lock
- Encryption — BitLocker (XTS-AES-256), pre-boot PIN, Secure Boot validation
- Firewall & Network — Domain/Private/Public firewall profiles, drop logging, disable SMBv1
- Audit & Logging — logon events, account management, privilege use, policy changes, process creation, event log sizes
- Updates — automatic Windows Updates, Defender signature updates
- Application Control — SmartScreen, PowerShell AllSigned policy, UAC always-notify, disable AutoRun, AppLocker
- Remote Access — disable RDP, disable WinRM, disable Guest account
- Privacy — telemetry, advertising ID, location services
macOS controls:
- Authentication — password policy, screen lock, login window hardening
- Encryption — FileVault 2 full-disk encryption, Secure Boot (Apple Silicon/T2)
- Firewall — Application Firewall, stealth mode
- Audit & Logging — unified logging, audit flags
- Updates — automatic security updates
- Application Control — Gatekeeper, SIP status check
- Remote Access — disable SSH, Remote Login, Remote Management, AirDrop
- Privacy — diagnostic reporting, Siri telemetry, crash data
No build step, no package manager, no server required.
Option 1 — Open directly in a browser
1. Download or clone this repository
2. Open index.html in any modern browser (Chrome, Edge, Firefox, Safari)
3. Start generating configs
Option 2 — Serve locally (recommended for team use)
If you want to host it for your team on an internal network:
```bash
# Python 3
python -m http.server 8080
# Node.js (npx); serve listens on port 3000 unless -l is given
npx serve -l 8080 .
```
Then open http://localhost:8080 in a browser.
Option 3 — Host statically
Drop the four files (index.html, app.js, generators.js, controls-data.js) onto any static host — S3, GitHub Pages, Netlify, an internal web server — and share the URL with your team.
```powershell
# Run in an elevated PowerShell session (right-click → Run as Administrator)
Set-ExecutionPolicy Bypass -Scope Process -Force
.\securebuild-windows-cis2.ps1
```
Import via Group Policy, SCCM, or Microsoft Intune as a registry policy package.
```bash
chmod +x securebuild-macos-cis2.sh
sudo ./securebuild-macos-cis2.sh
```
```bash
# Install manually
sudo profiles install -path=securebuild-macos-cis2.mobileconfig
# Or push via MDM (Jamf, Kandji, Mosyle, etc.)
```
```
Secure-build-gen/
├── index.html          # UI layout and styles
├── app.js              # State management, rendering, copy/download logic
├── generators.js       # Script and profile generators for all output formats
├── controls-data.js    # Control definitions, CIS/NIST references, framework presets
└── test-edge-cases.js  # Edge case tests
```
The entire application is vanilla JavaScript — no frameworks, no dependencies, no build toolchain.
Contributions are welcome and encouraged. This project is open source.
Good first contributions:
- Add a missing CIS or STIG control
- Add Linux support (Ubuntu, RHEL/CentOS CIS benchmarks)
- Add cloud hardening baselines (AWS, Azure, GCP)
- Improve or extend macOS controls for newer OS versions
- Add a dark/light theme toggle
- Improve accessibility (keyboard navigation, screen reader support)
How to contribute:
- Fork the repository
- Create a branch: `git checkout -b feature/your-feature-name`
- Make your changes
- Test by opening `index.html` locally and verifying your controls generate correct output
- Submit a pull request with a clear description of what you changed and why
Adding a new control:
All controls live in controls-data.js. Each control follows this shape:
```javascript
{
  id: 'win_example', // unique snake_case ID
  name: 'Human-readable name',
  desc: 'One-line description of what it does',
  refs: { cis: 'CIS 1.2.3', nist: 'AC-7' }, // framework references
  df: { cis1: false, cis2: true, nist: true, stig: true } // default state per framework
}
```
The corresponding remediation code goes in generators.js inside the appropriate platform generator function.
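A lint pass for control entries of the shape shown above, useful before submitting a pull request. This is an added example, not code from the project: `validateControls`, `enabledFor` and the sample array are hypothetical, and it assumes presets read the `df` flags directly and that every control cites at least one reference.

```javascript
// Added example: lint control definitions before they reach controls-data.js.
// validateControls and enabledFor are hypothetical helpers, not project code.
const FRAMEWORKS = ['cis1', 'cis2', 'nist', 'stig']; // df keys from the control shape

function validateControls(controls) {
  const errors = [];
  const seen = new Set();
  for (const [i, c] of controls.entries()) {
    const where = `control[${i}] (${c.id ?? 'no id'})`;
    if (typeof c.id !== 'string' || !/^[a-z][a-z0-9]*(_[a-z0-9]+)*$/.test(c.id)) {
      errors.push(`${where}: id must be snake_case`);
    } else if (seen.has(c.id)) {
      errors.push(`${where}: duplicate id`);
    }
    seen.add(c.id);
    for (const field of ['name', 'desc']) {
      if (typeof c[field] !== 'string' || c[field].trim() === '') {
        errors.push(`${where}: ${field} is required`);
      }
    }
    // Assumption: a control with no benchmark reference is not traceable in an audit.
    if (!c.refs || Object.keys(c.refs).length === 0) {
      errors.push(`${where}: refs needs at least one framework reference`);
    }
    for (const fw of FRAMEWORKS) {
      // A missing default would silently leave the control off in that preset.
      if (typeof c.df?.[fw] !== 'boolean') {
        errors.push(`${where}: df.${fw} must be true or false`);
      }
    }
  }
  return errors;
}

// IDs a framework preset turns on by default (assumes presets read df directly).
function enabledFor(controls, fw) {
  return controls.filter((c) => c.df?.[fw] === true).map((c) => c.id);
}

// Constructed sample data: one valid entry and one copy-paste mistake.
const sample = [
  { id: 'win_example', name: 'Example', desc: 'Demo control',
    refs: { cis: 'CIS 1.2.3', nist: 'AC-7' },
    df: { cis1: false, cis2: true, nist: true, stig: true } },
  { id: 'win_example', name: 'Copy-paste dup', desc: 'Same id',
    refs: { cis: 'CIS 1.2.4' }, df: { cis1: false, cis2: true, nist: true } },
];
console.log(validateControls(sample));
console.log(enabledFor(sample, 'stig'));
```

The second sample entry shows the failure mode that matters most for a hardening tool: with `df.stig` missing, the control drops out of the strictest preset without any visible error.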
MIT — free to use, modify, and distribute. See LICENSE for details.