Merge pull request #344 from HotCakeX/Harden-Windows-Security-v0.6.3
Harden Windows Security v0.6.3
HotCakeX authored Sep 18, 2024
2 parents 1c09ef4 + 355d478 commit d2ffddd
Showing 24 changed files with 78 additions and 76 deletions.
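--- a/Harden-Windows-Security Module/.editorconfig
+++ b/Harden-Windows-Security Module/.editorconfig
@@ -254,3 +254,18 @@ dotnet_diagnostic.IDE0058.severity = error
 
 # CA2201: Do not raise reserved exception types
 dotnet_diagnostic.CA2201.severity = error
+
+# IDE0240: Remove redundant nullable directive
+dotnet_diagnostic.IDE0240.severity = silent
+
+# IDE0040: Add accessibility modifiers
+dotnet_diagnostic.IDE0040.severity = error
+
+# IDE0010: Add missing cases
+dotnet_diagnostic.IDE0010.severity = error
+
+# IDE0120: Simplify LINQ expression
+dotnet_diagnostic.IDE0120.severity = error
+
+# IDE0110: Remove unnecessary discard
+dotnet_diagnostic.IDE0110.severity = error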
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ public partial class BitLocker
private static ManagementObject GetVolumeFromLetter(string DriveLetter)
{
// Use `using` to properly dispose of the `ManagementObjectSearcher` and `ManagementObjectCollection`
using var searcher = new ManagementObjectSearcher(
using ManagementObjectSearcher searcher = new(
@"root\cimv2\Security\MicrosoftVolumeEncryption",
"SELECT * FROM Win32_EncryptableVolume");

Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@

namespace HardenWindowsSecurity
{
partial class BitLocker
public partial class BitLocker
{

// A variable that keeps track of errors if they occur during BitLocker workflows
Expand Down Expand Up @@ -39,7 +39,8 @@ public enum OSEncryptionType
/// <param name="OSEncryptionType"></param>
/// <param name="PIN"></param>
/// <param name="StartupKeyPath"></param>
internal static void Enable(string DriveLetter, OSEncryptionType OSEncryptionType, string? PIN, string? StartupKeyPath)
/// <param name="FreePlusUsedSpace">if true, both used and free space will be encrypted</param>
internal static void Enable(string DriveLetter, OSEncryptionType OSEncryptionType, string? PIN, string? StartupKeyPath, bool FreePlusUsedSpace)
{
#region TPM Status Check
TpmResult TPMResult = TpmStatus.GetV2();
Expand Down Expand Up @@ -283,7 +284,7 @@ internal static void Enable(string DriveLetter, OSEncryptionType OSEncryptionTyp
// Prepare the method with arguments
ManagementBaseObject EncryptArgs = VolumeInfo.GetMethodParameters("Encrypt");
EncryptArgs["EncryptionMethod"] = 7; // XTS-AEX-256
EncryptArgs["EncryptionFlags"] = 0; // Used + Free Space Encryption - 1 would be Used-Space Only
EncryptArgs["EncryptionFlags"] = FreePlusUsedSpace ? 0 : (uint)1; // 0 = Used + Free space | 1 = Used Space only

// Invoke the method to Encrypt the volume
ManagementBaseObject EncryptMethodInvocationResult = VolumeInfo.InvokeMethod("Encrypt", EncryptArgs, null);
Expand Down Expand Up @@ -331,7 +332,8 @@ internal static void Enable(string DriveLetter, OSEncryptionType OSEncryptionTyp
/// 4) Encryption Method = XTS-AES-256
/// </summary>
/// <param name="DriveLetter"></param>
internal static void Enable(string DriveLetter)
/// <param name="FreePlusUsedSpace">if true, both used and free space will be encrypted</param>
internal static void Enable(string DriveLetter, bool FreePlusUsedSpace)
{

// Get the volume info based on the drive letter
Expand Down Expand Up @@ -508,7 +510,7 @@ internal static void Enable(string DriveLetter)
// Prepare the method with arguments
ManagementBaseObject EncryptArgs = VolumeInfo.GetMethodParameters("Encrypt");
EncryptArgs["EncryptionMethod"] = 7; // XTS-AEX-256
EncryptArgs["EncryptionFlags"] = 0; // Used + Free Space Encryption - 1 would be Used-Space Only
EncryptArgs["EncryptionFlags"] = FreePlusUsedSpace ? 0 : (uint)1; // 0 = Used + Free space | 1 = Used Space only

// Invoke the method to Encrypt the volume
ManagementBaseObject EncryptMethodInvocationResult = VolumeInfo.InvokeMethod("Encrypt", EncryptArgs, null);
Expand Down Expand Up @@ -544,7 +546,6 @@ internal static void Enable(string DriveLetter)
}



/// <summary>
/// Enables BitLocker encryption for Removable drives
/// 1) Full Space (instead of Used-space only)
Expand All @@ -554,7 +555,8 @@ internal static void Enable(string DriveLetter)
/// </summary>
/// <param name="DriveLetter"></param>
/// <param name="Password"></param>
internal static void Enable(string DriveLetter, string? Password)
/// <param name="FreePlusUsedSpace">if true, both used and free space will be encrypted</param>
internal static void Enable(string DriveLetter, string? Password, bool FreePlusUsedSpace)
{

// Get the volume info based on the drive letter
Expand Down Expand Up @@ -646,7 +648,7 @@ internal static void Enable(string DriveLetter, string? Password)
// Prepare the method with arguments
ManagementBaseObject EncryptArgs = VolumeInfo.GetMethodParameters("Encrypt");
EncryptArgs["EncryptionMethod"] = 7; // XTS-AEX-256
EncryptArgs["EncryptionFlags"] = 0; // Used + Free Space Encryption - 1 would be Used-Space Only
EncryptArgs["EncryptionFlags"] = FreePlusUsedSpace ? 0 : (uint)1; // 0 = Used + Free space | 1 = Used Space only

// Invoke the method to Encrypt the volume
ManagementBaseObject EncryptMethodInvocationResult = VolumeInfo.InvokeMethod("Encrypt", EncryptArgs, null);
Expand Down Expand Up @@ -675,5 +677,4 @@ internal static void Enable(string DriveLetter, string? Password)

}


}
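Review bot: The summary of the removable-drive overload at L102 still promises "1) Full Space (instead of Used-space only)" although the new FreePlusUsedSpace parameter at L109 makes that conditional; the other two overloads presumably carry the same line just above their hunks (L57 and L77 start inside their doc comments), and all three Enable bodies continue outside the hunks shown. Proposed summary line: `/// 1) Full Space or Used-space only, depending on <paramref name="FreePlusUsedSpace"/>`. The `<param>` text at L62, L81 and L108 is also where the operational consequence belongs, e.g. `/// <param name="FreePlusUsedSpace">true encrypts used and free space; false encrypts used space only, which leaves remnants of previously deleted files in free space unencrypted, so it is only appropriate for new or freshly wiped volumes</param>`. Finally, the ternary `FreePlusUsedSpace ? 0 : (uint)1` at L72, L91 and L118 resolves to uint only through the constant conversion of 0; `FreePlusUsedSpace ? 0u : 1u` says the same thing without the cast.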
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@

namespace HardenWindowsSecurity
{
partial class BitLocker
public partial class BitLocker
{
/// <summary>
/// Enables Auto unlock | Suitable for Non-OS Drives
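Review bot: Adding `public` at L134 widens BitLocker from its previous default (internal) accessibility, which is more than IDE0040 asks for and runs opposite to FirewallHelper being narrowed to internal in the same commit. The members visible in this commit are `private static` and `internal static`, so `public partial class BitLocker` exposes an empty public type; `internal partial class BitLocker` would satisfy the analyzer and keep the old surface, unless a partial declaration outside this commit is already public (all partial declarations must agree on the modifier). The identical change appears at L52, L144 and L155 and would need to move together; the class bodies continue outside these hunks.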
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@

namespace HardenWindowsSecurity
{
partial class BitLocker
public partial class BitLocker
{
/// <summary>
/// Enables the key protectors of an encrypted volume, doesn't decrypt or encrypt the drive.
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@

namespace HardenWindowsSecurity
{
partial class BitLocker
public partial class BitLocker
{

// https://learn.microsoft.com/en-us/windows/win32/secprov/deletekeyprotector-win32-encryptablevolume#return-value
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@

namespace HardenWindowsSecurity
{
public static class FirewallHelper
internal static class FirewallHelper
{
// Method to get firewall rules based on RuleGroup and Direction
public static List<ManagementObject> GetFirewallRules(string ruleGroup, ushort direction)
Expand Down Expand Up @@ -80,13 +80,13 @@ public static List<ManagementObject> GetFirewallRules(string ruleGroup, ushort d
}


public enum NetSecurityEnabled : ushort
internal enum NetSecurityEnabled : ushort
{
True = 1,
False = 2
}

public enum NetSecurityProfile : ushort
internal enum NetSecurityProfile : ushort
{
Any = 0,
Public = 4,
Expand All @@ -95,36 +95,36 @@ public enum NetSecurityProfile : ushort
NotApplicable = 65535
}

public enum NetSecurityDirection : ushort
internal enum NetSecurityDirection : ushort
{
Inbound = 1,
Outbound = 2
}

public enum NetSecurityAction : ushort
internal enum NetSecurityAction : ushort
{
NotConfigured = 0,
Allow = 2,
Block = 4
}

public enum NetSecurityEdgeTraversal : ushort
internal enum NetSecurityEdgeTraversal : ushort
{
Block = 0,
Allow = 1,
DeferToUser = 2,
DeferToApp = 3
}

public enum NetSecurityPrimaryStatus : ushort
internal enum NetSecurityPrimaryStatus : ushort
{
Unknown = 0,
OK = 1,
Inactive = 2,
Error = 3
}

public enum NetSecurityPolicyStoreType : ushort
internal enum NetSecurityPolicyStoreType : ushort
{
None = 0,
Local = 1,
Expand All @@ -140,7 +140,7 @@ public enum NetSecurityPolicyStoreType : ushort
}

[Flags]
public enum NetSecurityDynamicTransport : uint
internal enum NetSecurityDynamicTransport : uint
{
Any = 0,
ProximityApps = 1,
Expand All @@ -151,30 +151,30 @@ public enum NetSecurityDynamicTransport : uint
}

[Flags]
public enum NetSecurityInterfaceType : uint
internal enum NetSecurityInterfaceType : uint
{
Any = 0,
Wired = 1,
Wireless = 2,
RemoteAccess = 4
}

public enum NetSecurityAuthentication : ushort
internal enum NetSecurityAuthentication : ushort
{
NotRequired = 0,
Required = 1,
NoEncap = 2
}

public enum NetSecurityEncryption : ushort
internal enum NetSecurityEncryption : ushort
{
NotRequired = 0,
Required = 1,
Dynamic = 2
}


public enum FirewallRuleAction
internal enum FirewallRuleAction
{
Enable,
Disable
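Review bot: `GetFirewallRules` at L170 keeps `public static` while its enclosing class becomes `internal static class FirewallHelper` at L167, so the declaration advertises an accessibility it no longer has. `internal static List<ManagementObject> GetFirewallRules(string ruleGroup, ushort direction)` states the effective visibility directly and matches the enums that the same hunk changes to internal. The method body and the rest of the class continue outside the hunks.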
Original file line number Diff line number Diff line change
Expand Up @@ -186,6 +186,8 @@ string GetASRRuleConfig(string ASRRuleName, byte ComboBoxIndex)
FilePath = System.IO.Path.Combine(HardenWindowsSecurity.GlobalVars.path, "Resources", "Individual ASR Rule Configs", ASRRulesCorrelation.GetValueOrDefault(ASRRuleName)!, "Warn.pol");
break;
}
default:
break;
}

return FilePath;
Expand Down Expand Up @@ -358,6 +360,8 @@ await System.Threading.Tasks.Task.Run(() =>
HardenWindowsSecurity.LGPORunner.RunLGPOCommand(ASRRuleActionBasedPath, LGPORunner.FileType.POL);
break;
}
default:
break;
}
}
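Review bot: The `default: break;` added at L279 satisfies IDE0010 but turns an unexpected `ComboBoxIndex` into a silent fall-through, after which GetASRRuleConfig returns whatever FilePath held before the switch (its initialisation lies above the hunk). If every index is meant to be handled, `default: throw new ArgumentOutOfRangeException(nameof(ComboBoxIndex));` surfaces the gap instead of handing back an unusable path. The same silent default is added at L288, L320, L351, L360, L371 and L383; at L371 in Logger.cs it appears to mean an unrecognised log type is simply not written to the event log, which is the one place a dropped entry should at least leave a trace. Each of these switches sits in a function that starts and ends outside its hunk.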
Original file line number Diff line number Diff line change
Expand Up @@ -410,11 +410,11 @@ await System.Threading.Tasks.Task.Run(() =>
// Determine the security level of the OS encryption
if (string.Equals(SecurityLevel, "Normal", StringComparison.OrdinalIgnoreCase))
{
HardenWindowsSecurity.BitLocker.Enable(TrimmedSystemDrive, HardenWindowsSecurity.BitLocker.OSEncryptionType.Normal, PIN1, null);
HardenWindowsSecurity.BitLocker.Enable(TrimmedSystemDrive, HardenWindowsSecurity.BitLocker.OSEncryptionType.Normal, PIN1, null, true);
}
else
{
HardenWindowsSecurity.BitLocker.Enable(TrimmedSystemDrive, HardenWindowsSecurity.BitLocker.OSEncryptionType.Enhanced, PIN1, RemovableDriveLetter);
HardenWindowsSecurity.BitLocker.Enable(TrimmedSystemDrive, HardenWindowsSecurity.BitLocker.OSEncryptionType.Enhanced, PIN1, RemovableDriveLetter, true);
}
Expand All @@ -437,7 +437,7 @@ await System.Threading.Tasks.Task.Run(() =>
Logger.LogMessage($"Executing BitLocker Ops for the Non-OS Drives on drive {NonOSDrivesLetter} .", LogTypeIntel.Information);
HardenWindowsSecurity.BitLocker.Enable(NonOSDrivesLetter);
HardenWindowsSecurity.BitLocker.Enable(NonOSDrivesLetter, true);
if (!HardenWindowsSecurity.BitLocker.HasErrorsOccurred)
Expand Down Expand Up @@ -476,7 +476,7 @@ await System.Threading.Tasks.Task.Run(() =>
break;
}
HardenWindowsSecurity.BitLocker.Enable(RemovableDrivesTabDriveSelection, Password1);
HardenWindowsSecurity.BitLocker.Enable(RemovableDrivesTabDriveSelection, Password1, true);
if (!HardenWindowsSecurity.BitLocker.HasErrorsOccurred)
Expand All @@ -487,6 +487,9 @@ await System.Threading.Tasks.Task.Run(() =>
break;
}
default:
break;
}
}); // End of Async Thread
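Review bot: The trailing literals added at L299, L304, L309 and L315 (`null, true` and `true`) give the reader no hint that the boolean selects full-volume encryption. Named arguments keep that decision visible at the call site, e.g. `HardenWindowsSecurity.BitLocker.Enable(NonOSDrivesLetter, FreePlusUsedSpace: true);` and `HardenWindowsSecurity.BitLocker.Enable(TrimmedSystemDrive, HardenWindowsSecurity.BitLocker.OSEncryptionType.Normal, PIN1, StartupKeyPath: null, FreePlusUsedSpace: true);`. The enclosing Task.Run lambda starts and ends outside these hunks.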
Original file line number Diff line number Diff line change
Expand Up @@ -361,16 +361,12 @@ private void UpdateTotalCount(bool ShowNotification)
// Get the count of the compliant items
string CompliantItemsCount = _SecOpsCollectionView.SourceCollection
.Cast<SecOp>()
.Where(item => item.Compliant)
.Count()
.ToString(CultureInfo.InvariantCulture);
.Count(item => item.Compliant).ToString(CultureInfo.InvariantCulture);

// Get the count of the Non-compliant items
string NonCompliantItemsCount = _SecOpsCollectionView.SourceCollection
.Cast<SecOp>()
.Where(item => !item.Compliant)
.Count()
.ToString(CultureInfo.InvariantCulture);
.Count(item => !item.Compliant).ToString(CultureInfo.InvariantCulture);

// Find the text blocks that display counts of true/false items
var CompliantItemsTextBlock = (System.Windows.Controls.TextBlock)GUIConfirmSystemCompliance.View.FindName("CompliantItemsTextBlock");
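Review bot: The simplified queries at L333 and L341 still walk `_SecOpsCollectionView.SourceCollection` twice, each with its own `Cast<SecOp>()`, to derive two numbers that are complements of each other. A single pass that counts the compliant items and the total, with the non-compliant count as the difference, is both shorter and avoids the two enumerations observing different snapshots if the collection changes in between. UpdateTotalCount continues outside the hunk.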
Original file line number Diff line number Diff line change
Expand Up @@ -706,6 +706,9 @@ await Task.Run(() =>
}
break;
}
default:
break;
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -186,6 +186,9 @@ await System.Threading.Tasks.Task.Run(() =>
break;
}
default:
break;
}
});
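--- a/Harden-Windows-Security Module/Main files/C#/Others/Logger.cs
+++ b/Harden-Windows-Security Module/Main files/C#/Others/Logger.cs
@@ -169,6 +169,8 @@ Harden Windows Security operation log start
 WriteEventLog(CurrentText, EventLogEntryType.Error);
 break;
 }
+default:
+break;
 }
 }
 #endregion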
Original file line number Diff line number Diff line change
Expand Up @@ -236,6 +236,9 @@ public static void Show(ToastNotificationType Type, string? TotalCompliantValues

break;
}

default:
break;
}
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -17,9 +17,7 @@ function Confirm-SystemCompliance {
).Value

foreach ($Item in [HardenWindowsSecurity.ComplianceCategoriex]::new().GetValidValues()) {
# Check if the item is already selected
if ($Item -notin $Existing) {
# Return the item
$Item
}
}
Expand All @@ -43,7 +41,6 @@ function Confirm-SystemCompliance {
)
begin {
$script:ErrorActionPreference = 'Stop'
# Makes sure this cmdlet is invoked with Admin privileges
if (-NOT ([HardenWindowsSecurity.UserPrivCheck]::IsAdmin())) {
Throw [System.Security.AccessControl.PrivilegeNotHeldException] 'Administrator'
}
Expand Down Expand Up @@ -149,7 +146,6 @@ function Confirm-SystemCompliance {
}
#Endregion Colors
}

process {
try {
Write-Progress -Activity 'Performing Compliance Check...' -Status 'Running' -PercentComplete 50
