-
Hi, thanks for the research and suggestions, they're great! They also align with the upcoming Windows Server 2025 support that's on the roadmap, since these new features require modern domain controllers, so I'll definitely include them in the next update. Next update is gonna take a bit more time (a few days), I want to add a couple more options to the GUI. I want to add a section that allows for adding/removing each individual optional feature, just like the ASR section. The unprotect tab should also offer an option to decrypt (an already unlocked) BitLocker encrypted disk, so that if the user wishes to do so, they will be able to completely undo all the changes they apply during protection. I'm also gonna add the policy for secure printing that was added in 24H2, but I think it should be an optional sub-category of the Miscellaneous category because it might stop old printers that don't support the new secure drivers from working.
-
Hey there,
The very recent hardening measures in Device guard and networking are welcoming. Though I believe SMB can be hardened even further. Please let me know your thoughts on changing/enabling the following behavior.
Changing cipher suite order (found in GPO > Admin templates > Network > Lanman Server > Cipher Suite order), also applicable to lanman workstation (found in GPO > Admin templates > Network > Lanman Workstation > Cipher Suite order):
Default is listed as (SMB 3.11 cipher suites):

- AES_128_GCM
- AES_128_CCM
- AES_256_GCM
- AES_256_CCM

I am proposing:

- AES_256_GCM
- AES_256_CCM
- AES_128_GCM
- AES_128_CCM
The default is by no means insecure; however, utilizing AES-256 encryption significantly enhances security. Learn more
Enable SMB over QUIC (found in the same list as above), also applicable to lanman workstation (found at the path listed above): QUIC requires TLS 1.3 for all data making it inherently secure. There are also latency benefits.
The first two posts are old at this point but they still apply.
While there are caveats, I believe the trade-offs are justified. The configuration provided by this module, once enabled, exceeds Microsoft's recommendations for properly secured workstations. In my opinion, it aligns perfectly with the philosophy of this module.
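The cipher-order change proposed above, as an added PowerShell example that is not part of the thread or of the module being discussed: it audits the current SMB server and client cipher order and can apply the proposed AES-256-first order with the SmbShare cmdlets instead of the GPO path. It assumes Windows 11 22H2 / Server 2022 or newer (where `-EncryptionCiphers` exists) and an elevated session for `-Apply`.

```powershell
# Added example, not from the thread or the module. Assumes Windows 11 22H2 / Server 2022+
# (Set-Smb*Configuration -EncryptionCiphers) and an elevated session when -Apply is used.
# The GPO "Cipher Suite order" policies in the post produce the same negotiation order.
$Preferred = 'AES_256_GCM, AES_256_CCM, AES_128_GCM, AES_128_CCM'

function Test-SmbCipherOrder {
    param([string]$Current)
    # Normalise whitespace around the commas, then require the exact proposed order.
    $normalised = ($Current -split ',' | ForEach-Object { $_.Trim() }) -join ', '
    return ($normalised -eq $Preferred)
}

function Invoke-SmbCipherHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Apply)

    $sides = @(
        @{ Name = 'Server'; Value = (Get-SmbServerConfiguration).EncryptionCiphers }
        @{ Name = 'Client'; Value = (Get-SmbClientConfiguration).EncryptionCiphers }
    )
    foreach ($side in $sides) {
        $state = if (Test-SmbCipherOrder -Current $side.Value) { 'OK' } else { 'AES-128 preferred first' }
        '{0,-6} order: {1,-48} {2}' -f $side.Name, $side.Value, $state
    }

    if ($Apply) {
        if ($PSCmdlet.ShouldProcess('LanmanServer', "Set cipher order to $Preferred")) {
            Set-SmbServerConfiguration -EncryptionCiphers $Preferred -Force
        }
        if ($PSCmdlet.ShouldProcess('LanmanWorkstation', "Set cipher order to $Preferred")) {
            Set-SmbClientConfiguration -EncryptionCiphers $Preferred -Force
        }
        # The order only matters once encryption is negotiated; on a server that should
        # require it, -EncryptData $true enforces encryption and -RejectUnencryptedAccess
        # decides whether clients that cannot encrypt are refused (both are real parameters
        # of Set-SmbServerConfiguration; left commented so the audit stays side-effect free).
        # Set-SmbServerConfiguration -EncryptData $true -RejectUnencryptedAccess $true -Force
    }
}

# Audit only (no changes are made):
Invoke-SmbCipherHardening
# Apply the proposed order, previewing first with -WhatIf:
# Invoke-SmbCipherHardening -Apply -WhatIf
```

Run the audit on a few machines before pushing the GPO; any client that reports an AES-128-first order but never negotiates encryption will see no change until encryption is required on the share or server.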