WDACConfig module update v0.3.8

What's New

• Introduced functionality to create a Supplemental policy based on certificate files. This enhancement enables administrators to select .cer certificate files and authorize them within a policy. Consequently, any files signed with these certificates will be permitted to execute. The primary motivation behind this feature is to streamline the deployment and utilization of Script Enforcement scenarios.

  • This capability has been added to the New-SupplementalWDACConfig cmdlet.

• Developed comprehensive and user-friendly documentation aimed at system administrators seeking to leverage the Script Enforcement feature within Application Control policies (WDAC). This documentation provides clear guidelines for establishing stringent boundaries around script engines, including PowerShell and similar tools.

• Improved the resiliency of log parsing functions.

• Added new parameter called EnableScriptEnforcement to the New-WDACConfig cmdlet which will enable script enforcement for the base policies it creates.

• Enhanced the robustness of certificate details retrieval functions for WDAC Simulation.

PR: #245

Harden Windows Security Module v.0.3.9

What's New

• Added support for Windows Home edition, this means the module and script can run on Windows home editions but the categories are applied in best effort fashion and not all of them are available since many features such as group policy or attack surface reduction rules are simply not available in the home edition. More features might be specialized and implemented for home editions only, in the future.
• You can now choose which categories to check compliance for using the Confirm-SystemCompliance cmdlet. Previously it would check all categories. If no category is selected, all categories are checked.
• Overall code improvements and refactoring.

PR: #244

WDACConfig module update v0.3.7

What's New

• Added support for EVTX logs file parsing. Now, you can quickly create Application Control (WDAC) policies using EVTX logs from any computer. Just export the Code Integrity and/or AppLocker logs and use the WDACConfig module to turn them into WDAC policies. This feature provides a consistent and user-friendly experience similar to what’s available for MDE Advanced Hunting logs and Local logs, utilizing the ConvertTo-WDACPolicy cmdlet for streamlined policy creation.
• Overall code improvements

PR: #241

WDACConfig module update v0.3.6

What's New

Microsoft Defender for Endpoint - Advanced Hunting

You can now use the WDACConfig module to convert the Microsoft Defender for Endpoint (MDE) Advanced Hunting query results directly to Application Control policy (WDAC) policy in a matter of seconds with high precision and performance.

Demo Video

The systematic approach to converting the query results to WDAC policy is as follows:

• If a file is unsigned then a hash rule will be created for it.
• If a file is signed then there are multiple possibilities:
  • If the file is signed and the MDE AH results contain the file's version as well as at least one of the following file attributes (Original Name, Internal Name, Description, Product Name), then a File Publisher rule will be created for it.
  • If the file is signed but the file attributes are not present in the results, Publisher level rule will be created for it.

These levels are selected based on their security. You can read more about the levels security comparison in this article.

Simple Yet Comprehensive

What WDACConfig requires for MDE Advanced Hunting

DeviceEvents
| where ActionType startswith "AppControlCodeIntegrity"
    or ActionType startswith "AppControlCIScriptBlocked"
    or ActionType startswith "AppControlCIScriptAudited"

As you can see, the WDACConfig module encapsulates all requisite logic, enabling the employment of heightened security levels for files, notably the FilePublisher. It assimilates comprehensive data, utilizing the maximum extent of available information to formulate the most precise and tailored rule for each individual file.

Comparison

Supported Features	WDACConfig	WDAC Wizard
Log types	Code Integrity + AppLocker	Code Integrity
Generated Rules	File Publisher, Publisher, Leaf Certificate, Hash	Publisher, Hash
Requires Custom CSV Formatting	No - Accepts RAW data	Yes
Required Query Size	Small	Large

Important

WDAC Wizard is a great tool, it offers a GUI and can be downloaded from here

Other Changes

• Significantly Improved the performance when parsing the Code Integrity related event logs.
• In addition to the Code Integrity logs, now AppLocker logs are also processed by the WDACConfig module. This allows it to capture and create rules for blocked/audited MSI files as well.
• Bumped the required PowerShell version from 7.4.1 to 7.4.2 because it has WDAC related improvements.
• Fixed this issue: #225

PR: #218

Harden Windows Security Module v.0.3.8

What's New

• Toast Notification is now displayed upon completion of operation when using the GUI to operate the Harden Windows Security module and script.
• Improved the logging style when using the GUI, both in the log file and the displayed logs on the GUI.
• Added a new parameter -OnlyCountryIPBlockingFirewallRules to the Unprotect-WindowsSecurity cmdlet. It allows you to only remove the country IP blocking firewall rules without removing anything else.
• Overall code improvements

PR: #235

Harden Windows Security Module v.0.3.7

What's Changed

This update is in response to the changes made today to the Windows Boot Manager revocations for Secure Boot in this blog post.

You can find all of the necessary information in that post.

To Summarize:

1. The procedures required to apply the Windows Boot Manager revocations for Secure Boot changes have changed significantly and the current category that applies them has been removed.
2. The new procedures are very extensive and require lots of work that might have adverse effect if automated at this point in time. According to the post, it requires new updated bootable media which haven't been released yet by Microsoft. It would also trigger BitLocker's recovery screen so user would need to keep the 48-digit recovery code accessible during the procedure.
3. Microsoft is planning to apply these changes automatically in the future through Windows Update.
4. Once updated bootable media (ISO files) have been released by Microsoft on July 9, 2024, I'll re-evaluate the procedures as to whether add automation for them in the Harden Windows Security Module or not.

As always, make sure you're using the latest version of the OS to stay safe and secure with the latest patches.

Today's patch Tuesday update:
https://support.microsoft.com/en-gb/topic/april-9-2024-kb5036893-os-builds-22621-3447-and-22631-3447-a674a67b-85f5-4a40-8d74-5f8af8ead5bb

Related discussion announcement: #230

FAQ

• Q: What about the old procedure?

• A: If you applied the old procedure either manually by following the official article or using the Harden Windows Security module, then you're good to go and don't need to make any more changes. If you never applied the mitigations, you can read the article and see if you want to follow it and apply the new mitigations manually, or just wait until they are automatically applied to your device in the near future through Windows Update.

PR: #229

Harden Windows Security Module v.0.3.6

What's New

GUI (Graphical User Interface)

• The Harden Windows Security Module (and script) now feature a user-friendly Graphical User Interface (GUI). This allows users the flexibility to apply security hardening measures through either the traditional Command Line Interface (CLI) or the intuitive new GUI, catering to both advanced users and those who prefer a more visual approach.

• This version aims to be more informative and engaging, emphasizing the added convenience and user choice.

• The GUI was created with accessibility in mind. It is responsive and does not need any dependency or additional files. You can even run it fileless by using the GitHub link from this repository and pasting it on your PowerShell console.

• If you have any feedbacks, feel free to open new issues, I already have some improvements in mind that will be introduced in later versions of the module.

• The GUI works for both offline and online modes

YouTube Video & Demo

Link: https://youtu.be/a8YbihowTVg

How To Launch The GUI

Protect-WindowsSecurity -GUI

Other Changes

• Added a file picker GUI for the LogPath parameter of the Protect-WindowsSecurity cmdlet.

PR: #221

Harden Windows Security Module v.0.3.5

What's Changed

• Set Block use of copied or impersonated system tools Attack Surface Reduction rule to Warn and block instead of block. In this mode, it will block the action but display a notification toast allowing you to unblock the action if you want. It's in preview state so this change should allow you to have more control over its operation in case it inadvertently blocks a process. If you want to apply this new change just run the ASR category again.

  • The compliance checking marks this ASR rule as compliant if it's either in warn & block or block mode.

Thanks to @agpt8 for the post about this.

PR: #220

WDACConfig module update v0.3.5

What's Changed

• Improved SignTool.exe path acquisition logic.
• Fixed a bug where multiple deployed policies triggered the same event log to be generated multiple times and one of the internal functions couldn't properly find the correct one.
• Removed the temporary measure introduced in the previous release where the user configurations file would automatically be moved to the new location. More info in the previous release note.

PR: #211

Harden Windows Security Module v.0.3.4

What's Changed

New ASR Rules - Attack Surface Reduction

• Block use of copied or impersonated system tools
• Block rebooting machine in Safe Mode

Other Changes

• Removed enablement of VirtualMachinePlatform from the Optional Windows Features category since WSA is deprecated.

PR: #212