Harden-Windows-Security-Module - dcasota/Lenovo83BY GitHub Wiki

I came across a tool called Harden-Windows-Security-Module which does exactly what it says.

Here is the GitHub repository: https://github.com/HotCakeX/Harden-Windows-Security.

Simply install it with Install-Module -Name 'Harden-Windows-Security-Module' -Force. The module does not expose many commands, but the ones it has are quite powerful.

get-command -module 'Harden-Windows-Security-Module'

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Function        Confirm-SystemCompliance                           0.7.4      Harden-Windows-Security-Module
Function        LoadHardenWindowsSecurityNecessaryDLLsInternal     0.7.4      Harden-Windows-Security-Module
Function        Protect-WindowsSecurity                            0.7.4      Harden-Windows-Security-Module
Function        ReRunTheModuleAgain                                0.7.4      Harden-Windows-Security-Module
Function        Unprotect-WindowsSecurity                          0.7.4      Harden-Windows-Security-Module
Function        Update-HardenWindowsSecurity                       0.7.4      Harden-Windows-Security-Module

First, I only wanted a summary of the system compliance (objects only), because my assumption was that the laptop was already quite safe.

Confirm-SystemCompliance -ShowAsObjectsOnly

                        Key Value
                        --- -----
          MicrosoftDefender {Boot Configuration Data (BCD) No-eXecute (NX) Value, Mandatory ASLR, Process Mitigations …
AttackSurfaceReductionRules {26190899-1602-49e8-8b27-eb1d0a1ce869, d1e49aac-8f56-4280-b9ba-993a6d77406c, b2b3f03d-6a65…
          BitLockerSettings {DMA protection, Hibernate is set to full, Secure OS Drive encryption, DisallowStandardUse…
                TLSSecurity {ECC Curves and their positions, Configure the correct TLS Cipher Suites, DisabledByDefaul…
                 LockScreen {Digits, LowercaseLetters, Expiration, History…}
         UserAccountControl {HideFastUserSwitching, UAC: Behavior of the elevation prompt for administrators in Admin …
                DeviceGuard {EnableVirtualizationBasedSecurity, RequirePlatformSecurityFeatures, HypervisorEnforcedCod…
            WindowsFirewall {Network Location of all connections set to Public, mDNS UDP-In Firewall Rules are disable…
    OptionalWindowsFeatures {PowerShell v2 is disabled, PowerShell v2 Engine is disabled, Work Folders client is disab…
          WindowsNetworking {EnableNetbios, DisableSmartNameResolution, EnableMulticast, DisableHTTPPrinting…}
MiscellaneousConfigurations {All users are part of the Hyper-V Administrators group, Audit policy for Other Logon/Logo…
WindowsUpdateConfigurations {Allow updates to be downloaded automatically over metered connections, Automatically down…
  EdgeBrowserConfigurations {BlockThirdPartyCookies, DnsOverHttpsMode, AutomaticHttpsDefault, EncryptedClientHelloEnab…
           NonAdminCommands {HideFileExt, Hidden, HttpAcceptLanguageOptOut, SafeSearchMode…}
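The objects-only output is easier to work with than the truncated table above. The following script is an added example, not part of this page or of the Harden-Windows-Security project: it flattens the per-category collections into one row per check, prints a per-category score, saves a JSON snapshot, and, when given an earlier snapshot, reports which checks changed compliance state (for example before and after Protect-WindowsSecurity). It assumes that Confirm-SystemCompliance -ShowAsObjectsOnly returns a dictionary-like object (Key = category, Value = collection of checks) and that each check exposes the FriendlyName, Compliant and Value properties shown in the detailed report below; the snapshot path is a constructed default.

```powershell
# Added example (not from the original page or the Harden-Windows-Security project).
# Assumption: Confirm-SystemCompliance -ShowAsObjectsOnly returns a dictionary-like object
# (Key = category name, Value = collection of checks) and each check exposes the
# FriendlyName, Compliant and Value properties seen in the detailed report.
param(
    # Where this run's snapshot is written (constructed default path; adjust as needed)
    [string]$SnapshotPath = "$env:USERPROFILE\compliance-$(Get-Date -Format 'yyyyMMdd-HHmm').json",
    # Optional earlier snapshot to compare against (e.g. taken before hardening)
    [string]$BaselinePath
)

Import-Module -Name 'Harden-Windows-Security-Module' -ErrorAction Stop

$report = Confirm-SystemCompliance -ShowAsObjectsOnly

# Flatten category -> checks into one row per check.
# "-eq $true" works whether Compliant arrives as a [bool] or as the string "True"/"False";
# a plain [bool] cast would turn the string "False" into $true.
$rows = foreach ($entry in $report.GetEnumerator()) {
    foreach ($item in $entry.Value) {
        [pscustomobject]@{
            Category     = [string]$entry.Key
            FriendlyName = [string]$item.FriendlyName
            Compliant    = ($item.Compliant -eq $true)
            Value        = [string]$item.Value
        }
    }
}

# Per-category score, weakest categories first
$rows |
    Group-Object -Property Category |
    ForEach-Object {
        $passed = @($_.Group | Where-Object { $_.Compliant }).Count
        [pscustomobject]@{
            Category  = $_.Name
            Compliant = $passed
            Total     = $_.Count
            Percent   = [math]::Round(100 * $passed / $_.Count, 1)
        }
    } |
    Sort-Object -Property Percent, Category |
    Format-Table -AutoSize | Out-Host

$total  = $rows.Count
$passed = @($rows | Where-Object { $_.Compliant }).Count
Write-Host "Overall: $passed of $total checks compliant"

# Persist this run so a later run can be diffed against it
$rows | ConvertTo-Json -Depth 3 | Set-Content -Path $SnapshotPath -Encoding UTF8
Write-Host "Snapshot written to $SnapshotPath"

# Diff against a baseline: which checks changed compliance state between the two runs?
if ($BaselinePath -and (Test-Path -Path $BaselinePath)) {
    $baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    $before = @{}
    foreach ($b in $baseline) {
        $before["$($b.Category)|$($b.FriendlyName)"] = ($b.Compliant -eq $true)
    }

    $changed = foreach ($r in $rows) {
        $key = "$($r.Category)|$($r.FriendlyName)"
        if ($before.ContainsKey($key) -and $before[$key] -ne $r.Compliant) {
            [pscustomobject]@{
                Category     = $r.Category
                FriendlyName = $r.FriendlyName
                Before       = $before[$key]
                After        = $r.Compliant
            }
        }
    }

    if ($changed) {
        Write-Host "Checks whose compliance state changed since $BaselinePath :"
        $changed | Sort-Object -Property Category, FriendlyName | Format-Table -AutoSize | Out-Host
    } else {
        Write-Host "No compliance state changes compared with $BaselinePath"
    }
}
```

Run it once before hardening to create the baseline, then again afterwards with -BaselinePath pointing at the first snapshot; checks that flipped from False to True (or back) are listed explicitly instead of being read off two long reports.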

Here are the details. I was surprised how well the tool presented the findings.

Confirm-SystemCompliance
Performing Compliance Check... [Running                                                                              ]

-------------Microsoft Defender Category-------------
FriendlyName                                                                             Compliant Value
------------                                                                             --------- -----
Boot Configuration Data (BCD) No-eXecute (NX) Value                                      False     0
Mandatory ASLR                                                                           False     NOTSET
Process Mitigations for: msedge.exe                                                      False     N/A
Process Mitigations for: explorer.exe                                                    False     N/A
Process Mitigations for: vmcompute.exe                                                   False     N/A
Process Mitigations for: vmwp.exe                                                        False     N/A
Process Mitigations for: QuickAssist.exe                                                 False     N/A
Process Mitigations for: Acrobat.exe                                                     False     ForceRelocateImages
Process Mitigations for: OneDrive.exe                                                    False     N/A
Process Mitigations for: EXCEL.EXE                                                       False     ForceRelocateImages
Process Mitigations for: MSACCESS.EXE                                                    False     ForceRelocateImages
Process Mitigations for: MSPUB.EXE                                                       False     ForceRelocateImages
Process Mitigations for: ONENOTE.EXE                                                     False     ForceRelocateImages
Process Mitigations for: OUTLOOK.EXE                                                     False     ForceRelocateImages
Process Mitigations for: POWERPNT.EXE                                                    False     ForceRelocateImages
Process Mitigations for: WINWORD.EXE                                                     False     ForceRelocateImages
Process Mitigations for: lsass.exe                                                       False     N/A
Process Mitigations for: SmartScreen.exe                                                 False     N/A
Process Mitigations for: Regsvr32.exe                                                    False     N/A
Process Mitigations for: WindowsSandbox.exe                                              False     N/A
Process Mitigations for: WindowsSandboxClient.exe                                        False     N/A
Process Mitigations for: RuntimeBroker.exe                                               False     DisableExtensionPoints
Process Mitigations for: msedgewebview2.exe                                              False     N/A
Process Mitigations for: csrss.exe                                                       False     N/A
Process Mitigations for: services.exe                                                    False     N/A
Process Mitigations for: rundll32.exe                                                    False     N/A
Process Mitigations for: SMSS.exe                                                        False     N/A
Process Mitigations for: Wininit.exe                                                     False     N/A
Process Mitigations for: NisSrv.exe                                                      False     N/A
Process Mitigations for: AppControlManager.exe                                           False     N/A
Fast weekly Microsoft recommended driver block list update                               False     False
Microsoft Defender Platform Updates Channel                                              False     NotConfigured
Microsoft Defender Engine Updates Channel                                                False     NotConfigured
Allow Switch To Async Inspection                                                         True      True
OOBE Enable Rtp And Sig Update                                                           False     False
Intel TDT Enabled                                                                        False     False
Smart App Control State                                                                  False     Off
Controlled Folder Access                                                                 True      1
Enable Restore Point scanning                                                            False     False
Performance Mode Status                                                                  False     1
Enable Convert Warn To Block                                                             False     False
BruteForce Protection Aggressiveness                                                     False     N/A
BruteForce Protection Max Block Time                                                     True      0
BruteForce Protection Configured State                                                   False     0
Remote Encryption Protection Max Block Time                                              True      0
Remote Encryption Protection Aggressiveness                                              False     0
Remote Encryption Protection Configured State                                            False     0
Cloud Block Level                                                                        False     0
Email Scanning                                                                           False     False
Send file samples when further analysis is required                                      False     1
Join Microsoft MAPS (aka SpyNet)                                                         True      2
File Hash Computation                                                                    False     False
Extended cloud check (Seconds)                                                           False     0
Detection for potentially unwanted applications                                          True      1
Catchup Quick Scan                                                                       False     False
Check For Signatures Before Running Scan                                                 False     False
Enable Network Protection                                                                False     0
Interval to check for security intelligence updates                                      False     0
Allows Microsoft Defender Antivirus to update over a metered connection                  False     False
Severe Threat level default action = Remove                                              False     0
High Threat level default action = Remove                                                False     0
Moderate Threat level default action = Quarantine                                        False     0
Low Threat level default action = Quarantine                                             False     0
Optional Diagnostic Data Required for Smart App Control etc.                             False
Configure diagnostic data opt-in settings user interface                                 False
Enhanced Phishing Protection                                                             False
Enhanced Phishing Protection: Notify Unsafe App                                          False
Enhanced Phishing Protection: Notify Password Reuse                                      False
Enhanced Phishing Protection: Notify Malicious                                           False
Enhanced Phishing Protection: Capture Threat Window                                      False
Purge Items After Delay                                                                  False
Maximum size of downloaded files and attachments to be scanned                           False
Scanning Mapped Network Drives For Full Scan                                             False
Scanning Network Files                                                                   False
Removable Drive Scanning                                                                 False
Reparse Point Scanning                                                                   False
Maximum depth to scan archive files                                                      False
Check for the latest virus and spyware security intelligence on startup                  False
Define the number of days before virus security intelligence is considered out of date   False
Define the number of days before spyware security intelligence is considered out of date False
Block At First Sight                                                                     False
Brute Force Protection Local Network Blocking State                                      False     False
ECS is enabled in Microsoft Defender                                                     False     False


-------------Attack Surface Reduction Rules Category-------------

FriendlyName                                                                                     Compliant Value
------------                                                                                     --------- -----
Block Office communication application from creating child processes                             False     0
Block process creations originating from PSExec and WMI commands                                 False     0
Block untrusted and unsigned processes that run from USB                                         False     0
Block Win32 API calls from Office macros                                                         False     0
Block Adobe Reader from creating child processes                                                 False     0
Block Office applications from creating executable content                                       False     0
Block all Office applications from creating child processes                                      False     0
Block credential stealing from the Windows local security authority subsystem (lsass.exe)        False     0
Block executable content from email client and webmail                                           False     0
Block executable files from running unless they meet a prevalence; age or trusted list criterion False     0
Block execution of potentially obfuscated scripts                                                False     0
Block persistence through WMI event subscription                                                 False     0
Block Office applications from injecting code into other processes                               False     0
Block abuse of exploited vulnerable signed drivers                                               False     0
Use advanced protection against ransomware                                                       False     0
Block JavaScript or VBScript from launching downloaded executable content                        False     0
Block rebooting machine in Safe Mode                                                             False     0
Block use of copied or impersonated system tools                                                 False     0
Block Webshell creation for Servers                                                              False     0


-------------Bitlocker Category Category-------------

FriendlyName                                                                                 Compliant Value
------------                                                                                 --------- -----
DMA protection                                                                               True      True
Hibernate is set to full                                                                     False     False
Secure OS Drive encryption                                                                   False     False
Disallow Standard User PIN Reset                                                             False
Require additional authentication at startup                                                 False
Don't allow Bitlocker without TPM                                                            False
Don't Allow using TPM alone                                                                  False
Allow using TPM + PIN                                                                        False
Allow using TPM + key                                                                        False
Allow using TPM + Startup Key + PIN                                                          False
Correct Encryption method for OS drive                                                       False
Correct Encryption method for fixed data drives                                              False
Correct Encryption method for removable drives                                               False
Use Enhanced PIN                                                                             False
Full disk encryption for OS drive                                                            False
Full disk encryption for removable drives                                                    False
Prevent access to BitLocker-protected removable data drives from earlier versions of Windows False
Do not install BitLocker To Go Reader on FAT formatted removable drives                      False
Configure minimum PIN length for startup                                                     False
Disallow standby states (S1-S3) when sleeping (plugged in)                                   False
Disallow standby states (S1-S3) when sleeping (on battery)                                   False
Show Hibernate Option                                                                        False


-------------TLS Category-------------

FriendlyName                                 Compliant Value
------------                                 --------- -----
ECC Curves and their positions               False     curve25519, NistP256, NistP384
Configure the correct TLS Cipher Suites      False     False
Disable TLS 1.0 client - Disabled By Default False
Disable TLS 1.0 client - Enabled             False
Disable TLS 1.0 server - Disabled By Default False
Disable TLS 1.0 server - Enabled             False
Disable TLS 1.1 client - Disabled By Default False
Disable TLS 1.1 client - Enabled             False
Disable TLS 1.1 server - Disabled By Default False
Disable TLS 1.1 server - Enabled             False
Disable NULL Cipher Suite                    False
Disable 56/56 Cipher Suite                   False
Disable 40/128 Cipher Suite                  False
Disable RC2 56/128 Cipher Suite              False
Disable RC2 128/128 Cipher Suite             False
Disable RC4 40/128 Cipher Suite              False
Disable RC4 56/128 Cipher Suite              False
Disable RC4 64/128 Cipher Suite              False
Disable RC4 128/128 Cipher Suite             False
Disable Triple DES 168 Cipher Suite          False
Disable MD5 Hashing Algorithm                False


-------------Lock Screen Category-------------

FriendlyName                                                           Compliant Value
------------                                                           --------- -----
Require digits in Windows Hello PIN                                    False
Require lower case letters in Windows Hello PIN                        False
Set Expiration for Windows Hello PIN                                   False
Save history of Windows Hello PIN                                      False
Don't Display Network Selection UI on lock screen                      False
Machine inactivity limit                                               False
Interactive logon: Do not require CTRL+ALT+DEL                         False
Interactive logon: Machine account lockout threshold                   False
Interactive logon: Display user information when the session is locked False
Interactive logon: Don't display username at sign-in                   False
Account lockout threshold                                              False     10
Account lockout duration                                               False     10
Reset account lockout counter after                                    False     10
Interactive logon: Don't display last signed-in                        False


-------------User Account Control Category-------------

FriendlyName                                                                                                                                 Compliant Value
------------                                                                                                                                 --------- -----
Hide Fast User Switching entry points                                                                                                        False
UAC: Behavior of the elevation prompt for administrators in Admin Approval Mode: Prompt for Consent on the Secure Desktop                    False
UAC: Behavior of the elevation prompt for standard users: Prompt for Credentials on the Secure Desktop                                       False
UAC: Only elevate executables that are signed and Validated                                                                                  False
UAC: Behavior of the elevation prompt for administrators in Enhanced Privilege Protection Mode: Prompt for Credentials on the Secure Desktop False
UAC: The type of Admin Approval Mode to be Admin Approval Mode with enhanced privilege protection                                            False


-------------Device Guard Category-------------

FriendlyName                                                            Compliant Value
------------                                                            --------- -----
Enable Virtualization Based Security                                    False     False
Require Platform Security Features                                      True      VBS with Secure Boot
Hypervisor Enforced Code Integrity - UEFI Lock                          False     False
Require HVCI MAT (Memory Attribute Table)                               True      True
Credential Guard Configuration - UEFI Lock                              False     False
System Guard Launch                                                     False     False
Configure Kernel Shadow Stacks Launch                                   False
Enable Local Security Authority (LSA) process Protection with UEFI Lock False     2
Configure Machine Identity Isolation Configuration                      False
Enable VBS and Memory Integrity in Mandatory Mode                       False


-------------Windows Firewall Category-------------

FriendlyName                                      Compliant Value
------------                                      --------- -----
Network Location of all connections set to Public True      True
mDNS UDP-In Firewall Rules are disabled           False     False
Enable Windows Firewall for Public profile        False
Display notifications for Public profile          False
Configure Log file size for Public profile        False
Log blocked connections for Public profile        False
Configure Log file path for Public profile        False
Enable Windows Firewall for Private profile       False
Display notifications for Private profile         False
Configure Log file size for Private profile       False
Log blocked connections for Private profile       False
Configure Log file path for Private profile       False
Enable Windows Firewall for Domain profile        False
Set Default Outbound Action for Domain profile    False
Set Default Inbound Action for Domain profile     False
Block all Domain profile connections              False
Configure Log file path for domain profile        False
Configure Log file size for domain profile        False
Log blocked connections for domain profile        False
Log successful connections for domain profile     False


-------------Optional Windows Features Category-------------

FriendlyName                                                 Compliant Value
------------                                                 --------- -----
PowerShell v2 is disabled                                    False     Enabled
PowerShell v2 Engine is disabled                             False     Enabled
Work Folders client is disabled                              False     Enabled
Internet Printing Client is disabled                         False     Enabled
Windows Media Player (legacy) is disabled                    False     Installed
Microsoft Defender Application Guard is not present          True      Unknown
Windows Sandbox is enabled                                   False     Disabled
Hyper-V is enabled                                           True      Enabled
WMIC is not present                                          False     Installed
Internet Explorer mode functionality for Edge is not present False     Installed
Legacy Notepad is not present                                False     Installed
WordPad is not present                                       True      Unknown
PowerShell ISE is not present                                False     Installed
Steps Recorder is not present                                False     Installed
VBSCRIPT is not present                                      False     Installed


-------------Windows Networking Category-------------

FriendlyName                                                    Compliant Value
------------                                                    --------- -----
Disable Netbios                                                 False
Disable Smart Name Resolution                                   False
Disable Multicast                                               False
Disable HTTP Printing                                           False
Disable Web PnP Download                                        False
Enable SMB Server Over QUIC                                     False
Enable SMB Client Over QUIC                                     False
SMB Server Cipher Suite Order                                   False
SMB Client Cipher Suite Order                                   False
Sets the minimum SMB server version                             False
Sets the minimum SMB client version                             False
Blocks NTLM for SMB                                             False
Requires encryption for SMB client                              False
Disable LMHOSTS lookup protocol on all network adapters         False     1
Enable SMB Server Encryption                                    False
Network access: Remotely accessible registry paths              False     7,System\CurrentControlSet\Control\ProductOptions,System\CurrentControlSet\Control\Server Applications,Software\Microsoft\Windows NT\Cu…
Network access: Remotely accessible registry paths and subpaths False     7,System\CurrentControlSet\Control\Print\Printers,System\CurrentControlSet\Services\Eventlog,Software\Microsoft\OLAP Server,Software\Mi…


-------------Miscellaneous Category-------------

FriendlyName                                                                          Compliant Value
------------                                                                          --------- -----
All users are part of the Hyper-V Administrators group                                False     False
Audit policy for Other Logon/Logoff Events                                            False     NotConfigured
Disable Location                                                                      False
Include command line in process creation events                                       False
Disable Location Scripting                                                            False
Disable Windows Location Provider                                                     False
Enable RPC Endpoint Mapper Client Authentication                                      False
Enable Svchost Mitigation                                                             False
Boot-Start Driver Initialization Policy set to Good only                              False
Request claims and compound authentication for DAC and Kerberos armoring              False
Enable Windows Protected Print                                                        False
Enable support for long paths                                                         False     0
Enable enhanced search in Window                                                      False
Set Microsoft Edge (Stable) to update over Metered connections                        False
Set Microsoft Edge (Beta) to update over Metered connections                          False
Set Microsoft Edge (Dev) to update over Metered connections                           False
WinVerifyTrust Signature Validation part 1                                            False
WinVerifyTrust Signature Validation part 2                                            False
System Cryptography: Force strong key protection for user keys stored on the computer False
SSH Secure MACs                                                                       False     False


-------------Windows Update Category-------------

FriendlyName                                                                                      Compliant Value
------------                                                                                      --------- -----
Allow updates to be downloaded automatically over metered connections                             False
Automatically download updates and install them on maintenance day                                False
Install updates for other Microsoft products                                                      False
Enable features introduced via servicing that are off by default                                  False
Specify the number of days before feature updates are installed on devices automatically          False
Specify the number of days before quality updates are installed on devices automatically          False
Number of days before quality updates are installed on devices automatically                      False
Number of grace period days before quality updates are installed on devices automatically         False
Number of days before feature updates are installed on devices automatically                      False
Number of grace period days before feature updates are installed on devices automatically         False
Set the computer to receive security updates and other important downloads through Windows update False
Install updates during automatic maintenance                                                      False
Set scheduled install day to every day                                                            False
Set scheduled install time to any time                                                            False
Enable restart notification for Windows update                                                    False


-------------Microsoft Edge Category-------------

FriendlyName                                                                            Compliant Value
------------                                                                            --------- -----
Block 3rd party cookies                                                                 False
Set Dns Over Https Mode to use system DoH settings                                      False
Automatically upgrade HTTP connections to HTTPS                                         False
Enable Encrypted Client Hello                                                           False
Block Basic authentication for HTTP                                                     False
Allow Edge to receive new features even after using policies                            False
Enforces the audio process to run sandboxed                                             False
Recommends that the share additional operating system region setting to be set to never False
Disable TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - (CBC - SHA1)                               False
Disable TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - (CBC - SHA1)                               False
Disable TLS_RSA_WITH_AES_256_CBC_SHA - (NO PFS - CBC - SHA1)                            False
Disable TLS_RSA_WITH_AES_128_CBC_SHA - (NO PFS - CBC - SHA1)                            False
Disable TLS_RSA_WITH_AES_128_GCM_SHA256 - (NO PFS)                                      False
Disable TLS_RSA_WITH_AES_256_GCM_SHA384 - (NO PFS)                                      False
Never disable Manifest V2 extension support                                             False
Never let websites ask to access local USB connected devices                            False
Denies the Window Management permission on all sites by default                         False
Prevent the browser process from creating dynamic code                                  False


-------------Non-Admin Category-------------

FriendlyName                                                       Compliant Value
------------                                                       --------- -----
Show File extensions                                               False     1
Show hidden files                                                  False     2
Disable websites accessing local language list                     False
Turn off safe search in Windows search                             False
Enable Clipboard History                                           False
Turn on Show text suggestions when typing on the physical keyboard False
Turn on Multilingual text suggestions                              False
Turn off sticky key shortcut of pressing shift key 5 time fast     False     510
Disables show reminders and incoming VoIP calls on the lock screen False


Your compliance score is 13 out of 289!