Harden Windows Security Module v0.4.6 #289
Merged
What's New
The Downloads Defense Measures category now has an optional sub-category that allows you to choose a new type of WDAC policy to deploy automatically. This policy blocks dangerous and very old components on Windows. Please read this post for all the info about them.
Some 3rd party programs might still attempt to use these. Remember that you can easily remove the policy using the Unprotect-WindowsSecurity command at any time.
The components blocked by this optional WDAC policy are:
Improved the overall performance and speed of the Harden Windows Security module through internal reconstruction.
Added a new Attack Surface Reduction rule: Block Webshell creation for Servers to the ASR Category.
Changed the Attack Surface Reduction rule "Block executable files from running unless they meet a prevalence, age, or trusted list criterion" from Block to Block and Warn, which means it will allow the System Administrator to allow the blocked file or app if they wish to, without the need to use the Group Policy editor. This should make it easier for developers or people that want to install newly released versions of programs before their reputation is determined by the system. This doesn't change the threat model whatsoever, since you still need to have Administrator privileges to allow a blocked app, just like you need Administrator privileges to change the group policies.
Changed the Clipboard syncing in the Non-Admin category to be an optional sub-category instead of applying by default in that category.
The Confirm-SystemCompliance command now takes into account the type of the registry keys too when performing compliance checks. When the registry key path, name and value match but the type doesn't match (e.g., the module expects a DWORD but the value is a QWORD or String), then that item will be shown as false. This further improves the accuracy and trustworthiness of the results.
The Microsoft Defender category now detects when GitHub Desktop or Git (standalone version) is installed and automatically adds their executables to the exceptions for mandatory ASLR, as they are not compatible. More info here. Was also mentioned in this issue.