2025-12-08 10:32:49 +01:00
function Invoke-AdvancedSecurity {
<#
. SYNOPSIS
Apply Advanced Security hardening based on selected profile
. DESCRIPTION
Applies advanced security hardening settings beyond Microsoft Security Baseline .
Features 3 profiles :
2025-12-09 06:59:57 +01:00
- Balanced : Safe defaults for home users and workstations
2025-12-08 10:32:49 +01:00
- Enterprise : Conservative approach with domain-safety checks
- Maximum : Maximum hardening for air-gapped / high-security environments
2025-12-20 23:08:01 +01:00
Features implemented ( v2 . 2 . 1 ) :
2025-12-08 10:32:49 +01:00
- RDP NLA enforcement + optional complete disable
- WDigest credential protection
- Administrative shares disable ( domain-aware )
- Risky firewall ports closure ( LLMNR , NetBIOS , UPnP / SSDP )
- Risky network services stop
- Legacy TLS 1.0 / 1.1 disable
- WPAD auto-discovery disable
- PowerShell v2 removal
. PARAMETER SecurityProfile
Security profile to apply :
2025-12-09 06:59:57 +01:00
- Balanced : Safe for home users and workstations ( default )
2025-12-08 10:32:49 +01:00
- Enterprise : Safe for corporate environments
- Maximum : Maximum hardening for air-gapped systems
. PARAMETER DisableRDP
Completely disable Remote Desktop Protocol ( bypasses interactive prompt for Home profile , AirGapped always disables )
. PARAMETER Force
Force operations that are normally skipped ( e . g . , admin shares on domain-joined systems )
. PARAMETER WhatIf
Show what would be changed without actually applying changes
. PARAMETER SkipBackup
Skip backup creation ( NOT RECOMMENDED ! )
. PARAMETER DryRun
Preview changes without applying them ( alias for WhatIf )
. EXAMPLE
2025-12-09 06:59:57 +01:00
Invoke-AdvancedSecurity -SecurityProfile Balanced
2025-12-08 10:32:49 +01:00
Applies safe hardening for home users
. EXAMPLE
Invoke-AdvancedSecurity -SecurityProfile Enterprise -WhatIf
Preview changes for enterprise environment
. EXAMPLE
Invoke-AdvancedSecurity -SecurityProfile Maximum -DisableRDP -Force
Maximum hardening with RDP disable for air-gapped system
#>
[ CmdletBinding ( SupportsShouldProcess = $true ) ]
param (
[ Parameter ( Mandatory = $false ) ]
[ ValidateSet ( 'Balanced' , 'Enterprise' , 'Maximum' ) ]
[ string ] $SecurityProfile = 'Balanced' ,
[ Parameter ( Mandatory = $false ) ]
[ switch ] $DisableRDP ,
[ Parameter ( Mandatory = $false ) ]
[ switch ] $Force ,
[ Parameter ( Mandatory = $false ) ]
[ switch ] $DryRun ,
[ Parameter ( Mandatory = $false ) ]
[ switch ] $SkipBackup
)
try {
Write-Host " "
Write-Host " ======================================== " -ForegroundColor Cyan
Write-Host " ADVANCED SECURITY MODULE " -ForegroundColor Cyan
Write-Host " ======================================== " -ForegroundColor Cyan
Write-Host " "
if ( -not ( [ Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity ] :: GetCurrent ( ) ) . IsInRole ( [ Security.Principal.WindowsBuiltInRole ] :: Administrator ) ) {
Write-Host " ERROR: Administrator rights required! " -ForegroundColor Red
Write-Host " Please run this script as Administrator. " -ForegroundColor Yellow
Write-Host " "
return [ PSCustomObject ] @ {
Success = $false
ErrorMessage = " Administrator rights required "
}
}
# Detect Domain membership EARLY for better recommendations
$computerSystem = Get-CimInstance -ClassName Win32_ComputerSystem
$isDomainJoined = $computerSystem . PartOfDomain
# Profile Selection - NonInteractive or Interactive
if ( -not $PSBoundParameters . ContainsKey ( 'SecurityProfile' ) ) {
if ( Test-NonInteractiveMode ) {
# NonInteractive mode (GUI) - use config value
2025-12-09 06:59:57 +01:00
$SecurityProfile = Get-NonInteractiveValue -Module " AdvancedSecurity " -Key " securityProfile " -Default " Balanced "
2025-12-08 10:32:49 +01:00
Write-NonInteractiveDecision -Module " AdvancedSecurity " -Decision " Security Profile " -Value $SecurityProfile
}
else {
# Interactive mode
Write-Host " ======================================== " -ForegroundColor Yellow
Write-Host " SECURITY PROFILE SELECTION " -ForegroundColor Yellow
Write-Host " ======================================== " -ForegroundColor Yellow
Write-Host " "
# Show domain status if applicable
if ( $isDomainJoined ) {
Write-Host " SYSTEM STATUS: Domain-joined " -ForegroundColor Yellow
Write-Host " Domain: $( $computerSystem . Domain ) " -ForegroundColor Gray
Write-Host " "
}
Write-Host " Choose your security profile: " -ForegroundColor White
Write-Host " "
Write-Host " [1] Balanced " -ForegroundColor $ ( if ( -not $isDomainJoined ) { " Cyan " } else { " White " } )
Write-Host " - For: Home users, standalone workstations " -ForegroundColor Gray
Write-Host " - All security features enabled " -ForegroundColor Gray
Write-Host " - Domain-aware admin shares (asks on domain systems) " -ForegroundColor Gray
if ( -not $isDomainJoined ) {
Write-Host " (Recommended for your system) " -ForegroundColor Cyan
}
Write-Host " "
Write-Host " [2] Enterprise " -ForegroundColor $ ( if ( $isDomainJoined ) { " Cyan " } else { " White " } )
Write-Host " - For: Corporate/managed environments " -ForegroundColor Gray
Write-Host " - Keeps admin shares on domain (for IT management) " -ForegroundColor Gray
Write-Host " - Safe for business networks " -ForegroundColor Gray
if ( $isDomainJoined ) {
Write-Host " (Recommended for your domain system) " -ForegroundColor Cyan
}
Write-Host " "
Write-Host " [3] Maximum " -ForegroundColor White
Write-Host " - For: High-security environments " -ForegroundColor Gray
Write-Host " - Maximum hardening, no compromises " -ForegroundColor Gray
Write-Host " - RDP always disabled, Shields Up enabled " -ForegroundColor Gray
Write-Host " "
$defaultChoice = if ( $isDomainJoined ) { '2' } else { '1' }
2025-12-09 07:16:50 +01:00
do {
$profileChoice = Read-Host " Select profile [1-3] (default: $defaultChoice ) "
if ( [ string ] :: IsNullOrWhiteSpace ( $profileChoice ) ) { $profileChoice = $defaultChoice }
if ( $profileChoice -notin @ ( '1' , '2' , '3' ) ) {
Write-Host " "
Write-Host " Invalid input. Please enter 1, 2, or 3. " -ForegroundColor Red
Write-Host " "
}
} while ( $profileChoice -notin @ ( '1' , '2' , '3' ) )
2025-12-08 10:32:49 +01:00
switch ( $profileChoice ) {
'2' { $SecurityProfile = 'Enterprise' ; Write-Host " " ; Write-Host " Selected: Enterprise " -ForegroundColor Green }
'3' { $SecurityProfile = 'Maximum' ; Write-Host " " ; Write-Host " Selected: Maximum " -ForegroundColor Green }
default { $SecurityProfile = 'Balanced' ; Write-Host " " ; Write-Host " Selected: Balanced " -ForegroundColor Cyan }
}
Write-Log -Level DEBUG -Message " User selected AdvancedSecurity profile: $SecurityProfile " -Module " AdvancedSecurity "
Write-Host " "
}
}
Write-Host " Profile: $SecurityProfile " -ForegroundColor White
Write-Host " "
# Display profile info
switch ( $SecurityProfile ) {
'Balanced' {
Write-Host " For: Home users, workstations " -ForegroundColor White
Write-Host " - RDP disable recommended (asks user, default: disable) " -ForegroundColor Gray
Write-Host " - UPnP/SSDP block recommended (asks user, default: block) " -ForegroundColor Gray
Write-Host " - WDigest, Admin Shares (domain-aware), Legacy TLS, PSv2 " -ForegroundColor Gray
}
'Enterprise' {
Write-Host " For: Corporate environments " -ForegroundColor White
Write-Host " - RDP hardening only (no disable), UPnP blocked " -ForegroundColor Gray
Write-Host " - Admin Shares kept on domain (for IT management) " -ForegroundColor Gray
Write-Host " - WDigest, LLMNR/NetBIOS, Legacy TLS, PSv2 " -ForegroundColor Gray
}
'Maximum' {
Write-Host " For: Air-gapped, high-security systems " -ForegroundColor White
Write-Host " - RDP always disabled (no remote access) " -ForegroundColor Gray
Write-Host " - Admin Shares forced, UPnP blocked, all protocols disabled " -ForegroundColor Gray
Write-Host " - Firewall Shields Up: Block ALL incoming on Public network " -ForegroundColor Gray
Write-Host " - WDigest, LLMNR/NetBIOS, Legacy TLS, PSv2 " -ForegroundColor Gray
}
}
Write-Host " "
# WARNING PROMPT: Inform about breaking changes
Write-Host " ======================================== " -ForegroundColor Yellow
Write-Host " IMPORTANT NOTICES " -ForegroundColor Yellow
Write-Host " ======================================== " -ForegroundColor Yellow
Write-Host " "
Write-Host " This module will apply the following changes: " -ForegroundColor White
Write-Host " "
Write-Host " Security Hardening: " -ForegroundColor Green
Write-Host " + RDP hardening (NLA + SSL/TLS enforcement) " -ForegroundColor Gray
Write-Host " + WDigest protection (credential security) " -ForegroundColor Gray
# Profile-specific protocol blocking info
if ( $SecurityProfile -eq 'Balanced' ) {
Write-Host " + Risky protocols: LLMNR, NetBIOS blocked | UPnP/SSDP (asks user) " -ForegroundColor Gray
}
else {
Write-Host " + Risky protocols blocked (LLMNR, NetBIOS, UPnP/SSDP) " -ForegroundColor Gray
}
Write-Host " "
Write-Host " Potential Breaking Changes: " -ForegroundColor Red
Write-Host " ! PowerShell v2 removal (REBOOT REQUIRED after completion) " -ForegroundColor Yellow
Write-Host " ! Legacy TLS 1.0/1.1 disabled (old devices may fail) " -ForegroundColor Yellow
# Profile-specific UPnP warning
if ( $SecurityProfile -eq 'Balanced' ) {
Write-Host " ! UPnP/SSDP may be blocked (you will be asked for DLNA compatibility) " -ForegroundColor Yellow
}
else {
Write-Host " ! UPnP/SSDP blocked (DLNA media streaming will not work) " -ForegroundColor Yellow
}
Write-Host " ! NetBIOS blocked (\\HOSTNAME\ requires DNS or .local suffix) " -ForegroundColor Yellow
Write-Host " "
Write-Host " Devices that will still work: " -ForegroundColor Cyan
Write-Host " + Network printers (via IP or vendor software) " -ForegroundColor Gray
Write-Host " + NAS devices (via \\IP\ or manual mapping) " -ForegroundColor Gray
Write-Host " + Smart home devices (modern apps use mDNS/Cloud) " -ForegroundColor Gray
Write-Host " + Streaming services (Netflix, YouTube, Spotify, etc.) " -ForegroundColor Gray
Write-Host " "
# Continue confirmation - auto-confirm in NonInteractive mode
if ( -not ( Test-NonInteractiveMode ) ) {
2025-12-09 07:16:50 +01:00
do {
$continueChoice = Read-Host " Continue with hardening? [Y/N] (default: Y) "
if ( [ string ] :: IsNullOrWhiteSpace ( $continueChoice ) ) { $continueChoice = " Y " }
$continueChoice = $continueChoice . ToUpper ( )
if ( $continueChoice -notin @ ( 'Y' , 'N' ) ) {
Write-Host " "
Write-Host " Invalid input. Please enter Y or N. " -ForegroundColor Red
Write-Host " "
}
} while ( $continueChoice -notin @ ( 'Y' , 'N' ) )
2025-12-08 10:32:49 +01:00
2025-12-09 07:16:50 +01:00
if ( $continueChoice -eq 'N' ) {
2025-12-08 10:32:49 +01:00
Write-Host " "
Write-Host " Hardening cancelled by user. " -ForegroundColor Yellow
Write-Host " "
Write-Log -Level WARNING -Message " User cancelled AdvancedSecurity hardening at confirmation prompt " -Module " AdvancedSecurity "
return [ PSCustomObject ] @ {
Success = $false
ErrorMessage = " Cancelled by user "
}
}
}
Write-Host " "
Write-Host " Proceeding with security hardening... " -ForegroundColor Green
Write-Host " "
# Maximum: RDP is ALWAYS disabled (no prompt - air-gapped means no network!)
if ( -not $PSBoundParameters . ContainsKey ( 'DisableRDP' ) -and $SecurityProfile -eq 'Maximum' ) {
$DisableRDP = $true
Write-Log -Level INFO -Message " Profile 'Maximum': RDP will be completely disabled automatically " -Module " AdvancedSecurity "
Write-Host " ======================================== " -ForegroundColor Yellow
Write-Host " REMOTE DESKTOP (RDP) " -ForegroundColor Yellow
Write-Host " ======================================== " -ForegroundColor Yellow
Write-Host " "
Write-Host " RDP will be COMPLETELY DISABLED (Air-gapped system) " -ForegroundColor Red
Write-Host " - No remote access on offline systems " -ForegroundColor Gray
Write-Host " - Hardening applied before disable " -ForegroundColor Gray
Write-Host " "
}
# RDP Complete Disable - NonInteractive or Interactive (Home profile only for interactive)
# NOTE: RDP is ALWAYS hardened (NLA + SSL/TLS), this prompt is only for complete disable
# NonInteractive: ALWAYS read config value (respects user choice in any profile)
# Interactive: Only prompt for Home profile (Enterprise/AirGapped have fixed behavior)
if ( -not $PSBoundParameters . ContainsKey ( 'DisableRDP' ) ) {
if ( Test-NonInteractiveMode ) {
# NonInteractive mode (GUI) - ALWAYS read config value (even for Enterprise)
# This respects explicit user choice in config.json
$configDisableRDP = Get-NonInteractiveValue -Module " AdvancedSecurity " -Key " disableRDP " -Default ( $SecurityProfile -eq 'Balanced' )
$DisableRDP = $configDisableRDP
Write-NonInteractiveDecision -Module " AdvancedSecurity " -Decision " RDP " -Value $ ( if ( $DisableRDP ) { " Disabled " } else { " Hardened only " } )
}
elseif ( $SecurityProfile -eq 'Balanced' ) {
# Interactive mode
Write-Host " ======================================== " -ForegroundColor Yellow
Write-Host " REMOTE DESKTOP (RDP) CONFIGURATION " -ForegroundColor Yellow
Write-Host " ======================================== " -ForegroundColor Yellow
Write-Host " "
Write-Host " RDP is a common target for ransomware and cyber attacks. " -ForegroundColor White
Write-Host " "
Write-Host " Do you want to COMPLETELY DISABLE Remote Desktop (until you manually re-enable it in Settings)? " -ForegroundColor White
Write-Host " "
Write-Host " [Y] YES - Completely disable RDP (Recommended for security) " -ForegroundColor Cyan
Write-Host " - Maximum security - no RDP attack surface " -ForegroundColor Gray
Write-Host " - Recommended for home users who don't use remote access " -ForegroundColor Gray
Write-Host " - Can be re-enabled later if needed " -ForegroundColor Gray
Write-Host " "
Write-Host " [N] NO - Keep RDP hardened and enabled (For remote access) " -ForegroundColor White
Write-Host " - RDP remains usable with strong security " -ForegroundColor Gray
Write-Host " - Network Level Authentication + SSL/TLS enforced " -ForegroundColor Gray
Write-Host " - Useful if you need remote desktop access " -ForegroundColor Gray
Write-Host " "
2025-12-09 07:16:50 +01:00
do {
$rdpChoice = Read-Host " Disable RDP completely? [Y/N] (default: Y) "
if ( [ string ] :: IsNullOrWhiteSpace ( $rdpChoice ) ) { $rdpChoice = " Y " }
$rdpChoice = $rdpChoice . ToUpper ( )
if ( $rdpChoice -notin @ ( 'Y' , 'N' ) ) {
Write-Host " "
Write-Host " Invalid input. Please enter Y or N. " -ForegroundColor Red
Write-Host " "
}
} while ( $rdpChoice -notin @ ( 'Y' , 'N' ) )
2025-12-08 10:32:49 +01:00
2025-12-09 07:16:50 +01:00
if ( $rdpChoice -eq 'N' ) {
2025-12-08 10:32:49 +01:00
$DisableRDP = $false
Write-Host " "
Write-Host " RDP will be HARDENED and kept enabled " -ForegroundColor Cyan
Write-Log -Level INFO -Message " User decision: RDP will be hardened and kept enabled " -Module " AdvancedSecurity "
}
else {
$DisableRDP = $true
Write-Host " "
Write-Host " RDP will be HARDENED and then DISABLED (you can re-enable it later in Settings) " -ForegroundColor Green
Write-Log -Level INFO -Message " User decision: RDP will be hardened then completely disabled " -Module " AdvancedSecurity "
}
Write-Host " "
}
}
# Admin Shares Force (only on domain-joined systems with Home profile) - NonInteractive or Interactive
# Enterprise profile automatically keeps admin shares on domain (no prompt)
if ( -not $PSBoundParameters . ContainsKey ( 'Force' ) -and $isDomainJoined -and $SecurityProfile -eq 'Balanced' ) {
if ( Test-NonInteractiveMode ) {
# NonInteractive mode (GUI) - use config value
$Force = Get-NonInteractiveValue -Module " AdvancedSecurity " -Key " forceAdminShares " -Default $false
Write-NonInteractiveDecision -Module " AdvancedSecurity " -Decision " Admin Shares on domain " -Value $ ( if ( $Force ) { " Disabled (forced) " } else { " Kept " } )
}
else {
# Interactive mode
Write-Host " ======================================== " -ForegroundColor Yellow
Write-Host " ADMIN SHARES CONFIGURATION " -ForegroundColor Yellow
Write-Host " ======================================== " -ForegroundColor Yellow
Write-Host " "
Write-Host " WARNING: This system is DOMAIN-JOINED! " -ForegroundColor Red
Write-Host " "
Write-Host " Domain: $( $computerSystem . Domain ) " -ForegroundColor Gray
Write-Host " "
Write-Host " Admin Shares (C $ , ADMIN $ , IPC $ ) are often used by IT management tools. " -ForegroundColor White
Write-Host " "
Write-Host " Do you want to DISABLE admin shares anyway? " -ForegroundColor White
Write-Host " "
Write-Host " [N] NO - Keep admin shares (Recommended for domain) " -ForegroundColor Cyan
Write-Host " - IT can still manage this computer remotely " -ForegroundColor Gray
Write-Host " - SCCM, PDQ Deploy, PowerShell Remoting work " -ForegroundColor Gray
Write-Host " - Other security features still applied " -ForegroundColor Gray
Write-Host " "
Write-Host " [Y] YES - Disable admin shares anyway " -ForegroundColor White
Write-Host " - Maximum security but may break management tools " -ForegroundColor Gray
Write-Host " - IT cannot access C $ , ADMIN $ remotely " -ForegroundColor Gray
Write-Host " - May require manual intervention from IT " -ForegroundColor Gray
Write-Host " "
2025-12-09 07:16:50 +01:00
do {
$adminShareChoice = Read-Host " Disable admin shares on domain system? [Y/N] (default: N) "
if ( [ string ] :: IsNullOrWhiteSpace ( $adminShareChoice ) ) { $adminShareChoice = " N " }
$adminShareChoice = $adminShareChoice . ToUpper ( )
if ( $adminShareChoice -notin @ ( 'Y' , 'N' ) ) {
Write-Host " "
Write-Host " Invalid input. Please enter Y or N. " -ForegroundColor Red
Write-Host " "
}
} while ( $adminShareChoice -notin @ ( 'Y' , 'N' ) )
2025-12-08 10:32:49 +01:00
2025-12-09 07:16:50 +01:00
if ( $adminShareChoice -eq 'Y' ) {
2025-12-08 10:32:49 +01:00
$Force = $true
Write-Host " "
Write-Host " Admin Shares will be DISABLED (may break IT tools) " -ForegroundColor Red
Write-Log -Level INFO -Message " User decision: Admin shares will be DISABLED on domain system " -Module " AdvancedSecurity "
}
else {
$Force = $false
Write-Host " "
Write-Host " Admin Shares will be KEPT (safe for domain) " -ForegroundColor Cyan
Write-Log -Level INFO -Message " User decision: Admin shares will be KEPT on domain system " -Module " AdvancedSecurity "
}
Write-Host " "
}
}
# UPnP/SSDP Configuration - NonInteractive or Interactive (Home profile only for interactive)
# NonInteractive: ALWAYS read config value (respects user choice in any profile)
# Interactive: Only prompt for Home profile (Enterprise/AirGapped always block)
$DisableUPnP = $true # Default for all profiles
if ( Test-NonInteractiveMode ) {
# NonInteractive mode (GUI) - ALWAYS read config value (even for Enterprise/AirGapped)
# This respects explicit user choice in config.json
$DisableUPnP = Get-NonInteractiveValue -Module " AdvancedSecurity " -Key " disableUPnP " -Default $true
Write-NonInteractiveDecision -Module " AdvancedSecurity " -Decision " UPnP/SSDP " -Value $ ( if ( $DisableUPnP ) { " Blocked " } else { " Allowed " } )
}
elseif ( $SecurityProfile -eq 'Balanced' ) {
# Interactive mode
Write-Host " ======================================== " -ForegroundColor Yellow
Write-Host " UPnP/SSDP CONFIGURATION " -ForegroundColor Yellow
Write-Host " ======================================== " -ForegroundColor Yellow
Write-Host " "
Write-Host " UPnP (Universal Plug and Play) is used by some devices for auto-discovery. " -ForegroundColor White
Write-Host " "
Write-Host " SECURITY RISK: " -ForegroundColor Red
Write-Host " - Port forwarding vulnerabilities (NAT-PMP attacks) " -ForegroundColor Gray
Write-Host " - DDoS amplification attacks " -ForegroundColor Gray
Write-Host " - Network enumeration by attackers " -ForegroundColor Gray
Write-Host " "
Write-Host " WHAT BREAKS: " -ForegroundColor Yellow
Write-Host " ! DLNA Media Streaming (legacy local network discovery) " -ForegroundColor Gray
Write-Host " ! Windows Media Player to TV/receiver " -ForegroundColor Gray
Write-Host " ! Some gaming console auto-discovery features " -ForegroundColor Gray
Write-Host " "
Write-Host " WHAT STILL WORKS: " -ForegroundColor Cyan
Write-Host " + Network printers (use mDNS, not UPnP) " -ForegroundColor Gray
Write-Host " + Media streaming apps (Netflix, YouTube, Spotify, etc.) " -ForegroundColor Gray
Write-Host " + Modern media servers (use app-based access, not DLNA) " -ForegroundColor Gray
Write-Host " + Smart Home apps (Hue, Google, Alexa use mDNS/Cloud) " -ForegroundColor Gray
Write-Host " + Manual IP configuration for any device " -ForegroundColor Gray
Write-Host " "
Write-Host " Do you want to BLOCK UPnP/SSDP for security? " -ForegroundColor White
Write-Host " "
Write-Host " [Y] YES - Block UPnP/SSDP (Recommended for security) " -ForegroundColor Cyan
Write-Host " - Prevents port forwarding attacks " -ForegroundColor Gray
Write-Host " - Blocks DDoS amplification " -ForegroundColor Gray
Write-Host " - DLNA streaming will not work (use modern apps instead) " -ForegroundColor Gray
Write-Host " "
Write-Host " [N] NO - Keep UPnP/SSDP enabled " -ForegroundColor White
Write-Host " - DLNA streaming works " -ForegroundColor Gray
Write-Host " - Gaming console auto-discovery works " -ForegroundColor Gray
Write-Host " - Accepts security risk " -ForegroundColor Gray
Write-Host " "
2025-12-09 07:16:50 +01:00
do {
$upnpChoice = Read-Host " Block UPnP/SSDP? [Y/N] (default: Y) "
if ( [ string ] :: IsNullOrWhiteSpace ( $upnpChoice ) ) { $upnpChoice = " Y " }
$upnpChoice = $upnpChoice . ToUpper ( )
if ( $upnpChoice -notin @ ( 'Y' , 'N' ) ) {
Write-Host " "
Write-Host " Invalid input. Please enter Y or N. " -ForegroundColor Red
Write-Host " "
}
} while ( $upnpChoice -notin @ ( 'Y' , 'N' ) )
2025-12-08 10:32:49 +01:00
2025-12-09 07:16:50 +01:00
if ( $upnpChoice -eq 'N' ) {
2025-12-08 10:32:49 +01:00
$DisableUPnP = $false
Write-Host " "
Write-Host " UPnP/SSDP will be KEPT enabled (DLNA works) " -ForegroundColor Yellow
Write-Log -Level INFO -Message " User decision: UPnP/SSDP will be KEPT enabled " -Module " AdvancedSecurity "
}
else {
$DisableUPnP = $true
Write-Host " "
Write-Host " UPnP/SSDP will be BLOCKED (security hardening) " -ForegroundColor Green
Write-Log -Level INFO -Message " User decision: UPnP/SSDP will be BLOCKED " -Module " AdvancedSecurity "
}
Write-Host " "
}
# Wireless Display Configuration - Optional complete disable
# Default for ALL profiles: Block receiving + Require PIN (always applied)
# Optional: Complete disable (user choice like UPnP)
$DisableWirelessDisplayCompletely = $false # Default: only harden, allow sending
if ( Test-NonInteractiveMode ) {
# NonInteractive mode (GUI) - use config value
$DisableWirelessDisplayCompletely = Get-NonInteractiveValue -Module " AdvancedSecurity " -Key " disableWirelessDisplay " -Default $false
Write-NonInteractiveDecision -Module " AdvancedSecurity " -Decision " Wireless Display " -Value $ ( if ( $DisableWirelessDisplayCompletely ) { " Completely Disabled " } else { " Hardened (sending allowed) " } )
}
else {
# Interactive mode
Write-Host " ======================================== " -ForegroundColor Yellow
Write-Host " WIRELESS DISPLAY (MIRACAST) SECURITY " -ForegroundColor Yellow
Write-Host " ======================================== " -ForegroundColor Yellow
Write-Host " "
Write-Host " Wireless Display allows screen mirroring to TVs/projectors. " -ForegroundColor White
Write-Host " "
Write-Host " DEFAULT HARDENING (always applied): " -ForegroundColor Cyan
Write-Host " + Block receiving projections (PC can't be used as display) " -ForegroundColor Gray
Write-Host " + Require PIN for all pairing (prevents rogue connections) " -ForegroundColor Gray
Write-Host " + Sending to displays STILL WORKS (presentations, TV mirroring) " -ForegroundColor Green
Write-Host " "
Write-Host " SECURITY RISK if not completely disabled: " -ForegroundColor Red
Write-Host " - Attacker in network can set up fake display to capture your screen " -ForegroundColor Gray
Write-Host " - Man-in-the-middle attacks on Miracast traffic (WPS PIN cracking) " -ForegroundColor Gray
Write-Host " - mDNS spoofing for rogue receiver discovery " -ForegroundColor Gray
Write-Host " "
Write-Host " WHAT BREAKS if completely disabled: " -ForegroundColor Yellow
Write-Host " ! Cannot mirror screen to TV/projector via Miracast " -ForegroundColor Gray
Write-Host " ! Windows + K shortcut won't find wireless displays " -ForegroundColor Gray
Write-Host " ! (HDMI/USB-C cables still work) " -ForegroundColor Gray
Write-Host " "
Write-Host " Do you want to COMPLETELY DISABLE Wireless Display? " -ForegroundColor White
Write-Host " "
Write-Host " [Y] YES - Complete disable (Maximum security) " -ForegroundColor Cyan
Write-Host " - All Miracast functionality blocked " -ForegroundColor Gray
Write-Host " - Ports 7236/7250 blocked " -ForegroundColor Gray
Write-Host " - Use HDMI/USB-C for presentations " -ForegroundColor Gray
Write-Host " "
Write-Host " [N] NO - Keep hardened only (Default, Recommended) " -ForegroundColor Green
Write-Host " - Can still send to TVs/projectors " -ForegroundColor Gray
Write-Host " - PC cannot receive/be misused as display " -ForegroundColor Gray
Write-Host " - PIN always required " -ForegroundColor Gray
Write-Host " "
2025-12-09 07:16:50 +01:00
do {
$wirelessChoice = Read-Host " Completely disable Wireless Display? [Y/N] (default: N) "
if ( [ string ] :: IsNullOrWhiteSpace ( $wirelessChoice ) ) { $wirelessChoice = " N " }
$wirelessChoice = $wirelessChoice . ToUpper ( )
if ( $wirelessChoice -notin @ ( 'Y' , 'N' ) ) {
Write-Host " "
Write-Host " Invalid input. Please enter Y or N. " -ForegroundColor Red
Write-Host " "
}
} while ( $wirelessChoice -notin @ ( 'Y' , 'N' ) )
2025-12-08 10:32:49 +01:00
2025-12-09 07:16:50 +01:00
if ( $wirelessChoice -eq 'Y' ) {
2025-12-08 10:32:49 +01:00
$DisableWirelessDisplayCompletely = $true
Write-Host " "
Write-Host " Wireless Display will be COMPLETELY DISABLED " -ForegroundColor Yellow
Write-Log -Level INFO -Message " User decision: Wireless Display completely disabled " -Module " AdvancedSecurity "
}
else {
$DisableWirelessDisplayCompletely = $false
Write-Host " "
Write-Host " Wireless Display will be HARDENED (sending still works) " -ForegroundColor Green
Write-Log -Level INFO -Message " User decision: Wireless Display hardened only " -Module " AdvancedSecurity "
}
Write-Host " "
}
# Discovery Protocols (WS-Discovery + mDNS) Configuration - Maximum profile only
# This controls OS-level mDNS resolver and WS-Discovery service+firewall block.
$DisableDiscoveryProtocolsCompletely = $false
if ( Test-NonInteractiveMode ) {
# NonInteractive mode (GUI) - use config value; effective only for Maximum profile
$DisableDiscoveryProtocolsCompletely = Get-NonInteractiveValue -Module " AdvancedSecurity " -Key " disableDiscoveryProtocols " -Default ( $SecurityProfile -eq 'Maximum' )
Write-NonInteractiveDecision -Module " AdvancedSecurity " -Decision " Discovery Protocols (WS-Discovery/mDNS, Maximum only) " -Value $ ( if ( $DisableDiscoveryProtocolsCompletely ) { " Completely Disabled " } else { " Default (Windows behavior) " } )
}
elseif ( $SecurityProfile -eq 'Maximum' ) {
# Interactive prompt only for Maximum profile
Write-Host " ======================================== " -ForegroundColor Yellow
Write-Host " DISCOVERY PROTOCOLS (WS-Discovery + mDNS) " -ForegroundColor Yellow
Write-Host " ======================================== " -ForegroundColor Yellow
Write-Host " "
Write-Host " WS-Discovery and mDNS are used for automatic device discovery (printers, TVs, scanners). " -ForegroundColor White
Write-Host " On high-security / air-gapped systems, these discovery protocols should be COMPLETELY DISABLED. " -ForegroundColor White
Write-Host " "
Write-Host " SECURITY RISK: " -ForegroundColor Red
Write-Host " - Network mapping and lateral movement via WS-Discovery " -ForegroundColor Gray
Write-Host " - mDNS spoofing and fake devices on the local network " -ForegroundColor Gray
Write-Host " "
Write-Host " WHAT BREAKS IF DISABLED: " -ForegroundColor Yellow
Write-Host " ! Automatic discovery of network printers/TVs/scanners " -ForegroundColor Gray
Write-Host " ! Some legacy media streaming / casting workflows " -ForegroundColor Gray
Write-Host " ! Miracast display discovery (even if Miracast allowed above) " -ForegroundColor Gray
Write-Host " "
Write-Host " WHAT STILL WORKS: " -ForegroundColor Cyan
Write-Host " + Direct access via IP address (\\192.168.x.x or http://IP) " -ForegroundColor Gray
Write-Host " + Modern cloud-based apps (e.g. vendor apps, browser UIs) " -ForegroundColor Gray
Write-Host " + All outbound web traffic (browsing, streaming, etc.) " -ForegroundColor Gray
Write-Host " "
Write-Host " Do you want to COMPLETELY DISABLE WS-Discovery and mDNS on this system? " -ForegroundColor White
Write-Host " "
Write-Host " [Y] YES - Maximum security (Recommended for air-gapped / Maximum profile) " -ForegroundColor Cyan
Write-Host " - Disables OS mDNS resolver " -ForegroundColor Gray
Write-Host " - Disables WS-Discovery services " -ForegroundColor Gray
Write-Host " - Blocks WS-Discovery and mDNS ports in the firewall " -ForegroundColor Gray
Write-Host " "
Write-Host " [N] NO - Keep default discovery behavior " -ForegroundColor White
Write-Host " - Device discovery continues to work " -ForegroundColor Gray
Write-Host " - Higher attack surface (not recommended for Maximum profile) " -ForegroundColor Gray
Write-Host " "
2025-12-09 07:16:50 +01:00
do {
$discoveryChoice = Read-Host " Completely disable WS-Discovery and mDNS? [Y/N] (default: N) "
if ( [ string ] :: IsNullOrWhiteSpace ( $discoveryChoice ) ) { $discoveryChoice = " N " }
$discoveryChoice = $discoveryChoice . ToUpper ( )
if ( $discoveryChoice -notin @ ( 'Y' , 'N' ) ) {
Write-Host " "
Write-Host " Invalid input. Please enter Y or N. " -ForegroundColor Red
Write-Host " "
}
} while ( $discoveryChoice -notin @ ( 'Y' , 'N' ) )
2025-12-08 10:32:49 +01:00
2025-12-09 07:16:50 +01:00
if ( $discoveryChoice -eq 'Y' ) {
2025-12-08 10:32:49 +01:00
$DisableDiscoveryProtocolsCompletely = $true
Write-Host " "
Write-Host " Discovery protocols (WS-Discovery + mDNS) will be COMPLETELY DISABLED " -ForegroundColor Yellow
Write-Log -Level INFO -Message " User decision: Discovery protocols (WS-Discovery/mDNS) completely disabled on Maximum profile " -Module " AdvancedSecurity "
}
else {
$DisableDiscoveryProtocolsCompletely = $false
Write-Host " "
Write-Host " Discovery protocols will be KEPT enabled (device discovery works) " -ForegroundColor Green
Write-Log -Level INFO -Message " User decision: Discovery protocols (WS-Discovery/mDNS) kept enabled on Maximum profile " -Module " AdvancedSecurity "
}
Write-Host " "
}
# IPv6 Disable Configuration - Maximum profile only (mitm6 attack mitigation)
$DisableIPv6Completely = $false
if ( Test-NonInteractiveMode ) {
# NonInteractive mode (GUI) - use config value; effective only for Maximum profile
$DisableIPv6Completely = Get-NonInteractiveValue -Module " AdvancedSecurity " -Key " disableIPv6 " -Default $false
if ( $DisableIPv6Completely ) {
Write-NonInteractiveDecision -Module " AdvancedSecurity " -Decision " IPv6 (mitm6 protection) " -Value " Completely Disabled "
}
}
elseif ( $SecurityProfile -eq 'Maximum' ) {
# Interactive prompt only for Maximum profile
Write-Host " ======================================== " -ForegroundColor Yellow
Write-Host " IPv6 SECURITY (mitm6 Attack Mitigation) " -ForegroundColor Yellow
Write-Host " ======================================== " -ForegroundColor Yellow
Write-Host " "
Write-Host " Windows sends DHCPv6 requests even when IPv6 is not configured. " -ForegroundColor White
Write-Host " Attackers can exploit this to perform DNS takeover and credential theft. " -ForegroundColor White
Write-Host " "
Write-Host " ATTACK SCENARIO (mitm6): " -ForegroundColor Red
Write-Host " 1. Attacker responds to DHCPv6 requests as fake server " -ForegroundColor Gray
Write-Host " 2. Attacker becomes DNS server for victim " -ForegroundColor Gray
Write-Host " 3. Combined with WPAD -> NTLM credentials stolen " -ForegroundColor Gray
Write-Host " 4. -> Domain compromise possible! " -ForegroundColor Gray
Write-Host " "
Write-Host " NOTE: WPAD is already disabled by this framework. " -ForegroundColor Cyan
Write-Host " Disabling IPv6 provides additional defense-in-depth. " -ForegroundColor Cyan
Write-Host " "
Write-Host " WHAT BREAKS IF IPv6 DISABLED: " -ForegroundColor Yellow
Write-Host " ! Exchange Server communication (if using IPv6) " -ForegroundColor Gray
Write-Host " ! Some Active Directory features " -ForegroundColor Gray
Write-Host " ! IPv6-only services and websites " -ForegroundColor Gray
Write-Host " "
Write-Host " RECOMMENDED FOR: " -ForegroundColor Cyan
Write-Host " + Air-gapped systems " -ForegroundColor Gray
Write-Host " + Standalone workstations (no Exchange/AD) " -ForegroundColor Gray
Write-Host " + High-security environments " -ForegroundColor Gray
Write-Host " "
Write-Host " Do you want to COMPLETELY DISABLE IPv6? " -ForegroundColor White
Write-Host " "
Write-Host " [Y] YES - Disable IPv6 (Maximum security) " -ForegroundColor Cyan
Write-Host " - Prevents mitm6 attacks completely " -ForegroundColor Gray
Write-Host " - REBOOT REQUIRED " -ForegroundColor Gray
Write-Host " "
Write-Host " [N] NO - Keep IPv6 enabled (Default) " -ForegroundColor Green
Write-Host " - WPAD already disabled (partial mitigation) " -ForegroundColor Gray
Write-Host " - IPv6 functionality preserved " -ForegroundColor Gray
Write-Host " "
2025-12-09 07:16:50 +01:00
do {
$ipv6Choice = Read-Host " Completely disable IPv6? [Y/N] (default: N) "
if ( [ string ] :: IsNullOrWhiteSpace ( $ipv6Choice ) ) { $ipv6Choice = " N " }
$ipv6Choice = $ipv6Choice . ToUpper ( )
if ( $ipv6Choice -notin @ ( 'Y' , 'N' ) ) {
Write-Host " "
Write-Host " Invalid input. Please enter Y or N. " -ForegroundColor Red
Write-Host " "
}
} while ( $ipv6Choice -notin @ ( 'Y' , 'N' ) )
2025-12-08 10:32:49 +01:00
2025-12-09 07:16:50 +01:00
if ( $ipv6Choice -eq 'Y' ) {
2025-12-08 10:32:49 +01:00
$DisableIPv6Completely = $true
Write-Host " "
Write-Host " IPv6 will be COMPLETELY DISABLED (REBOOT REQUIRED) " -ForegroundColor Yellow
Write-Log -Level INFO -Message " User decision: IPv6 completely disabled (mitm6 mitigation) " -Module " AdvancedSecurity "
}
else {
$DisableIPv6Completely = $false
Write-Host " "
Write-Host " IPv6 will be KEPT enabled (WPAD already disabled for partial protection) " -ForegroundColor Green
Write-Log -Level INFO -Message " User decision: IPv6 kept enabled (WPAD disabled provides partial mitm6 protection) " -Module " AdvancedSecurity "
}
Write-Host " "
}
# Handle DryRun parameter (convert to WhatIf for ShouldProcess)
if ( $DryRun ) {
$WhatIfPreference = $true
}
# WhatIf mode
if ( $PSCmdlet . ShouldProcess ( " Advanced Security " , " Apply $SecurityProfile hardening " ) ) {
# PHASE 1: BACKUP
Write-Host " [1/4] BACKUP - Creating restore point... " -ForegroundColor Cyan
if ( -not $SkipBackup ) {
Write-Log -Level INFO -Message " Initializing backup system... " -Module " AdvancedSecurity "
$backupInit = Initialize-BackupSystem
if ( -not $backupInit ) {
Write-Log -Level ERROR -Message " Failed to initialize backup system! " -Module " AdvancedSecurity "
Write-Host " ERROR: Backup system initialization failed! " -ForegroundColor Red
Write-Host " Use -SkipBackup to proceed without backup (NOT RECOMMENDED) " -ForegroundColor Yellow
Write-Host " "
return [ PSCustomObject ] @ {
Success = $false
ErrorMessage = " Backup system initialization failed "
}
}
$backupResult = Backup-AdvancedSecuritySettings
if ( $backupResult ) {
# Register backup in session manifest
Complete-ModuleBackup -ItemsBackedUp $backupResult -Status " Success "
Write-Log -Level SUCCESS -Message " Backup completed: $backupResult items " -Module " AdvancedSecurity "
Write-Host " Backup completed ( $backupResult items) " -ForegroundColor Green
}
else {
Write-Log -Level WARNING -Message " Backup may have failed - proceeding anyway " -Module " AdvancedSecurity "
Write-Host " WARNING: Backup may have issues " -ForegroundColor Yellow
}
}
else {
Write-Log -Level WARNING -Message " Backup SKIPPED by user request! " -Module " AdvancedSecurity "
Write-Host " Skipped (SkipBackup flag) " -ForegroundColor Yellow
}
Write-Host " "
# PHASE 2: APPLY
Write-Host " [2/4] APPLY - Applying security hardening... " -ForegroundColor Cyan
Write-Host " "
$appliedFeatures = @ ( )
$failedFeatures = @ ( )
# Feature 1: RDP Hardening
Write-Host " RDP Security Hardening... " -ForegroundColor White -NoNewline
try {
$rdpDisable = $false
if ( $SecurityProfile -eq 'Maximum' -and $DisableRDP ) {
$rdpDisable = $true
}
elseif ( $DisableRDP ) {
Write-Log -Level INFO -Message " User explicitly requested full RDP disable in profile ' $SecurityProfile ' - applying complete disable with Force override " -Module " AdvancedSecurity "
$rdpDisable = $true
}
$rdpResult = Enable-RdpNLA -DisableRDP: $rdpDisable -Force: $Force
if ( $rdpResult ) {
Write-Host " OK " -ForegroundColor Green
$appliedFeatures + = " RDP Hardening "
}
else {
Write-Host " FAILED " -ForegroundColor Red
$failedFeatures + = " RDP Hardening "
}
}
catch {
Write-Host " FAILED " -ForegroundColor Red
$failedFeatures + = " RDP Hardening "
Write-Log -Level ERROR -Message " RDP hardening failed: $_ " -Module " AdvancedSecurity " -Exception $_ . Exception
}
# Feature 2: WDigest Protection
Write-Host " WDigest Protection... " -ForegroundColor White -NoNewline
try {
$wdigestResult = Set-WDigestProtection
if ( $wdigestResult ) {
Write-Host " OK " -ForegroundColor Green
$appliedFeatures + = " WDigest Protection "
}
else {
Write-Host " FAILED " -ForegroundColor Red
$failedFeatures + = " WDigest Protection "
}
}
catch {
Write-Host " FAILED " -ForegroundColor Red
$failedFeatures + = " WDigest Protection "
Write-Log -Level ERROR -Message " WDigest protection failed: $_ " -Module " AdvancedSecurity " -Exception $_ . Exception
}
# Feature 3: Administrative Shares
Write-Host " Admin Shares Disable... " -ForegroundColor White -NoNewline
try {
# Enterprise profile: Auto-skip on domain (for IT management)
if ( $SecurityProfile -eq 'Enterprise' -and $isDomainJoined -and -not $Force ) {
Write-Host " SKIPPED (Enterprise + Domain) " -ForegroundColor Yellow
Write-Log -Level INFO -Message " Admin shares kept on domain (Enterprise profile) " -Module " AdvancedSecurity "
}
else {
$adminSharesForce = $false
if ( $SecurityProfile -eq 'Maximum' ) {
$adminSharesForce = $true
}
elseif ( $Force ) {
$adminSharesForce = $true
}
$adminSharesResult = Disable-AdminShares -Force: $adminSharesForce
if ( $adminSharesResult ) {
Write-Host " OK " -ForegroundColor Green
$appliedFeatures + = " Admin Shares Disable "
}
else {
Write-Host " SKIPPED " -ForegroundColor Yellow
}
}
}
catch {
Write-Host " FAILED " -ForegroundColor Red
$failedFeatures + = " Admin Shares Disable "
Write-Log -Level ERROR -Message " Admin shares disable failed: $_ " -Module " AdvancedSecurity " -Exception $_ . Exception
}
# Feature 4: Risky Firewall Ports
Write-Host " Risky Ports Hardening... " -ForegroundColor White -NoNewline
try {
# Pass SkipUPnP if user chose to keep UPnP enabled
$riskyPortsResult = Disable-RiskyPorts -SkipUPnP: ( -not $DisableUPnP )
if ( $riskyPortsResult ) {
Write-Host " OK " -ForegroundColor Green
$appliedFeatures + = " Risky Firewall Ports "
}
else {
Write-Host " FAILED " -ForegroundColor Red
$failedFeatures + = " Risky Firewall Ports "
}
}
catch {
Write-Host " FAILED " -ForegroundColor Red
$failedFeatures + = " Risky Firewall Ports "
Write-Log -Level ERROR -Message " Risky ports closure failed: $_ " -Module " AdvancedSecurity " -Exception $_ . Exception
}
# Feature 5: Risky Network Services
Write-Host " Risky Services Stop... " -ForegroundColor White -NoNewline
try {
$riskyServicesResult = Stop-RiskyServices
if ( $riskyServicesResult ) {
Write-Host " OK " -ForegroundColor Green
$appliedFeatures + = " Risky Network Services "
}
else {
Write-Host " FAILED " -ForegroundColor Red
$failedFeatures + = " Risky Network Services "
}
}
catch {
Write-Host " FAILED " -ForegroundColor Red
$failedFeatures + = " Risky Network Services "
Write-Log -Level ERROR -Message " Risky services stop failed: $_ " -Module " AdvancedSecurity " -Exception $_ . Exception
}
# Feature 6: WPAD Disable
Write-Host " WPAD Disable... " -ForegroundColor White -NoNewline
try {
$wpadResult = Disable-WPAD
if ( $wpadResult ) {
Write-Host " OK " -ForegroundColor Green
$appliedFeatures + = " WPAD Disable "
}
else {
Write-Host " FAILED " -ForegroundColor Red
$failedFeatures + = " WPAD Disable "
}
}
catch {
Write-Host " FAILED " -ForegroundColor Red
$failedFeatures + = " WPAD Disable "
Write-Log -Level ERROR -Message " WPAD disable failed: $_ " -Module " AdvancedSecurity " -Exception $_ . Exception
}
# Feature 7: Legacy TLS Disable
Write-Host " Legacy TLS 1.0/1.1 Disable... " -ForegroundColor White -NoNewline
try {
$tlsResult = Disable-LegacyTLS
if ( $tlsResult ) {
Write-Host " OK " -ForegroundColor Green
$appliedFeatures + = " Legacy TLS Disable "
}
else {
Write-Host " FAILED " -ForegroundColor Red
$failedFeatures + = " Legacy TLS Disable "
}
}
catch {
Write-Host " FAILED " -ForegroundColor Red
$failedFeatures + = " Legacy TLS Disable "
Write-Log -Level ERROR -Message " Legacy TLS disable failed: $_ " -Module " AdvancedSecurity " -Exception $_ . Exception
}
# Feature 8: PowerShell v2 Removal
Write-Host " PowerShell v2 Removal... " -ForegroundColor White -NoNewline
$psv2Changed = $false
try {
$psv2Result = Remove-PowerShellV2
if ( $psv2Result -and $psv2Result . Success ) {
Write-Host " OK " -ForegroundColor Green
$appliedFeatures + = " PowerShell v2 Removal "
if ( $psv2Result . Changed ) {
$psv2Changed = $true
}
}
else {
Write-Host " FAILED " -ForegroundColor Red
$failedFeatures + = " PowerShell v2 Removal "
}
}
catch {
Write-Host " FAILED " -ForegroundColor Red
$failedFeatures + = " PowerShell v2 Removal "
Write-Log -Level ERROR -Message " PowerShell v2 removal failed: $_ " -Module " AdvancedSecurity " -Exception $_ . Exception
}
# Feature 9: Finger Protocol
Write-Host " Finger Protocol Block... " -ForegroundColor White -NoNewline
try {
$fingerResult = Block-FingerProtocol -DryRun: $DryRun
if ( $fingerResult ) {
Write-Host " OK " -ForegroundColor Green
$appliedFeatures + = " Finger Protocol Block "
}
else {
Write-Host " FAILED " -ForegroundColor Red
$failedFeatures + = " Finger Protocol Block "
}
}
catch {
Write-Host " FAILED " -ForegroundColor Red
$failedFeatures + = " Finger Protocol Block "
Write-Log -Level ERROR -Message " Finger protocol block failed: $_ " -Module " AdvancedSecurity " -Exception $_ . Exception
}
# Feature 10: SRP Rules (CVE-2025-9491)
Write-Host " SRP .lnk Protection (CVE-2025-9491)... " -ForegroundColor White -NoNewline
try {
$srpResult = Set-SRPRules -DryRun: $DryRun
if ( $srpResult ) {
Write-Host " OK " -ForegroundColor Green
$appliedFeatures + = " SRP .lnk Protection (CVE-2025-9491) "
}
else {
Write-Host " FAILED " -ForegroundColor Red
$failedFeatures + = " SRP .lnk Protection "
}
}
catch {
Write-Host " FAILED " -ForegroundColor Red
$failedFeatures + = " SRP .lnk Protection "
Write-Log -Level ERROR -Message " SRP configuration failed: $_ " -Module " AdvancedSecurity " -Exception $_ . Exception
}
# Feature 11: Windows Update
Write-Host " Windows Update Config... " -ForegroundColor White -NoNewline
try {
$wuResult = Set-WindowsUpdate -DryRun: $DryRun
if ( $wuResult ) {
Write-Host " OK " -ForegroundColor Green
$appliedFeatures + = " Windows Update (3 GUI settings) "
}
else {
Write-Host " FAILED " -ForegroundColor Red
$failedFeatures + = " Windows Update "
}
}
catch {
Write-Host " FAILED " -ForegroundColor Red
$failedFeatures + = " Windows Update "
Write-Log -Level ERROR -Message " Windows Update configuration failed: $_ " -Module " AdvancedSecurity " -Exception $_ . Exception
}
# Feature 12: Wireless Display Security
Write-Host " Wireless Display Security... " -ForegroundColor White -NoNewline
try {
$wirelessDisplayResult = Set-WirelessDisplaySecurity -DisableCompletely: $DisableWirelessDisplayCompletely
if ( $wirelessDisplayResult ) {
if ( $DisableWirelessDisplayCompletely ) {
Write-Host " OK (Fully Disabled) " -ForegroundColor Green
$appliedFeatures + = " Wireless Display (Fully Disabled) "
}
else {
Write-Host " OK (Hardened) " -ForegroundColor Green
$appliedFeatures + = " Wireless Display (Hardened) "
}
}
else {
Write-Host " FAILED " -ForegroundColor Red
$failedFeatures + = " Wireless Display Security "
}
}
catch {
Write-Host " FAILED " -ForegroundColor Red
$failedFeatures + = " Wireless Display Security "
Write-Log -Level ERROR -Message " Wireless Display security failed: $_ " -Module " AdvancedSecurity " -Exception $_ . Exception
}
# Feature 13: Discovery Protocols (WS-Discovery + mDNS) - Maximum only
if ( $SecurityProfile -eq 'Maximum' ) {
Write-Host " Discovery Protocols (WS-Discovery + mDNS)... " -ForegroundColor White -NoNewline
try {
if ( $DisableDiscoveryProtocolsCompletely ) {
$discoveryResult = Set-DiscoveryProtocolsSecurity -DisableCompletely
if ( $discoveryResult ) {
Write-Host " OK (Disabled) " -ForegroundColor Green
$appliedFeatures + = " Discovery Protocols (WS-Discovery + mDNS Disabled) "
}
else {
Write-Host " FAILED " -ForegroundColor Red
$failedFeatures + = " Discovery Protocols (WS-Discovery + mDNS) "
}
}
else {
Write-Host " SKIPPED " -ForegroundColor Yellow
}
}
catch {
Write-Host " FAILED " -ForegroundColor Red
$failedFeatures + = " Discovery Protocols (WS-Discovery + mDNS) "
Write-Log -Level ERROR -Message " Discovery protocol security failed: $_ " -Module " AdvancedSecurity " -Exception $_ . Exception
}
}
# Feature 14: Firewall Shields Up (Maximum only)
# Blocks ALL incoming connections on Public network, including allowed apps
if ( $SecurityProfile -eq 'Maximum' ) {
Write-Host " Firewall Shields Up (Public)... " -ForegroundColor White -NoNewline
try {
$shieldsUpResult = Set-FirewallShieldsUp -Enable
if ( $shieldsUpResult ) {
Write-Host " OK " -ForegroundColor Green
$appliedFeatures + = " Firewall Shields Up (Block ALL incoming on Public) "
}
else {
Write-Host " FAILED " -ForegroundColor Red
$failedFeatures + = " Firewall Shields Up "
}
}
catch {
Write-Host " FAILED " -ForegroundColor Red
$failedFeatures + = " Firewall Shields Up "
Write-Log -Level ERROR -Message " Firewall Shields Up failed: $_ " -Module " AdvancedSecurity " -Exception $_ . Exception
}
}
# Feature 15: IPv6 Disable (Maximum only, optional)
# Prevents mitm6 attacks (DHCPv6 spoofing → DNS takeover → NTLM relay)
if ( $SecurityProfile -eq 'Maximum' -and $DisableIPv6Completely ) {
Write-Host " IPv6 Disable (mitm6 mitigation)... " -ForegroundColor White -NoNewline
try {
$ipv6Result = Set-IPv6Security -DisableCompletely
if ( $ipv6Result ) {
Write-Host " OK (REBOOT REQUIRED) " -ForegroundColor Green
$appliedFeatures + = " IPv6 Disabled (mitm6 attack mitigation) "
}
else {
Write-Host " FAILED " -ForegroundColor Red
$failedFeatures + = " IPv6 Disable "
}
}
catch {
Write-Host " FAILED " -ForegroundColor Red
$failedFeatures + = " IPv6 Disable "
Write-Log -Level ERROR -Message " IPv6 disable failed: $_ " -Module " AdvancedSecurity " -Exception $_ . Exception
}
}
Write-Host " "
# PHASE 3: VERIFY
Write-Host " [3/4] VERIFY - Checking compliance... " -ForegroundColor Cyan
Write-Host " "
if ( $appliedFeatures . Count -gt 0 ) {
try {
$verifyResult = Test-AdvancedSecurity
# Test-AdvancedSecurity now outputs full table + returns structured object
# No need to print summary here - it's already shown above
if ( $verifyResult -and $verifyResult . Compliance -lt 100 ) {
# Log details to file for troubleshooting
Write-Log -Level WARNING -Message " Advanced Security Compliance: $( $verifyResult . CompliantCount ) / $( $verifyResult . TotalChecks ) passed ( $( $verifyResult . Compliance ) %) " -Module " AdvancedSecurity "
if ( $verifyResult . Results ) {
foreach ( $test in $verifyResult . Results ) {
if ( -not $test . Compliant ) {
Write-Log -Level WARNING -Message " [NON-COMPLIANT] $( $test . Feature ) : $( $test . Status ) - $( $test . Details ) " -Module " AdvancedSecurity "
}
}
}
Write-Host " "
Write-Host " Note: $( $verifyResult . TotalChecks - $verifyResult . CompliantCount ) check(s) non-compliant " -ForegroundColor Yellow
Write-Host " This may require reboot or additional configuration " -ForegroundColor Gray
}
elseif ( $verifyResult ) {
Write-Log -Level SUCCESS -Message " Advanced Security Compliance: 100% passed " -Module " AdvancedSecurity "
}
}
catch {
Write-Host " Verification skipped (error occurred) " -ForegroundColor Gray
}
}
else {
Write-Host " Skipped (no features applied) " -ForegroundColor Gray
}
Write-Host " "
# PHASE 4: COMPLETE
Write-Host " [4/4] COMPLETE - Advanced security finished! " -ForegroundColor Green
Write-Host " "
Write-Host " Profile: $SecurityProfile " -ForegroundColor White
2025-12-09 10:48:12 +01:00
Write-Host " Features: $( $appliedFeatures . Count ) /15 applied " -ForegroundColor $ ( if ( $failedFeatures . Count -eq 0 ) { 'Green' } else { 'Yellow' } )
2025-12-08 10:32:49 +01:00
if ( $failedFeatures . Count -gt 0 ) {
Write-Host " Failed: $( $failedFeatures . Count ) " -ForegroundColor Red
}
Write-Host " "
if ( $psv2Changed ) {
Write-Host " REBOOT REQUIRED for some changes (Admin Shares, PowerShell v2) " -ForegroundColor Yellow
}
else {
Write-Host " REBOOT REQUIRED for some changes (Admin Shares) " -ForegroundColor Yellow
}
Write-Host " "
Write-Log -Level SUCCESS -Message " Advanced Security hardening completed: $( $appliedFeatures . Count ) features applied " -Module " AdvancedSecurity "
# GUI parsing marker for settings count (50 advanced settings incl. Wireless Display + Discovery Protocols + IPv6)
Write-Log -Level SUCCESS -Message " Applied 50 settings " -Module " AdvancedSecurity "
# Return structured result object
$hasFailures = $failedFeatures . Count -gt 0
return [ PSCustomObject ] @ {
Success = -not $hasFailures
SecurityProfile = $SecurityProfile
FeaturesApplied = $appliedFeatures
FeaturesFailed = $failedFeatures
TotalFeatures = $appliedFeatures . Count + $failedFeatures . Count
Timestamp = Get-Date -Format " yyyy-MM-dd HH:mm:ss "
RebootRequired = $true
}
}
else {
Write-Host " WhatIf mode - no changes applied " -ForegroundColor Yellow
Write-Host " "
return [ PSCustomObject ] @ {
Success = $true
SecurityProfile = $SecurityProfile
Mode = " WhatIf "
Timestamp = Get-Date -Format " yyyy-MM-dd HH:mm:ss "
}
}
}
catch {
Write-Log -Level ERROR -Message " Advanced Security hardening failed: $_ " -Module " AdvancedSecurity " -Exception $_ . Exception
Write-Host " "
Write-Host " ERROR: Hardening failed! " -ForegroundColor Red
Write-Host $_ . Exception . Message -ForegroundColor Gray
Write-Host " "
# Return structured error object
return [ PSCustomObject ] @ {
Success = $false
SecurityProfile = $SecurityProfile
ErrorMessage = $_ . Exception . Message
Timestamp = Get-Date -Format " yyyy-MM-dd HH:mm:ss "
}
}
}
