mirror of
https://github.com/NexusOne23/noid-privacy.git
synced 2026-02-07 12:11:53 +01:00
v2.2.1: Critical multi-run session bugfix, .Count property fix, ASR prompt improvement, code quality review
This commit is contained in:
NexusOne23
parent
c6f8291d50
commit
b3efcf35fd
68 changed files with 307 additions and 159 deletions
|
|
@ -2,7 +2,7 @@
|
|||
# Module manifest for AdvancedSecurity
|
||||
|
||||
# Version
|
||||
ModuleVersion = '2.2.0'
|
||||
ModuleVersion = '2.2.1'
|
||||
|
||||
# Unique ID
|
||||
GUID = 'e7f5a3d2-8c9b-4f1e-a6d3-9b2c8f4e5a1d'
|
||||
|
|
@ -48,7 +48,7 @@
|
|||
LicenseUri = ''
|
||||
ProjectUri = ''
|
||||
ReleaseNotes = @'
|
||||
v2.2.0 (2025-12-08)
|
||||
v2.2.1 (2025-12-08)
|
||||
- Production release of AdvancedSecurity module
|
||||
- 49 advanced hardening settings implemented (was 36)
|
||||
- NEW: Wireless Display (Miracast) security hardening
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
# AdvancedSecurity Module Loader
|
||||
# Version: 2.2.0
|
||||
# Version: 2.2.1
|
||||
# Description: Advanced Security Hardening - Beyond Microsoft Security Baseline
|
||||
|
||||
# Get module path
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@
|
|||
"$schema": "http://json-schema.org/draft-07/schema#",
|
||||
"title": "Administrative Shares Configuration",
|
||||
"description": "Configuration for disabling administrative shares (C$, ADMIN$, etc.) to prevent lateral movement",
|
||||
"version": "2.2.0",
|
||||
"version": "2.2.1",
|
||||
|
||||
"Administrative_Shares": {
|
||||
"description": "Disable automatic creation and remove existing administrative shares",
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@
|
|||
"$schema": "http://json-schema.org/draft-07/schema#",
|
||||
"title": "Credential Protection Configuration",
|
||||
"description": "Configuration for credential hardening including WDigest protection",
|
||||
"version": "2.2.0",
|
||||
"version": "2.2.1",
|
||||
|
||||
"WDigest_Protection": {
|
||||
"description": "Prevent WDigest from storing plaintext passwords in LSASS memory",
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@
|
|||
"$schema": "http://json-schema.org/draft-07/schema#",
|
||||
"title": "RDP Hardening Configuration",
|
||||
"description": "Configuration for RDP (Remote Desktop Protocol) hardening including NLA enforcement and optional complete disable",
|
||||
"version": "2.2.0",
|
||||
"version": "2.2.1",
|
||||
|
||||
"NLA_Enforcement": {
|
||||
"description": "Network Level Authentication (NLA) enforcement settings",
|
||||
|
|
|
|||
|
|
@ -21,7 +21,7 @@ function Block-FingerProtocol {
|
|||
|
||||
.NOTES
|
||||
Author: NexusOne23
|
||||
Version: 2.2.0
|
||||
Version: 2.2.1
|
||||
Requires: Administrator privileges
|
||||
|
||||
REFERENCES:
|
||||
|
|
|
|||
|
|
@ -27,7 +27,7 @@ function Set-SRPRules {
|
|||
|
||||
.NOTES
|
||||
Author: NexusOne23
|
||||
Version: 2.2.0
|
||||
Version: 2.2.1
|
||||
Requires: Administrator privileges
|
||||
|
||||
REFERENCES:
|
||||
|
|
|
|||
|
|
@ -22,7 +22,7 @@ function Set-WindowsUpdate {
|
|||
|
||||
.NOTES
|
||||
Author: NexusOne23
|
||||
Version: 2.2.0
|
||||
Version: 2.2.1
|
||||
Requires: Administrator privileges
|
||||
Based on: Windows Settings > Windows Update > Advanced options
|
||||
#>
|
||||
|
|
|
|||
|
|
@ -28,6 +28,7 @@ function Test-DiscoveryProtocolsSecurity {
|
|||
Tcp5357ListenersClosed = $null
|
||||
Tcp5358ListenersClosed = $null
|
||||
Compliant = $false
|
||||
Pass = $true # Optional feature (Maximum only) - always pass
|
||||
}
|
||||
|
||||
try {
|
||||
|
|
@ -69,7 +70,7 @@ function Test-DiscoveryProtocolsSecurity {
|
|||
|
||||
if ($rules.Count -gt 0) {
|
||||
$result.FirewallRulesPresent = ($rules.Count -eq $ruleNames.Count)
|
||||
$result.FirewallRulesEnabled = ($rules | Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Block' }).Count -eq $ruleNames.Count
|
||||
$result.FirewallRulesEnabled = @($rules | Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Block' }).Count -eq $ruleNames.Count
|
||||
}
|
||||
|
||||
# 4) Optional: check that ports are not listening
|
||||
|
|
|
|||
|
|
@ -16,10 +16,12 @@ function Test-FirewallShieldsUp {
|
|||
$value = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
|
||||
|
||||
if ($null -eq $value -or $value.$valueName -ne 1) {
|
||||
# Shields Up is OPTIONAL (Maximum profile only) - not a failure if not enabled
|
||||
return @{
|
||||
Pass = $false
|
||||
Message = "Shields Up NOT enabled (Public network allows configured exceptions)"
|
||||
Pass = $true # Optional feature - always pass
|
||||
Message = "Shields Up not enabled (Optional - Maximum profile only)"
|
||||
CurrentValue = if ($null -eq $value) { "Not Set" } else { $value.$valueName }
|
||||
IsEnabled = $false
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -27,13 +29,15 @@ function Test-FirewallShieldsUp {
|
|||
Pass = $true
|
||||
Message = "Shields Up ENABLED (Public network blocks ALL incoming)"
|
||||
CurrentValue = 1
|
||||
IsEnabled = $true
|
||||
}
|
||||
}
|
||||
catch {
|
||||
return @{
|
||||
Pass = $false
|
||||
Pass = $true # Don't fail on error for optional feature
|
||||
Message = "Error checking Shields Up: $_"
|
||||
CurrentValue = "Error"
|
||||
IsEnabled = $false
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -11,7 +11,7 @@ function Invoke-AdvancedSecurity {
|
|||
- Enterprise: Conservative approach with domain-safety checks
|
||||
- Maximum: Maximum hardening for air-gapped/high-security environments
|
||||
|
||||
Features implemented (v2.2.0):
|
||||
Features implemented (v2.2.1):
|
||||
- RDP NLA enforcement + optional complete disable
|
||||
- WDigest credential protection
|
||||
- Administrative shares disable (domain-aware)
|
||||
|
|
|
|||
|
|
@ -110,13 +110,15 @@ function Test-AdvancedSecurity {
|
|||
Write-Host "Testing Discovery Protocols (WS-Discovery + mDNS)..." -ForegroundColor Gray
|
||||
$discoveryTest = Test-DiscoveryProtocolsSecurity
|
||||
if ($discoveryTest) {
|
||||
# Optional feature (Maximum profile only) - use Pass field which is always true
|
||||
$statusText = if ($discoveryTest.Compliant) { "Disabled (Maximum)" } else { "Enabled (Optional - Maximum profile only)" }
|
||||
$results += [PSCustomObject]@{
|
||||
Feature = "Discovery Protocols (WS-Discovery + mDNS)"
|
||||
Status = if ($discoveryTest.Compliant) { "Secure" } else { "Insecure" }
|
||||
Status = $statusText
|
||||
Details = "mDNS=" + $(if ($discoveryTest.EnableMDNS -eq 0) { "Disabled" } else { "Enabled/Not Set" }) +
|
||||
"; Services: FDResPub=" + $discoveryTest.FDResPubDisabled + ", fdPHost=" + $discoveryTest.FdPHostDisabled +
|
||||
"; FirewallRulesEnabled=" + $discoveryTest.FirewallRulesEnabled
|
||||
Compliant = $discoveryTest.Compliant
|
||||
Compliant = $discoveryTest.Pass # Always true - optional feature
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -124,9 +126,11 @@ function Test-AdvancedSecurity {
|
|||
Write-Host "Testing Firewall Shields Up (Public)..." -ForegroundColor Gray
|
||||
$shieldsUpTest = Test-FirewallShieldsUp
|
||||
# Always pass - this is an optional hardening only for the Maximum (air-gapped) profile
|
||||
$statusText = if ($shieldsUpTest.IsEnabled) { "Enabled (Maximum)" } else { "Not enabled (Optional - Maximum profile only)" }
|
||||
$results += [PSCustomObject]@{
|
||||
Feature = "Firewall Shields Up (Public)"
|
||||
Compliant = $shieldsUpTest.Pass
|
||||
Status = $statusText
|
||||
Compliant = $shieldsUpTest.Pass # Always true - optional feature
|
||||
Details = $shieldsUpTest.Message
|
||||
}
|
||||
|
||||
|
|
@ -147,8 +151,8 @@ function Test-AdvancedSecurity {
|
|||
Write-Host "============================================" -ForegroundColor Cyan
|
||||
Write-Host ""
|
||||
|
||||
$compliantCount = ($results | Where-Object { $_.Compliant -eq $true }).Count
|
||||
$totalTests = $results.Count
|
||||
$compliantCount = @($results | Where-Object { $_.Compliant -eq $true }).Count
|
||||
$totalTests = @($results).Count
|
||||
$compliancePercent = [math]::Round(($compliantCount / $totalTests) * 100, 1)
|
||||
|
||||
Write-Host "Total Tests: $totalTests" -ForegroundColor White
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue