v2.2.0 - Complete Security Hardening Framework (632 Settings)

2026-02-11 14:04:27 +01:00 · 2025-12-08 10:32:49 +01:00 · 2025-12-08 10:32:49 +01:00 · ba364813ed
commit ba364813ed
195 changed files with 43788 additions and 0 deletions
--- a/Modules/AdvancedSecurity/Config/AdminShares.json
+++ b/Modules/AdvancedSecurity/Config/AdminShares.json
@ -0,0 +1,116 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "title": "Administrative Shares Configuration",
+  "description": "Configuration for disabling administrative shares (C$, ADMIN$, etc.) to prevent lateral movement",
+  "version": "2.2.0",
+  
+  "Administrative_Shares": {
+    "description": "Disable automatic creation and remove existing administrative shares",
+    "risk_level": "CRITICAL",
+    "attack_vectors": [
+      "Lateral movement in networks (WannaCry, NotPetya propagation)",
+      "Remote file access by attackers with stolen credentials",
+      "Pass-the-Hash attacks using admin shares",
+      "Automated malware propagation"
+    ],
+    
+    "shares_affected": {
+      "C$": "Root of C: drive",
+      "D$": "Root of D: drive (if exists)",
+      "E$": "Root of E: drive (if exists)",
+      "ADMIN$": "Windows directory (C:\\Windows)",
+      "IPC$": "Named pipes - CANNOT be removed (required by Windows)"
+    },
+    
+    "registry_settings": {
+      "path": "HKLM:\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters",
+      "AutoShareWks": {
+        "description": "Disable automatic shares on Workstation (Home/Pro editions)",
+        "value": 0,
+        "type": "DWORD",
+        "default": 1
+      },
+      "AutoShareServer": {
+        "description": "Disable automatic shares on Server editions",
+        "value": 0,
+        "type": "DWORD",
+        "default": 1
+      }
+    },
+    
+    "firewall_protection": {
+      "description": "Block SMB on Public network profile",
+      "rule_name": "Block Admin Shares (NoID Privacy)",
+      "direction": "Inbound",
+      "protocol": "TCP",
+      "local_port": 445,
+      "profile": "Public",
+      "action": "Block"
+    },
+    
+    "domain_safety": {
+      "enabled": true,
+      "description": "Automatically detect domain-joined systems and skip unless -Force",
+      "check": "Get-CimInstance -ClassName Win32_ComputerSystem | Select-Object PartOfDomain",
+      "warnings": [
+        "Group Policy management may be affected",
+        "SCCM/Management tools may require admin shares",
+        "Remote administration tools may stop working"
+      ],
+      "force_required": true,
+      "enterprise_recommendation": "Test in staging environment before deployment"
+    }
+  },
+  
+  "Profiles": {
+    "Balanced": {
+      "enabled": true,
+      "domain_check": true,
+      "force_required": false
+    },
+    "Enterprise": {
+      "enabled": "conditional",
+      "domain_check": true,
+      "force_required": true,
+      "note": "Auto-disabled for domain-joined systems unless -Force"
+    },
+    "Maximum": {
+      "enabled": true,
+      "domain_check": false,
+      "force_required": false,
+      "note": "Always enabled for maximum security"
+    }
+  },
+  
+  "Impact": {
+    "positive": [
+      "Prevents lateral movement in case of credential theft",
+      "Stops automated ransomware propagation",
+      "Blocks Pass-the-Hash attack vectors using admin shares"
+    ],
+    "negative": [
+      "Remote administration tools may not work",
+      "Group Policy remote management affected",
+      "Some enterprise monitoring tools may require admin shares",
+      "SCCM and similar tools may need explicit shares"
+    ],
+    "recommendations": {
+      "home_users": "Recommended - high security benefit",
+      "enterprise": "Requires testing - may break management tools",
+      "workaround": "Create explicit shares for required management tools"
+    }
+  },
+  
+  "Important_Notes": [
+    "REQUIRES REBOOT to prevent share recreation",
+    "Shares will NOT be recreated after reboot (if registry set)",
+    "IPC$ cannot be disabled (required by Windows)",
+    "File sharing via explicit shares still works",
+    "Can be restored by setting AutoShareWks/AutoShareServer = 1 + reboot"
+  ],
+  
+  "Compatibility": {
+    "windows_versions": ["Windows 10", "Windows 11", "Windows Server 2016+"],
+    "tested": "Windows 11 25H2 (Nov 16, 2025)"
+  }
+}
--- a/Modules/AdvancedSecurity/Config/Credentials.json
+++ b/Modules/AdvancedSecurity/Config/Credentials.json
@ -0,0 +1,78 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "title": "Credential Protection Configuration",
+  "description": "Configuration for credential hardening including WDigest protection",
+  "version": "2.2.0",
+  
+  "WDigest_Protection": {
+    "description": "Prevent WDigest from storing plaintext passwords in LSASS memory",
+    "enabled": true,
+    "deprecated_in": "Windows 11 24H2",
+    "status": "Deprecated in Win11 24H2+ but kept for backwards compatibility and defense-in-depth",
+    
+    "registry_path": "HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest",
+    "settings": {
+      "UseLogonCredential": {
+        "description": "Control whether WDigest stores credentials in memory",
+        "value": 0,
+        "type": "DWORD",
+        "values": {
+          "0": "Secure - Do NOT store plaintext credentials in memory",
+          "1": "Insecure - Store plaintext credentials in memory (VULNERABLE!)"
+        },
+        "attack_prevention": [
+          "Prevents Mimikatz from dumping plaintext passwords",
+          "Prevents Windows Credential Editor (WCE) attacks",
+          "Prevents other memory-dumping credential theft tools"
+        ],
+        "impact": "None - Modern systems (Win 8.1+) already default to 0"
+      }
+    },
+    
+    "default_behavior": {
+      "Windows_7": 1,
+      "Windows_8": 1,
+      "Windows_8.1": 0,
+      "Windows_10": 0,
+      "Windows_11": 0,
+      "Windows_11_24H2_plus": "Setting ignored (deprecated)"
+    },
+    
+    "rationale": {
+      "why_set_if_deprecated": [
+        "Protects older Windows versions (Win7/8/Server 2008/2012)",
+        "Protects early Win10/11 builds that may not be fully patched",
+        "Defense-in-depth: Explicit is better than implicit",
+        "Ensures compatibility in mixed environments",
+        "No negative impact on Win11 24H2+ (setting is ignored)"
+      ]
+    },
+    
+    "microsoft_advisory": {
+      "kb_article": "KB2871997",
+      "date": "May 2014",
+      "title": "Update to improve credentials protection and management",
+      "url": "https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649",
+      "baseline_removal": {
+        "version": "Windows 11 25H2 Security Baseline",
+        "reason": "Engineering teams deprecated this policy in Windows 11 24H2",
+        "url": "https://techcommunity.microsoft.com/blog/microsoft-security-baselines/windows-11-version-25h2-security-baseline/4456231"
+      }
+    }
+  },
+  
+  "Profiles": {
+    "Balanced": true,
+    "Enterprise": true,
+    "Maximum": true
+  },
+  
+  "Compatibility": {
+    "windows_versions": ["All Windows versions"],
+    "notes": [
+      "Setting is ignored on Windows 11 24H2+ (deprecated)",
+      "No compatibility issues or breakage on any Windows version",
+      "Recommended for all profiles for defense-in-depth"
+    ]
+  }
+}
--- a/Modules/AdvancedSecurity/Config/Firewall.json
+++ b/Modules/AdvancedSecurity/Config/Firewall.json
@ -0,0 +1,20 @@
+{
+  "Description": "Firewall Shields Up - Block all incoming connections on Public network",
+  "Purpose": "Extra protection in public WiFi networks (airports, cafes, hotels)",
+  "Note": "This goes BEYOND Microsoft Security Baseline",
+  
+  "ShieldsUp": {
+    "description": "Block ALL incoming connections on Public profile, including allowed apps",
+    "registry_path": "HKLM:\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\PublicProfile",
+    "value_name": "DoNotAllowExceptions",
+    "enabled_value": 1,
+    "disabled_value": 0,
+    "profiles": {
+      "Balanced": false,
+      "Enterprise": false,
+      "Maximum": true
+    },
+    "warning": "When enabled, apps like Teams, Discord, Zoom cannot receive incoming calls on Public networks",
+    "recommendation": "Enable only for maximum security (Maximum / air-gapped profile)"
+  }
+}
--- a/Modules/AdvancedSecurity/Config/RDP.json
+++ b/Modules/AdvancedSecurity/Config/RDP.json
@ -0,0 +1,64 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "title": "RDP Hardening Configuration",
+  "description": "Configuration for RDP (Remote Desktop Protocol) hardening including NLA enforcement and optional complete disable",
+  "version": "2.2.0",
+  
+  "NLA_Enforcement": {
+    "description": "Network Level Authentication (NLA) enforcement settings",
+    "enabled": true,
+    "registry_path": "HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp",
+    "settings": {
+      "UserAuthentication": {
+        "description": "Require NLA (Network Level Authentication) before session establishment",
+        "value": 1,
+        "type": "DWORD",
+        "attack_prevention": "Prevents brute-force attacks before login screen appears",
+        "impact": "Minimal - NLA is Windows 7+ standard. May affect pre-Vista RDP clients."
+      },
+      "SecurityLayer": {
+        "description": "Require SSL/TLS encryption for all RDP connections",
+        "value": 2,
+        "type": "DWORD",
+        "attack_prevention": "Forces SSL/TLS encryption, prevents plaintext RDP traffic",
+        "impact": "Minimal - SSL/TLS is standard since Windows Vista"
+      }
+    }
+  },
+  
+  "Complete_Disable": {
+    "description": "Complete RDP disable for air-gapped/high-security environments",
+    "enabled_by_default": false,
+    "profiles": {
+      "Balanced": false,
+      "Enterprise": false,
+      "Maximum": "optional"
+    },
+    "registry_path": "HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server",
+    "settings": {
+      "fDenyTSConnections": {
+        "description": "Completely disable Remote Desktop",
+        "value": 1,
+        "type": "DWORD",
+        "attack_prevention": "Complete RDP attack surface removal",
+        "impact": "HIGH - Remote administration will not work. Windows automatically adjusts firewall rules."
+      }
+    },
+    "requires": {
+      "force_parameter": true,
+      "domain_check": true,
+      "warning": "This will completely disable RDP. Remote administration will not be possible."
+    }
+  },
+  
+  "Compatibility": {
+    "windows_versions": ["Windows 10", "Windows 11", "Windows Server 2016+"],
+    "minimum_rdp_client": "Windows Vista+",
+    "notes": [
+      "NLA is standard since Windows Vista / Server 2008",
+      "Pre-Vista clients will not be able to connect with NLA enforcement",
+      "Complete disable affects all remote management via RDP",
+      "Domain-joined systems should NOT disable RDP without explicit -Force"
+    ]
+  }
+}
--- a/Modules/AdvancedSecurity/Config/SRP-Rules.json
+++ b/Modules/AdvancedSecurity/Config/SRP-Rules.json
@ -0,0 +1,85 @@
+{
+  "Description": "Software Restriction Policies (SRP) for CVE-2025-9491 Mitigation",
+  "Documentation": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-9491",
+  "CVE": "CVE-2025-9491",
+  "Threat": "Windows LNK Remote Code Execution",
+  "Status": "Zero-Day, Actively Exploited since 2017",
+  "Severity": "High (CVSS 7.0)",
+  
+  "SRPConfiguration": {
+    "DefaultLevel": 262144,
+    "Description": "Unrestricted - Allow all programs except explicitly blocked",
+    "TransparentEnabled": 1,
+    "ExecutableTypes": [
+      ".ADE", ".ADP", ".BAS", ".BAT", ".CHM", ".CMD", ".COM", ".CPL", ".CRT", 
+      ".EXE", ".HLP", ".HTA", ".INF", ".INS", ".ISP", ".LNK", ".MDB", ".MDE",
+      ".MSC", ".MSI", ".MSP", ".MST", ".OCX", ".PCD", ".PIF", ".REG", ".SCR",
+      ".SHS", ".URL", ".VB", ".WSC", ".WSF", ".WSH"
+    ]
+  },
+  
+  "PathRules": [
+    {
+      "Name": "Block LNK from Outlook Temp",
+      "Path": "%LOCALAPPDATA%\\Temp\\*.lnk",
+      "SecurityLevel": 0,
+      "Description": "Blocks .lnk files from Outlook email attachments to prevent CVE-2025-9491 exploitation. Outlook saves attachments to %LOCALAPPDATA%\\Temp\\Content.Outlook\\ before execution.",
+      "SaferFlags": 0,
+      "Enabled": true,
+      "AttackVector": "Email attachments (malicious.lnk via Outlook)",
+      "Impact": "Prevents execution of .lnk files from email attachments. Legitimate shortcuts from Start Menu/Desktop/Taskbar still work (different paths)."
+    },
+    {
+      "Name": "Block LNK from Downloads",
+      "Path": "%USERPROFILE%\\Downloads\\*.lnk",
+      "SecurityLevel": 0,
+      "Description": "Blocks .lnk files from browser Downloads folder to prevent CVE-2025-9491 exploitation from web downloads.",
+      "SaferFlags": 0,
+      "Enabled": true,
+      "AttackVector": "Browser downloads (malicious.lnk from web)",
+      "Impact": "Prevents execution of .lnk files downloaded from internet. Move .lnk to another location to execute if needed."
+    }
+  ],
+  
+  "Windows11BugFix": {
+    "Description": "Windows 11 has a bug where SRP is disabled by presence of certain keys in HKLM\\SYSTEM\\CurrentControlSet\\Control\\Srp\\Gp",
+    "Action": "Remove RuleCount and LastWriteTime keys",
+    "RegistryPath": "HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Srp\\Gp",
+    "KeysToRemove": ["RuleCount", "LastWriteTime"],
+    "Reason": "These keys cause SRP to be ignored on Windows 11. Removing them re-enables SRP functionality."
+  },
+  
+  "RegistryPaths": {
+    "PolicyRoot": "HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers",
+    "PathRules": "HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers\\0\\Paths",
+    "Win11BugFix": "HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Srp\\Gp"
+  },
+  
+  "SecurityLevels": {
+    "Disallowed": 0,
+    "Unrestricted": 262144,
+    "Description": "0 = Block execution, 262144 = Allow execution"
+  },
+  
+  "SafeScenarios": [
+    "Start Menu shortcuts (C:\\ProgramData\\Microsoft\\Windows\\Start Menu)",
+    "Desktop shortcuts (C:\\Users\\<user>\\Desktop)",
+    "Taskbar shortcuts (pinned applications)",
+    "Program Files shortcuts (C:\\Program Files)",
+    "System shortcuts (C:\\Windows)"
+  ],
+  
+  "BlockedScenarios": [
+    "Outlook email attachments (%LOCALAPPDATA%\\Temp\\Content.Outlook)",
+    "Browser downloads (%USERPROFILE%\\Downloads)",
+    "Temporary Internet Files",
+    "Other Temp locations matching patterns"
+  ],
+  
+  "Testing": {
+    "VerifyBlockedPath": "%USERPROFILE%\\Downloads\\test.lnk",
+    "ExpectedResult": "Execution blocked with 'This program is blocked by group policy' message",
+    "VerifySafePath": "%USERPROFILE%\\Desktop\\test.lnk",
+    "ExpectedResult2": "Execution allowed (Desktop not in blocked path list)"
+  }
+}
--- a/Modules/AdvancedSecurity/Config/WindowsUpdate.json
+++ b/Modules/AdvancedSecurity/Config/WindowsUpdate.json
@ -0,0 +1,57 @@
+{
+  "Description": "Simple Windows Update Configuration - MS Best Practice (GUI Settings Only)",
+  "Documentation": "Matches Windows Settings > Windows Update > Advanced options",
+  "Purpose": "Enable immediate updates from Microsoft using Windows built-in settings",
+  
+  "Settings": {
+    "1_ReceiveUpdatesImmediately": {
+      "Name": "Get the latest updates as soon as they're available",
+      "RegistryPath": "HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate",
+      "Values": {
+        "AllowOptionalContent": {
+          "Type": "DWord",
+          "Value": 1,
+          "Description": "Policy: enable optional content & configuration updates immediately (grays out GUI toggle)"
+        },
+        "SetAllowOptionalContent": {
+          "Type": "DWord",
+          "Value": 1,
+          "Description": "Policy: enforce AllowOptionalContent setting (managed by organization)"
+        }
+      },
+      "GUIPath": "Settings > Windows Update > Advanced options > Get the latest updates as soon as they're available"
+    },
+    
+    "2_MicrosoftUpdate": {
+      "Name": "Receive updates for other Microsoft products",
+      "RegistryPath": "HKLM:\\SOFTWARE\\Microsoft\\WindowsUpdate\\UX\\Settings",
+      "Values": {
+        "AllowMUUpdateService": {
+          "Type": "DWord",
+          "Value": 1,
+          "Description": "Get updates for Office, drivers, and other Microsoft products with Windows Update"
+        }
+      },
+      "GUIPath": "Settings > Windows Update > Advanced options > Receive updates for other Microsoft products"
+    },
+    
+    "3_DeliveryOptimization": {
+      "Name": "Downloads from other devices (DISABLED for privacy)",
+      "RegistryPath": "HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeliveryOptimization",
+      "Values": {
+        "DODownloadMode": {
+          "Type": "DWord",
+          "Value": 0,
+          "Description": "0 = HTTP only (Microsoft servers), no P2P, no LAN sharing"
+        }
+      },
+      "GUIPath": "Settings > Windows Update > Advanced options > Delivery Optimization > Allow downloads from other devices = OFF"
+    }
+  },
+  
+  "TotalRegistryKeys": 4,
+  "MSBestPractice": "These are the EXACT settings shown in Windows Settings GUI - no hidden schedules, no auto-reboot config",
+  "UserControl": "User keeps full control over installation timing via Windows Settings (except Setting 1 is enforced by policy if enabled)",
+  "NoInteractivePrompt": "No mode selection needed - simple ON/ON/OFF configuration",
+  "CRITICAL_NOTE": "Setting 1 uses Policies\\Microsoft\\Windows\\WindowsUpdate (AllowOptionalContent/SetAllowOptionalContent) and will appear as 'managed by organization'. Setting 2 MUST use UX\\Settings path (NOT Policies path) to avoid locking the Microsoft Update toggle."
+}