v2.2.0 - Complete Security Hardening Framework (632 Settings)

2026-02-07 12:11:53 +01:00 · 2025-12-08 10:32:49 +01:00 · 2025-12-08 10:32:49 +01:00 · ba364813ed
commit ba364813ed
195 changed files with 43788 additions and 0 deletions
--- a/Modules/AdvancedSecurity/Config/Credentials.json
+++ b/Modules/AdvancedSecurity/Config/Credentials.json
@ -0,0 +1,78 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "title": "Credential Protection Configuration",
+  "description": "Configuration for credential hardening including WDigest protection",
+  "version": "2.2.0",
+  
+  "WDigest_Protection": {
+    "description": "Prevent WDigest from storing plaintext passwords in LSASS memory",
+    "enabled": true,
+    "deprecated_in": "Windows 11 24H2",
+    "status": "Deprecated in Win11 24H2+ but kept for backwards compatibility and defense-in-depth",
+    
+    "registry_path": "HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest",
+    "settings": {
+      "UseLogonCredential": {
+        "description": "Control whether WDigest stores credentials in memory",
+        "value": 0,
+        "type": "DWORD",
+        "values": {
+          "0": "Secure - Do NOT store plaintext credentials in memory",
+          "1": "Insecure - Store plaintext credentials in memory (VULNERABLE!)"
+        },
+        "attack_prevention": [
+          "Prevents Mimikatz from dumping plaintext passwords",
+          "Prevents Windows Credential Editor (WCE) attacks",
+          "Prevents other memory-dumping credential theft tools"
+        ],
+        "impact": "None - Modern systems (Win 8.1+) already default to 0"
+      }
+    },
+    
+    "default_behavior": {
+      "Windows_7": 1,
+      "Windows_8": 1,
+      "Windows_8.1": 0,
+      "Windows_10": 0,
+      "Windows_11": 0,
+      "Windows_11_24H2_plus": "Setting ignored (deprecated)"
+    },
+    
+    "rationale": {
+      "why_set_if_deprecated": [
+        "Protects older Windows versions (Win7/8/Server 2008/2012)",
+        "Protects early Win10/11 builds that may not be fully patched",
+        "Defense-in-depth: Explicit is better than implicit",
+        "Ensures compatibility in mixed environments",
+        "No negative impact on Win11 24H2+ (setting is ignored)"
+      ]
+    },
+    
+    "microsoft_advisory": {
+      "kb_article": "KB2871997",
+      "date": "May 2014",
+      "title": "Update to improve credentials protection and management",
+      "url": "https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649",
+      "baseline_removal": {
+        "version": "Windows 11 25H2 Security Baseline",
+        "reason": "Engineering teams deprecated this policy in Windows 11 24H2",
+        "url": "https://techcommunity.microsoft.com/blog/microsoft-security-baselines/windows-11-version-25h2-security-baseline/4456231"
+      }
+    }
+  },
+  
+  "Profiles": {
+    "Balanced": true,
+    "Enterprise": true,
+    "Maximum": true
+  },
+  
+  "Compatibility": {
+    "windows_versions": ["All Windows versions"],
+    "notes": [
+      "Setting is ignored on Windows 11 24H2+ (deprecated)",
+      "No compatibility issues or breakage on any Windows version",
+      "Recommended for all profiles for defense-in-depth"
+    ]
+  }
+}