diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md index 76e3adb..00cd2aa 100644 --- a/.github/ISSUE_TEMPLATE/bug_report.md +++ b/.github/ISSUE_TEMPLATE/bug_report.md @@ -32,7 +32,7 @@ A clear description of what actually happened. - **CPU**: [e.g., AMD Ryzen 7 9800X3D] - **TPM**: [e.g., 2.0 Present] - **Third-Party AV**: [e.g., None, Windows Defender only] -- **Script Version**: [e.g., v2.2.1] +- **Script Version**: [e.g., v2.2.3] - **Execution Mode**: [Interactive / Direct / DryRun] **Get System Info:** diff --git a/CHANGELOG.md b/CHANGELOG.md index 4c244bc..31b9e90 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,23 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 --- +## [2.2.3] - 2025-01-07 + +### 🔨 Bugfix Release + +**Critical bugfix for Restore Mode manual module selection.** + +### 🔨 Fixed + +**Restore Mode Module Selection Crash (Critical)** +- Fixed: Selecting `[M] Restore only SELECTED modules` and entering any module number caused a fatal PowerShell error +- Root cause: `.Split(',', ';', ' ')` triggered wrong .NET overload `Split(string, Int32)`, interpreting `;` as count parameter +- Fix: Replaced with native PowerShell `-split '[,; ]'` operator +- Impact: Manual module selection in Restore workflow now works correctly +- Reported by: KatCat2 + +--- + ## [2.2.2] - 2025-12-22 ### 🚀 Performance Release @@ -63,11 +80,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - All 7 registry policies confirmed correct per MS Policy CSP docs - Version numbers aligned across all 50+ files -### 🔐 Verify Download -``` -SHA256: fdb364d48e67a6889b44a519ba061cd570411158b8bdeb9b91ec845b7e270d96 -``` - --- ## [2.2.0] - 2025-12-08 @@ -232,19 +244,19 @@ SHA256: fdb364d48e67a6889b44a519ba061cd570411158b8bdeb9b91ec845b7e270d96 - OneDrive telemetry off (sync functional) - App permissions default-deny -**AntiAI** (24 policies) - AI Lockdown +**AntiAI** (32 policies) - AI Lockdown - Generative AI Master Switch (blocks ALL AI models system-wide) - Windows Recall (complete deactivation + component protection) - Windows Copilot (system-wide disabled + hardware key remapped) - Click to Do, Paint AI, Notepad AI, Settings Agent - all disabled -**EdgeHardening** (20 policies) - Microsoft Edge Security Baseline +**EdgeHardening** (24 policies) - Microsoft Edge Security Baseline - SmartScreen enforced, Tracking Prevention strict - SSL/TLS hardening, Extension security - IE Mode restrictions - Native PowerShell implementation (no LGPO.exe) -**AdvancedSecurity** (44 settings) - Beyond Microsoft Baseline +**AdvancedSecurity** (50 settings) - Beyond Microsoft Baseline - **SRP .lnk Protection (CVE-2025-9491)** - Zero-day mitigation for ClickFix malware - **RDP Hardening** - Disabled by default, TLS + NLA enforced - **Legacy Protocol Blocking** - SMBv1, NetBIOS, LLMNR, WPAD, PowerShell v2 diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 37349e1..1d70898 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -68,7 +68,7 @@ Modules/ ``` Modules/AdvancedSecurity/ -├── AdvancedSecurity.psd1 # Manifest with version 2.2.2 +├── AdvancedSecurity.psd1 # Manifest with version 2.2.3 ├── AdvancedSecurity.psm1 # Loads Private/*.ps1 and Public/*.ps1 ├── Config/ │ ├── RDP.json # RDP hardening config @@ -105,7 +105,7 @@ Modules/AdvancedSecurity/ ```powershell @{ RootModule = 'YourModule.psm1' - ModuleVersion = '2.2.2' + ModuleVersion = '2.2.3' GUID = 'YOUR-GUID-HERE' # Generate with [guid]::NewGuid() Author = 'Your Name' CompanyName = 'NoID Privacy' @@ -128,7 +128,7 @@ Modules/AdvancedSecurity/ Tags = @('Security', 'Hardening', 'Windows11') ProjectUri = 'https://github.com/yourusername/noid-privacy' ReleaseNotes = @" -v2.2.2 - Initial Release +v2.2.3 - Initial Release - Feature 1 - Feature 2 "@ @@ -141,7 +141,7 @@ v2.2.2 - Initial Release ```powershell @{ RootModule = 'AdvancedSecurity.psm1' - ModuleVersion = '2.2.2' + ModuleVersion = '2.2.3' GUID = 'a1b2c3d4-e5f6-7890-abcd-ef1234567890' Author = 'NexusOne23' Description = 'Advanced Security hardening beyond Microsoft Security Baseline' @@ -155,7 +155,7 @@ v2.2.2 - Initial Release PSData = @{ Tags = @('Security', 'Hardening', 'RDP', 'TLS', 'Windows11') ReleaseNotes = @" -v2.2.2 - Production Release +v2.2.3 - Production Release - RDP NLA enforcement + optional complete disable - WDigest credential protection - Administrative shares disable (domain-aware) @@ -781,4 +781,4 @@ mkdir "Modules\YourModule\Config" --- -**Questions? Study AdvancedSecurity v2.2.2 - it's the reference implementation!** 🎯 +**Questions? Study AdvancedSecurity v2.2.3 - it's the reference implementation!** 🎯 diff --git a/Core/Config.ps1 b/Core/Config.ps1 index f6e7976..be9c143 100644 --- a/Core/Config.ps1 +++ b/Core/Config.ps1 @@ -8,7 +8,7 @@ .NOTES Author: NexusOne23 - Version: 2.2.2 + Version: 2.2.3 Requires: PowerShell 5.1+ #> @@ -79,83 +79,104 @@ function New-DefaultConfig { ) $defaultConfig = @{ - version = "2.2.2" + version = "2.2.3" modules = @{ SecurityBaseline = @{ - enabled = $true - priority = 1 - status = "IMPLEMENTED" + enabled = $true + priority = 1 + status = "IMPLEMENTED" + bitLockerUSBEnforcement = $false } - ASR = @{ - enabled = $true - priority = 2 - status = "IMPLEMENTED" + ASR = @{ + enabled = $true + priority = 2 + status = "IMPLEMENTED" + usesManagementTools = $false + allowNewSoftware = $false + continueWithoutCloud = $true } - DNS = @{ - enabled = $true + DNS = @{ + enabled = $true priority = 3 - provider = "" - status = "IMPLEMENTED" + status = "IMPLEMENTED" + provider = "Quad9" + dohMode = "REQUIRE" } - Privacy = @{ - enabled = $true - priority = 4 - mode = "" - status = "IMPLEMENTED" + Privacy = @{ + enabled = $true + priority = 4 + status = "IMPLEMENTED" + mode = "MSRecommended" + disableCloudClipboard = $true + removeBloatware = $true } - AntiAI = @{ - enabled = $true - priority = 5 - status = "IMPLEMENTED" + AntiAI = @{ + enabled = $true + priority = 5 + status = "IMPLEMENTED" description = "Disable all Windows 11 AI features (Recall, Copilot, Paint AI, etc.)" } - EdgeHardening = @{ - enabled = $true - priority = 6 - status = "IMPLEMENTED" - description = "Microsoft Edge v139 Security Baseline: 20 security policies including SmartScreen enforcement, site isolation, SSL/TLS hardening, extension blocklist, IE Mode restrictions, and Spectre mitigations. No LGPO.exe dependency." - version = "2.2.2" - baseline = "Edge v139" - policies = 20 - features = @{ - smartscreen_enforcement = $true - site_isolation = $true - ssl_error_blocking = $true - extension_blocklist = $true - ie_mode_restrictions = $true - spectre_mitigations = $true - application_encryption = $true + EdgeHardening = @{ + enabled = $true + priority = 6 + status = "IMPLEMENTED" + description = "Microsoft Edge v139 Security Baseline: 24 security policies" + allowExtensions = $true + version = "2.2.3" + baseline = "Edge v139" + policies = 24 + features = @{ + smartscreen_enforcement = $true + site_isolation = $true + ssl_error_blocking = $true + extension_blocklist = $true + ie_mode_restrictions = $true + spectre_mitigations = $true + application_encryption = $true auth_scheme_restrictions = $true } } AdvancedSecurity = @{ - enabled = $true - priority = 7 - status = "IMPLEMENTED" - description = "Advanced Security hardening beyond MS Baseline: RDP NLA/Disable, WDigest protection, Admin Shares disable, Risky ports/services, Legacy TLS disable, WPAD disable, PowerShell v2 removal, SRP .lnk protection, Windows Update (3 GUI settings), Finger Protocol block. Opt-in by design (use -SecurityProfile Balanced/Enterprise/Maximum)" - version = "2.2.2" - policies = 36 - features = @{ - rdp_hardening = $true - wdigest_protection = $true - admin_shares_disable = $true - risky_ports_closure = $true - risky_services_stop = $true - legacy_tls_disable = $true - wpad_disable = $true - powershell_v2_removal = $true - srp_lnk_protection = $true - windows_update_config = $true - finger_protocol_block = $true + enabled = $true + priority = 7 + status = "IMPLEMENTED" + description = "Advanced Security hardening beyond MS Baseline" + securityProfile = "Balanced" + disableRDP = $true + forceAdminShares = $false + disableUPnP = $true + disableWirelessDisplay = $false + disableDiscoveryProtocols = $true + disableIPv6 = $false + version = "2.2.3" + policies = 50 + features = @{ + rdp_hardening = $true + wdigest_protection = $true + admin_shares_disable = $true + risky_ports_closure = $true + risky_services_stop = $true + legacy_tls_disable = $true + wpad_disable = $true + powershell_v2_removal = $true + srp_lnk_protection = $true + windows_update_config = $true + finger_protocol_block = $true + wireless_display_security = $true + discovery_protocols_security = $true + firewall_shields_up = $true + ipv6_disable = $true } - profiles = @("Balanced", "Enterprise", "Maximum") + profiles = @("Balanced", "Enterprise", "Maximum") } } options = @{ - dryRun = $false - createBackup = $true + dryRun = $false + createBackup = $true verboseLogging = $true - autoReboot = $false + autoReboot = $false + nonInteractive = $false + autoConfirm = $false } } @@ -413,7 +434,7 @@ function Get-EnabledModules { # Check if module is actually implemented if (Test-ModuleAvailability -ModuleName $moduleName) { $enabledModules += [PSCustomObject]@{ - Name = $moduleName + Name = $moduleName Priority = $moduleConfig.priority } } diff --git a/Core/Framework.ps1 b/Core/Framework.ps1 index 8e28443..352f248 100644 --- a/Core/Framework.ps1 +++ b/Core/Framework.ps1 @@ -8,7 +8,7 @@ .NOTES Author: NexusOne23 - Version: 2.2.2 + Version: 2.2.3 Requires: PowerShell 5.1+ .EXAMPLE @@ -24,7 +24,7 @@ # All configuration comes from config.json via Initialize-Config. # Script-level variables -$script:FrameworkVersion = "2.2.2" +$script:FrameworkVersion = "2.2.3" $script:FrameworkRoot = Split-Path -Parent $PSScriptRoot $script:ExecutionStartTime = Get-Date @@ -409,8 +409,8 @@ function Invoke-Hardening { else { # CLI mode: Auto-detect session type based on module count $autoSessionType = if ($modulesToExecute.Count -ge 7) { "wizard" } - elseif ($modulesToExecute.Count -eq 1) { "advanced" } - else { "manual" } + elseif ($modulesToExecute.Count -eq 1) { "advanced" } + else { "manual" } Set-SessionType -SessionType $autoSessionType Write-Log -Level DEBUG -Message "Session type auto-detected: $autoSessionType (based on $($modulesToExecute.Count) modules)" -Module "Framework" } @@ -451,7 +451,7 @@ function Invoke-Hardening { $ruleCount = $ruleIds.Count $preFrameworkSnapshot = @{ - ASR = @{ + ASR = @{ RuleIds = $ruleIds RuleActions = $ruleActions SnapshotDate = Get-Date -Format "yyyy-MM-dd HH:mm:ss" diff --git a/Core/Logger.ps1 b/Core/Logger.ps1 index e0b2061..ee15c75 100644 --- a/Core/Logger.ps1 +++ b/Core/Logger.ps1 @@ -8,7 +8,7 @@ .NOTES Author: NexusOne23 - Version: 2.2.2 + Version: 2.2.3 Requires: PowerShell 5.1+ #> @@ -26,10 +26,10 @@ enum LogLevel { # NOTE: Must use Get-Variable to check existence (direct access fails in Strict Mode) if (-not (Get-Variable -Name 'LoggerConfig' -Scope Global -ErrorAction SilentlyContinue)) { $global:LoggerConfig = @{ - LogFilePath = "" - MinimumLevel = [LogLevel]::INFO - EnableConsole = $true - EnableFile = $true + LogFilePath = "" + MinimumLevel = [LogLevel]::INFO + EnableConsole = $true + EnableFile = $true TimestampFormat = "yyyy-MM-dd HH:mm:ss" } } @@ -193,10 +193,10 @@ function Write-Log { # Write to console with color coding (suppress DEBUG-level on console) if ($global:LoggerConfig.EnableConsole -and $Level -ge [LogLevel]::INFO) { $consoleColor = switch ($Level) { - ([LogLevel]::DEBUG) { "Gray" } - ([LogLevel]::INFO) { "White" } + ([LogLevel]::DEBUG) { "Gray" } + ([LogLevel]::INFO) { "White" } ([LogLevel]::WARNING) { "Yellow" } - ([LogLevel]::ERROR) { "Red" } + ([LogLevel]::ERROR) { "Red" } ([LogLevel]::SUCCESS) { "Green" } default { "White" } } @@ -245,15 +245,15 @@ function Get-ErrorContext { ) $context = @{ - Message = "" - Exception = "" - Category = "" + Message = "" + Exception = "" + Category = "" TargetObject = "" - ScriptName = "" - LineNumber = 0 - Command = "" - StackTrace = "" - Summary = "" + ScriptName = "" + LineNumber = 0 + Command = "" + StackTrace = "" + Summary = "" } if ($null -eq $ErrorRecord) { @@ -271,13 +271,15 @@ function Get-ErrorContext { if ($ErrorRecord.InvocationInfo) { $context.ScriptName = if ($ErrorRecord.InvocationInfo.ScriptName) { Split-Path -Leaf $ErrorRecord.InvocationInfo.ScriptName - } else { + } + else { "N/A" } $context.LineNumber = $ErrorRecord.InvocationInfo.ScriptLineNumber $context.Command = if ($ErrorRecord.InvocationInfo.MyCommand) { $ErrorRecord.InvocationInfo.MyCommand.Name - } else { + } + else { "N/A" } } diff --git a/Core/NonInteractive.ps1 b/Core/NonInteractive.ps1 index 9cf5a28..26ba39b 100644 --- a/Core/NonInteractive.ps1 +++ b/Core/NonInteractive.ps1 @@ -12,7 +12,7 @@ .NOTES Author: NexusOne23 - Version: 2.2.2 + Version: 2.2.3 Usage in modules: 1. Call Test-NonInteractiveMode to check if prompts should be skipped @@ -194,7 +194,8 @@ function Write-NonInteractiveDecision { $message = if ($null -ne $Value) { "[GUI] $Decision : $Value" - } else { + } + else { "[GUI] $Decision" } diff --git a/Core/Rollback.ps1 b/Core/Rollback.ps1 index fdce9b7..5baea6d 100644 --- a/Core/Rollback.ps1 +++ b/Core/Rollback.ps1 @@ -8,7 +8,7 @@ .NOTES Author: NexusOne23 - Version: 2.2.2 + Version: 2.2.3 Requires: PowerShell 5.1+ #> @@ -64,7 +64,7 @@ function Initialize-BackupSystem { displayName = "" # Auto-generated based on modules sessionType = "unknown" # wizard | advanced | manual timestamp = Get-Date -Format "o" - frameworkVersion = "2.2.2" + frameworkVersion = "2.2.3" modules = @() totalItems = 0 restorable = $true @@ -116,13 +116,13 @@ function Update-SessionDisplayName { # Calculate ACTUAL settings count (not backup items!) # Each module applies a specific number of settings (Paranoid mode = max): $settingsPerModule = @{ - "SecurityBaseline" = 425 # 335 Registry + 67 Security Template + 23 Audit - "ASR" = 19 # 19 ASR Rules - "DNS" = 5 # 5 DNS Settings - "Privacy" = 78 # 54 Registry (MSRecommended) + 24 Bloatware - "AntiAI" = 32 # 32 Registry Policies (15 features) - "EdgeHardening" = 24 # 24 Edge Policies (22-23 applied depending on extensions) - "AdvancedSecurity" = 50 # 50 Advanced Settings (15 features incl. Discovery Protocols + IPv6) + "SecurityBaseline" = 425 # 335 Registry + 67 Security Template + 23 Audit + "ASR" = 19 # 19 ASR Rules + "DNS" = 5 # 5 DNS Settings + "Privacy" = 78 # 54 Registry (MSRecommended) + 24 Bloatware + "AntiAI" = 32 # 32 Registry Policies (15 features) + "EdgeHardening" = 24 # 24 Edge Policies (22-23 applied depending on extensions) + "AdvancedSecurity" = 50 # 50 Advanced Settings (15 features incl. Discovery Protocols + IPv6) } $totalSettings = 0 @@ -382,10 +382,10 @@ function Backup-RegistryKey { try { $emptyMarker = @{ - KeyPath = $KeyPath + KeyPath = $KeyPath BackupDate = Get-Date -Format "yyyy-MM-dd HH:mm:ss" - State = "NotExisted" - Message = "Registry key did not exist before hardening - must be deleted during restore" + State = "NotExisted" + Message = "Registry key did not exist before hardening - must be deleted during restore" } | ConvertTo-Json $markerFile = Join-Path $backupFolder "$safeBackupName`_EMPTY.json" @@ -935,10 +935,10 @@ function Restore-FromBackup { try { # Convert reg.exe path to PowerShell path $psKeyPath = $keyPathToRestore -replace 'HKEY_LOCAL_MACHINE', 'HKLM:' ` - -replace 'HKEY_CURRENT_USER', 'HKCU:' ` - -replace 'HKEY_CLASSES_ROOT', 'HKCR:' ` - -replace 'HKEY_USERS', 'HKU:' ` - -replace 'HKEY_CURRENT_CONFIG', 'HKCC:' + -replace 'HKEY_CURRENT_USER', 'HKCU:' ` + -replace 'HKEY_CLASSES_ROOT', 'HKCR:' ` + -replace 'HKEY_USERS', 'HKU:' ` + -replace 'HKEY_CURRENT_CONFIG', 'HKCC:' if (Test-Path $psKeyPath) { Write-Log -Level INFO -Message "Deleting existing protected key: $psKeyPath before re-import." -Module "Rollback" @@ -1033,11 +1033,23 @@ function Invoke-RestoreRebootPrompt { Offers immediate or deferred reboot with countdown. Uses validation loop for consistent behavior. + .PARAMETER NoReboot + Skip the reboot prompt entirely (for automation/GUI usage) + + .PARAMETER ForceReboot + Automatically reboot without prompting (for automation) + .OUTPUTS None #> [CmdletBinding()] - param() + param( + [Parameter(Mandatory = $false)] + [switch]$NoReboot, + + [Parameter(Mandatory = $false)] + [switch]$ForceReboot + ) Write-Host "" Write-Host "========================================" -ForegroundColor Cyan @@ -1077,7 +1089,33 @@ function Invoke-RestoreRebootPrompt { Write-Host "========================================" -ForegroundColor Cyan Write-Host "" - # Prompt user with validation loop + # Check if running in NonInteractive mode (e.g., from GUI) + $isNonInteractive = [Environment]::GetCommandLineArgs() -contains '-NonInteractive' + + # Handle -ForceReboot: immediately reboot without prompt + if ($ForceReboot) { + Write-Host "" + Write-Host "[>] ForceReboot specified - rebooting system now..." -ForegroundColor Yellow + Write-Host "" + Restart-Computer -Force + return + } + + # Handle -NoReboot or NonInteractive mode: skip the prompt + if ($NoReboot -or $isNonInteractive) { + Write-Host "" + if ($NoReboot) { + Write-Host "[!] NoReboot specified - reboot prompt skipped" -ForegroundColor Yellow + } + else { + Write-Host "[!] Running in NonInteractive mode - reboot prompt skipped" -ForegroundColor Yellow + } + Write-Host " Please reboot manually to complete the restore." -ForegroundColor Gray + Write-Host "" + return + } + + # Interactive mode: prompt user do { Write-Host "Reboot now? [Y/N] (default: Y): " -NoNewline -ForegroundColor White $choice = Read-Host @@ -1175,8 +1213,8 @@ function Restore-AllBackups { Write-Log -Level WARNING -Message "Full rollback completed with some failures" -Module "Rollback" } - # Prompt for reboot after restore - Invoke-RestoreRebootPrompt + # Prompt for reboot after restore (pass through reboot parameters) + Invoke-RestoreRebootPrompt -NoReboot:$NoReboot -ForceReboot:$ForceReboot return $allSucceeded } @@ -1344,6 +1382,12 @@ function Restore-Session { .PARAMETER ModuleNames Optional array of specific module names to restore (restores all if not specified) + .PARAMETER NoReboot + Skip the reboot prompt entirely (for automation/GUI usage) + + .PARAMETER ForceReboot + Automatically reboot without prompting (for automation) + .OUTPUTS Boolean indicating overall success #> @@ -1354,7 +1398,13 @@ function Restore-Session { [string]$SessionPath, [Parameter(Mandatory = $false)] - [string[]]$ModuleNames + [string[]]$ModuleNames, + + [Parameter(Mandatory = $false)] + [switch]$NoReboot, + + [Parameter(Mandatory = $false)] + [switch]$ForceReboot ) if (-not (Test-Path $SessionPath)) { @@ -1372,7 +1422,8 @@ function Restore-Session { Write-RestoreLog -Level INFO -Message "Session Path: $SessionPath" if ($ModuleNames) { Write-RestoreLog -Level INFO -Message "Specific Modules: $($ModuleNames -join ', ')" - } else { + } + else { Write-RestoreLog -Level INFO -Message "Restoring: ALL modules" } Write-RestoreLog -Level INFO -Message "========================================" @@ -1800,7 +1851,7 @@ function Restore-Session { for ($i = 0; $i -lt $preFramework.ASR.RuleIds.Count; $i++) { if ($preFramework.ASR.RuleActions[$i] -ne 0) { $asrRulesToRestore += @{ - GUID = $preFramework.ASR.RuleIds[$i] + GUID = $preFramework.ASR.RuleIds[$i] Action = $preFramework.ASR.RuleActions[$i] } } @@ -1843,8 +1894,8 @@ function Restore-Session { $ruleActions = $asrRulesToRestore | ForEach-Object { $_.Action } Set-MpPreference -AttackSurfaceReductionRules_Ids $ruleIds ` - -AttackSurfaceReductionRules_Actions $ruleActions ` - -ErrorAction Stop + -AttackSurfaceReductionRules_Actions $ruleActions ` + -ErrorAction Stop $sourceDesc = if ($usePreFramework) { "PreFramework snapshot (TRUE pre-hardening)" } else { "ASR_ActiveConfiguration.json" } Write-Log -Level SUCCESS -Message "ASR rules restored via Set-MpPreference ($($asrRulesToRestore.Count) active rules from $sourceDesc)" -Module "Rollback" @@ -1912,7 +1963,8 @@ function Restore-Session { Write-Log -Level SUCCESS -Message "Explorer Advanced settings restored via PowerShell" -Module "Rollback" } } - } catch { + } + catch { Write-Log -Level WARNING -Message "PowerShell-based Explorer restore failed: $($_.Exception.Message)" -Module "Rollback" } } @@ -1936,10 +1988,10 @@ function Restore-Session { } $regType = switch ($entry.Type) { - "DWord" { "DWord" } - "String" { "String" } + "DWord" { "DWord" } + "String" { "String" } "MultiString" { "MultiString" } - default { "String" } + default { "String" } } $existing = Get-ItemProperty -Path $keyPath -Name $entry.Name -ErrorAction SilentlyContinue @@ -2178,13 +2230,13 @@ function Restore-Session { } $regType = switch ($entry.Type) { - "DWord" { "DWord" } - "String" { "String" } + "DWord" { "DWord" } + "String" { "String" } "MultiString" { "MultiString" } "ExpandString" { "ExpandString" } - "Binary" { "Binary" } - "QWord" { "QWord" } - default { "String" } + "Binary" { "Binary" } + "QWord" { "QWord" } + default { "String" } } New-ItemProperty -Path $entry.Path -Name $entry.Name -Value $entry.Value -PropertyType $regType -Force -ErrorAction Stop | Out-Null @@ -2246,7 +2298,7 @@ function Restore-Session { "HKCU:\Software\Microsoft\Windows\CurrentVersion\SystemSettings\AccountNotifications", "HKCU:\Software\Microsoft\Windows\CurrentVersion\UserProfileEngagement", "HKCU:\SOFTWARE\Microsoft\Personalization\Settings", - # NEW: Input Personalization Settings (v2.2.2 - FIX missing HKCU restore) + # NEW: Input Personalization Settings (v2.2.3 - FIX missing HKCU restore) "HKCU:\SOFTWARE\Microsoft\InputPersonalization", "HKCU:\SOFTWARE\Microsoft\InputPersonalization\TrainedDataStore", "HKCU:\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\appDiagnostics" @@ -2263,7 +2315,8 @@ function Restore-Session { Remove-ItemProperty -Path $keyPath -Name $prop -ErrorAction SilentlyContinue } } - } catch { + } + catch { Write-Log -Level DEBUG -Message "Could not clear $keyPath : $_" -Module "Rollback" } } @@ -2280,12 +2333,12 @@ function Restore-Session { } $regType = switch ($entry.Type) { - "DWord" { "DWord" } - "String" { "String" } + "DWord" { "DWord" } + "String" { "String" } "MultiString" { "MultiString" } "ExpandString" { "ExpandString" } - "Binary" { "Binary" } - default { "String" } + "Binary" { "Binary" } + default { "String" } } New-ItemProperty -Path $entry.Path -Name $entry.Name -Value $entry.Value -PropertyType $regType -Force -ErrorAction Stop | Out-Null @@ -2463,13 +2516,13 @@ function Restore-Session { } $regType = switch ($entry.Type) { - "DWord" { "DWord" } - "String" { "String" } + "DWord" { "DWord" } + "String" { "String" } "MultiString" { "MultiString" } "ExpandString" { "ExpandString" } - "Binary" { "Binary" } - "QWord" { "QWord" } - default { "String" } + "Binary" { "Binary" } + "QWord" { "QWord" } + default { "String" } } New-ItemProperty -Path $entry.Path -Name $entry.Name -Value $entry.Value -PropertyType $regType -Force -ErrorAction Stop | Out-Null @@ -2677,7 +2730,8 @@ function Restore-Session { Write-Host " All security settings have been reverted to backup state" -ForegroundColor White Write-Host " Modules restored: $($reversedModules.Count) | Total items: $($manifest.totalItems)" -ForegroundColor Gray Write-Host "" - } else { + } + else { Write-Host "" Write-Host " RESTORE COMPLETED WITH ISSUES " -ForegroundColor Yellow Write-Host "" @@ -2690,8 +2744,8 @@ function Restore-Session { Write-Host "" Write-Host "" - # Prompt for reboot after restore - Invoke-RestoreRebootPrompt + # Prompt for reboot after restore (pass through reboot parameters) + Invoke-RestoreRebootPrompt -NoReboot:$NoReboot -ForceReboot:$ForceReboot # Final restore log entry $endTime = Get-Date diff --git a/Core/Validator.ps1 b/Core/Validator.ps1 index 186eca4..2319f25 100644 --- a/Core/Validator.ps1 +++ b/Core/Validator.ps1 @@ -8,7 +8,7 @@ .NOTES Author: NexusOne23 - Version: 2.2.2 + Version: 2.2.3 Requires: PowerShell 5.1+ #> @@ -27,9 +27,9 @@ function Test-Prerequisites { Write-Log -Level INFO -Message "Starting prerequisite validation" -Module "Validator" $result = [PSCustomObject]@{ - Success = $true - Errors = @() - Warnings = @() + Success = $true + Errors = @() + Warnings = @() SystemInfo = $null } @@ -133,11 +133,11 @@ function Get-WindowsVersion { } return [PSCustomObject]@{ - Version = $versionName - BuildNumber = $buildNumber - IsWindows11 = $isWindows11 - IsSupported = $isSupported - Edition = $os.Caption + Version = $versionName + BuildNumber = $buildNumber + IsWindows11 = $isWindows11 + IsSupported = $isSupported + Edition = $os.Caption Architecture = $os.OSArchitecture } } @@ -174,8 +174,8 @@ function Test-InternetConnectivity { param() try { - # Using Google DNS (8.8.8.8) - intentional for internet connectivity check - $response = Test-Connection -ComputerName "8.8.8.8" -Count 1 -Quiet -ErrorAction Stop + # Using Microsoft NCSI endpoint - same as Windows uses for connectivity detection + $response = Test-Connection -ComputerName "www.msftconnecttest.com" -Count 1 -Quiet -ErrorAction Stop return $response } catch { @@ -200,26 +200,26 @@ function Test-TPMAvailable { if ($null -eq $tpm) { return [PSCustomObject]@{ - Present = $false - Version = "N/A" - Enabled = $false + Present = $false + Version = "N/A" + Enabled = $false Activated = $false } } return [PSCustomObject]@{ - Present = $tpm.TpmPresent - Version = if ($tpm.ManufacturerVersion) { $tpm.ManufacturerVersion } else { "2.0" } - Enabled = $tpm.TpmEnabled + Present = $tpm.TpmPresent + Version = if ($tpm.ManufacturerVersion) { $tpm.ManufacturerVersion } else { "2.0" } + Enabled = $tpm.TpmEnabled Activated = $tpm.TpmActivated } } catch { Write-Log -Level WARNING -Message "Unable to check TPM status: $_" -Module "Validator" return [PSCustomObject]@{ - Present = $false - Version = "Unknown" - Enabled = $false + Present = $false + Version = "Unknown" + Enabled = $false Activated = $false } } @@ -294,14 +294,14 @@ function Get-SystemInfo { $internet = Test-InternetConnectivity return [PSCustomObject]@{ - OS = $osInfo - TPM = $tpmInfo - SecureBoot = $secureBoot - Virtualization = $virtualization - IsAdministrator = $isAdmin + OS = $osInfo + TPM = $tpmInfo + SecureBoot = $secureBoot + Virtualization = $virtualization + IsAdministrator = $isAdmin DiskSpaceAvailable = $diskSpace - InternetConnected = $internet - PowerShellVersion = $PSVersionTable.PSVersion.ToString() + InternetConnected = $internet + PowerShellVersion = $PSVersionTable.PSVersion.ToString() } } @@ -332,9 +332,9 @@ function Test-DomainJoined { $result = [PSCustomObject]@{ IsDomainJoined = $isDomainJoined - DomainName = if ($isDomainJoined) { $computerSystem.Domain } else { "N/A" } - Workgroup = if (-not $isDomainJoined) { $computerSystem.Workgroup } else { "N/A" } - UserConfirmed = $false + DomainName = if ($isDomainJoined) { $computerSystem.Domain } else { "N/A" } + Workgroup = if (-not $isDomainJoined) { $computerSystem.Workgroup } else { "N/A" } + UserConfirmed = $false } if ($isDomainJoined) { @@ -384,9 +384,9 @@ function Test-DomainJoined { Write-Log -Level ERROR -Message "Failed to check domain status: $_" -Module "Validator" -Exception $_.Exception return [PSCustomObject]@{ IsDomainJoined = $false - DomainName = "Error" - Workgroup = "Error" - UserConfirmed = $false + DomainName = "Error" + Workgroup = "Error" + UserConfirmed = $false } } } @@ -416,7 +416,7 @@ function Confirm-SystemBackup { Write-Log -Level INFO -Message "Backup recommendation: non-interactive confirmation (no prompt shown)" -Module "Validator" $result = [PSCustomObject]@{ - UserConfirmed = $true + UserConfirmed = $true BackupRecommended = $true } diff --git a/Docs/FEATURES.md b/Docs/FEATURES.md index 4065224..3540755 100644 --- a/Docs/FEATURES.md +++ b/Docs/FEATURES.md @@ -1,6 +1,6 @@ # NoID Privacy - Complete Feature List -**Framework Version:** v2.2.2 +**Framework Version:** v2.2.3 **Total Security Settings:** 633 (Paranoid mode) **Modules:** 7 (All Production-Ready) **Last Updated:** December 22, 2025 @@ -11,13 +11,13 @@ | Module | Settings | Status | Description | |--------|----------|--------|-------------| -| **SecurityBaseline** | 425 | ✅ v2.2.2 | Microsoft Security Baseline for Windows 11 v25H2 | -| **ASR** | 19 | ✅ v2.2.2 | Attack Surface Reduction rules | -| **DNS** | 5 | ✅ v2.2.2 | Secure DNS with DoH encryption | -| **Privacy** | 78 | ✅ v2.2.2 | Telemetry control, OneDrive hardening (Strict: 70 Registry + 2 Services + 6 OneDrive) | -| **AntiAI** | 32 | ✅ v2.2.2 | AI lockdown (15 features, 32 compliance checks) | -| **EdgeHardening** | 24 | ✅ v2.2.2 | Microsoft Edge browser security (24 policies) | -| **AdvancedSecurity** | 50 | ✅ v2.2.2 | Advanced hardening beyond MS Baseline (incl. Wireless Display, Discovery Protocols, IPv6) | +| **SecurityBaseline** | 425 | ✅ v2.2.3 | Microsoft Security Baseline for Windows 11 v25H2 | +| **ASR** | 19 | ✅ v2.2.3 | Attack Surface Reduction rules | +| **DNS** | 5 | ✅ v2.2.3 | Secure DNS with DoH encryption | +| **Privacy** | 78 | ✅ v2.2.3 | Telemetry control, OneDrive hardening (Strict: 70 Registry + 2 Services + 6 OneDrive) | +| **AntiAI** | 32 | ✅ v2.2.3 | AI lockdown (15 features, 32 compliance checks) | +| **EdgeHardening** | 24 | ✅ v2.2.3 | Microsoft Edge browser security (24 policies) | +| **AdvancedSecurity** | 50 | ✅ v2.2.3 | Advanced hardening beyond MS Baseline (incl. Wireless Display, Discovery Protocols, IPv6) | | **TOTAL** | **633** | ✅ **100%** | **Complete Framework (Paranoid mode)** | --- @@ -238,7 +238,7 @@ Clipchamp.Clipchamp, SpotifyAB.SpotifyMusic ## 🤖 Module 5: AntiAI (32 Policies) -**Description:** Disable 15 Windows AI features via 32 registry policies (v2.2.2) +**Description:** Disable 15 Windows AI features via 32 registry policies (v2.2.3) ### 15 AI Features Disabled: @@ -283,7 +283,7 @@ HKCU:\SOFTWARE\Policies\Microsoft\Windows\WindowsAI\DisableRecallDataProviders = HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsAI\SetDenyAppListForRecall = [...] HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsAI\SetDenyUriListForRecall = [...] HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsAI\SetMaximumStorageDurationForRecallSnapshots = 30 -HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsAI\SetMaximumStorageSpaceForRecallSnapshots = 10 +HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsAI\SetMaximumStorageSpaceForRecallSnapshots = 10240 HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsAI\TurnOffWindowsCopilot = 1 HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsCopilot\TurnOffWindowsCopilot = 1 HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsCopilot\ShowCopilotButton = 0 @@ -724,7 +724,7 @@ Some UI elements in Paint and Photos apps may **still be visible** but non-funct ``` ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ -NoID Privacy v2.2.2 +NoID Privacy v2.2.3 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ Total Settings: 633 ✅ @@ -745,4 +745,4 @@ Framework Completion: 🎉 100% COMPLETE --- **Last Updated:** December 22, 2025 -**Framework Version:** v2.2.2 +**Framework Version:** v2.2.3 diff --git a/Modules/ASR/ASR.psd1 b/Modules/ASR/ASR.psd1 index 0484784..db4391f 100644 --- a/Modules/ASR/ASR.psd1 +++ b/Modules/ASR/ASR.psd1 @@ -1,31 +1,31 @@ @{ - RootModule = 'ASR.psm1' - ModuleVersion = '2.2.2' - GUID = 'b2c3d4e5-f6a7-8901-bcde-f23456789012' - Author = 'NexusOne23' - CompanyName = 'Open Source Project' - Copyright = '(c) 2025 NexusOne23. Licensed under GPL-3.0.' - Description = 'Attack Surface Reduction (ASR) - All 19 Microsoft Defender ASR rules in Block mode for maximum protection against modern threats' + RootModule = 'ASR.psm1' + ModuleVersion = '2.2.3' + GUID = 'b2c3d4e5-f6a7-8901-bcde-f23456789012' + Author = 'NexusOne23' + CompanyName = 'Open Source Project' + Copyright = '(c) 2025 NexusOne23. Licensed under GPL-3.0.' + Description = 'Attack Surface Reduction (ASR) - All 19 Microsoft Defender ASR rules in Block mode for maximum protection against modern threats' PowerShellVersion = '5.1' - RequiredModules = @() + RequiredModules = @() FunctionsToExport = @( 'Invoke-ASRRules' ) - CmdletsToExport = @() + CmdletsToExport = @() VariablesToExport = @() - AliasesToExport = @() + AliasesToExport = @() - PrivateData = @{ + PrivateData = @{ PSData = @{ - Tags = @('Security', 'ASR', 'AttackSurfaceReduction', 'Defender', 'Windows11', 'Ransomware') - LicenseUri = '' - ProjectUri = '' + Tags = @('Security', 'ASR', 'AttackSurfaceReduction', 'Defender', 'Windows11', 'Ransomware') + LicenseUri = '' + ProjectUri = '' ReleaseNotes = @" -v2.2.2 - Production Release +v2.2.3 - Production Release - All 19 ASR rules implementation - Hybrid approach: Registry backup + Set-MpPreference application - SCCM/Configuration Manager detection diff --git a/Modules/ASR/ASR.psm1 b/Modules/ASR/ASR.psm1 index fbaa557..642924f 100644 --- a/Modules/ASR/ASR.psm1 +++ b/Modules/ASR/ASR.psm1 @@ -11,7 +11,7 @@ .NOTES Author: NexusOne23 - Version: 2.2.2 + Version: 2.2.3 Requires: PowerShell 5.1+, Administrator privileges, Windows Defender #> diff --git a/Modules/AdvancedSecurity/AdvancedSecurity.psd1 b/Modules/AdvancedSecurity/AdvancedSecurity.psd1 index 0c1c8a9..d12bf76 100644 --- a/Modules/AdvancedSecurity/AdvancedSecurity.psd1 +++ b/Modules/AdvancedSecurity/AdvancedSecurity.psd1 @@ -2,7 +2,7 @@ # Module manifest for AdvancedSecurity # Version - ModuleVersion = '2.2.2' + ModuleVersion = '2.2.3' # Unique ID GUID = 'e7f5a3d2-8c9b-4f1e-a6d3-9b2c8f4e5a1d' @@ -48,7 +48,7 @@ LicenseUri = '' ProjectUri = '' ReleaseNotes = @' -v2.2.2 (2025-12-08) +v2.2.3 (2025-12-08) - Production release of AdvancedSecurity module - 49 advanced hardening settings implemented (was 36) - NEW: Wireless Display (Miracast) security hardening diff --git a/Modules/AdvancedSecurity/AdvancedSecurity.psm1 b/Modules/AdvancedSecurity/AdvancedSecurity.psm1 index 0df4d65..1ded715 100644 --- a/Modules/AdvancedSecurity/AdvancedSecurity.psm1 +++ b/Modules/AdvancedSecurity/AdvancedSecurity.psm1 @@ -1,5 +1,5 @@ # AdvancedSecurity Module Loader -# Version: 2.2.2 +# Version: 2.2.3 # Description: Advanced Security Hardening - Beyond Microsoft Security Baseline # Get module path diff --git a/Modules/AdvancedSecurity/Config/AdminShares.json b/Modules/AdvancedSecurity/Config/AdminShares.json index eb0da25..e804e8f 100644 --- a/Modules/AdvancedSecurity/Config/AdminShares.json +++ b/Modules/AdvancedSecurity/Config/AdminShares.json @@ -2,7 +2,7 @@ "$schema": "http://json-schema.org/draft-07/schema#", "title": "Administrative Shares Configuration", "description": "Configuration for disabling administrative shares (C$, ADMIN$, etc.) to prevent lateral movement", - "version": "2.2.2", + "version": "2.2.3", "Administrative_Shares": { "description": "Disable automatic creation and remove existing administrative shares", diff --git a/Modules/AdvancedSecurity/Config/Credentials.json b/Modules/AdvancedSecurity/Config/Credentials.json index 20b8bda..391b215 100644 --- a/Modules/AdvancedSecurity/Config/Credentials.json +++ b/Modules/AdvancedSecurity/Config/Credentials.json @@ -2,7 +2,7 @@ "$schema": "http://json-schema.org/draft-07/schema#", "title": "Credential Protection Configuration", "description": "Configuration for credential hardening including WDigest protection", - "version": "2.2.2", + "version": "2.2.3", "WDigest_Protection": { "description": "Prevent WDigest from storing plaintext passwords in LSASS memory", diff --git a/Modules/AdvancedSecurity/Config/RDP.json b/Modules/AdvancedSecurity/Config/RDP.json index 8fc81fe..27e224c 100644 --- a/Modules/AdvancedSecurity/Config/RDP.json +++ b/Modules/AdvancedSecurity/Config/RDP.json @@ -2,7 +2,7 @@ "$schema": "http://json-schema.org/draft-07/schema#", "title": "RDP Hardening Configuration", "description": "Configuration for RDP (Remote Desktop Protocol) hardening including NLA enforcement and optional complete disable", - "version": "2.2.2", + "version": "2.2.3", "NLA_Enforcement": { "description": "Network Level Authentication (NLA) enforcement settings", diff --git a/Modules/AdvancedSecurity/Private/Block-FingerProtocol.ps1 b/Modules/AdvancedSecurity/Private/Block-FingerProtocol.ps1 index 77fb865..7e1080f 100644 --- a/Modules/AdvancedSecurity/Private/Block-FingerProtocol.ps1 +++ b/Modules/AdvancedSecurity/Private/Block-FingerProtocol.ps1 @@ -21,7 +21,7 @@ function Block-FingerProtocol { .NOTES Author: NexusOne23 - Version: 2.2.2 + Version: 2.2.3 Requires: Administrator privileges REFERENCES: diff --git a/Modules/AdvancedSecurity/Private/Set-SRPRules.ps1 b/Modules/AdvancedSecurity/Private/Set-SRPRules.ps1 index 665b771..89446e2 100644 --- a/Modules/AdvancedSecurity/Private/Set-SRPRules.ps1 +++ b/Modules/AdvancedSecurity/Private/Set-SRPRules.ps1 @@ -27,7 +27,7 @@ function Set-SRPRules { .NOTES Author: NexusOne23 - Version: 2.2.2 + Version: 2.2.3 Requires: Administrator privileges REFERENCES: diff --git a/Modules/AdvancedSecurity/Private/Set-WindowsUpdate.ps1 b/Modules/AdvancedSecurity/Private/Set-WindowsUpdate.ps1 index 7891e1e..7940d6f 100644 --- a/Modules/AdvancedSecurity/Private/Set-WindowsUpdate.ps1 +++ b/Modules/AdvancedSecurity/Private/Set-WindowsUpdate.ps1 @@ -22,7 +22,7 @@ function Set-WindowsUpdate { .NOTES Author: NexusOne23 - Version: 2.2.2 + Version: 2.2.3 Requires: Administrator privileges Based on: Windows Settings > Windows Update > Advanced options #> diff --git a/Modules/AdvancedSecurity/Public/Invoke-AdvancedSecurity.ps1 b/Modules/AdvancedSecurity/Public/Invoke-AdvancedSecurity.ps1 index e534b4a..ec27d65 100644 --- a/Modules/AdvancedSecurity/Public/Invoke-AdvancedSecurity.ps1 +++ b/Modules/AdvancedSecurity/Public/Invoke-AdvancedSecurity.ps1 @@ -11,7 +11,7 @@ function Invoke-AdvancedSecurity { - Enterprise: Conservative approach with domain-safety checks - Maximum: Maximum hardening for air-gapped/high-security environments - Features implemented (v2.2.2): + Features implemented (v2.2.3): - RDP NLA enforcement + optional complete disable - WDigest credential protection - Administrative shares disable (domain-aware) diff --git a/Modules/AntiAI/AntiAI.psd1 b/Modules/AntiAI/AntiAI.psd1 index a96fdd9..47dc6e7 100644 --- a/Modules/AntiAI/AntiAI.psd1 +++ b/Modules/AntiAI/AntiAI.psd1 @@ -1,21 +1,21 @@ @{ - RootModule = 'AntiAI.psm1' - ModuleVersion = '2.2.2' - GUID = 'f8e9d7c6-5b4a-3c2d-1e0f-9a8b7c6d5e4f' - Author = 'NexusOne23' - CompanyName = 'Open Source Project' - Copyright = '(c) 2025 NexusOne23. Licensed under GPL-3.0.' - Description = 'Comprehensive Windows 11 AI deactivation - Disables all 15 AI features using official Microsoft policies (Recall, Copilot, Paint AI, Notepad AI, Click to Do, Settings Agent, etc.). Maximum compliance mode with enterprise-grade Recall protection.' + RootModule = 'AntiAI.psm1' + ModuleVersion = '2.2.3' + GUID = 'f8e9d7c6-5b4a-3c2d-1e0f-9a8b7c6d5e4f' + Author = 'NexusOne23' + CompanyName = 'Open Source Project' + Copyright = '(c) 2025 NexusOne23. Licensed under GPL-3.0.' + Description = 'Comprehensive Windows 11 AI deactivation - Disables all 15 AI features using official Microsoft policies (Recall, Copilot, Paint AI, Notepad AI, Click to Do, Settings Agent, etc.). Maximum compliance mode with enterprise-grade Recall protection.' PowerShellVersion = '5.1' FunctionsToExport = @( 'Invoke-AntiAI' ) - PrivateData = @{ + PrivateData = @{ PSData = @{ - Tags = @('Windows11', 'AI', 'Privacy', 'Security', 'Recall', 'Copilot', 'AntiAI') - ProjectUri = 'https://github.com/yourusername/NoIDPrivacy' + Tags = @('Windows11', 'AI', 'Privacy', 'Security', 'Recall', 'Copilot', 'AntiAI') + ProjectUri = 'https://github.com/yourusername/NoIDPrivacy' ReleaseNotes = @' v1.0.0 - Initial Release - Disables 8+ Windows 11 AI features using official Microsoft policies diff --git a/Modules/AntiAI/AntiAI.psm1 b/Modules/AntiAI/AntiAI.psm1 index 7f0009d..274d6c3 100644 --- a/Modules/AntiAI/AntiAI.psm1 +++ b/Modules/AntiAI/AntiAI.psm1 @@ -11,7 +11,7 @@ .NOTES Module: AntiAI - Version: 2.2.2 + Version: 2.2.3 Author: NoID Privacy #> @@ -22,14 +22,12 @@ $script:ModuleRoot = $PSScriptRoot # Import private functions $privateFunctions = @( - 'Backup-AntiAISettings' - 'Restore-AntiAISettings' 'Test-AntiAICompliance' 'Set-SystemAIModels' 'Disable-Recall' 'Set-RecallProtection' 'Disable-Copilot' - 'Disable-CopilotAdvanced' # NEW v2.2.2: URI handlers, Edge sidebar, Recall export + 'Disable-CopilotAdvanced' # NEW v2.2.3: URI handlers, Edge sidebar, Recall export 'Disable-ClickToDo' 'Disable-SettingsAgent' 'Disable-ExplorerAI' # NEW: File Explorer AI Actions menu diff --git a/Modules/AntiAI/Config/AntiAI-Settings.json b/Modules/AntiAI/Config/AntiAI-Settings.json index ebb1293..a8a9266 100644 --- a/Modules/AntiAI/Config/AntiAI-Settings.json +++ b/Modules/AntiAI/Config/AntiAI-Settings.json @@ -100,8 +100,8 @@ }, "SetMaximumStorageSpaceForRecallSnapshots": { "Type": "DWord", - "Value": 10, - "Description": "Maximum snapshot storage: 10 GB (Choices: 10/25/50/75/100/150 GB, 0=OS default)" + "Value": 10240, + "Description": "Maximum snapshot storage: 10 GB = 10240 MB (Choices: 10240/25600/51200/76800/102400/153600 MB, 0=OS default)" } } } diff --git a/Modules/AntiAI/Private/Disable-CopilotAdvanced.ps1 b/Modules/AntiAI/Private/Disable-CopilotAdvanced.ps1 index bc77e65..6c08840 100644 --- a/Modules/AntiAI/Private/Disable-CopilotAdvanced.ps1 +++ b/Modules/AntiAI/Private/Disable-CopilotAdvanced.ps1 @@ -40,7 +40,7 @@ .NOTES Requires Administrator privileges. - Part of NoID Privacy AntiAI Module v2.2.2 + Part of NoID Privacy AntiAI Module v2.2.3 #> function Disable-CopilotAdvanced { [CmdletBinding()] diff --git a/Modules/AntiAI/Private/Set-RecallProtection.ps1 b/Modules/AntiAI/Private/Set-RecallProtection.ps1 index cd5ab56..292ebfd 100644 --- a/Modules/AntiAI/Private/Set-RecallProtection.ps1 +++ b/Modules/AntiAI/Private/Set-RecallProtection.ps1 @@ -95,14 +95,14 @@ function Set-RecallProtection { Write-Log -Level DEBUG -Message "Set max snapshot retention: 30 days" -Module "AntiAI" $result.Applied++ - # 4. Storage Space Limit - Max 10 GB + # 4. Storage Space Limit - Max 10 GB (10240 MB per MS CSP) $existing = Get-ItemProperty -Path $regPath -Name "SetMaximumStorageSpaceForRecallSnapshots" -ErrorAction SilentlyContinue if ($null -ne $existing) { - Set-ItemProperty -Path $regPath -Name "SetMaximumStorageSpaceForRecallSnapshots" -Value 10 -Force + Set-ItemProperty -Path $regPath -Name "SetMaximumStorageSpaceForRecallSnapshots" -Value 10240 -Force } else { - New-ItemProperty -Path $regPath -Name "SetMaximumStorageSpaceForRecallSnapshots" -Value 10 -PropertyType DWord -Force | Out-Null + New-ItemProperty -Path $regPath -Name "SetMaximumStorageSpaceForRecallSnapshots" -Value 10240 -PropertyType DWord -Force | Out-Null } - Write-Log -Level DEBUG -Message "Set max snapshot storage: 10 GB" -Module "AntiAI" + Write-Log -Level DEBUG -Message "Set max snapshot storage: 10 GB (10240 MB)" -Module "AntiAI" $result.Applied++ # Verify @@ -111,7 +111,7 @@ function Set-RecallProtection { $verified = ($null -ne $values.SetDenyAppListForRecall) -and ($null -ne $values.SetDenyUriListForRecall) -and ($values.SetMaximumStorageDurationForRecallSnapshots -eq 30) -and - ($values.SetMaximumStorageSpaceForRecallSnapshots -eq 10) + ($values.SetMaximumStorageSpaceForRecallSnapshots -eq 10240) if ($verified) { Write-Log -Level DEBUG -Message "Verification SUCCESS: All Recall protection policies applied" -Module "AntiAI" diff --git a/Modules/AntiAI/Private/Test-AntiAICompliance.ps1 b/Modules/AntiAI/Private/Test-AntiAICompliance.ps1 index abecfaa..936de75 100644 --- a/Modules/AntiAI/Private/Test-AntiAICompliance.ps1 +++ b/Modules/AntiAI/Private/Test-AntiAICompliance.ps1 @@ -42,7 +42,7 @@ .NOTES Author: NoID Privacy - Version: 2.2.2 (Extended validation) + Version: 2.2.3 (Extended validation) Requires: Windows 11 24H2+, Administrator privileges #> @@ -235,7 +235,7 @@ $protectionChecks = @( (Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsAI" -Name "SetDenyAppListForRecall" -ExpectedValue $expectedDenyApps -Description "App Deny List"), (Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsAI" -Name "SetDenyUriListForRecall" -ExpectedValue $expectedDenyUris -Description "URI Deny List"), (Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsAI" -Name "SetMaximumStorageDurationForRecallSnapshots" -ExpectedValue 30 -Description "Max Retention: 30 days"), - (Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsAI" -Name "SetMaximumStorageSpaceForRecallSnapshots" -ExpectedValue 10 -Description "Max Storage: 10 GB") + (Test-RegistryValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsAI" -Name "SetMaximumStorageSpaceForRecallSnapshots" -ExpectedValue 10240 -Description "Max Storage: 10 GB (10240 MB)") ) foreach ($check in $protectionChecks) { $results.Details += $check diff --git a/Modules/AntiAI/Public/Invoke-AntiAI.ps1 b/Modules/AntiAI/Public/Invoke-AntiAI.ps1 index 67fd3e0..43bbf61 100644 --- a/Modules/AntiAI/Public/Invoke-AntiAI.ps1 +++ b/Modules/AntiAI/Public/Invoke-AntiAI.ps1 @@ -52,7 +52,7 @@ .NOTES Author: NoID Privacy - Version: 2.2.2 + Version: 2.2.3 Requires: Windows 11 24H2 or later, Administrator privileges Impact: All AI features completely disabled, reboot required #> @@ -70,7 +70,7 @@ function Invoke-AntiAI { Write-Host "" -ForegroundColor Cyan Write-Host "========================================" -ForegroundColor Cyan - Write-Host " ANTI-AI MODULE v2.2.2" -ForegroundColor Cyan + Write-Host " ANTI-AI MODULE v2.2.3" -ForegroundColor Cyan Write-Host "========================================" -ForegroundColor Cyan Write-Host "" Write-Host "Disables 15 AI features (32 policies):" -ForegroundColor White @@ -171,7 +171,7 @@ function Invoke-AntiAI { @{ Path = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Paint"; Name = "DisableImageCreator"; Type = "DWord" }, @{ Path = "HKLM:\SOFTWARE\Policies\WindowsNotepad"; Name = "DisableAIFeatures"; Type = "DWord" }, @{ Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsAI"; Name = "DisableSettingsAgent"; Type = "DWord" }, - # NEW v2.2.2: Advanced Copilot Blocking + # NEW v2.2.3: Advanced Copilot Blocking @{ Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsAI"; Name = "AllowRecallExport"; Type = "DWord" }, @{ Path = "HKLM:\SOFTWARE\Policies\Microsoft\Edge"; Name = "EdgeSidebarEnabled"; Type = "DWord" }, @{ Path = "HKLM:\SOFTWARE\Policies\Microsoft\Edge"; Name = "ShowHubsSidebar"; Type = "DWord" }, @@ -196,7 +196,7 @@ function Invoke-AntiAI { $prop = Get-ItemProperty -Path $t.Path -Name $t.Name -ErrorAction SilentlyContinue if ($null -ne $prop -and $prop.PSObject.Properties.Name -contains $t.Name) { $entry.Exists = $true - $entry.Value = $prop.$($t.Name) + $entry.Value = $prop.$($t.Name) } } } @@ -272,7 +272,8 @@ function Invoke-AntiAI { Register-Backup -Type "AntiAI" -Data $expJson -Name "Explorer_Advanced_Device_JSON" | Out-Null } } - } catch { + } + catch { Write-Host " WARNING: Failed to create JSON backup for Explorer Advanced: $_" -ForegroundColor Yellow } } @@ -355,7 +356,7 @@ function Invoke-AntiAI { } # ============================================================================ - # ADVANCED COPILOT BLOCKING (NEW v2.2.2) + # ADVANCED COPILOT BLOCKING (NEW v2.2.3) # ============================================================================ Write-Host "" Write-Host " [Advanced Copilot Blocks]" -ForegroundColor Cyan diff --git a/Modules/DNS/DNS.psd1 b/Modules/DNS/DNS.psd1 index f1ce468..347dddb 100644 --- a/Modules/DNS/DNS.psd1 +++ b/Modules/DNS/DNS.psd1 @@ -2,7 +2,7 @@ # Module manifest for DNS module RootModule = 'DNS.psm1' - ModuleVersion = '2.2.2' + ModuleVersion = '2.2.3' GUID = 'a8f7b3c9-4e5d-4a2b-9c1d-8f3e5a7b9c2d' Author = 'NexusOne23' CompanyName = 'Open Source Project' diff --git a/Modules/DNS/DNS.psm1 b/Modules/DNS/DNS.psm1 index 2a976ed..47cf81f 100644 --- a/Modules/DNS/DNS.psm1 +++ b/Modules/DNS/DNS.psm1 @@ -12,7 +12,7 @@ .NOTES Author: NoID Privacy - Version: 2.2.2 + Version: 2.2.3 Requires: PowerShell 5.1+, Administrator privileges #> diff --git a/Modules/EdgeHardening/EdgeHardening.psd1 b/Modules/EdgeHardening/EdgeHardening.psd1 index dfb6941..4f3a282 100644 --- a/Modules/EdgeHardening/EdgeHardening.psd1 +++ b/Modules/EdgeHardening/EdgeHardening.psd1 @@ -1,30 +1,30 @@ @{ # Script module or binary module file associated with this manifest - RootModule = 'EdgeHardening.psm1' + RootModule = 'EdgeHardening.psm1' # Version number of this module - ModuleVersion = '2.2.2' + ModuleVersion = '2.2.3' # ID used to uniquely identify this module - GUID = '8e3f4c2a-9b1d-4e7a-a2c5-6f8b3d9e1a4c' + GUID = '8e3f4c2a-9b1d-4e7a-a2c5-6f8b3d9e1a4c' # Author of this module - Author = 'NexusOne23' + Author = 'NexusOne23' # Company or vendor of this module - CompanyName = 'Open Source Project' + CompanyName = 'Open Source Project' # Copyright statement for this module - Copyright = '(c) 2025 NexusOne23. Licensed under GPL-3.0.' + Copyright = '(c) 2025 NexusOne23. Licensed under GPL-3.0.' # Description of the functionality provided by this module - Description = 'Microsoft Edge Security Hardening based on MS Edge v139 Security Baseline. Applies 24 security policies to harden Microsoft Edge browser using native PowerShell (no LGPO.exe dependency). Includes SmartScreen enforcement, site isolation, SSL/TLS hardening, extension blocking, and IE mode restrictions.' + Description = 'Microsoft Edge Security Hardening based on MS Edge v139 Security Baseline. Applies 24 security policies to harden Microsoft Edge browser using native PowerShell (no LGPO.exe dependency). Includes SmartScreen enforcement, site isolation, SSL/TLS hardening, extension blocking, and IE mode restrictions.' # Minimum version of the PowerShell engine required by this module PowerShellVersion = '5.1' # Modules that must be imported into the global environment prior to importing this module - RequiredModules = @() + RequiredModules = @() # Functions to export from this module FunctionsToExport = @( @@ -33,22 +33,22 @@ ) # Cmdlets to export from this module - CmdletsToExport = @() + CmdletsToExport = @() # Variables to export from this module VariablesToExport = @() # Aliases to export from this module - AliasesToExport = @() + AliasesToExport = @() # Private data to pass to the module specified in RootModule/ModuleToProcess - PrivateData = @{ + PrivateData = @{ PSData = @{ - Tags = @('Security', 'Edge', 'Browser', 'Hardening', 'Baseline', 'Windows11', 'Privacy') - LicenseUri = '' - ProjectUri = '' + Tags = @('Security', 'Edge', 'Browser', 'Hardening', 'Baseline', 'Windows11', 'Privacy') + LicenseUri = '' + ProjectUri = '' ReleaseNotes = @" -v2.2.2 - Production Release +v2.2.3 - Production Release - Microsoft Edge v139 Security Baseline implementation - 20 security policies (native PowerShell, no LGPO.exe) - SmartScreen enforcement with override prevention diff --git a/Modules/EdgeHardening/EdgeHardening.psm1 b/Modules/EdgeHardening/EdgeHardening.psm1 index b732a67..1346092 100644 --- a/Modules/EdgeHardening/EdgeHardening.psm1 +++ b/Modules/EdgeHardening/EdgeHardening.psm1 @@ -16,7 +16,7 @@ .NOTES Author: NexusOne23 - Version: 2.2.2 + Version: 2.2.3 Requires: PowerShell 5.1+, Administrator privileges #> diff --git a/Modules/EdgeHardening/Public/Invoke-EdgeHardening.ps1 b/Modules/EdgeHardening/Public/Invoke-EdgeHardening.ps1 index 1ae15af..58b8ea2 100644 --- a/Modules/EdgeHardening/Public/Invoke-EdgeHardening.ps1 +++ b/Modules/EdgeHardening/Public/Invoke-EdgeHardening.ps1 @@ -48,7 +48,7 @@ .NOTES Author: NexusOne23 - Version: 2.2.2 + Version: 2.2.3 Requires: PowerShell 5.1+, Administrator privileges IMPORTANT: This applies Microsoft's recommended security baseline. diff --git a/Modules/EdgeHardening/Public/Test-EdgeHardening.ps1 b/Modules/EdgeHardening/Public/Test-EdgeHardening.ps1 index b0a698d..b6f55e0 100644 --- a/Modules/EdgeHardening/Public/Test-EdgeHardening.ps1 +++ b/Modules/EdgeHardening/Public/Test-EdgeHardening.ps1 @@ -23,7 +23,7 @@ .NOTES Author: NexusOne23 - Version: 2.2.2 + Version: 2.2.3 Can be run without Administrator privileges #> @@ -103,8 +103,8 @@ function Test-EdgeHardening { return [PSCustomObject]@{ Compliant = $false - Message = "Test failed: $($_.Exception.Message)" - Details = @() + Message = "Test failed: $($_.Exception.Message)" + Details = @() } } } diff --git a/Modules/Privacy/Privacy.psd1 b/Modules/Privacy/Privacy.psd1 index 4198a66..7aabd85 100644 --- a/Modules/Privacy/Privacy.psd1 +++ b/Modules/Privacy/Privacy.psd1 @@ -1,11 +1,11 @@ @{ - RootModule = 'Privacy.psm1' - ModuleVersion = '2.2.2' - GUID = 'a9f7c8d3-2e5b-4a1f-9c3d-7e8f5a6b2c4d' - Author = 'NexusOne23' - CompanyName = 'Open Source Project' - Copyright = '(c) 2025 NexusOne23. Licensed under GPL-3.0.' - Description = 'Privacy & Telemetry hardening module with Bloatware removal and OneDrive configuration. Supports 3 modes: MSRecommended (default), Strict (maximum privacy, apps still work), and Paranoid (hardcore).' + RootModule = 'Privacy.psm1' + ModuleVersion = '2.2.3' + GUID = 'a9f7c8d3-2e5b-4a1f-9c3d-7e8f5a6b2c4d' + Author = 'NexusOne23' + CompanyName = 'Open Source Project' + Copyright = '(c) 2025 NexusOne23. Licensed under GPL-3.0.' + Description = 'Privacy & Telemetry hardening module with Bloatware removal and OneDrive configuration. Supports 3 modes: MSRecommended (default), Strict (maximum privacy, apps still work), and Paranoid (hardcore).' PowerShellVersion = '5.1' @@ -15,15 +15,15 @@ 'Test-PrivacyCompliance' ) - CmdletsToExport = @() + CmdletsToExport = @() VariablesToExport = @() - AliasesToExport = @() + AliasesToExport = @() - PrivateData = @{ + PrivateData = @{ PSData = @{ - Tags = @('Privacy', 'Telemetry', 'Bloatware', 'OneDrive', 'Windows11', 'Security') - LicenseUri = 'https://github.com/yourusername/NoIDPrivacyPro/blob/main/LICENSE' - ProjectUri = 'https://github.com/yourusername/NoIDPrivacyPro' + Tags = @('Privacy', 'Telemetry', 'Bloatware', 'OneDrive', 'Windows11', 'Security') + LicenseUri = 'https://github.com/yourusername/NoIDPrivacyPro/blob/main/LICENSE' + ProjectUri = 'https://github.com/yourusername/NoIDPrivacyPro' ReleaseNotes = 'Initial release - Privacy module with 3-mode support' } } diff --git a/Modules/Privacy/Privacy.psm1 b/Modules/Privacy/Privacy.psm1 index dcb76e3..6e96d95 100644 --- a/Modules/Privacy/Privacy.psm1 +++ b/Modules/Privacy/Privacy.psm1 @@ -16,7 +16,7 @@ .NOTES Module: Privacy - Version: 2.2.2 + Version: 2.2.3 Author: NoID Privacy #> @@ -26,7 +26,6 @@ $script:ModuleRoot = $PSScriptRoot # Import private functions $privateFunctions = @( 'Backup-PrivacySettings', - 'Restore-PrivacySettings', 'Set-TelemetrySettings', 'Set-PersonalizationSettings', 'Set-AppPrivacySettings', diff --git a/Modules/Privacy/Public/Invoke-PrivacyHardening.ps1 b/Modules/Privacy/Public/Invoke-PrivacyHardening.ps1 index b56e655..a082c68 100644 --- a/Modules/Privacy/Public/Invoke-PrivacyHardening.ps1 +++ b/Modules/Privacy/Public/Invoke-PrivacyHardening.ps1 @@ -354,7 +354,7 @@ function Invoke-PrivacyHardening { $bloatwareListPath = Join-Path $moduleBackupPath "REMOVED_APPS_LIST.txt" $listContent = @() $listContent += "================================================================" - $listContent += " REMOVED APPS - NoID Privacy v2.2.2" + $listContent += " REMOVED APPS - NoID Privacy v2.2.3" $listContent += " Session: $(Split-Path $moduleBackupPath -Leaf)" $listContent += " Date: $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')" $listContent += "================================================================" diff --git a/Modules/SecurityBaseline/Public/Invoke-SecurityBaseline.ps1 b/Modules/SecurityBaseline/Public/Invoke-SecurityBaseline.ps1 index b5ba2c3..cb0e6a3 100644 --- a/Modules/SecurityBaseline/Public/Invoke-SecurityBaseline.ps1 +++ b/Modules/SecurityBaseline/Public/Invoke-SecurityBaseline.ps1 @@ -44,7 +44,7 @@ .NOTES Author: NexusOne23 - Version: 2.2.2 - Self-Contained Edition + Version: 2.2.3 - Self-Contained Edition Requires: PowerShell 5.1+, Administrator privileges BREAKING CHANGE from v1.0: diff --git a/Modules/SecurityBaseline/SecurityBaseline.psd1 b/Modules/SecurityBaseline/SecurityBaseline.psd1 index 3392997..cf6b04e 100644 --- a/Modules/SecurityBaseline/SecurityBaseline.psd1 +++ b/Modules/SecurityBaseline/SecurityBaseline.psd1 @@ -1,32 +1,32 @@ @{ - RootModule = 'SecurityBaseline.psm1' - ModuleVersion = '2.2.2' - GUID = 'a1b2c3d4-e5f6-7890-abcd-ef1234567890' - Author = 'NexusOne23' - CompanyName = 'Open Source Project' - Copyright = '(c) 2025 NexusOne23. Licensed under GPL-3.0.' - Description = 'Microsoft Security Baseline for Windows 11 25H2 - 425 hardening settings implementing enterprise-grade security standards. Self-contained, no LGPO.exe required. (437 entries parsed, 12 are INF metadata)' + RootModule = 'SecurityBaseline.psm1' + ModuleVersion = '2.2.3' + GUID = 'a1b2c3d4-e5f6-7890-abcd-ef1234567890' + Author = 'NexusOne23' + CompanyName = 'Open Source Project' + Copyright = '(c) 2025 NexusOne23. Licensed under GPL-3.0.' + Description = 'Microsoft Security Baseline for Windows 11 25H2 - 425 hardening settings implementing enterprise-grade security standards. Self-contained, no LGPO.exe required. (437 entries parsed, 12 are INF metadata)' PowerShellVersion = '5.1' - RequiredModules = @() + RequiredModules = @() FunctionsToExport = @( 'Invoke-SecurityBaseline', 'Restore-SecurityBaseline' ) - CmdletsToExport = @() + CmdletsToExport = @() VariablesToExport = @() - AliasesToExport = @() + AliasesToExport = @() - PrivateData = @{ + PrivateData = @{ PSData = @{ - Tags = @('Security', 'Hardening', 'Windows11', 'Baseline', 'Microsoft', 'Enterprise') - LicenseUri = '' - ProjectUri = '' + Tags = @('Security', 'Hardening', 'Windows11', 'Baseline', 'Microsoft', 'Enterprise') + LicenseUri = '' + ProjectUri = '' ReleaseNotes = @" -v2.2.2 - Self-Contained Edition +v2.2.3 - Self-Contained Edition - NO LGPO.exe REQUIRED! Fully self-contained implementation - 425 Microsoft Security Baseline settings for Windows 11 25H2 - 335 Registry policies (Computer + User) diff --git a/Modules/SecurityBaseline/SecurityBaseline.psm1 b/Modules/SecurityBaseline/SecurityBaseline.psm1 index a8579fc..74ee338 100644 --- a/Modules/SecurityBaseline/SecurityBaseline.psm1 +++ b/Modules/SecurityBaseline/SecurityBaseline.psm1 @@ -13,7 +13,7 @@ .NOTES Author: NexusOne23 - Version: 2.2.2 + Version: 2.2.3 Requires: PowerShell 5.1+, Administrator privileges #> diff --git a/NoIDPrivacy-Interactive.ps1 b/NoIDPrivacy-Interactive.ps1 index c22db65..fb30c6e 100644 --- a/NoIDPrivacy-Interactive.ps1 +++ b/NoIDPrivacy-Interactive.ps1 @@ -19,7 +19,7 @@ resulting from its use. USE AT YOUR OWN RISK. Author: NexusOne23 - Version: 2.2.2 + Version: 2.2.3 Requires: PowerShell 5.1+, Administrator For CLI mode use: NoIDPrivacy.ps1 -Module #> @@ -30,7 +30,7 @@ # No parameters - interactive mode only $ErrorActionPreference = 'Stop' -$Host.UI.RawUI.WindowTitle = "NoID Privacy v2.2.2" +$Host.UI.RawUI.WindowTitle = "NoID Privacy v2.2.3" # Set script root path (required by modules to load configs) $script:RootPath = $PSScriptRoot @@ -75,11 +75,11 @@ function Write-Step { $symbol = switch ($Status) { "SUCCESS" { "[+]"; $color = "Green" } - "ERROR" { "[-]"; $color = "Red" } + "ERROR" { "[-]"; $color = "Red" } "WARNING" { "[!]"; $color = "Yellow" } - "INFO" { "[>]"; $color = "Cyan" } - "WAIT" { "[.]"; $color = "Gray" } - default { "[ ]"; $color = "White" } + "INFO" { "[>]"; $color = "Cyan" } + "WAIT" { "[.]"; $color = "Gray" } + default { "[ ]"; $color = "White" } } Write-ColorText $symbol -Color $color -NoNewline @@ -90,7 +90,7 @@ function Write-Banner { Clear-Host Write-Host "" Write-Host " ========================================" -ForegroundColor Cyan - Write-Host " NoID Privacy v2.2.2 " -ForegroundColor Cyan + Write-Host " NoID Privacy v2.2.3 " -ForegroundColor Cyan Write-Host " ========================================" -ForegroundColor Cyan Write-Host "" Write-Host " Professional Windows 11 Security & Privacy Hardening Framework" -ForegroundColor Gray @@ -105,7 +105,7 @@ function Write-Banner { $osBuild = if ($os) { $os.BuildNumber } else { $null } $psVersion = $PSVersionTable.PSVersion.ToString() - $envLine = " Version 2.2.2" + $envLine = " Version 2.2.3" if ($osBuild) { $envLine += " | Windows Build $osBuild" } @@ -356,7 +356,8 @@ function Show-BackupList { # Force result to array to handle single-session case correctly if (Test-Path $backupPath) { $sessions = @(Get-BackupSessions -BackupDirectory $backupPath) - } else { + } + else { $sessions = @() } } @@ -382,8 +383,8 @@ function Show-BackupList { try { $age = (Get-Date) - $session.Timestamp $ageStr = if ($age.TotalHours -lt 1) { "$([math]::Round($age.TotalMinutes)) minutes ago" } - elseif ($age.TotalDays -lt 1) { "$([math]::Round($age.TotalHours)) hours ago" } - else { "$([math]::Round($age.TotalDays)) days ago" } + elseif ($age.TotalDays -lt 1) { "$([math]::Round($age.TotalHours)) hours ago" } + else { "$([math]::Round($age.TotalDays)) days ago" } } catch { $ageStr = "unknown age" @@ -795,7 +796,7 @@ function Invoke-RestoreWorkflow { if ([string]::IsNullOrWhiteSpace($modeInput)) { $modeInput = "A" } $modeInput = $modeInput.Trim().ToUpper() - if ($modeInput -in @('A','M')) { + if ($modeInput -in @('A', 'M')) { $restoreMode = $modeInput break } @@ -818,7 +819,7 @@ function Invoke-RestoreWorkflow { } $indices = @() - foreach ($token in $moduleInput.Split(',', ';', ' ')) { + foreach ($token in ($moduleInput -split '[,; ]')) { if (-not [string]::IsNullOrWhiteSpace($token)) { $parsed = 0 if ([int]::TryParse($token.Trim(), [ref]$parsed)) { @@ -837,7 +838,7 @@ function Invoke-RestoreWorkflow { } foreach ($i in $indices) { - $selectedModuleNames += $availableModules[$i-1].name + $selectedModuleNames += $availableModules[$i - 1].name } } } diff --git a/NoIDPrivacy.ps1 b/NoIDPrivacy.ps1 index e32b83e..a114a19 100644 --- a/NoIDPrivacy.ps1 +++ b/NoIDPrivacy.ps1 @@ -50,7 +50,7 @@ resulting from its use. USE AT YOUR OWN RISK. Author: NexusOne23 - Version: 2.2.2 + Version: 2.2.3 Requires: PowerShell 5.1+, Administrator privileges, Windows 11 License: GPL-3.0 (Core CLI). See LICENSE for full terms. @@ -111,13 +111,13 @@ $global:CurrentModule = "" # ============================================================================ # EXIT CODES - For CI/CD and automation integration # ============================================================================ -$script:EXIT_SUCCESS = 0 # All operations completed successfully -$script:EXIT_ERROR_GENERAL = 1 # General/unspecified error +$script:EXIT_SUCCESS = 0 # All operations completed successfully +$script:EXIT_ERROR_GENERAL = 1 # General/unspecified error $script:EXIT_ERROR_PREREQUISITES = 2 # System requirements not met -$script:EXIT_ERROR_CONFIG = 3 # Configuration file error -$script:EXIT_ERROR_MODULE = 4 # One or more modules failed -$script:EXIT_ERROR_FATAL = 5 # Fatal/unexpected exception -$script:EXIT_SUCCESS_REBOOT = 10 # Success, reboot required +$script:EXIT_ERROR_CONFIG = 3 # Configuration file error +$script:EXIT_ERROR_MODULE = 4 # One or more modules failed +$script:EXIT_ERROR_FATAL = 5 # Fatal/unexpected exception +$script:EXIT_SUCCESS_REBOOT = 10 # Success, reboot required # Script root path $script:RootPath = $PSScriptRoot @@ -135,7 +135,7 @@ try { $logDirectory = Join-Path $script:RootPath "Logs" Initialize-Logger -LogDirectory $logDirectory -MinimumLevel $logLevel - Write-Log -Level INFO -Message "=== NoID Privacy Framework v2.2.2 ===" -Module "Main" + Write-Log -Level INFO -Message "=== NoID Privacy Framework v2.2.3 ===" -Module "Main" Write-Log -Level INFO -Message "Starting framework initialization..." -Module "Main" # Load other Core modules @@ -216,7 +216,7 @@ catch { # Display banner Write-Host "" Write-Host "========================================" -ForegroundColor Cyan -Write-Host " NoID Privacy - v2.2.2" -ForegroundColor Cyan +Write-Host " NoID Privacy - v2.2.3" -ForegroundColor Cyan Write-Host " Windows 11 Security Hardening" -ForegroundColor Cyan Write-Host "========================================" -ForegroundColor Cyan Write-Host "" @@ -255,23 +255,23 @@ if (-not $Module) { if ([string]::IsNullOrWhiteSpace($selection)) { $selection = "99" } $selection = $selection.ToUpper() - if ($selection -notin @('1','2','3','4','5','6','7','99','V','R','B','I','0')) { + if ($selection -notin @('1', '2', '3', '4', '5', '6', '7', '99', 'V', 'R', 'B', 'I', '0')) { Write-Host "" Write-Host "Invalid selection. Please choose from the menu." -ForegroundColor Red Write-Host "" } - } while ($selection -notin @('1','2','3','4','5','6','7','99','V','R','B','I','0')) + } while ($selection -notin @('1', '2', '3', '4', '5', '6', '7', '99', 'V', 'R', 'B', 'I', '0')) switch ($selection) { - "1" { $Module = "SecurityBaseline" } - "2" { $Module = "ASR" } - "3" { $Module = "DNS" } - "4" { $Module = "Privacy" } - "5" { $Module = "AntiAI" } - "6" { $Module = "EdgeHardening" } - "7" { $Module = "AdvancedSecurity" } + "1" { $Module = "SecurityBaseline" } + "2" { $Module = "ASR" } + "3" { $Module = "DNS" } + "4" { $Module = "Privacy" } + "5" { $Module = "AntiAI" } + "6" { $Module = "EdgeHardening" } + "7" { $Module = "AdvancedSecurity" } "99" { $Module = "All" } - "V" { + "V" { # Verify all settings Write-Host "" Write-Host "Running complete verification..." -ForegroundColor Cyan @@ -291,7 +291,7 @@ if (-not $Module) { $null = $Host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown") exit 0 } - "R" { + "R" { # Restore from backup - Interactive session selection from disk Write-Host "" Write-Host "========================================" -ForegroundColor Cyan @@ -365,7 +365,7 @@ if (-not $Module) { $null = $Host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown") exit 0 } - "B" { + "B" { # List backups Write-Host "" Write-Host "========================================" -ForegroundColor Cyan @@ -387,8 +387,8 @@ if (-not $Module) { foreach ($backup in $backups) { $age = (Get-Date) - $backup.CreationTime $ageStr = if ($age.TotalHours -lt 1) { "$([math]::Round($age.TotalMinutes)) minutes ago" } - elseif ($age.TotalDays -lt 1) { "$([math]::Round($age.TotalHours)) hours ago" } - else { "$([math]::Round($age.TotalDays)) days ago" } + elseif ($age.TotalDays -lt 1) { "$([math]::Round($age.TotalHours)) hours ago" } + else { "$([math]::Round($age.TotalDays)) days ago" } Write-Host " - $($backup.Name)" -ForegroundColor Green -NoNewline Write-Host " ($ageStr)" -ForegroundColor Gray @@ -404,7 +404,7 @@ if (-not $Module) { $null = $Host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown") exit 0 } - "I" { + "I" { # System information Write-Host "" Write-Host "========================================" -ForegroundColor Cyan @@ -451,7 +451,7 @@ if (-not $Module) { $null = $Host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown") exit 0 } - "0" { + "0" { Write-Host "Exiting..." -ForegroundColor Yellow exit 0 } diff --git a/README.md b/README.md index b65fbee..d1d3dc2 100644 --- a/README.md +++ b/README.md @@ -8,7 +8,7 @@ [![PowerShell](https://img.shields.io/badge/PowerShell-5.1%2B-blue.svg?logo=powershell)](https://github.com/PowerShell/PowerShell) [![Windows 11](https://img.shields.io/badge/Windows%2011-25H2-0078D4.svg?logo=windows11)](https://www.microsoft.com/windows/) [![License](https://img.shields.io/badge/license-GPL--3.0-green.svg?logo=gnu)](LICENSE) -[![Version](https://img.shields.io/badge/version-2.2.2-blue.svg)](CHANGELOG.md) +[![Version](https://img.shields.io/badge/version-2.2.3-blue.svg)](CHANGELOG.md) [![Status](https://img.shields.io/badge/status-production--ready-brightgreen.svg)]() --- @@ -391,13 +391,13 @@ cd noid-privacy | Module | Settings | Description | Status | |--------|----------|-------------|--------| -| **SecurityBaseline** | 425 | Microsoft Security Baseline 25H2 | v2.2.2 | -| **ASR** | 19 | Attack Surface Reduction Rules | v2.2.2 | -| **DNS** | 5 | Secure DNS with DoH encryption | v2.2.2 | -| **Privacy** | 78 | Telemetry, Bloatware, OneDrive hardening (Strict) | v2.2.2 | -| **AntiAI** | 32 | AI lockdown (15 features, 32 compliance checks) | v2.2.2 | -| **EdgeHardening** | 24 | Microsoft Edge security (24 policies) | v2.2.2 | -| **AdvancedSecurity** | 50 | Beyond MS Baseline (SRP, Legacy protocols, Wireless Display, Discovery Protocols, IPv6) | v2.2.2 | +| **SecurityBaseline** | 425 | Microsoft Security Baseline 25H2 | v2.2.3 | +| **ASR** | 19 | Attack Surface Reduction Rules | v2.2.3 | +| **DNS** | 5 | Secure DNS with DoH encryption | v2.2.3 | +| **Privacy** | 78 | Telemetry, Bloatware, OneDrive hardening (Strict) | v2.2.3 | +| **AntiAI** | 32 | AI lockdown (15 features, 32 compliance checks) | v2.2.3 | +| **EdgeHardening** | 24 | Microsoft Edge security (24 policies) | v2.2.3 | +| **AdvancedSecurity** | 50 | Beyond MS Baseline (SRP, Legacy protocols, Wireless Display, Discovery Protocols, IPv6) | v2.2.3 | | **TOTAL** | **633** | **Complete Framework (Paranoid mode)** | **Production** | **Release Highlights:** @@ -769,7 +769,7 @@ Logs/NoIDPrivacy_YYYYMMDD_HHMMSS.log - **[Features](Docs/FEATURES.md)** - Complete 630+ setting reference - **[Changelog](CHANGELOG.md)** - Version history - **[Quick Start](#-quick-start)** - Installation guide (see above) -- **[Troubleshooting](#troubleshooting)** - Common issues (see above) +- **[Troubleshooting](#-troubleshooting)** - Common issues (see above) ### 💬 Community @@ -787,6 +787,16 @@ Logs/NoIDPrivacy_YYYYMMDD_HHMMSS.log --- +## 🔗 The NoID Privacy Ecosystem + +| Platform | Link | +|----------|------| +| 🪟 **Windows** | You're here! | +| 🐧 **Linux** | [NoID Privacy for Linux](https://github.com/NexusOne23/noid-privacy-linux) — 300+ checks, 42 sections, `--ai` flag for AI-powered fixes | +| 📱 **Android** | [NoID Privacy on Google Play](https://play.google.com/store/apps/details?id=com.noid.privacy) — 81 checks, 10 categories, permission audit, Chrome hardening, anti-theft | + +--- + ## 📜 License ### Dual-License Model @@ -852,10 +862,15 @@ The authors are not responsible for any damage or data loss. ## 📈 Project Status -**Current Version:** 2.2.2 -**Last Updated:** December 22, 2025 +**Current Version:** 2.2.3 +**Last Updated:** January 7, 2026 **Status:** Production-Ready +### Release Highlights v2.2.3 + +- **Critical Fix:** Restore Mode manual module selection crash +- Fix: `.Split()` wrong .NET overload → `-split` operator + ### Release Highlights v2.2.2 - **Performance:** Firewall snapshot 60-120s → 2-5s (batch query fix) @@ -867,15 +882,6 @@ The authors are not responsible for any damage or data loss. - **Fix:** `.Count` property bug in 5 files (Where-Object single-object results) - **Improved:** ASR prompt text ("untrusted" → "new software" - more neutral) -### Release Highlights v2.2.0 - -- 630+ settings (expanded from 580+) -- NonInteractive mode for GUI integration -- Third-party AV detection and graceful ASR skip -- AntiAI enhanced to 32 policies (was 24) -- Pre-Framework ASR snapshot -- Smart Registry Backup with JSON fallback - 📋 [See Full Changelog](CHANGELOG.md) --- diff --git a/SECURITY.md b/SECURITY.md index 8f5a7d4..2044910 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -92,9 +92,15 @@ NoID Privacy implements multiple security layers: ### Before Running 1. ✅ **Verify Script Integrity** ```powershell - # Check file hash (coming soon - SHA256 checksums in releases) + # Compare against CHECKSUMS.sha256 from GitHub Release Get-FileHash .\NoIDPrivacy.ps1 -Algorithm SHA256 + + # Or verify the entire release folder: + Get-ChildItem *.ps1, *.psm1 | ForEach-Object { + "$((Get-FileHash $_.FullName -Algorithm SHA256).Hash.ToLower()) $($_.Name)" + } ``` + Each GitHub release includes a `CHECKSUMS.sha256` file with SHA256 hashes of all release files. 2. ✅ **Review Code** - This is open-source - read the code! diff --git a/Start-NoIDPrivacy.bat b/Start-NoIDPrivacy.bat index 09eb3c1..4411509 100644 --- a/Start-NoIDPrivacy.bat +++ b/Start-NoIDPrivacy.bat @@ -7,12 +7,12 @@ REM This script launches NoIDPrivacy-Interactive.ps1 with REM Administrator privileges (auto-elevation). REM REM Author: NexusOne23 -REM Version: 2.2.2 +REM Version: 2.2.3 REM ======================================== setlocal -title NoID Privacy v2.2.2 +title NoID Privacy v2.2.3 REM Get the directory where this batch file is located set "SCRIPT_DIR=%~dp0" @@ -23,7 +23,7 @@ if %errorLevel% == 0 ( REM Already admin, run PowerShell script directly echo Running NoID Privacy Interactive Menu with Administrator privileges... echo. - powershell.exe -ExecutionPolicy Bypass -NoProfile -File "%SCRIPT_DIR%NoIDPrivacy-Interactive.ps1" %* + "%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -File "%SCRIPT_DIR%NoIDPrivacy-Interactive.ps1" %* pause exit /b ) @@ -33,7 +33,7 @@ echo Requesting Administrator privileges... echo. REM Use PowerShell to elevate and run the script -powershell.exe -Command "Start-Process PowerShell.exe -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"%SCRIPT_DIR%NoIDPrivacy-Interactive.ps1\" %*' -Verb RunAs" +"%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Start-Process '%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\powershell.exe' -ArgumentList '-ExecutionPolicy Bypass -NoProfile -File \"%SCRIPT_DIR%NoIDPrivacy-Interactive.ps1\" %*' -Verb RunAs" REM Exit this non-elevated instance exit /b diff --git a/Tests/Run-Tests.ps1 b/Tests/Run-Tests.ps1 index c519315..1202887 100644 --- a/Tests/Run-Tests.ps1 +++ b/Tests/Run-Tests.ps1 @@ -17,7 +17,7 @@ .NOTES Author: NexusOne23 - Version: 2.2.2 + Version: 2.2.3 Requires: PowerShell 5.1+, Pester 5.0+ .EXAMPLE diff --git a/Tests/Setup-TestEnvironment.ps1 b/Tests/Setup-TestEnvironment.ps1 index d1205a0..92c958b 100644 --- a/Tests/Setup-TestEnvironment.ps1 +++ b/Tests/Setup-TestEnvironment.ps1 @@ -8,7 +8,7 @@ .NOTES Author: NexusOne23 - Version: 2.2.2 + Version: 2.2.3 Requires: PowerShell 5.1+ .EXAMPLE diff --git a/Tests/Unit/ASR.Tests.ps1 b/Tests/Unit/ASR.Tests.ps1 index 18f38a2..f612724 100644 --- a/Tests/Unit/ASR.Tests.ps1 +++ b/Tests/Unit/ASR.Tests.ps1 @@ -8,7 +8,7 @@ .NOTES Author: NexusOne23 - Version: 2.2.2 + Version: 2.2.3 Requires: Pester 5.0+ #> diff --git a/Tests/Unit/AdvancedSecurity.Tests.ps1 b/Tests/Unit/AdvancedSecurity.Tests.ps1 index aa1111c..f238956 100644 --- a/Tests/Unit/AdvancedSecurity.Tests.ps1 +++ b/Tests/Unit/AdvancedSecurity.Tests.ps1 @@ -8,7 +8,7 @@ .NOTES Author: NexusOne23 - Version: 2.2.2 + Version: 2.2.3 Requires: Pester 5.0+ #> diff --git a/Tests/Unit/AntiAI.Tests.ps1 b/Tests/Unit/AntiAI.Tests.ps1 index 7903243..99243f9 100644 --- a/Tests/Unit/AntiAI.Tests.ps1 +++ b/Tests/Unit/AntiAI.Tests.ps1 @@ -8,7 +8,7 @@ .NOTES Author: NexusOne23 - Version: 2.2.2 + Version: 2.2.3 Requires: Pester 5.0+ #> diff --git a/Tests/Unit/DNS.Tests.ps1 b/Tests/Unit/DNS.Tests.ps1 index 35e959d..3e762e7 100644 --- a/Tests/Unit/DNS.Tests.ps1 +++ b/Tests/Unit/DNS.Tests.ps1 @@ -8,7 +8,7 @@ .NOTES Author: NexusOne23 - Version: 2.2.2 + Version: 2.2.3 Requires: Pester 5.0+ #> diff --git a/Tests/Unit/EdgeHardening.Tests.ps1 b/Tests/Unit/EdgeHardening.Tests.ps1 index e81dc85..20b3afd 100644 --- a/Tests/Unit/EdgeHardening.Tests.ps1 +++ b/Tests/Unit/EdgeHardening.Tests.ps1 @@ -8,7 +8,7 @@ .NOTES Author: NexusOne23 - Version: 2.2.2 + Version: 2.2.3 Requires: Pester 5.0+ #> diff --git a/Tests/Unit/ModuleTemplate.Tests.ps1 b/Tests/Unit/ModuleTemplate.Tests.ps1 index e420dbe..7bdf242 100644 --- a/Tests/Unit/ModuleTemplate.Tests.ps1 +++ b/Tests/Unit/ModuleTemplate.Tests.ps1 @@ -8,7 +8,7 @@ .NOTES Author: NexusOne23 - Version: 2.2.2 + Version: 2.2.3 Requires: Pester 5.0+ #> diff --git a/Tests/Unit/Privacy.Tests.ps1 b/Tests/Unit/Privacy.Tests.ps1 index d363d90..d29b352 100644 --- a/Tests/Unit/Privacy.Tests.ps1 +++ b/Tests/Unit/Privacy.Tests.ps1 @@ -8,7 +8,7 @@ .NOTES Author: NexusOne23 - Version: 2.2.2 + Version: 2.2.3 Requires: Pester 5.0+ #> diff --git a/Tools/Generate-ReleaseChecksums.ps1 b/Tools/Generate-ReleaseChecksums.ps1 new file mode 100644 index 0000000..8c2dc24 --- /dev/null +++ b/Tools/Generate-ReleaseChecksums.ps1 @@ -0,0 +1,74 @@ +<# +.SYNOPSIS + Generates SHA256 checksums for release files. + +.DESCRIPTION + Creates a CHECKSUMS.sha256 file containing SHA256 hashes of all release files. + Used for verifying download integrity. + +.PARAMETER ReleasePath + Path to the release folder or ZIP file(s). + +.PARAMETER OutputFile + Output file for checksums. Default: CHECKSUMS.sha256 in the same directory. + +.EXAMPLE + .\Generate-ReleaseChecksums.ps1 -ReleasePath "C:\Release\NoIDPrivacy-v2.2.3" + +.EXAMPLE + .\Generate-ReleaseChecksums.ps1 -ReleasePath ".\NoIDPrivacy-v2.2.3.zip" +#> + +[CmdletBinding()] +param( + [Parameter(Mandatory = $true)] + [string]$ReleasePath, + + [Parameter(Mandatory = $false)] + [string]$OutputFile +) + +$ErrorActionPreference = 'Stop' + +Write-Host "`n=== NoID Privacy Release Checksum Generator ===" -ForegroundColor Cyan + +# Determine if path is file or directory +if (Test-Path $ReleasePath -PathType Container) { + $files = Get-ChildItem -Path $ReleasePath -File -Recurse | Where-Object { $_.Extension -in '.zip', '.exe', '.ps1', '.psm1' } + $basePath = $ReleasePath +} +elseif (Test-Path $ReleasePath -PathType Leaf) { + $files = Get-Item $ReleasePath + $basePath = Split-Path $ReleasePath -Parent +} +else { + Write-Error "Path not found: $ReleasePath" + exit 1 +} + +if (-not $OutputFile) { + $OutputFile = Join-Path $basePath "CHECKSUMS.sha256" +} + +Write-Host "Generating checksums for $($files.Count) file(s)..." -ForegroundColor Yellow + +$checksums = @() +$checksums += "# NoID Privacy Release Checksums" +$checksums += "# Generated: $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss UTC' -AsUTC)" +$checksums += "# Verify with: Get-FileHash -Algorithm SHA256 " +$checksums += "" + +foreach ($file in $files) { + Write-Host " Hashing: $($file.Name)" -ForegroundColor Gray + $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash.ToLower() + $relativePath = $file.Name + $checksums += "$hash $relativePath" +} + +$checksums | Out-File -FilePath $OutputFile -Encoding utf8 + +Write-Host "`nChecksums written to: $OutputFile" -ForegroundColor Green +Write-Host "`nContents:" -ForegroundColor Cyan +Get-Content $OutputFile | ForEach-Object { Write-Host " $_" } + +Write-Host "`n=== Done ===" -ForegroundColor Cyan diff --git a/Tools/Parse-EdgeBaseline.ps1 b/Tools/Parse-EdgeBaseline.ps1 index 2484765..c252314 100644 --- a/Tools/Parse-EdgeBaseline.ps1 +++ b/Tools/Parse-EdgeBaseline.ps1 @@ -18,7 +18,7 @@ .NOTES Author: NexusOne23 - Version: 2.2.2 + Version: 2.2.3 Requires: PowerShell 5.1+ .EXAMPLE @@ -142,21 +142,26 @@ function Read-PolFile { # Parse based on type switch ($type) { - 1 { # REG_SZ (String) + 1 { + # REG_SZ (String) $data = [System.Text.Encoding]::Unicode.GetString($dataBytes).TrimEnd([char]0) } - 2 { # REG_EXPAND_SZ + 2 { + # REG_EXPAND_SZ $data = [System.Text.Encoding]::Unicode.GetString($dataBytes).TrimEnd([char]0) } - 3 { # REG_BINARY + 3 { + # REG_BINARY $data = $dataBytes } - 4 { # REG_DWORD + 4 { + # REG_DWORD if ($dataBytes.Length -ge 4) { $data = [BitConverter]::ToInt32($dataBytes, 0) } } - 7 { # REG_MULTI_SZ + 7 { + # REG_MULTI_SZ $data = [System.Text.Encoding]::Unicode.GetString($dataBytes).TrimEnd([char]0) -split '\x00' } default { @@ -172,9 +177,9 @@ function Read-PolFile { # Add entry $entries += [PSCustomObject]@{ - KeyName = $keyName + KeyName = $keyName ValueName = $valueName - Type = switch ($type) { + Type = switch ($type) { 1 { "REG_SZ" } 2 { "REG_EXPAND_SZ" } 3 { "REG_BINARY" } @@ -183,7 +188,7 @@ function Read-PolFile { 11 { "REG_QWORD" } default { "Unknown($type)" } } - Data = $data + Data = $data } } @@ -273,9 +278,9 @@ if ($allComputerPolicies.Count -gt 0) { # Create summary $summary = [PSCustomObject]@{ TotalEdgePolicies = $allComputerPolicies.Count - ParsedDate = Get-Date -Format "yyyy-MM-dd HH:mm:ss" - BaselineVersion = "Edge v139" - RegistryPaths = ($allComputerPolicies | Select-Object -ExpandProperty KeyName -Unique | Sort-Object) + ParsedDate = Get-Date -Format "yyyy-MM-dd HH:mm:ss" + BaselineVersion = "Edge v139" + RegistryPaths = ($allComputerPolicies | Select-Object -ExpandProperty KeyName -Unique | Sort-Object) } $summaryFile = Join-Path $OutputPath "Summary.json" diff --git a/Tools/Parse-SecurityBaseline.ps1 b/Tools/Parse-SecurityBaseline.ps1 index 3d0f09c..2afc22b 100644 --- a/Tools/Parse-SecurityBaseline.ps1 +++ b/Tools/Parse-SecurityBaseline.ps1 @@ -25,7 +25,7 @@ .NOTES Author: NexusOne23 - Version: 2.2.2 + Version: 2.2.3 Requires: PowerShell 5.1+ .EXAMPLE @@ -150,21 +150,26 @@ function Read-PolFile { # Parse based on type switch ($type) { - 1 { # REG_SZ (String) + 1 { + # REG_SZ (String) $data = [System.Text.Encoding]::Unicode.GetString($dataBytes).TrimEnd([char]0) } - 2 { # REG_EXPAND_SZ + 2 { + # REG_EXPAND_SZ $data = [System.Text.Encoding]::Unicode.GetString($dataBytes).TrimEnd([char]0) } - 3 { # REG_BINARY + 3 { + # REG_BINARY $data = $dataBytes } - 4 { # REG_DWORD + 4 { + # REG_DWORD if ($dataBytes.Length -ge 4) { $data = [BitConverter]::ToInt32($dataBytes, 0) } } - 7 { # REG_MULTI_SZ + 7 { + # REG_MULTI_SZ $data = [System.Text.Encoding]::Unicode.GetString($dataBytes).TrimEnd([char]0) -split '\x00' } default { @@ -180,9 +185,9 @@ function Read-PolFile { # Add entry $entries += [PSCustomObject]@{ - KeyName = $keyName + KeyName = $keyName ValueName = $valueName - Type = switch ($type) { + Type = switch ($type) { 1 { "REG_SZ" } 2 { "REG_EXPAND_SZ" } 3 { "REG_BINARY" } @@ -191,7 +196,7 @@ function Read-PolFile { 11 { "REG_QWORD" } default { "Unknown($type)" } } - Data = $data + Data = $data } } @@ -296,10 +301,10 @@ function Read-AuditCsv { # Skip header row $policies = $csv | Select-Object -Skip 1 | ForEach-Object { [PSCustomObject]@{ - Subcategory = $_.'Subcategory' - SubcategoryGUID = $_.'Subcategory GUID' + Subcategory = $_.'Subcategory' + SubcategoryGUID = $_.'Subcategory GUID' InclusionSetting = $_.'Inclusion Setting' - SettingValue = $_.'Setting Value' + SettingValue = $_.'Setting Value' } } @@ -346,17 +351,17 @@ $gpoMapping = @{ $gpoPath = Join-Path $BaselinePath "GPOs" $allSettings = @{ - RegistryPolicies = @{ + RegistryPolicies = @{ Computer = @() - User = @() + User = @() } SecurityTemplates = @{} - AuditPolicies = @() - Summary = @{ + AuditPolicies = @() + Summary = @{ TotalRegistrySettings = 0 TotalSecuritySettings = 0 - TotalAuditPolicies = 0 - TotalSettings = 0 + TotalAuditPolicies = 0 + TotalSettings = 0 } } @@ -381,11 +386,11 @@ foreach ($guid in $gpoMapping.Keys) { foreach ($entry in $entries) { $allSettings.RegistryPolicies.Computer += [PSCustomObject]@{ - GPO = $gpoName - KeyName = $entry.KeyName + GPO = $gpoName + KeyName = $entry.KeyName ValueName = $entry.ValueName - Type = $entry.Type - Data = $entry.Data + Type = $entry.Type + Data = $entry.Data } } @@ -401,11 +406,11 @@ foreach ($guid in $gpoMapping.Keys) { foreach ($entry in $entries) { $allSettings.RegistryPolicies.User += [PSCustomObject]@{ - GPO = $gpoName - KeyName = $entry.KeyName + GPO = $gpoName + KeyName = $entry.KeyName ValueName = $entry.ValueName - Type = $entry.Type - Data = $entry.Data + Type = $entry.Type + Data = $entry.Data } } @@ -435,11 +440,11 @@ foreach ($guid in $gpoMapping.Keys) { foreach ($policy in $policies) { $allSettings.AuditPolicies += [PSCustomObject]@{ - GPO = $gpoName - Subcategory = $policy.Subcategory - SubcategoryGUID = $policy.SubcategoryGUID + GPO = $gpoName + Subcategory = $policy.Subcategory + SubcategoryGUID = $policy.SubcategoryGUID InclusionSetting = $policy.InclusionSetting - SettingValue = $policy.SettingValue + SettingValue = $policy.SettingValue } } @@ -452,8 +457,8 @@ foreach ($guid in $gpoMapping.Keys) { # Calculate total $allSettings.Summary.TotalSettings = $allSettings.Summary.TotalRegistrySettings + - $allSettings.Summary.TotalSecuritySettings + - $allSettings.Summary.TotalAuditPolicies +$allSettings.Summary.TotalSecuritySettings + +$allSettings.Summary.TotalAuditPolicies # Save outputs Write-Host "Saving parsed settings..." -ForegroundColor Cyan diff --git a/Tools/Verify-Complete-Hardening.ps1 b/Tools/Verify-Complete-Hardening.ps1 index 49e0346..533bebf 100644 --- a/Tools/Verify-Complete-Hardening.ps1 +++ b/Tools/Verify-Complete-Hardening.ps1 @@ -27,7 +27,7 @@ .NOTES Author: NexusOne23 - Version: 2.2.2 + Version: 2.2.3 #> #Requires -Version 5.1 @@ -130,10 +130,10 @@ function Get-RegistryChecksFromJson { # Skip metadata and excluded categories # NOTE: EnterpriseProtection is NOT skipped - it contains valid registry paths! if ($propName -in @('Mode', 'Description', 'BestFor', 'Warnings', 'Services', 'ScheduledTasks', - 'Summary', 'AutomaticallyBlockedByMasterSwitch', 'ModuleName', 'Version', - 'TotalFeatures', 'TotalPolicies', 'URIHandlers', 'Note', 'FilePath', - 'HostsEntries', 'CloudBased', 'RequiresReboot', - 'RequiresADMX', 'Impact', 'Name')) { + 'Summary', 'AutomaticallyBlockedByMasterSwitch', 'ModuleName', 'Version', + 'TotalFeatures', 'TotalPolicies', 'URIHandlers', 'Note', 'FilePath', + 'HostsEntries', 'CloudBased', 'RequiresReboot', + 'RequiresADMX', 'Impact', 'Name')) { continue } @@ -962,78 +962,16 @@ try { $currentASRIds = $mpPreference.AttackSurfaceReductionRules_Ids $currentASRActions = $mpPreference.AttackSurfaceReductionRules_Actions - # Load expected ASR rules - JSON is array directly - $asrRules = Get-Content (Join-Path $asrConfigPath "ASR-Rules.json") -Raw | ConvertFrom-Json + # Load expected ASR rules - JSON is array directly + $asrRules = Get-Content (Join-Path $asrConfigPath "ASR-Rules.json") -Raw | ConvertFrom-Json - $asrFailed = @() - $asrPassed = @() + $asrFailed = @() + $asrPassed = @() - # Check if ASR rules are configured at all - if ($null -eq $currentASRIds -or $currentASRIds.Count -eq 0) { - # No ASR rules configured - mark all as failed - foreach ($rule in $asrRules) { - $results.Failed++ - $expectedActionText = if ($rule.Action -eq 1) { "Block" } elseif ($rule.Action -eq 2) { "Audit" } else { "Disabled" } - $asrFailed += [PSCustomObject]@{ - Rule = $rule.Name - GUID = $rule.GUID - Expected = $expectedActionText - Actual = "Not configured" - } - } - } - else { - # Rules where both BLOCK (1) and AUDIT (2) are considered "Pass" - # These are user-configurable rules where either mode is valid - $flexibleRules = @( - "d1e49aac-8f56-4280-b9ba-993a6d77406c", # PSExec/WMI (Management Tools) - "01443614-cd74-433a-b99e-2ecdc07bfc25" # Prevalence (New/Unknown Software) - ) - - foreach ($rule in $asrRules) { - # Case-insensitive GUID matching (Get-MpPreference may return different case) - $index = -1 - for ($i = 0; $i -lt $currentASRIds.Count; $i++) { - if ($currentASRIds[$i] -eq $rule.GUID) { - $index = $i - break - } - } - - if ($index -ge 0) { - $actualAction = $currentASRActions[$index] - $expectedAction = $rule.Action - - # Check if this is a flexible rule (Block or Audit both count as Pass) - $isFlexibleRule = $flexibleRules -contains $rule.GUID - $isActiveMode = $actualAction -in @(1, 2) # Block or Audit - - # For flexible rules: Pass if Block OR Audit - # For other rules: Pass only if exact match - $rulePassed = if ($isFlexibleRule) { $isActiveMode } else { $actualAction -eq $expectedAction } - - if ($rulePassed) { - $results.Verified++ - $actionText = if ($actualAction -eq 1) { "Block" } elseif ($actualAction -eq 2) { "Audit" } else { "Disabled" } - $asrPassed += [PSCustomObject]@{ - Rule = $rule.Name - Expected = $actionText - Actual = $actionText - } - } - else { - $results.Failed++ - $expectedActionText = if ($expectedAction -eq 1) { "Block" } elseif ($expectedAction -eq 2) { "Audit" } else { "Disabled" } - $actualActionText = if ($actualAction -eq 1) { "Block" } elseif ($actualAction -eq 2) { "Audit" } else { "Disabled" } - $asrFailed += [PSCustomObject]@{ - Rule = $rule.Name - GUID = $rule.GUID - Expected = $expectedActionText - Actual = $actualActionText - } - } - } - else { + # Check if ASR rules are configured at all + if ($null -eq $currentASRIds -or $currentASRIds.Count -eq 0) { + # No ASR rules configured - mark all as failed + foreach ($rule in $asrRules) { $results.Failed++ $expectedActionText = if ($rule.Action -eq 1) { "Block" } elseif ($rule.Action -eq 2) { "Audit" } else { "Disabled" } $asrFailed += [PSCustomObject]@{ @@ -1044,28 +982,90 @@ try { } } } - } - - # Add to AllSettings for HTML report - $asrPassedCount = $results.ASRRules - $asrFailed.Count - $results.AllSettings += [PSCustomObject]@{ - Category = "ASR" - Total = $results.ASRRules - Passed = $asrPassedCount - Failed = $asrFailed.Count - PassedDetails = $asrPassed - FailedDetails = $asrFailed - } - - if ($asrFailed.Count -gt 0) { - $results.FailedSettings += [PSCustomObject]@{ - Category = "ASR" - Count = $asrFailed.Count - Details = $asrFailed + else { + # Rules where both BLOCK (1) and AUDIT (2) are considered "Pass" + # These are user-configurable rules where either mode is valid + $flexibleRules = @( + "d1e49aac-8f56-4280-b9ba-993a6d77406c", # PSExec/WMI (Management Tools) + "01443614-cd74-433a-b99e-2ecdc07bfc25" # Prevalence (New/Unknown Software) + ) + + foreach ($rule in $asrRules) { + # Case-insensitive GUID matching (Get-MpPreference may return different case) + $index = -1 + for ($i = 0; $i -lt $currentASRIds.Count; $i++) { + if ($currentASRIds[$i] -eq $rule.GUID) { + $index = $i + break + } + } + + if ($index -ge 0) { + $actualAction = $currentASRActions[$index] + $expectedAction = $rule.Action + + # Check if this is a flexible rule (Block or Audit both count as Pass) + $isFlexibleRule = $flexibleRules -contains $rule.GUID + $isActiveMode = $actualAction -in @(1, 2) # Block or Audit + + # For flexible rules: Pass if Block OR Audit + # For other rules: Pass only if exact match + $rulePassed = if ($isFlexibleRule) { $isActiveMode } else { $actualAction -eq $expectedAction } + + if ($rulePassed) { + $results.Verified++ + $actionText = if ($actualAction -eq 1) { "Block" } elseif ($actualAction -eq 2) { "Audit" } else { "Disabled" } + $asrPassed += [PSCustomObject]@{ + Rule = $rule.Name + Expected = $actionText + Actual = $actionText + } + } + else { + $results.Failed++ + $expectedActionText = if ($expectedAction -eq 1) { "Block" } elseif ($expectedAction -eq 2) { "Audit" } else { "Disabled" } + $actualActionText = if ($actualAction -eq 1) { "Block" } elseif ($actualAction -eq 2) { "Audit" } else { "Disabled" } + $asrFailed += [PSCustomObject]@{ + Rule = $rule.Name + GUID = $rule.GUID + Expected = $expectedActionText + Actual = $actualActionText + } + } + } + else { + $results.Failed++ + $expectedActionText = if ($rule.Action -eq 1) { "Block" } elseif ($rule.Action -eq 2) { "Audit" } else { "Disabled" } + $asrFailed += [PSCustomObject]@{ + Rule = $rule.Name + GUID = $rule.GUID + Expected = $expectedActionText + Actual = "Not configured" + } + } + } } - } - Write-Host " ASR Rules: $($results.ASRRules - $asrFailed.Count)/$($results.ASRRules) verified" -ForegroundColor $(if ($asrFailed.Count -eq 0) { "Green" } else { "Yellow" }) + # Add to AllSettings for HTML report + $asrPassedCount = $results.ASRRules - $asrFailed.Count + $results.AllSettings += [PSCustomObject]@{ + Category = "ASR" + Total = $results.ASRRules + Passed = $asrPassedCount + Failed = $asrFailed.Count + PassedDetails = $asrPassed + FailedDetails = $asrFailed + } + + if ($asrFailed.Count -gt 0) { + $results.FailedSettings += [PSCustomObject]@{ + Category = "ASR" + Count = $asrFailed.Count + Details = $asrFailed + } + } + + Write-Host " ASR Rules: $($results.ASRRules - $asrFailed.Count)/$($results.ASRRules) verified" -ForegroundColor $(if ($asrFailed.Count -eq 0) { "Green" } else { "Yellow" }) } # End of else (Defender active) } catch { @@ -1303,8 +1303,8 @@ try { if ($entry.ServerAddresses -and $entry.ServerAddresses.Count -gt 0) { # Check if it's not DHCP (empty or localhost fallback) $isDHCP = ($entry.ServerAddresses.Count -eq 0) -or - ($entry.ServerAddresses -contains '127.0.0.1') -or - ($entry.AddressOrigin -eq 'DHCP') + ($entry.ServerAddresses -contains '127.0.0.1') -or + ($entry.AddressOrigin -eq 'DHCP') if (-not $isDHCP) { $staticDNS = $true @@ -1796,10 +1796,10 @@ try { # We validate both Enabled=0 and DisabledByDefault=1 per version/component $tlsChecks = @( # Enabled flags - @{ Path = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server"; Name = "Enabled"; Expected = 0; Desc = "TLS 1.0 Server Disabled"; Optional = $false } - @{ Path = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client"; Name = "Enabled"; Expected = 0; Desc = "TLS 1.0 Client Disabled"; Optional = $false } - @{ Path = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server"; Name = "Enabled"; Expected = 0; Desc = "TLS 1.1 Server Disabled"; Optional = $false } - @{ Path = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client"; Name = "Enabled"; Expected = 0; Desc = "TLS 1.1 Client Disabled"; Optional = $false } + @{ Path = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server"; Name = "Enabled"; Expected = 0; Desc = "TLS 1.0 Server Disabled"; Optional = $false } + @{ Path = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client"; Name = "Enabled"; Expected = 0; Desc = "TLS 1.0 Client Disabled"; Optional = $false } + @{ Path = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server"; Name = "Enabled"; Expected = 0; Desc = "TLS 1.1 Server Disabled"; Optional = $false } + @{ Path = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client"; Name = "Enabled"; Expected = 0; Desc = "TLS 1.1 Client Disabled"; Optional = $false } # DisabledByDefault flags @{ Path = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server"; Name = "DisabledByDefault"; Expected = 1; Desc = "TLS 1.0 Server DisabledByDefault"; Optional = $false } @{ Path = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client"; Name = "DisabledByDefault"; Expected = 1; Desc = "TLS 1.0 Client DisabledByDefault"; Optional = $false } @@ -1812,24 +1812,24 @@ try { # Reference: https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/disable-http-proxy-auth-features # NOTE: HKCU AutoDetect is set per-user via HKU in Apply, verified separately below $wpadChecks = @( - @{ Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp"; Name = "DisableWpad"; Expected = 1; Desc = "WPAD Disabled (Official MS Key)"; Optional = $false } - @{ Path = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad"; Name = "WpadOverride"; Expected = 1; Desc = "WPAD Disabled (WpadOverride)"; Optional = $false } - @{ Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"; Name = "AutoDetect"; Expected = 0; Desc = "WPAD AutoDetect (HKLM)"; Optional = $false } + @{ Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp"; Name = "DisableWpad"; Expected = 1; Desc = "WPAD Disabled (Official MS Key)"; Optional = $false } + @{ Path = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad"; Name = "WpadOverride"; Expected = 1; Desc = "WPAD Disabled (WpadOverride)"; Optional = $false } + @{ Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"; Name = "AutoDetect"; Expected = 0; Desc = "WPAD AutoDetect (HKLM)"; Optional = $false } ) # SRP Root Policy (2 checks) - ALWAYS required for CVE-2025-9491 mitigation $srpRootChecks = @( - @{ Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"; Name = "DefaultLevel"; Expected = 262144; Desc = "SRP DefaultLevel (Unrestricted)"; Optional = $false } - @{ Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"; Name = "TransparentEnabled"; Expected = 1; Desc = "SRP TransparentEnabled"; Optional = $false } + @{ Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"; Name = "DefaultLevel"; Expected = 262144; Desc = "SRP DefaultLevel (Unrestricted)"; Optional = $false } + @{ Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"; Name = "TransparentEnabled"; Expected = 1; Desc = "SRP TransparentEnabled"; Optional = $false } ) # Firewall Shields Up (1 check) - Maximum profile only, blocks ALL incoming on Public network # Optional = true because it's only applied for Maximum profile (user choice) $shieldsUpCheck = @{ - Path = "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" - Name = "DoNotAllowExceptions" + Path = "HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + Name = "DoNotAllowExceptions" Expected = 1 - Desc = "Firewall Shields Up (Maximum only)" + Desc = "Firewall Shields Up (Maximum only)" Optional = $true } @@ -1837,10 +1837,10 @@ try { # Optional = true because only applied for Maximum profile (user choice) # Check 1: mDNS disabled via registry $discoveryMdnsCheck = @{ - Path = "HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" - Name = "EnableMDNS" + Path = "HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters" + Name = "EnableMDNS" Expected = 0 - Desc = "Discovery Protocols: mDNS Disabled (Maximum only)" + Desc = "Discovery Protocols: mDNS Disabled (Maximum only)" Optional = $true } @@ -1850,10 +1850,10 @@ try { # IPv6 Disable (mitm6 attack mitigation) - Maximum profile only # Optional = true because only applied for Maximum profile (user choice) $ipv6Check = @{ - Path = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" - Name = "DisabledComponents" + Path = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters" + Name = "DisabledComponents" Expected = 255 # 0xFF = completely disabled - Desc = "IPv6 Disabled (mitm6 mitigation, Maximum only)" + Desc = "IPv6 Disabled (mitm6 mitigation, Maximum only)" Optional = $true } @@ -1888,10 +1888,10 @@ try { # Windows Update (4 Checks) - ALWAYS required - matches AdvancedSecurity module Config/WindowsUpdate.json $wuChecks = @( - @{ Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"; Name = "AllowOptionalContent"; Expected = 1; Desc = "WU: Get latest updates immediately (Policy)"; Optional = $false } - @{ Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"; Name = "SetAllowOptionalContent"; Expected = 1; Desc = "WU: AllowOptionalContent Policy Flag"; Optional = $false } - @{ Path = "HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings"; Name = "AllowMUUpdateService"; Expected = 1; Desc = "WU: Microsoft Update (Office, drivers)"; Optional = $false } - @{ Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization"; Name = "DODownloadMode"; Expected = 0; Desc = "WU: P2P Delivery Optimization OFF"; Optional = $false } + @{ Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"; Name = "AllowOptionalContent"; Expected = 1; Desc = "WU: Get latest updates immediately (Policy)"; Optional = $false } + @{ Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"; Name = "SetAllowOptionalContent"; Expected = 1; Desc = "WU: AllowOptionalContent Policy Flag"; Optional = $false } + @{ Path = "HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings"; Name = "AllowMUUpdateService"; Expected = 1; Desc = "WU: Microsoft Update (Office, drivers)"; Optional = $false } + @{ Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization"; Name = "DODownloadMode"; Expected = 0; Desc = "WU: P2P Delivery Optimization OFF"; Optional = $false } ) # Finger Protocol (1 check) - verify outbound firewall rule created by AdvancedSecurity @@ -1911,7 +1911,8 @@ try { else { $actualDesc = if ($portFilter) { "Protocol=$($portFilter.Protocol), RemotePort=$($portFilter.RemotePort)" - } else { + } + else { "No port filter" } } @@ -2050,8 +2051,8 @@ try { $hkuPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings" $userSIDs = Get-ChildItem -Path "HKU:\" -ErrorAction SilentlyContinue | - Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' } | - Select-Object -ExpandProperty PSChildName + Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' } | + Select-Object -ExpandProperty PSChildName $hkuCompliant = $true $hkuActualValue = "All users compliant" @@ -2222,10 +2223,10 @@ try { $totalAdapters = $adapters.Count $disabledCount = 0 - $nonCompliant = @() + $nonCompliant = @() foreach ($adapter in $adapters) { - $adapterName = if ($adapter.Description.Length -gt 40) { $adapter.Description.Substring(0,37) + "..." } else { $adapter.Description } + $adapterName = if ($adapter.Description.Length -gt 40) { $adapter.Description.Substring(0, 37) + "..." } else { $adapter.Description } if ($adapter.TcpipNetbiosOptions -eq 2) { $disabledCount++ } @@ -2545,7 +2546,7 @@ catch { # drift from per-category counters in case some success paths didn't # manually increment $results.Verified. $results.TotalSettings = ($results.AllSettings | Measure-Object -Property Total -Sum).Sum -$results.Verified = ($results.AllSettings | Measure-Object -Property Passed -Sum).Sum +$results.Verified = ($results.AllSettings | Measure-Object -Property Passed -Sum).Sum $results.Duration = (Get-Date) - $startTime @@ -2991,8 +2992,8 @@ try { } .module-content { - max-height: 5000px; - overflow: hidden; + max-height: none; + overflow: visible; transition: max-height 0.3s ease; } @@ -3140,6 +3141,70 @@ try { .controls, .export-section { display: none; } + /* Balanced header for print */ + .header { + padding: 1.5rem 2rem; + page-break-inside: avoid; + } + .header h1 { + font-size: 1.8rem; + margin-bottom: 0.3rem; + } + .header .subtitle { + font-size: 1rem; + } + .header .badge { + margin-top: 0.5rem; + padding: 0.4rem 1.2rem; + font-size: 0.85rem; + } + /* Balanced meta-info for print */ + .meta-info { + padding: 1rem 1.5rem; + gap: 1rem; + page-break-inside: avoid; + } + .meta-label { + font-size: 0.65rem; + } + .meta-value { + font-size: 0.95rem; + } + /* Balanced dashboard for print */ + .dashboard { + padding: 1rem 1.5rem; + page-break-inside: avoid; + } + .stats-grid { + page-break-inside: avoid; + display: flex; + flex-wrap: nowrap; + gap: 1rem; + margin-bottom: 1rem; + } + .stat-card { + flex: 1; + min-width: 0; + padding: 1rem; + } + .stat-value { + font-size: 2rem; + } + .stat-label { + font-size: 0.75rem; + } + .progress-section { + margin: 0.75rem 0; + page-break-inside: avoid; + } + .progress-bar-container { + height: 40px; + } + .progress-bar-fill { + background: #10b981 !important; + -webkit-print-color-adjust: exact !important; + print-color-adjust: exact !important; + } .module-section { page-break-inside: avoid; } @@ -3180,7 +3245,7 @@ try {
-

NoID Privacy v2.2.2

+

NoID Privacy v2.2.3

Complete Hardening Compliance Report

All $totalSettings Settings Verified
@@ -3200,7 +3265,7 @@ try {
Framework Version - NoID Privacy v2.2.2 + NoID Privacy v2.2.3
@@ -3359,11 +3424,11 @@ try { $friendlyName = $zoneSettingNames[$settingName] if ($friendlyName) { $zoneName = if ($pathInfo -like "*Zones\\0*") { "My Computer" } - elseif ($pathInfo -like "*Zones\\1*") { "Local Intranet" } - elseif ($pathInfo -like "*Zones\\2*") { "Trusted Sites" } - elseif ($pathInfo -like "*Zones\\3*") { "Internet" } - elseif ($pathInfo -like "*Zones\\4*") { "Restricted Sites" } - else { "Zone" } + elseif ($pathInfo -like "*Zones\\1*") { "Local Intranet" } + elseif ($pathInfo -like "*Zones\\2*") { "Trusted Sites" } + elseif ($pathInfo -like "*Zones\\3*") { "Internet" } + elseif ($pathInfo -like "*Zones\\4*") { "Restricted Sites" } + else { "Zone" } $settingName = "[$zoneName] $friendlyName" } } @@ -3376,14 +3441,14 @@ try { elseif (($settingName -eq "iexplore.exe" -or $settingName -eq "explorer.exe") -and $pathInfo -like "*FeatureControl*") { # IE FeatureControl settings $featureNames = @{ - "FEATURE_DISABLE_MK_PROTOCOL" = "Disable MK Protocol (Security)" - "FEATURE_MIME_HANDLING" = "MIME Handling Security" - "FEATURE_MIME_SNIFFING" = "MIME Sniffing Protection" + "FEATURE_DISABLE_MK_PROTOCOL" = "Disable MK Protocol (Security)" + "FEATURE_MIME_HANDLING" = "MIME Handling Security" + "FEATURE_MIME_SNIFFING" = "MIME Sniffing Protection" "FEATURE_RESTRICT_ACTIVEXINSTALL" = "Restrict ActiveX Install" - "FEATURE_RESTRICT_FILEDOWNLOAD" = "Restrict File Download" - "FEATURE_SECURITYBAND" = "Security Band (Info Bar)" - "FEATURE_WINDOW_RESTRICTIONS" = "Window Restrictions (Pop-up Block)" - "FEATURE_ZONE_ELEVATION" = "Zone Elevation Block" + "FEATURE_RESTRICT_FILEDOWNLOAD" = "Restrict File Download" + "FEATURE_SECURITYBAND" = "Security Band (Info Bar)" + "FEATURE_WINDOW_RESTRICTIONS" = "Window Restrictions (Pop-up Block)" + "FEATURE_ZONE_ELEVATION" = "Zone Elevation Block" } $processName = if ($settingName -eq "iexplore.exe") { "IE" } else { "Explorer" } foreach ($feature in $featureNames.Keys) { @@ -3521,11 +3586,11 @@ try { $friendlyName = $zoneSettingNames[$settingName] if ($friendlyName) { $zoneName = if ($pathInfo -like "*Zones\\0*" -or $pathInfo -like "*Zones\0*") { "My Computer" } - elseif ($pathInfo -like "*Zones\\1*" -or $pathInfo -like "*Zones\1*") { "Local Intranet" } - elseif ($pathInfo -like "*Zones\\2*" -or $pathInfo -like "*Zones\2*") { "Trusted Sites" } - elseif ($pathInfo -like "*Zones\\3*" -or $pathInfo -like "*Zones\3*") { "Internet" } - elseif ($pathInfo -like "*Zones\\4*" -or $pathInfo -like "*Zones\4*") { "Restricted Sites" } - else { "Zone" } + elseif ($pathInfo -like "*Zones\\1*" -or $pathInfo -like "*Zones\1*") { "Local Intranet" } + elseif ($pathInfo -like "*Zones\\2*" -or $pathInfo -like "*Zones\2*") { "Trusted Sites" } + elseif ($pathInfo -like "*Zones\\3*" -or $pathInfo -like "*Zones\3*") { "Internet" } + elseif ($pathInfo -like "*Zones\\4*" -or $pathInfo -like "*Zones\4*") { "Restricted Sites" } + else { "Zone" } $settingName = "[$zoneName] $friendlyName" } } @@ -3538,14 +3603,14 @@ try { elseif (($settingName -eq "iexplore.exe" -or $settingName -eq "explorer.exe") -and $pathInfo -like "*FeatureControl*") { # IE FeatureControl settings $featureNames = @{ - "FEATURE_DISABLE_MK_PROTOCOL" = "Disable MK Protocol (Security)" - "FEATURE_MIME_HANDLING" = "MIME Handling Security" - "FEATURE_MIME_SNIFFING" = "MIME Sniffing Protection" + "FEATURE_DISABLE_MK_PROTOCOL" = "Disable MK Protocol (Security)" + "FEATURE_MIME_HANDLING" = "MIME Handling Security" + "FEATURE_MIME_SNIFFING" = "MIME Sniffing Protection" "FEATURE_RESTRICT_ACTIVEXINSTALL" = "Restrict ActiveX Install" - "FEATURE_RESTRICT_FILEDOWNLOAD" = "Restrict File Download" - "FEATURE_SECURITYBAND" = "Security Band (Info Bar)" - "FEATURE_WINDOW_RESTRICTIONS" = "Window Restrictions (Pop-up Block)" - "FEATURE_ZONE_ELEVATION" = "Zone Elevation Block" + "FEATURE_RESTRICT_FILEDOWNLOAD" = "Restrict File Download" + "FEATURE_SECURITYBAND" = "Security Band (Info Bar)" + "FEATURE_WINDOW_RESTRICTIONS" = "Window Restrictions (Pop-up Block)" + "FEATURE_ZONE_ELEVATION" = "Zone Elevation Block" } $processName = if ($settingName -eq "iexplore.exe") { "IE" } else { "Explorer" } foreach ($feature in $featureNames.Keys) { @@ -3642,7 +3707,7 @@ try {
-

Generated by NoID Privacy v2.2.2

+

Generated by NoID Privacy v2.2.3

Professional Windows 11 Security & Privacy Hardening Framework

diff --git a/Utils/Compatibility.ps1 b/Utils/Compatibility.ps1 index a355b5b..82689de 100644 --- a/Utils/Compatibility.ps1 +++ b/Utils/Compatibility.ps1 @@ -8,7 +8,7 @@ .NOTES Author: NexusOne23 - Version: 2.2.2 + Version: 2.2.3 Requires: PowerShell 5.1+ #> diff --git a/Utils/Dependencies.ps1 b/Utils/Dependencies.ps1 index 9c79de2..fd1077e 100644 --- a/Utils/Dependencies.ps1 +++ b/Utils/Dependencies.ps1 @@ -7,7 +7,7 @@ .NOTES Author: NexusOne23 - Version: 2.2.2 + Version: 2.2.3 Requires: PowerShell 5.1+ #> @@ -55,9 +55,9 @@ function Test-SecEditAvailable { $result = [PSCustomObject]@{ Available = $false - Path = $null - Version = $null - Error = $null + Path = $null + Version = $null + Error = $null } try { @@ -105,9 +105,9 @@ function Test-AuditPolAvailable { $result = [PSCustomObject]@{ Available = $false - Path = $null - Version = $null - Error = $null + Path = $null + Version = $null + Error = $null } try { @@ -154,10 +154,10 @@ function Test-WindowsDefenderAvailable { param() $result = [PSCustomObject]@{ - Available = $false + Available = $false ServiceRunning = $false - ServiceName = "WinDefend" - Error = $null + ServiceName = "WinDefend" + Error = $null } try { @@ -198,16 +198,16 @@ function Test-AllDependencies { param() $result = [PSCustomObject]@{ - AllAvailable = $true + AllAvailable = $true SecurityBaseline = @{ - secedit = $null + secedit = $null auditpol = $null } - ASR = @{ + ASR = @{ defender = $null } - MissingCritical = @() - MissingOptional = @() + MissingCritical = @() + MissingOptional = @() } # Check secedit.exe (CRITICAL for SecurityBaseline) diff --git a/Utils/Hardware.ps1 b/Utils/Hardware.ps1 index 4bae556..01f11c0 100644 --- a/Utils/Hardware.ps1 +++ b/Utils/Hardware.ps1 @@ -8,7 +8,7 @@ .NOTES Author: NexusOne23 - Version: 2.2.2 + Version: 2.2.3 Requires: PowerShell 5.1+ #> @@ -25,24 +25,24 @@ function Test-VBSCapable { param() $requirements = @{ - UEFI = Test-UEFIBoot - SecureBoot = Test-SecureBootEnabled - TPM = (Test-TPMAvailable).Present + UEFI = Test-UEFIBoot + SecureBoot = Test-SecureBootEnabled + TPM = (Test-TPMAvailable).Present Virtualization = Test-VirtualizationEnabled - Windows11 = (Get-WindowsVersion).IsWindows11 + Windows11 = (Get-WindowsVersion).IsWindows11 } $allMet = $requirements.UEFI -and $requirements.SecureBoot -and ` - $requirements.TPM -and $requirements.Virtualization -and ` - $requirements.Windows11 + $requirements.TPM -and $requirements.Virtualization -and ` + $requirements.Windows11 return [PSCustomObject]@{ - Capable = $allMet - UEFI = $requirements.UEFI - SecureBoot = $requirements.SecureBoot - TPM = $requirements.TPM + Capable = $allMet + UEFI = $requirements.UEFI + SecureBoot = $requirements.SecureBoot + TPM = $requirements.TPM Virtualization = $requirements.Virtualization - Windows11 = $requirements.Windows11 + Windows11 = $requirements.Windows11 } } @@ -90,13 +90,13 @@ function Get-CPUInfo { $cpu = Get-CimInstance -ClassName Win32_Processor -ErrorAction Stop | Select-Object -First 1 return [PSCustomObject]@{ - Name = $cpu.Name - Manufacturer = $cpu.Manufacturer - Cores = $cpu.NumberOfCores - LogicalProcessors = $cpu.NumberOfLogicalProcessors - MaxClockSpeed = $cpu.MaxClockSpeed + Name = $cpu.Name + Manufacturer = $cpu.Manufacturer + Cores = $cpu.NumberOfCores + LogicalProcessors = $cpu.NumberOfLogicalProcessors + MaxClockSpeed = $cpu.MaxClockSpeed VirtualizationEnabled = $cpu.VirtualizationFirmwareEnabled - Architecture = $cpu.Architecture + Architecture = $cpu.Architecture } } catch { @@ -123,9 +123,9 @@ function Get-MemoryInfo { return [PSCustomObject]@{ TotalPhysicalMemoryGB = [math]::Round($cs.TotalPhysicalMemory / 1GB, 2) - FreePhysicalMemoryGB = [math]::Round($os.FreePhysicalMemory / 1MB / 1024, 2) - TotalVirtualMemoryGB = [math]::Round($os.TotalVirtualMemorySize / 1MB / 1024, 2) - FreeVirtualMemoryGB = [math]::Round($os.FreeVirtualMemory / 1MB / 1024, 2) + FreePhysicalMemoryGB = [math]::Round($os.FreePhysicalMemory / 1MB / 1024, 2) + TotalVirtualMemoryGB = [math]::Round($os.TotalVirtualMemorySize / 1MB / 1024, 2) + FreeVirtualMemoryGB = [math]::Round($os.FreeVirtualMemory / 1MB / 1024, 2) } } catch { @@ -192,16 +192,16 @@ function Get-WindowsEditionInfo { $supportsBitLocker = -not $isHome return [PSCustomObject]@{ - Caption = $os.Caption - Version = $os.Version - BuildNumber = $os.BuildNumber - IsHome = $isHome - IsPro = $isPro - IsEnterprise = $isEnterprise - IsEducation = $isEducation + Caption = $os.Caption + Version = $os.Version + BuildNumber = $os.BuildNumber + IsHome = $isHome + IsPro = $isPro + IsEnterprise = $isEnterprise + IsEducation = $isEducation SupportsCredentialGuard = $supportsCredentialGuard - SupportsAppLocker = $supportsAppLocker - SupportsBitLocker = $supportsBitLocker + SupportsAppLocker = $supportsAppLocker + SupportsBitLocker = $supportsBitLocker } } catch { @@ -223,16 +223,16 @@ function Get-HardwareReport { param() return [PSCustomObject]@{ - OS = Get-WindowsVersion - Edition = Get-WindowsEditionInfo - CPU = Get-CPUInfo - Memory = Get-MemoryInfo - UEFI = Test-UEFIBoot - SecureBoot = Test-SecureBootEnabled - TPM = Test-TPMAvailable + OS = Get-WindowsVersion + Edition = Get-WindowsEditionInfo + CPU = Get-CPUInfo + Memory = Get-MemoryInfo + UEFI = Test-UEFIBoot + SecureBoot = Test-SecureBootEnabled + TPM = Test-TPMAvailable Virtualization = Test-VirtualizationEnabled - VBSCapable = Test-VBSCapable - SSD = Test-SSDDrive + VBSCapable = Test-VBSCapable + SSD = Test-SSDDrive } } diff --git a/Utils/Registry.ps1 b/Utils/Registry.ps1 index 1d80a70..b9da902 100644 --- a/Utils/Registry.ps1 +++ b/Utils/Registry.ps1 @@ -8,7 +8,7 @@ .NOTES Author: NexusOne23 - Version: 2.2.2 + Version: 2.2.3 Requires: PowerShell 5.1+ #> diff --git a/Utils/Service.ps1 b/Utils/Service.ps1 index 898c4d2..b225000 100644 --- a/Utils/Service.ps1 +++ b/Utils/Service.ps1 @@ -8,7 +8,7 @@ .NOTES Author: NexusOne23 - Version: 2.2.2 + Version: 2.2.3 Requires: PowerShell 5.1+ #> @@ -213,12 +213,12 @@ function Get-ServiceStatus { $serviceWmi = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'" -ErrorAction Stop return [PSCustomObject]@{ - Name = $service.Name + Name = $service.Name DisplayName = $service.DisplayName - Status = $service.Status - StartType = $service.StartType - StartMode = $serviceWmi.StartMode - PathName = $serviceWmi.PathName + Status = $service.Status + StartType = $service.StartType + StartMode = $serviceWmi.StartMode + PathName = $serviceWmi.PathName Description = $serviceWmi.Description } } diff --git a/assets/framework-architecture.png b/assets/framework-architecture.png index b875faf..638ae1a 100644 Binary files a/assets/framework-architecture.png and b/assets/framework-architecture.png differ diff --git a/config.json b/config.json index 34183c1..5c42d3d 100644 --- a/config.json +++ b/config.json @@ -1,5 +1,5 @@ { - "version": "2.2.2", + "version": "2.2.3", "modules": { "SecurityBaseline": { "enabled": true, @@ -48,7 +48,7 @@ "description": "Microsoft Edge v139 Security Baseline: 24 security policies", "_comment": "Interactive: Allow extensions (Y/N, default: Y)", "allowExtensions": true, - "version": "2.2.2", + "version": "2.2.3", "baseline": "Edge v139", "policies": 24, "features": { @@ -75,7 +75,7 @@ "disableWirelessDisplay": false, "disableDiscoveryProtocols": true, "disableIPv6": false, - "version": "2.2.2", + "version": "2.2.3", "policies": 50, "features": { "rdp_hardening": true, @@ -94,7 +94,11 @@ "firewall_shields_up": true, "ipv6_disable": true }, - "profiles": ["Balanced", "Enterprise", "Maximum"] + "profiles": [ + "Balanced", + "Enterprise", + "Maximum" + ] } }, "options": { @@ -106,4 +110,4 @@ "autoConfirm": false, "_comment": "nonInteractive=true: Skip all Read-Host prompts, use config values instead" } -} +} \ No newline at end of file