Bumps remaining 13 files that still referenced v2.2.2:
- 3 AdvancedSecurity config JSONs (AdminShares, Credentials, RDP)
- 4 AdvancedSecurity PS1 headers (Block-FingerProtocol, Set-SRPRules,
Set-WindowsUpdate, Invoke-AdvancedSecurity)
- 2 AntiAI PS1 headers (Disable-CopilotAdvanced, Test-AntiAICompliance)
- 1 Privacy runtime output (Invoke-PrivacyHardening)
- CONTRIBUTING.md templates + FEATURES.md docs
- bug_report.md issue template
Historical annotations in Backup-PrivacySettings.ps1 ("added in v2.2.2")
intentionally preserved as they document feature introduction dates.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
{
"$schema": "http://json-schema.org/draft-07/schema#",
"title": "Credential Protection Configuration",
"description": "Configuration for credential hardening including WDigest protection",
"version": "2.2.3",
"WDigest_Protection": {
"description": "Prevent WDigest from storing plaintext passwords in LSASS memory",
"enabled": true,
"deprecated_in": "Windows 11 24H2",
"status": "Deprecated in Win11 24H2+ but kept for backwards compatibility and defense-in-depth",
"registry_path": "HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest",
"settings": {
"UseLogonCredential": {
"description": "Control whether WDigest stores credentials in memory",
"value": 0,
"type": "DWORD",
"values": {
"0": "Secure - Do NOT store plaintext credentials in memory",
"1": "Insecure - Store plaintext credentials in memory (VULNERABLE!)"
},
"attack_prevention": [
"Prevents Mimikatz from dumping plaintext passwords cached by WDigest (NTLM hashes and Kerberos tickets held in LSASS are unaffected)",
"Prevents Windows Credential Editor (WCE) from recovering WDigest plaintext passwords",
"Prevents other memory-dumping credential theft tools from recovering WDigest plaintext passwords"
],
"impact": "None - Modern systems (Win 8.1+) already default to 0"
}
},
"default_behavior": {
"Windows_7": 1,
"Windows_8": 1,
"Windows_8.1": 0,
"Windows_10": 0,
"Windows_11": 0,
"Windows_11_24H2_plus": "Setting ignored (deprecated)"
},
"rationale": {
"why_set_if_deprecated": [
"Protects older Windows versions (Win7/8/Server 2008/2012); on those releases the value takes effect only once the KB2871997 update is installed",
"Protects early Win10/11 builds that may not be fully patched",
"Defense-in-depth: Explicit is better than implicit",
"Ensures compatibility in mixed environments",
"No negative impact on Win11 24H2+ (setting is ignored)"
]
},
"microsoft_advisory": {
"kb_article": "KB2871997",
"date": "May 2014",
"title": "Update to improve credentials protection and management",
"url": "https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649",
"baseline_removal": {
"version": "Windows 11 25H2 Security Baseline",
"reason": "Engineering teams deprecated this policy in Windows 11 24H2",
"url": "https://techcommunity.microsoft.com/blog/microsoft-security-baselines/windows-11-version-25h2-security-baseline/4456231"
}
}
},
"Profiles": {
"Balanced": true,
"Enterprise": true,
"Maximum": true
},
"Compatibility": {
"windows_versions": ["All Windows versions"],
"notes": [
"Setting is ignored on Windows 11 24H2+ (deprecated)",
"No compatibility issues or breakage on any Windows version",
"Recommended for all profiles for defense-in-depth"
]
}
}