[Suggestion]: Multiple measures
Are you sure the Security measure is not already implemented?
- [x] Yes, I have checked and the Security measure I'm suggesting to be implemented is not duplicate. 🫡
Please explain your new Security measure suggestion
- Inactivity reboot within Y amount of time. One example implementation.
Rebooting may clear non-persistent malware, apply crucial updates, return to BFU, plus more. The weakness with the above example implementation is malware changing time or disabling the scheduled script.
Screen Lockout Time is already implemented, while fully "Enable Account Audit Policies" is not. See the other categories and please compare further with Harden Windows Security module.
The measures are grouped in 9 categories. Network settings, Windows Script Hosting (WSH), Windows PowerShell, Command Prompt, File/Printer sharing may be areas of interest.
- Please mention which, if any, you'd not implement.
If you want more information or rationale, feel free to ask. Can't wait to see Harden Windows Security module with all the other new features you've planned to implement in the near future! When is the module available on the Microsoft Store?
Hi, thanks for the suggestions. The Harden Windows Security app will be released in a few weeks from now, I'd say in about 2 weeks. It has a factor that could increase the time it takes to be released, which is making it Native AOT; it would add an extra 2 weeks to the development time required, but if I make it Native AOT AFTER it is released then I think I can finish it in 2 weeks, maybe less.
- About suggestion 1, I really don't think it's a good idea. Windows is moving towards requiring fewer reboots, that's why in the 24H2 build it supports adding and removing App Control policies without the need for reboot, or updating the OS itself without reboot (for enterprise scenarios at the moment), so creating a scheduled task to reboot the system periodically is against that flow, plus realistically it doesn't provide enough benefits that could offset the inconvenience it causes because it's all about balancing security with user convenience. It could lead to all kinds of problems such as data loss. The best way is to use AppControl Manager and to make sure malware can't run on the system in the first place.
- Account audit policies are useful, many are enabled when you apply the Microsoft Security baselines. I'll have to check which extra ones, if any, are not enabled and make sense to be enabled (e.g., without generating too much noise in the logs that could quickly overwrite older logs).
- The Harden Windows Security module disables many removable features and capabilities from the OS, particularly those that are marked as deprecated by Microsoft. Anything beyond that is opinionated decisions such as OS clipboard, printer sharing, remote desktop etc. because they can be securely used as a result of applying all of the policies and don't necessarily need to be completely disabled, but since there is also a dedicated section in the module that offers other features to be disabled, I could offer the extra ones in there for users to optionally use.
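
The check described in the reply above (which account audit subcategories are still off, and whether extra events would push older ones out of the log) can be done with built-in tools. This is an added example, not part of the thread and not the module's own code; it assumes an elevated PowerShell prompt and an English-locale system, because `auditpol` prints localized category names and setting values.

```powershell
# Added example. Run elevated; assumes English-locale auditpol output.
$categories = 'Account Logon', 'Account Management'

$report = foreach ($category in $categories) {
    # /r emits CSV with the columns: Machine Name, Policy Target, Subcategory,
    # Subcategory GUID, Inclusion Setting, Exclusion Setting
    auditpol.exe /get "/category:$category" /r |
        Where-Object { $_.Trim() } |      # drop blank lines around the CSV
        ConvertFrom-Csv |
        ForEach-Object {
            [pscustomobject]@{
                Category    = $category
                Subcategory = $_.Subcategory
                Setting     = $_.'Inclusion Setting'
                Audited     = $_.'Inclusion Setting' -ne 'No Auditing'
            }
        }
}

# Subcategories that are not audited sort first.
$report | Sort-Object Audited, Category, Subcategory | Format-Table -AutoSize

# Security log capacity and retention: the context for the log-noise concern.
$log    = Get-WinEvent -ListLog Security
$oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1

[pscustomobject]@{
    MaxSizeMB     = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
    UsedMB        = [math]::Round($log.FileSize / 1MB, 1)
    LogMode       = $log.LogMode          # Circular = oldest events are overwritten
    RecordCount   = $log.RecordCount
    OldestEvent   = $oldest.TimeCreated
    DaysRetained  = [math]::Round(((Get-Date) - $oldest.TimeCreated).TotalDays, 1)
} | Format-List
```

Comparing `DaysRetained` before and after enabling a subcategory shows how much extra event volume shortens the history the Security log can hold at its current size.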