Home

Awesome

HardeningKitty and Windows Hardening

Introduction

The project started as a simple hardening list for Windows 10. After some time, HardeningKitty was created to simplify the hardening of Windows. Now, HardeningKitty supports guidelines from Microsoft, CIS Benchmarks, DoD STIG and BSI SiSyPHuS Win10. And of course my own hardening list.

This is a hardening checklist that can be used in private and business environments for hardening Windows 10. The checklist can be used for all Windows versions, but in Windows 10 Home the Group Policy Editor is not integrated and the adjustment must be done directly in the registry. For this, there is the HailMary mode from HardeningKitty.

The settings should be seen as security and privacy recommendation and should be carefully checked whether they will affect the operation of your infrastructure or impact the usability of key functions. It is important to weigh security against usability.

The project started with the creation of a simple hardening checklist for Windows 10. The focus has shifted to the audit of various well-known frameworks / benchmarks with the development of HardeningKitty. Meanwhile, various CIS benchmarks and Microsoft Security Baselines are supported. With the development of the HailMary mode, it will also be possible to apply settings of any hardening checklist on a Windows system.

HardeningKitty

HardeningKitty supports hardening of a Windows system. The configuration of the system is retrieved and assessed using a finding list. In addition, the system can be hardened according to predefined values. HardeningKitty reads settings from the registry and uses other modules to read configurations outside the registry.

The script was developed for English systems. It is possible that in other languages the analysis is incorrect. Please create an issue if this occurs.

Signed Version

The development of HardeningKitty happens in this repository. In the repository of scip AG is a stable version of HardeningKitty that has been signed with the code signing certificate of scip AG. This means that HardeningKitty can also be run on systems that only allow signed scripts.

How To Run

Run the script with administrative privileges to access machine settings. For the user settings it is better to execute them with a normal user account. Ideally, the user account is used for daily work.

Download HardeningKitty and copy it to the target system (script and lists). Then HardeningKitty can be imported and executed:

PS C:\tmp> Import-Module .\HardeningKitty.psm1
PS C:\tmp> Invoke-HardeningKitty -EmojiSupport


         =^._.^=
        _(      )/  HardeningKitty 0.9.0-1662273740


[*] 9/4/2022 8:54:12 AM - Starting HardeningKitty


[*] 9/4/2022 8:54:12 AM - Getting user information
[*] Hostname: DESKTOP-DG83TOD
[*] Domain: WORKGROUP

...

[*] [*] 9/4/2022 8:54:12 AM - Starting Category Account Policies
[😺] ID 1103, Store passwords using reversible encryption, Result=0, Severity=Passed
[😺] ID 1100, Account lockout threshold, Result=10, Severity=Passed
[😺] ID 1101, Account lockout duration, Result=30, Severity=Passed

...

[*] 9/4/2022 8:54:12 AM - Starting Category User Rights Assignment
[😿] ID 1200, Access this computer from the network, Result=BUILTIN\Administrators;BUILTIN\Users, Recommended=BUILTIN\Administrators, Severity=Medium

...

[*] 9/4/2022 8:54:14 AM - Starting Category Administrative Templates: Printer
[🙀] ID 1764, Point and Print Restrictions: When installing drivers for a new connection (CVE-2021-34527), Result=1, Recommended=0, Severity=High
[🙀] ID 1765, Point and Print Restrictions: When updating drivers for an existing connection (CVE-2021-34527), Result=2, Recommended=0, Severity=High

...

[*] 9/4/2022 8:54:19 AM - Starting Category MS Security Guide
[😿] ID 2200, LSA Protection, Result=, Recommended=1, Severity=Medium
[😼] ID 2201, Lsass.exe audit mode, Result=, Recommended=8, Severity=Low

...

[*] 9/4/2022 8:54:25 AM - HardeningKitty is done
[*] 9/4/2022 8:54:25 AM - Your HardeningKitty score is: 4.82. HardeningKitty Statistics: Total checks: 325 - Passed: 213, Low: 33, Medium: 76, High: 3.

How To Install

First create the directory HardeningKitty and for every version a sub directory like 0.9.2 in a path listed in the PSModulePath environment variable.

Copy the module HardeningKitty.psm1, HardeningKitty.psd1, and the lists directory to this new directory.

PS C:\tmp> $Version = "0.9.2"
PS C:\tmp> New-Item -Path $Env:ProgramFiles\WindowsPowerShell\Modules\HardeningKitty\$Version -ItemType Directory
PS C:\tmp> Copy-Item -Path .\HardeningKitty.psd1,.\HardeningKitty.psm1,.\lists\ -Destination $Env:ProgramFiles\WindowsPowerShell\Modules\HardeningKitty\$Version\ -Recurse

For more information see Microsoft's article Installing a PowerShell Module.

How to Automatically Download and Install the Latest Release

You can use the script below to download and install the latest release of HardeningKitty.

Function InstallHardeningKitty() {
    $Version = (((Invoke-WebRequest "https://api.github.com/repos/0x6d69636b/windows_hardening/releases/latest" -UseBasicParsing) | ConvertFrom-Json).Name).SubString(2)
    $HardeningKittyLatestVersionDownloadLink = ((Invoke-WebRequest "https://api.github.com/repos/0x6d69636b/windows_hardening/releases/latest" -UseBasicParsing) | ConvertFrom-Json).zipball_url
    $ProgressPreference = 'SilentlyContinue'
    Invoke-WebRequest $HardeningKittyLatestVersionDownloadLink -Out HardeningKitty$Version.zip
    Expand-Archive -Path ".\HardeningKitty$Version.zip" -Destination ".\HardeningKitty$Version" -Force
    $Folder = Get-ChildItem .\HardeningKitty$Version | Select-Object Name -ExpandProperty Name
    Move-Item ".\HardeningKitty$Version\$Folder\*" ".\HardeningKitty$Version\"
    Remove-Item ".\HardeningKitty$Version\$Folder\"
    New-Item -Path $Env:ProgramFiles\WindowsPowerShell\Modules\HardeningKitty\$Version -ItemType Directory
    Set-Location .\HardeningKitty$Version
    Copy-Item -Path .\HardeningKitty.psd1,.\HardeningKitty.psm1,.\lists\ -Destination $Env:ProgramFiles\WindowsPowerShell\Modules\HardeningKitty\$Version\ -Recurse
    Import-Module "$Env:ProgramFiles\WindowsPowerShell\Modules\HardeningKitty\$Version\HardeningKitty.psm1"
}
InstallHardeningKitty

Examples

Audit

The default mode is audit. HardeningKitty performs an audit, saves the results to a CSV file and creates a log file. The files are automatically named and receive a timestamp. Using the parameters ReportFile or LogFile, it is also possible to assign your own name and path.

The Filter parameter can be used to filter the hardening list. For this purpose the PowerShell ScriptBlock syntax must be used, for example { $_.ID -eq 4505 }. The following elements are useful for filtering: ID, Category, Name, Method, and Severity.

Invoke-HardeningKitty -Mode Audit -Log -Report

HardeningKitty can be executed with a specific list defined by the parameter FileFindingList. If HardeningKitty is run several times on the same system, it may be useful to hide the machine information. The parameter SkipMachineInformation is used for this purpose.

Invoke-HardeningKitty -FileFindingList .\lists\finding_list_0x6d69636b_user.csv -SkipMachineInformation

HardeningKitty uses the default list, and checks only tests with the severity Medium.

Invoke-HardeningKitty -Filter { $_.Severity -eq "Medium" }

Config

The mode config retrives all current settings of a system. If a setting has not been configured, HardeningKitty will use a default value stored in the finding list. This mode can be combined with other functions, for example to create a backup.

HardeningKitty gets the current settings and stores them in a report:

Invoke-HardeningKitty -Mode Config -Report -ReportFile C:\tmp\my_hardeningkitty_report.csv

Backup

Backups are important. Really important. Therefore, HardeningKitty also has a function to retrieve the current configuration and save it in a form that can be partially restored.

Disclaimer: HardeningKitty tries to restore the original configuration. This works quite well with registry keys and Hardening Kitty really tries its best. But the backup function is not a snapshot and does not replace a real system backup. It is not possible to restore the system 1:1 with HardeningKitty alone after HailMary. If this is a requirement, create an image or system backup and restore it.

The Backup switch specifies that the file is written in form of a finding list and can thus be used for the HailMary mode. The name and path of the backup can be specified with the parameter BackupFile.

Invoke-HardeningKitty -Mode Config -Backup

Please test this function to see if it really works properly on the target system before making any serious changes. A Schrödinger's backup is dangerous.

Non-Default Finding List

Note that if -FileFindingList is not specified, the backup is referred to the default finding list. Before deploying a specific list in HailMary mode, always create a backup referred to that specific list.

Invoke-HardeningKitty -Mode Config -Backup -BackupFile ".\myBackup.csv" -FileFindingList ".\list\{list}.csv"
Restoring a Backup

The Backup switch creates a file in form of a finding list, to restore the backup load it in HailMary mode like any find list:

Invoke-HardeningKitty -Mode HailMary -Log -Report -FileFindingList ".\myBackup.csv"

HailMary

The HailMary method is very powerful. It can be used to deploy a finding list on a system. All findings are set on this system as recommended in the list. With power comes responsibility. Please use this mode only if you know what you are doing. Be sure to have a backup of the system.

For now, the filter function is only supported in Audit and Config mode. As the HailMary mode is a delicate matter, create your own file and remove all the lines you want to filter.

Invoke-HardeningKitty -Mode HailMary -Log -Report -FileFindingList .\lists\finding_list_0x6d69636b_machine.csv

Before HailMary is run, a finding list must be picked. It is important to check whether the settings have an influence on the stability and functionality of the system. Before running HailMary, a backup should be made.

Create a Group Policy (experimental)

Thanks to @gderybel, HardeningKitty can convert a finding list into a group policy. As a basic requirement, the Group Policy Management PowerShell module must be installed. At the moment only registry settings can be converted and not everything has been tested yet. A new policy is created, as long as it is not assigned to an object, no change is made to the system. Use it with care.

Invoke-HardeningKitty -Mode GPO -FileFindingList .\lists\finding_list_0x6d69636b_machine.csv -GPOName HardeningKitty-Machine-01

HardeningKitty Score

Each Passed finding gives 4 points, a Low finding gives 2 points, a Medium finding gives 1 point and a High Finding gives 0 points.

The formula for the HardeningKitty Score is (Points achieved / Maximum points) * 5 + 1.

Rating

ScoreRating CasualRating Professional
6😹 ExcellentExcellent
5😺 Well doneGood
4😼 SufficientSufficient
3😿 You should do betterInsufficient
2🙀 WeakInsufficient
1😾 BogusInsufficient

HardeningKitty Interface

@ataumo build a web based interface for HardeningKitty. The tool can be used to create your own lists and provides additional information on the hardening settings. The source code is under AGPL license and there is a demo site.

Last Update

HardeningKitty can be used to audit systems against the following baselines / benchmarks:

NameSystem VersionVersion
0x6d69636b Windows 10 (Machine)22H2
0x6d69636b Windows 10 (User)22H2
BSI SiSyPHuS Windows 10 hoher Schutzbedarf Domänenmitglied (Machine)18091.0
BSI SiSyPHuS Windows 10 hoher Schutzbedarf Domänenmitglied (User)18091.0
BSI SiSyPHuS Windows 10 normaler Schutzbedarf Domänenmitglied (Machine)18091.0
BSI SiSyPHuS Windows 10 normaler Schutzbedarf Domänenmitglied (User)18091.0
BSI SiSyPHuS Windows 10 normaler Schutzbedarf Einzelrechner (Machine)18091.0
BSI SiSyPHuS Windows 10 normaler Schutzbedarf Einzelrechner (User)18091.0
CIS Microsoft Windows 10 Enterprise (Machine)18091.6.1
CIS Microsoft Windows 10 Enterprise (User)18091.6.1
CIS Microsoft Windows 10 Enterprise (Machine)19031.7.1
CIS Microsoft Windows 10 Enterprise (User)19031.7.1
CIS Microsoft Windows 10 Enterprise (Machine)19091.8.1
CIS Microsoft Windows 10 Enterprise (User)19091.8.1
CIS Microsoft Windows 10 Enterprise (Machine)20041.9.1
CIS Microsoft Windows 10 Enterprise (User)20041.9.1
CIS Microsoft Windows 10 Enterprise (Machine)20H21.10.1
CIS Microsoft Windows 10 Enterprise (User)20H21.10.1
CIS Microsoft Windows 10 Enterprise (Machine)21H11.11.0
CIS Microsoft Windows 10 Enterprise (User)21H11.11.0
CIS Microsoft Windows 10 Enterprise (Machine)21H21.12.0
CIS Microsoft Windows 10 Enterprise (User)21H21.12.0
CIS Microsoft Windows 10 Enterprise (Machine)22H22.0.0
CIS Microsoft Windows 10 Enterprise (User)22H22.0.0
CIS Microsoft Windows 10 Enterprise (Machine)22H23.0.0
CIS Microsoft Windows 10 Enterprise (User)22H23.0.0
CIS Microsoft Windows 11 Enterprise (Machine)21H21.0.0
CIS Microsoft Windows 11 Enterprise (User)21H21.0.0
CIS Microsoft Windows 11 Enterprise (Machine)22H22.0.0
CIS Microsoft Windows 11 Enterprise (User)22H22.0.0
CIS Microsoft Windows 11 Enterprise (Machine)23H23.0.0
CIS Microsoft Windows 11 Enterprise (User)23H23.0.0
CIS Microsoft Windows Server 2012 R2 (Machine)R22.4.0
CIS Microsoft Windows Server 2012 R2 (User)R22.4.0
CIS Microsoft Windows Server 2012 R2 (Machine)R22.6.0
CIS Microsoft Windows Server 2012 R2 (User)R22.6.0
CIS Microsoft Windows Server 2012 R2 (Machine)R23.0.0
CIS Microsoft Windows Server 2012 R2 (User)R23.0.0
CIS Microsoft Windows Server 2016 (Machine)16071.2.0
CIS Microsoft Windows Server 2016 (User)16071.2.0
CIS Microsoft Windows Server 2016 (Machine)16071.3.0
CIS Microsoft Windows Server 2016 (User)16071.3.0
CIS Microsoft Windows Server 2016 (Machine)16072.0.0
CIS Microsoft Windows Server 2016 (User)16072.0.0
CIS Microsoft Windows Server 2016 (Machine)16073.0.0
CIS Microsoft Windows Server 2016 (User)16073.0.0
CIS Microsoft Windows Server 2019 (Machine)18091.1.0
CIS Microsoft Windows Server 2019 (User)18091.1.0
CIS Microsoft Windows Server 2019 (Machine)18091.2.1
CIS Microsoft Windows Server 2019 (User)18091.2.1
CIS Microsoft Windows Server 2019 (Machine)18092.0.0
CIS Microsoft Windows Server 2019 (User)18092.0.0
CIS Microsoft Windows Server 2019 (Machine)18093.0.0
CIS Microsoft Windows Server 2019 (User)18093.0.0
CIS Microsoft Windows Server 2022 (Machine)21H21.0.0
CIS Microsoft Windows Server 2022 (User)21H21.0.0
CIS Microsoft Windows Server 2022 (Machine)22H22.0.0
CIS Microsoft Windows Server 2022 (User)22H22.0.0
CIS Microsoft Windows Server 2022 (Machine)22H23.0.0
CIS Microsoft Windows Server 2022 (User)22H23.0.0
DoD Microsoft Windows 10 STIG (Machine)20H2v2r1
DoD Microsoft Windows 10 STIG (User)20H2v2r1
DoD Windows Server 2019 Domain Controller STIG (Machine)20H2v2r1
DoD Windows Server 2019 Domain Controller STIG (User)20H2v2r1
DoD Windows Server 2019 Member Server STIG (Machine)20H2v2r1
DoD Windows Server 2019 Member Server STIG (User)20H2v2r1
DoD Windows Defender Antivirus STIG20H2v2r1
DoD Windows Firewall STIG20H2v1r7
Microsoft Security baseline for Microsoft Edge87Final
Microsoft Security baseline for Microsoft Edge88, 89, 90, 91Final
Microsoft Security baseline for Microsoft Edge92Final
Microsoft Security baseline for Microsoft Edge93, 94Final
Microsoft Security baseline for Microsoft Edge95Final
Microsoft Security baseline for Microsoft Edge96Final
Microsoft Security baseline for Microsoft Edge97Final
Microsoft Security baseline for Microsoft Edge98, 99, 100, 101, 102, 103, 104, 105, 106Final
Microsoft Security baseline for Microsoft Edge107, 108, 109, 110, 111Final
Microsoft Security baseline for Microsoft Edge112, 113Final
Microsoft Security baseline for Microsoft Edge114, 115, 116Final
Microsoft Security baseline for Microsoft Edge117, 118, 119, 120, 121, 122, 123, 124, 125, 126, 127Final
Microsoft Security baseline for Microsoft Edge128, 129, 130Final
Microsoft Security baseline for Windows 102004Final
Microsoft Security baseline for Windows 1020H2, 21H1Final
Microsoft Security baseline for Windows 1021H2Final
Microsoft Security baseline for Windows 10 (Machine)22H2Final
Microsoft Security baseline for Windows 10 (User)22H2Final
Microsoft Security baseline for Windows 1121H2Final
Microsoft Security baseline for Windows 11 (Machine)22H2Final
Microsoft Security baseline for Windows 11 (User)22H2Final
Microsoft Security baseline for Windows 11 (Machine)23H2Final
Microsoft Security baseline for Windows 11 (User)23H2Final
Microsoft Security baseline for Windows 11 (Machine)24H2Final
Microsoft Security baseline for Windows 11 (User)24H2Final
Microsoft Security baseline for Windows Server (DC)2004Final
Microsoft Security baseline for Windows Server (Member)2004Final
Microsoft Security baseline for Windows Server (DC)20H2Final
Microsoft Security baseline for Windows Server (Member)20H2Final
Microsoft Security baseline for Windows Server 2022 (DC)21H2Final
Microsoft Security baseline for Windows Server 2022 (Member)21H2Final
Microsoft Security baseline for Office 365 ProPlus (Machine)Sept 2019Final
Microsoft Security baseline for Office 365 ProPlus (User)Sept 2019Final
Microsoft Security Baseline for Microsoft 365 Apps for enterprise (Machine)v2104, v2106Final
Microsoft Security Baseline for Microsoft 365 Apps for enterprise (User)v2104, v2106Final
Microsoft Security Baseline for Microsoft 365 Apps for enterprise (Machine)v2112Final
Microsoft Security Baseline for Microsoft 365 Apps for enterprise (User)v2112Final
Microsoft Security Baseline for Microsoft 365 Apps for enterprise (Machine)v2206Final
Microsoft Security Baseline for Microsoft 365 Apps for enterprise (User)v2206Final
Microsoft Security Baseline for Microsoft 365 Apps for enterprise (Machine)v2306, v2312Final
Microsoft Security Baseline for Microsoft 365 Apps for enterprise (User)v2306, v2312Final
Microsoft Windows Server TLS Settings18091.0
Microsoft Windows Server TLS Settings (Future Use with TLSv1.3)19031.0

Sources