{"id":30749463,"url":"https://github.com/br3thren-org/windows-device-hardener","last_synced_at":"2026-05-18T09:33:06.319Z","repository":{"id":309188962,"uuid":"1035422385","full_name":"Br3thren-Org/Windows-Device-Hardener","owner":"Br3thren-Org","description":"Automated Windows 10/11 security hardening PowerShell script implementing defence-in-depth controls based on NIST, CIS, and Microsoft security baselines. Features include advanced firewall rules, ASR deployment, BitLocker enforcement, network protocol lockdown, exploit mitigation, and rollback-safe operations for enterprise or standalone deployment","archived":false,"fork":false,"pushed_at":"2025-08-10T11:17:48.000Z","size":32,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-08-10T13:11:24.225Z","etag":null,"topics":["cybersecurity","endpoint-protection","hardening","infosec","powershell","system-administration","windows-10","windows-11","windows-hardening","windows-security"],"latest_commit_sha":null,"homepage":"","language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Br3thren-Org.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-08-10T11:15:09.000Z","updated_at":"2025-08-10T11:17:52.000Z","dependencies_parsed_at":"2025-08-10T13:21:43.706Z","dependency_job_id":null,"html_url":"https://github.com/Br3thren-Org/Windows-Device-Hardener","commit_stats":null,"previous_names":["br3thren-org/windows-device-hardener"],"tags_count":null,"template":false,"template_full_name"
:null,"purl":"pkg:github/Br3thren-Org/Windows-Device-Hardener","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Br3thren-Org%2FWindows-Device-Hardener","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Br3thren-Org%2FWindows-Device-Hardener/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Br3thren-Org%2FWindows-Device-Hardener/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Br3thren-Org%2FWindows-Device-Hardener/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Br3thren-Org","download_url":"https://codeload.github.com/Br3thren-Org/Windows-Device-Hardener/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Br3thren-Org%2FWindows-Device-Hardener/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":273561386,"owners_count":25127396,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-04T02:00:08.968Z","response_time":61,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cybersecurity","endpoint-protection","hardening","infosec","powershell","system-administration","windows-10","windows-11","windows-hardening","windows-security"],"created_at":"2025-09-04T06:04:54.805Z","updated_at":"2026-05-18T09:33:06.314Z","avatar_url":"https://github.com/Br3thren-Org.png","langu
age":"PowerShell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Windows Endpoint Hardener\n\n[![Version](https://img.shields.io/badge/version-2.2.0-blue.svg)](https://github.com/Br3thren-Org/Windows-Device-Hardener)\n[![License](https://img.shields.io/badge/license-MIT-green.svg)](LICENSE)\n[![PowerShell](https://img.shields.io/badge/powershell-5.1+-blue.svg)](https://github.com/PowerShell/PowerShell)\n[![Bash](https://img.shields.io/badge/bash-4.0+-green.svg)](https://www.gnu.org/software/bash/)\n\n\u003e **Comprehensive security hardening scripts for Windows endpoints implementing CISA/NSA compliance standards**\n\nEnterprise-grade security hardening solutions that automate the implementation of defense-in-depth security controls across Windows 10/11 systems. Built for government agencies, security professionals, and organizations requiring high-security baseline configurations.\n\n---\n\n## 🎯 Features\n\n### Windows Endpoint Hardener (v2.2.0)\n\n- ✅ **Three Security Levels**: Quick (30 min), Standard (60 min), Maximum (60+ min)\n- ✅ **Pre-Flight Validation**: Automatic compatibility checks before execution\n- ✅ **Real-Time Progress Tracking**: Visual progress indicators with percentage completion\n- ✅ **Compliance Reporting**: Automated JSON + HTML compliance reports with scoring\n- ✅ **Enterprise Deployment**: Intune/SCCM/RMM ready with silent execution\n- ✅ **Idempotent Design**: Safe to run multiple times without breaking system\n- ✅ **Comprehensive Backup**: Automatic backup before all changes with rollback capability\n- ✅ **150+ Security Controls**: Complete CISA/NSA hardening baseline\n\n---\n\n## 🚀 Quick Start\n\n### Windows\n\n```powershell\n# Download the script\ngit clone https://github.com/Br3thren-Org/Windows-Device-Hardener.git\ncd Windows-Device-Hardener\n\n# Run as Administrator - Standard hardening\n.\\Windows-Endpoint-Hardener-Complete.ps1 -SecurityLevel Standard\n\n# Preview mode (see changes without 
applying)\n.\\Windows-Endpoint-Hardener-Complete.ps1 -Preview -SecurityLevel Quick\n\n# Generate compliance report\n.\\Windows-Endpoint-Hardener-Complete.ps1 -SecurityLevel Maximum -ComplianceReport\n```\n\n---\n\n## 📋 Security Controls Implemented\n\n### Windows Security Domains\n\n| Domain | Controls | Description |\n|--------|----------|-------------|\n| **Windows Defender** | Real-time protection, ASR rules, tamper protection, cloud protection, PUA protection | Complete endpoint protection configuration |\n| **Firewall** | Profile hardening, logging, rule management | Network perimeter security |\n| **Network Security** | LLMNR, NetBIOS, SMB, WinRM, NTLM hardening | Protocol-level attack prevention |\n| **Credential Protection** | LSA Protection, Credential Guard, WDigest disable | Credential theft mitigation |\n| **BitLocker** | Full disk encryption with TPM/recovery password | Data at rest protection |\n| **TLS/SSL** | Disable weak protocols (SSL 2/3, TLS 1.0/1.1), enable TLS 1.2/1.3 | Transport security |\n| **Audit Policy** | Complete CISA/NSA audit logging | Security monitoring |\n| **UAC** | Advanced User Account Control with STIG compliance | Privilege escalation prevention |\n| **Services** | Disable 15+ dangerous services per CISA guidance | Attack surface reduction |\n| **Boot Security** | Secure Boot, TPM validation, HVCI, VBS | Firmware-level security |\n| **Certificate/PKI** | Weak hash algorithm disable, certificate validation | PKI security |\n| **Exploit Protection** | DEP, SEHOP, CFG, ASLR, control flow guard | Memory corruption prevention |\n| **PowerShell** | Script block logging, module logging, transcription, PSv2 removal | PowerShell security |\n| **RDP** | NLA, security layer, encryption | Remote access security |\n| **Print Spooler** | Point and Print restrictions, RPC security | PrintNightmare mitigation |\n| **DMA Protection** | Kernel DMA protection, Thunderbolt disable | DMA attack prevention |\n| **AppLocker** | Application 
whitelisting baseline | Application control |\n| **Windows Update** | Automatic updates, Microsoft Update | Patch management |\n\n---\n\n## 📊 Security Levels Explained\n\n### Quick Level (15-30 minutes)\n**Use Case:** Immediate security improvement, time-sensitive deployments\n\n**Windows:** ~30 operations covering firewall, basic Defender, ASR core, TLS basics, basic audit, basic UAC\n\n### Standard Level (30-60 minutes)\n**Use Case:** Recommended for most production environments\n\n**Windows:** ~80 operations including all Quick controls plus LSA Protection, SMB/RDP/NTLM hardening, network protocols, PowerShell security, Print Spooler hardening\n\n### Maximum Level (60+ minutes)\n**Use Case:** High-security environments, government/military, compliance requirements\n\n**Windows:** ~150 operations - complete CISA/NSA baseline including boot security, certificate security, HVCI, Credential Guard, DMA protection, AppLocker, advanced network hardening\n\n---\n\n## 🔧 Requirements\n\n### Windows\n- ✅ Windows 10 or Windows 11 (build 14393+)\n- ✅ PowerShell 5.1 or later\n- ✅ Administrator privileges\n- ✅ 1GB+ free disk space\n- ⚠️ Windows Professional, Enterprise, or Education edition recommended (some features unavailable on Home)\n\n---\n\n## 📖 Usage Examples\n\n### Windows\n\n#### Enterprise Deployment\n```powershell\n# Silent execution for RMM tools\n.\\Windows-Endpoint-Hardener-Complete.ps1 -SecurityLevel Standard -EnterpriseMode -Silent\n\n# Domain-joined systems with compliance report\n.\\Windows-Endpoint-Hardener-Complete.ps1 -SecurityLevel Maximum -EnterpriseMode -ComplianceReport\n\n# Standalone workstation\n.\\Windows-Endpoint-Hardener-Complete.ps1 -SecurityLevel Standard -StandaloneMode\n```\n\n#### Rollback\n```powershell\n# Restore from most recent backup\n.\\Windows-Endpoint-Hardener-Complete.ps1 -RollbackMode\n```\n\n#### Custom Configuration\n```powershell\n# Use custom ASR rules\n.\\Windows-Endpoint-Hardener-Complete.ps1 -ASRRules 
\"guid1,guid2,guid3\"\n\n# Disable IPv6\n.\\Windows-Endpoint-Hardener-Complete.ps1 -SecurityLevel Maximum -DisableIPv6\n\n# Custom exploit protection XML\n.\\Windows-Endpoint-Hardener-Complete.ps1 -ExploitProtectionXml \"C:\\config\\exploit-protection.xml\"\n```\n\n---\n\n## 📂 Output \u0026 Logs\n\n### Windows\n- **Logs:** `C:\\HardeningLogs\\`\n- **Transcripts:** `C:\\HardeningLogs\\Transcript-YYYYMMDD-HHmmss.log`\n- **Compliance Reports:** `C:\\HardeningLogs\\ComplianceReport-YYYYMMDD-HHmmss.json|.html`\n- **Backups:** `C:\\HardeningBackup\\YYYYMMDD-HHmmss\\`\n\n---\n\n## 🔄 Exit Codes\n\n| Code | Meaning | Action |\n|------|---------|--------|\n| 0 | Success, no reboot required | Continue operations |\n| 1 | Errors encountered | Review logs |\n| 3010 | Success, reboot required | Schedule system reboot |\n| 3011 | Rollback completed | Verify system state |\n| 1601 | Invalid parameters | Check command syntax |\n| 1603 | Incompatible system | Verify requirements |\n\n---\n\n## 🛡️ Security Considerations\n\n### Testing Required\n⚠️ **ALWAYS test in a non-production environment first!**\n\nThese scripts make significant system changes that can affect:\n- Network connectivity\n- Application compatibility\n- Remote access capabilities\n- System performance\n\n### Backup Strategy\n- Scripts automatically create backups before changes\n- Manual VM snapshots recommended for critical systems\n- Test rollback procedures before production deployment\n\n### Known Impacts\n\n**Windows:**\n- Maximum level may disable legacy protocols (SMBv1, TLS 1.0/1.1)\n- Some applications may require exceptions in AppLocker/Controlled Folder Access\n- Remote management tools may need reconfiguration\n\n---\n\n## 📊 Compliance \u0026 Standards\n\n### Frameworks Covered\n- ✅ **CISA/NSA Security Guidelines**\n- ✅ **CIS Benchmarks** (Level 1 \u0026 2)\n- ✅ **NIST Cybersecurity Framework**\n- ✅ **DISA STIGs** (Security Technical Implementation Guides)\n- ✅ **PCI DSS** (Payment Card Industry Data 
Security Standard)\n- ✅ **HIPAA** (Health Insurance Portability and Accountability Act)\n- ✅ **ISO 27001/27002** (Information Security Management)\n\n### Compliance Reporting (Windows v2.2.0)\n\nThe Windows script generates comprehensive compliance reports including:\n- **Security posture assessment** (13 checks across 6 categories)\n- **Compliance scoring** (0-100% with ratings)\n- **Detailed findings** by security control\n- **Actionable recommendations**\n- **Dual format:** JSON (automation) + HTML (executive review)\n\n---\n\n## 🔍 What's New\n\n### Version 2.2.0 (Windows - 2025-10-27)\n- ✨ Pre-flight system compatibility checks\n- ✨ Real-time progress tracking with percentage\n- ✨ Enhanced compliance reporting (JSON + HTML)\n- ✨ Improved error handling (PSScriptAnalyzer compliant)\n- ✨ Better initialization with visual separators\n- 🐛 Fixed null comparison warnings\n- 🐛 Enhanced reboot detection (added CBS check)\n\n### Version 2.1.0 (Windows)\n- Unified script (all CISA/NSA modules integrated)\n- Three security levels (Quick/Standard/Maximum)\n- Enterprise and Standalone modes\n\n---\n\n## 🤝 Contributing\n\nContributions are welcome! Please read [CONTRIBUTING.md](CONTRIBUTING.md) for details on:\n- Code of conduct\n- Development process\n- How to submit pull requests\n- Coding standards\n\n---\n\n## 📄 License\n\nThis project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.\n\n---\n\n## ⚠️ Disclaimer\n\n**USE AT YOUR OWN RISK**\n\nThis software is provided \"as is\" without warranty of any kind. The authors are not responsible for any damage or data loss that may result from using these scripts. Always:\n\n1. Test thoroughly in non-production environments\n2. Create complete system backups before execution\n3. Review all changes in preview mode first\n4. Understand the security controls being implemented\n5. 
Have a rollback plan ready\n\nThese scripts are designed for security professionals and system administrators who understand the implications of system hardening.\n\n---\n\n## 📞 Support\n\n- **Issues:** [GitHub Issues](https://github.com/Br3thren-Org/Windows-Device-Hardener/issues)\n- **Security Vulnerabilities:** See [SECURITY.md](SECURITY.md) for responsible disclosure\n- **Documentation:** See [CLAUDE.md](CLAUDE.md) for developer guidance\n\n---\n\n## 🙏 Acknowledgments\n\n- CISA/NSA for comprehensive security guidelines\n- Microsoft Security Team for Windows hardening best practices\n- CIS Benchmarks authors\n- DISA STIG contributors\n\n---\n\n## 📚 Additional Resources\n\n- [CISA Security Guidelines](https://www.cisa.gov/uscert/ncas/tips)\n- [NSA Cybersecurity Advisories](https://www.nsa.gov/What-We-Do/Cybersecurity/)\n- [CIS Benchmarks](https://www.cisecurity.org/cis-benchmarks/)\n- [Microsoft Security Baselines](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-security-baselines)\n\n---\n\n**Made with ❤️ for security professionals worldwide**\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbr3thren-org%2Fwindows-device-hardener","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbr3thren-org%2Fwindows-device-hardener","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbr3thren-org%2Fwindows-device-hardener/lists"}