
Harden Windows Safely, Securely using Official Supported Microsoft methods and proper explanation | Always up-to-date and works with the latest build of Windows | Provides tools and Guides for Personal, Enterprise, Government and Military security levels


HotCakeX/Harden-Windows-Security


Harden Windows Security | A New Threat to Malware

Harden Windows Safely, Securely, Only With Official Microsoft Methods



Note

Windows by default is secure and safe; this repository does not imply or claim otherwise. Like anything else, you have to use it wisely and not compromise yourself with reckless behavior and bad user configuration; nothing is foolproof. This repository only uses the tools and features that Microsoft has already implemented in the Windows OS to fine-tune it towards the highest security and most locked-down state, using well-documented, supported, recommended and official methods. Continue reading for comprehensive info.


How To Use




Rationale

Welcome to the Harden Windows Security Repository

This section provides the justification and objective of this GitHub repository and its contents. It outlines how it addresses various threats and how to adjust your expectations for different scenarios and environments. It also supplies lots of useful additional resources.

This repository currently has 3 main products.

  1. The Harden System Security App
  2. The Harden Windows Security module <- Will be deprecated soon in favor of the new Harden System Security App.
  3. The AppControl Manager

Let's explore each of them in detail below.


Harden System Security App

Use the Harden System Security app to secure your personal and enterprise devices against the majority of advanced threats. The app is suitable to be used by everyone.

If you are a personal user, you can use the Harden System Security app to harden your Operating System, remove unnecessary features or apps, and gain advanced visibility into the security structure of your system.

If you are an enterprise user or admin, you can use the provided Intune security policies from this repository and apply them from your Intune Portal to all of your workstations using Microsoft Graph API. You can then use the app to verify the compliance of the workstations against the applied policies and receive a security score.

It uses the same security features built into your device and Windows operating system to fine-tune it towards the highest security and locked-down state. It does not install any outside components and does not increase your attack surface at all.

Let's take a look at the infographics below:

  • Infographic: Only a Small Portion of The Windows OS Security Apparatus (More Info About This Map)

  • Infographic: Comparison of security benchmarks (The reasoning behind the infographic above)




AppControl Manager

AppControl Manager is a secure open-source Windows application designed to help you easily configure Application Control in your system. It is suitable for both personal users as well as enterprises, businesses and highly secure workstations.

Tip

If you aren't familiar with what App Control is, please refer to this article where it's explained in great detail.

Proper usage of Application Control, when coupled with the Harden System Security app's policies, can provide 99% protection from various threats, whether from the Internet or physical. It's true that there is no absolute security, but then again there is nothing absolute in the universe either. Everything, even the most fundamental physical laws, is and has been subject to change and conditions.


How Do You Make the Right Choice?

First and Foremost, use the Harden System Security app to apply the hardening measures it offers; your system will be secure against at least ~98% of threats when you use a Standard (non-Privileged) account for everyday work. These threats aren't the usual computer viruses; they are motivated nation state threat actors.

Then use the AppControl Manager to deploy an App Control policy and gain even more control over the operation of Windows Application Control.

These methods create multiple layers of security, also known as defense in depth. Additionally, you can create a Kernel-level Zero-Trust strategy for your system.

If there will ever be a zero-day vulnerability in one or even some of the security layers at the same time, there will still be enough layers left to protect your device. It's practically impossible to penetrate all of them at once.

Also, zero-day vulnerabilities are patched quickly, so keeping your device and OS up to date, regardless of what OS you use, is one of the most basic security recommendations and best practices you must follow.




Vulnerabilities Such as Zero-Days Are Disclosed in 3 Different Ways

  1. The vulnerability is disclosed responsibly. It is first communicated privately with the software vendor/developer so they can have the time to fix and issue updates/patches for the vulnerability before it is disclosed publicly. In this way, people are always safe because all that's needed is to keep your OS and software up to date to receive the latest security patches.

  2. The vulnerability is disclosed irresponsibly. It is disclosed publicly, through social media or by creating PoCs (Proof of Concept) so that it can be used and abused by everyone.

  3. The vulnerability is abused by malicious actors. It is exploited by threat actors in cyber attacks and privately. These vulnerabilities are either discovered by the threat actors themselves or bought from security researchers who find them first, all of which is illegal and has consequences.


What About More Advanced Security at Scale?



To achieve the highest level of security at scale for business, enterprise and military scenarios, you can use the following services to create impenetrable devices and environments.

Important

The following services must be used in addition to the measures already talked about in this repository, such as proper Application Control policies and the security measures that the Harden System Security app applies. They are not a replacement for them.

As an individual user you can still utilize these features and services; they add an additional layer of protection to your security stack.




Important Considerations

  • Avoid using any 3rd party security solutions when using the Harden System Security app or App Control for Business. 3rd party solutions are weak, incompatible and unnecessary; they also increase your attack surface.

  • Use virtual machines for any questionable or unsafe software: use Windows Sandbox or a Hyper-V VM.


Use Microsoft Surface products for the best device and firmware security. They support the secured-core PC specifications, and their manufacturing process and platform are trusted and secure.

Make sure to use Surface products that support Device Firmware Configuration Interface (DFCI) for extra protection and security. Here is a list of Surface products that support it.

  • How to use Device Firmware Configuration Interface (DFCI) for Surface Devices with Intune

  • Among other features, devices set up with DFCI can be configured so that booting from USB devices is disabled, and there is no way to bypass this chip-level security directly; not even a CMOS clear can bypass it, because it uses non-volatile memory (flash storage). It sets up BIOS certificate authentication, and the private key is kept behind the cloud edge inside Intune; not even Microsoft support can get that key.

  • The list of Surface products supporting DFCI might not get updated quickly in that doc, but fear not: this is an active project and all new Surface devices have this built in; the docs team might just be a little laggy.

  • Microsoft Surface devices use Project Mu for the source code of their firmware.

  • Surface devices can use certificates instead of a password for UEFI. They don't have a reset switch like other devices either. You create and install your own certificate using the Surface Management Toolkit. You can build a config package that contains the certificate and install it to the firmware; the package then can't be removed or changed without the signing cert authorizing the change (cert auth). Alternatively, you can just use DFCI as previously mentioned and not have to worry, because the packages are signed with Microsoft's private key and there is no PKI that you have to self-host.

  • Business class Surface devices have dedicated TPM chips.

  • Check out the Device Guard category about Secured-Core specifications.

  • Pluton security chip is not a requirement for Secured-Core certification.

  • The Pluton security chip is included in Qualcomm Snapdragon ARM, AMD and Intel CPUs.

  • Copilot+ PCs are among the most secure consumer grade devices. They are secured-core and incorporate the Pluton security chip.


Important

It is important to be aware of potential hardware backdoors that may compromise the security of your system. Some common OEMs, such as Compaq, Dell, Fujitsu, Hewlett-Packard (HP), Sony, and Samsung, along with OEMs that use unmodified Insyde H20 or Phoenix firmware, utilize algorithms based on device serial numbers for password resets. These algorithms allow for master password removal from the firmware, potentially granting unauthorized access to the system.


Note

When buying 3rd party devices, make sure they have the Pluton security chip; it addresses security needs like booting an operating system securely even against firmware threats and storing sensitive data safely even against physical attacks.





You should have an existing Unified Contract with Microsoft (formerly known as Premier Support). Microsoft offers a wide range of services and teams to help you recover from a cyber attack such as:

  • GHOST - Global Hunting, Oversight and Strategic Triage
  • DART - The Microsoft Detection and Response Team
  • CRSP - Global Compromise Recovery Security Practice Team, including Ransomware

After you have been hacked, you should request them by contacting your Customer Success Account Manager and telling them you need the help of one of these teams.


Tip

When getting cyber security insurance for your company or organization, make sure to get one that covers the cost of hiring Microsoft's elite teams such as GHOST/DART, i.e. those Microsoft teams will be in-network for your insurance.


Color breakdown of security teams in organizations

  • 🔴 Red - Pen Testers/White Hat Hackers
  • 🔵 Blue - SOC/Data Science/Telemetry Analysis/SIEM Junkies
  • 🟢 Green - Fixers, who take input from blue and red and build the fixes that are needed for identified blind spots (blue) or vulnerability/risk (red)
  • 🟡 Yellow - Tooling, SWE to build new stuff for all of the above to operate faster and more effectively



How to properly perform a pentest and benchmark a system hardened by this repository, making it as close to a real-world scenario as possible:

  1. Use a physical machine if possible. It should have Windows 11 certified hardware, and you should use a Standard user account.

    • If you can't use a physical machine, use the Hyper-V hypervisor. Your host (aka physical machine) must have Windows 11 certified hardware and meet all the hardware and UEFI security requirements explained in the Readme. VMs, however, are prone to side channel attacks, so don't use that attack vector in pentests if you want more realistic results.

  2. First apply the Harden System Security app (all categories of it) and then use the AppControl Manager to deploy a suitable Signed App Control policy.


Important

Always pay attention to the Microsoft Security Servicing Criteria for Windows, especially the Security boundaries. There is no security boundary between Administrator and Kernel.

Some penetration testers overlook this fact, assuming it is a vulnerability that they can perform administrative tasks such as disabling security features as Administrator. This is an expected behavior. Administrators have the power to control the security of a device and can disable security features at their discretion. This is why you need to use a Standard user account when performing a realistic penetration test.

Another aspect to consider is the ambiguity in the word "Admin". There are at least two distinct types of Admins: Local Admin and Cloud Admin. For instance, when you are penetration testing a system that leverages an enterprise cloud security solution such as Microsoft Defender for Endpoint (MDE), Admin access should be regarded as Cloud Admin, since those devices use Microsoft Entra ID and lack a Local Admin. In this situation, the Cloud Admin can effortlessly disable security features as expected, rendering a pentest using Local Admin access utterly pointless. Conversely, when pentesting a system that only relies on personal security features such as Microsoft Defender, Admin should be treated as Local Admin. In this case, the Admin can also disable any security feature for the same reasons stated above.

Of course, Microsoft employs additional security measures such as Protected Process Light (PPL) for Defense in Depth strategies, but they do not alter the facts stated above. The goal is to always hope for the best, plan for the worst.


Please open a new issue or discussion in the repository.




Related



  • Azure DevOps Repository (mirror)
  • Harden Windows Security website
  • Official global IANA IP block for each country
  • Windows Security Blog
  • WinSecureDNSMgr
  • Privacy, Anonymity and Compartmentalization




Trust

Trust The Harden Windows Security GitHub Repository

This repository uses effective methods that make it easy to verify:

  • Artifact attestations are used to establish provenance for builds. They guarantee that the packages are 100% created from the source code that exists in this repository.

  • SBOMs (Software Bill of Materials) are generated for the entire repository to comply with data protection standards and provide transparency. Together with attestation and isolation, they provide the SLSA L3 security level for the build process.

  • You can open the files in Visual Studio Code / Visual Studio Code Web / GitHub CodeSpace, and view them in a nice and easy to read environment, they are well formatted, commented and indented.

  • Commits and Tags are verified either with my GPG key or SSH key and Vigilant mode is turned on in my GitHub account.

  • You can fork this repository, verify it until that point in time, then verify any subsequent changes/updates I push to this repository, at your own pace (using Sync fork and Compare options on your fork), and if you are happy with the changes, allow it to be merged with your own copy/fork on your GitHub account.

  • All of the apps offered in this repository are signed and available in the Microsoft Store.


Tip

All files in this repository are zipped and automatically submitted to VirusTotal for scanning. Any packages available in the latest release are also directly uploaded for scanning. This is done through a GitHub Action that is triggered every time a release is made or a PR is merged. Find the history of the uploaded files in my VirusTotal profile.

  • PSScriptAnalyzer
  • Repository And Package Scan on Virus Total
  • CodeQL Advanced - Quality
  • Sync to Azure DevOps
  • Build AppControl Manager MSIX Package
  • Dependabot Updates
  • Markdown Link Validator
  • Dependency review

Warning

For your own security, exercise caution when considering any other 3rd-party tools, programs, or scripts claiming to harden or modify Windows OS in any way. Verify their legitimacy thoroughly before use and after each release. Avoid blind trust in 3rd party Internet sources. Additionally, if they don't adhere to the same high standards as this repository's offerings, they can cause system damage, unknown issues, and bugs.



Support

Support Section - Harden Windows Security Repository

If you have any questions, requests, suggestions etc. about this GitHub repository and its content, please open a new discussion or Issue.

Reporting a vulnerability on this GitHub repository.

I can also be reached privately at: spynetgirl@outlook.com




Security Recommendations

Windows Security Recommendations - Harden Windows Security GitHub Repository

  • Always download your operating system from official Microsoft websites. Right now, Windows 11 is the latest version of Windows; its ISO file can be downloaded from this official Microsoft server. One of the worst things you can do to your own security and privacy is downloading your OS, which is the root of all the active and passive security measures, from a 3rd party website claiming they have the official unmodified files. There are countless bad things that can happen as a result, such as threat actors embedding malware or backdoors inside the customized OS, or pre-installing customized root CA certificates in your OS so that they can perform TLS termination and view all of your HTTPS and encrypted Internet data in plain clear text, even if you use a VPN. Having a poisoned and compromised certificate store is the endgame for you, and that's just the tip of the iceberg.


  • Whenever you want to install a program or app, first use the Microsoft Store or Winget; if the program or app you are looking for isn't available there, then download it from its official website. Somebody created a nice web interface for interacting with the Winget CLI here. Using Winget or the Microsoft Store provides many benefits:

    • Microsoft Store UWP apps are secure by nature, digitally signed, and in MSIX format. That means installing and uninstalling them is guaranteed to work, and there won't be any leftovers after uninstalling.

    • The Microsoft Store has Win32 apps too; they are the traditional .exe installers that we are all familiar with. The store has a library feature that makes it easy to find the apps you previously installed.

    • Both the Microsoft Store and Winget check the hash of the files by default; if a program or file has been tampered with, they will warn you and block the installation, whereas when you manually download a program from a website, you have to manually verify the file hash against the hash shown on the website, if any.





  • Make sure OneDrive backup for important folders (Desktop/Documents/Pictures) is enabled. It is fast and secure, works in any network condition, and since it's x64 (64-bit), it can handle a lot of small and large files simultaneously.

  • When considering the use of a VPN, it is crucial to exercise discernment and only resort to it when absolutely necessary. A VPN can be a vital tool if you reside in a totalitarian, communist, or dictatorial regime, or in a nation where democratic principles are not upheld. However, if you live in a country that does not fall into these categories, it may be wise to reconsider the necessity of using a VPN. Your local ISP (Internet Service Provider) is likely more trustworthy than the ISP associated with a remote VPN server. By using a VPN, you are merely transferring the trust you place in your local ISP to an unknown entity: the ISP utilized by the VPN provider. It is important not to be swayed by the deceptive marketing tactics employed by VPN companies. The true identities, political affiliations, backgrounds, and loyalties of those behind these services often remain shrouded in mystery. In the permissive and open societies of the Western world, it is conceivable that a VPN service could be established by entities with questionable intentions, including state sponsors of terrorism or other hostile actors. Such services could be utilized to gather intelligence, conduct data mining, and track users, posing significant risks to your privacy and security.


  • Go passwordless with your Microsoft account and use Windows Hello authentication. In a Microsoft account that has the Outlook service, you can create up to 10 Email aliases in addition to the 1 Email address you got when you created your Microsoft account; that means without creating a new account, you can have 11 Email addresses, all of which use the same inbox and account. You can specify which of those Email aliases can be used to sign into your account in the sign-in preferences of your Microsoft account settings. So for example, when going passwordless, if you need to you can give one of your Email aliases to others for communication or add it to a public profile of yours, then block sign-in using that Email alias so nobody can send you authenticator notifications by entering that Email alias on the sign-in page, and use the other 10 aliases that are private to sign into your Microsoft account with peace of mind. You can create a rule in Outlook so that all of the Emails sent to your public Email alias are stored in a different folder, apart from your other inbox emails. All of this can be done using a free Microsoft account and the Outlook web app.

  • Set a strong password for the UEFI firmware of your device so that it asks for the password before allowing any changes to be made to the firmware. You can also configure the password to be required on startup.

  • Use NTFS (the default filesystem in Windows) or ReFS (Resilient File System, newer). In addition to all their other benefits, they support Mark Of The Web (MOTW), also known as the zone.identifier. When a file is downloaded to a device running Windows, Mark of the Web is added to the file, identifying its source as being from the internet. You can read all the information about it here. If your USB flash drive is formatted as FAT32, change it to NTFS, because FAT32 does not keep the MOTW of files. If the file you are downloading is compressed in .zip format, make sure you open/extract it using the Windows built-in support for .zip files, because it keeps the MOTW of the files. If the compressed file you downloaded is in another format such as .7z or .rar, make sure you use an archive program that supports keeping the Mark of the Web of files after extraction. One such program is NanaZip, a fork of 7-Zip available in the Microsoft Store and on GitHub; compared to 7-Zip it has a better, modern GUI, and the application is digitally signed. After installation, open it, navigate to Tools at the top, select Options, and set Propagate zone.id stream to Yes. You can use this PowerShell command to see all the Zone Identifier information of a file you downloaded from the Internet:

```powershell
Get-Content <Path-To-File> -Stream Zone.Identifier
```

  • When using Xbox, make sure you configure the sign-in preference and set it to either Ask for my PIN or Lock it down. The latter is the most secure, since it requires authentication using the Microsoft Authenticator app. Ask for my PIN is recommended for most people because it only requires a PIN to be entered using the controller.

  • A few reminders about open source programs:

    • Unless you are a skilled programmer who can understand and verify every line of code in the source, and spends time to personally build the software from the source, and repeats all the aforementioned tasks for each subsequent version, then seeing the source code won't have any effect on you because you aren't able to understand nor verify it.

    • Do not assume that the entire Open Source community audits and verifies every line of code just because the source code is available, as we've seen in the XZ utility's backdoor by state sponsored actors, they can have backdoors implanted in them in broad daylight and nobody might notice it for a long time.

    • The majority of open source programs are unsigned, meaning they don't have a digital signature; their developers haven't bought and used a code signing certificate to sign their program. Among other problems, this might pose a danger to end-users by making it harder to establish trust for those programs in security solutions such as Application Control or App Whitelisting, and it makes it hard to authenticate them. Read Microsoft's Introduction to Code Signing. Use Azure Trusted Signing, which is affordable.


  • Use a Microsoft account (MSA) or Microsoft Entra ID to sign into Windows. Never use local administrators. Real security is achieved when there is no local administrator and identities are managed using Entra ID. You will then be able to enforce Multi-factor unlock, for example PIN + Fingerprint or PIN + Facial recognition, to unlock your device.

  • Enable Random Hardware Addresses in Windows Settings -> Network & Internet -> Wi-Fi. Currently, there is no Group Policy or associated registry key to automatically turn it on, which is why it is mentioned here in the security recommendations section. It has various security and privacy benefits: your device cannot be uniquely identified by its hardware MAC address, and the routers you connect to cannot uniquely identify you. You can set it to change daily in your Wi-Fi network adapter's settings in Windows Settings for even more benefits.

  • More Security Recommendations coming soon...
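To go beyond the single Get-Content command in the NTFS/ReFS recommendation above, here is an added PowerShell example (not code from this repository) that reports the Mark of the Web of every file in a folder, decodes the ZoneId, and warns when the volume is not NTFS or ReFS, since FAT32 or exFAT silently drop the Zone.Identifier stream. The only assumption is the folder path, which defaults to the current user's Downloads folder.

```powershell
# Added example, not part of the Harden-Windows-Security repository.
# Reports the Mark of the Web (Zone.Identifier alternate data stream) of files in a folder.
# Assumes only that $Path exists; defaults to the current user's Downloads folder.

function Get-MotwReport {
    [CmdletBinding()]
    param(
        [string]$Path = (Join-Path $env:USERPROFILE 'Downloads')
    )

    # Zone.Identifier is an NTFS/ReFS alternate data stream. FAT32 and exFAT cannot
    # store it, so copying a downloaded file onto such a volume strips the MOTW silently.
    $root   = [System.IO.Path]::GetPathRoot((Resolve-Path -LiteralPath $Path).Path)
    $format = ([System.IO.DriveInfo]::new($root)).DriveFormat
    if ($format -notin @('NTFS', 'ReFS')) {
        Write-Warning "Volume $root is $format; Mark of the Web is not preserved on this filesystem."
    }

    # ZoneId values follow the URLZONE enumeration.
    $zoneNames = @{ 0 = 'LocalMachine'; 1 = 'Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }

    Get-ChildItem -LiteralPath $Path -File | ForEach-Object {
        $file = $_
        # A file without MOTW has no Zone.Identifier stream at all; suppress that error.
        $content = Get-Content -LiteralPath $file.FullName -Stream 'Zone.Identifier' -Raw -ErrorAction SilentlyContinue
        if ([string]::IsNullOrEmpty($content)) {
            [pscustomobject]@{ File = $file.Name; HasMotw = $false; Zone = $null; HostUrl = $null }
            return
        }
        # The stream body is INI-like, for example (constructed sample):
        #   [ZoneTransfer]
        #   ZoneId=3
        #   ReferrerUrl=https://example.invalid/
        #   HostUrl=https://example.invalid/setup.exe
        $zoneId  = if ($content -match '(?m)^ZoneId=(\d+)')  { [int]$Matches[1] } else { $null }
        $hostUrl = if ($content -match '(?m)^HostUrl=(.+)$') { $Matches[1].Trim() } else { $null }
        [pscustomobject]@{
            File    = $file.Name
            HasMotw = $true
            Zone    = if ($null -ne $zoneId) { "$zoneId ($($zoneNames[$zoneId]))" } else { 'unknown' }
            HostUrl = $hostUrl
        }
    }
}

# Usage: list every file in Downloads that carries the Internet zone (ZoneId 3).
Get-MotwReport | Where-Object { $_.Zone -like '3 *' } | Format-Table -AutoSize
```

Files reported with HasMotw = $false on an NTFS volume either came from a local source or have had the stream removed, for example by an archiver that does not propagate zone.id or by a trip through a FAT32 drive.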



Resources



Roadmap

The Harden Windows Security Repository Roadmap




License

Using the MIT License. Free information without any paywall or things of that nature. The only mission of this GitHub repository is to give all Windows users accurate, up-to-date and correct facts and information about how to stay secure and safe in dangerous environments, and to stay not one, but many steps ahead of threat actors.





Donations

If you would like to support my work financially, your generosity is greatly appreciated. You can donate using any of the following methods and then let me know via DM on X or Discord or Teams/Email via spynetgirl@outlook.com so I can thank you personally. xo

Your support helps me continue to create and maintain this project. You can also use donations to request special or extraordinary features.

Bitcoin

  • Wallet address for BTC: bc1qa948wr4mg2qkx2us5g8rv5ca75ppyy2ngl8k4e

Bitcoin Cash

  • Wallet address for BCH: qrrj03927q90z4wg4nu2e3nf4y3qnun2ku7muv8rvm

Ethereum

  • Wallet address for ETH: 0xF784a3D4F9A7CC5c26d69de41D7dD6480112114D

BSC (Binance Smart Chain - Coin)

  • Wallet address for BSC: 0xF784a3D4F9A7CC5c26d69de41D7dD6480112114D
