GitHub: HotCakeX/Harden-Windows-Security, release WDACConfigv0.3.4
WDACConfig module update v0.3.4

What's Changed

Threat Model Upgrade

Some paths on a Windows system are writable by any user, while writing to others requires Administrator-level privileges. A non-elevated process can read the protected paths, but it cannot modify the files in them. Based on this, the WDACConfig module has been moved to the protected paths.

Install Directory

If the WDACConfig module is installed under the user's Documents folder, which is where Install-Module places it by default (the CurrentUser scope), a malicious program running as that user, without any elevated privileges, could modify the module's files and interfere with its functionality.

Therefore, it is strongly advised to install it with the AllUsers scope (this requires an elevated PowerShell session)

Install-Module -name 'WDACConfig' -Scope AllUsers

This places the module in the following directory, which only processes running with Administrator privileges can write to

C:\Program Files\PowerShell\Modules\WDACConfig

When the module auto-updates, the new version is installed in that same path.

User Configurations Directory

Previously, the WDACConfig module saved user configurations in the following path

C:\Users\UserName\.WDACConfig\UserConfigurations.json

This directory lives inside the user profile, so any process running as that user, elevated or not, can modify its files. Therefore, the WDACConfig module has been upgraded to save user configurations in the following path, which only Administrators can write to

C:\Program Files\WDACConfig\UserConfigurations\UserConfigurations.json

Note

In this release, the module automatically moves the user configuration file from the old location to the new one if no file already exists in the new location. This migration is temporary, added only to smooth the transition, and will be removed in the next version.

Staging Areas

The module now uses a staging area that only Administrators can write to, located in

C:\Program Files\WDACConfig\StagingArea

for all of its operations, including but not limited to creating, modifying, signing, generating, removing, and simulating WDAC policies. The directory is cleaned up after each operation unless the -Debug parameter is used with a cmdlet that supports it. No file operation is performed outside of this area.
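As an added example (this is not code from the WDACConfig project), the following PowerShell checks the claims of this section from the attacker's perspective: run it in a non-elevated session and it lists every installed copy of the module plus the old and new configuration directories and the staging area, then flags any of them that a standard-user process could write to. The function names are hypothetical. The ACL evaluation is an approximation (Deny ACEs and nested group membership are not resolved, and no write is attempted), so treat a clean result as supporting evidence rather than proof.

```powershell
# Added example (not part of the WDACConfig module): verify which of the
# module's locations a non-elevated process could modify. Function names
# are hypothetical.

function Test-StandardUserWritable {
    # Returns $true if any Allow ACE on $Path grants file-creation, file-write or
    # delete rights to a principal that a non-elevated process running as the
    # current user would carry. Deny ACEs are ignored (approximation).
    [OutputType([bool])]
    param([Parameter(Mandatory)][string]$Path)

    # Principals every non-elevated process of the logged-on user holds.
    $standardPrincipals = @(
        'Everyone',
        'BUILTIN\Users',
        'NT AUTHORITY\Authenticated Users',
        'NT AUTHORITY\INTERACTIVE',
        "$env:USERDOMAIN\$env:USERNAME"
    )

    # Specific rights that let a caller add, alter or remove content in a directory.
    $fsr = [System.Security.AccessControl.FileSystemRights]
    $writeMask = [int]($fsr::CreateFiles -bor $fsr::CreateDirectories -bor
                       $fsr::Delete -bor $fsr::DeleteSubdirectoriesAndFiles)
    # Some ACEs carry generic rights (GENERIC_ALL = 0x10000000, GENERIC_WRITE = 0x40000000),
    # which Get-Acl surfaces as raw numbers that the specific bits above do not match.
    $genericWriteMask = 0x10000000 -bor 0x40000000
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        # Inherit-only ACEs apply to children, not to writes into this directory itself.
        if (([int]$ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }
        if ($standardPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        $rights = [int]$ace.FileSystemRights
        if ((($rights -band $writeMask) -ne 0) -or (($rights -band $genericWriteMask) -ne 0)) { return $true }
    }
    return $false
}

function Get-WdacConfigLocationReport {
    # Collects every installed copy of the module plus the configuration and
    # staging directories named in this release, and classifies each one.
    $locations = [ordered]@{}
    $i = 0
    foreach ($m in Get-Module -ListAvailable -Name WDACConfig) {
        $i++
        $locations["Module copy $i (v$($m.Version))"] = $m.ModuleBase
    }
    $locations['Old user config dir'] = Join-Path $env:USERPROFILE '.WDACConfig'
    $locations['New user config dir'] = Join-Path $env:ProgramFiles 'WDACConfig\UserConfigurations'
    $locations['Staging area']        = Join-Path $env:ProgramFiles 'WDACConfig\StagingArea'

    foreach ($entry in $locations.GetEnumerator()) {
        $status = if (-not (Test-Path -LiteralPath $entry.Value -PathType Container)) {
            'not present'
        } elseif (Test-StandardUserWritable -Path $entry.Value) {
            'WRITABLE by a non-elevated process'
        } else {
            'admin-only write'
        }
        [pscustomobject]@{ Item = $entry.Key; Path = $entry.Value; Status = $status }
    }
}

Get-WdacConfigLocationReport | Format-Table -AutoSize
```

A copy of the module reported under the Documents folder is the case the section warns about: uninstall it and reinstall with -Scope AllUsers from an elevated session, then re-run the report.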
 

Other Changes

  • Made WHQLFilePublisher the default value of the -Level parameter, and FilePublisher and Hash the default values of the -Fallback parameter, in all of the cmdlets that support them. This increases security by taking into account the WHQL EKU of any drivers among the scanned files. Read about the comparison of each level in this document.

    • Previously, the default level was FilePublisher and the default fallback was Hash.
  • Added a new parameter called -CipFile to the Test-CiPolicy cmdlet for displaying signer information in the signed .CIP files. This is done because the normal Get-AuthenticodeSignature cmdlet does not reveal a .CIP file's signatures.

  • Enabled OS indicators during WDAC Simulation, this enables Windows Terminal and the taskbar to display little indicators about the progress of the simulation. Also made the progress bar fancier by showing dynamic colors.

  • Improved the speed of WDAC Simulation when calculating the Authenticode file hashes.

  • Added a new parameter called -CSVOutput to the Invoke-WDACSimulation cmdlet; when it is specified, the cmdlet writes the simulation results to a CSV file. Previously the cmdlet always created the CSV output, so users now have control over that behavior.

  • Added a confirmation prompt to the Remove-CommonWDACConfig cmdlet when it is invoked without any additional parameters, because in that mode it deletes all of the saved WDACConfig user configurations. As a relatively high-risk action it is now behind an extra check, which can be bypassed with the familiar -Force parameter.

  • Added file picker GUI to various parameters of the Edit-SignedWDACConfig and Edit-WDACConfig cmdlets.

  • Hardened more variable types.

  • Improved Certificate common name detection by using Windows APIs instead of custom regex patterns.

  • Refined the logic for both Edit-SignedWDACConfig -UpdateBasePolicy and Edit-WDACConfig -UpdateBasePolicy to handle the case where multiple policies with the same name are deployed and the user selects that name.

  • Simplified the parameters of the New-KernelModeWDACConfig cmdlet.

  • Added progress bars to ConvertTo-WDACPolicy.

  • Lots of code optimization and refactoring that led to reduced code base while adding more functionality at the same time. Thanks to @mklement0 for his help with parts of this.
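As an added example for the -CipFile item above (this is not the module's own implementation), the following PowerShell lists the signers of a signed .CIP file by decoding its PKCS #7 SignedData envelope directly. This is the reason Get-AuthenticodeSignature shows nothing for such a file: that cmdlet only understands file types backed by a Subject Interface Package, and a signed policy is a bare PKCS #7 message. It assumes the policy was signed with embedded content, as Microsoft's documented "signtool sign /p7 ..." command produces; the function name is hypothetical.

```powershell
# Added example (not WDACConfig's -CipFile implementation): decode the PKCS #7
# envelope of a signed .CIP file and report each signer. Assumes an
# embedded-content PKCS #7 message as produced by "signtool sign /p7 ...".
function Get-CipFileSigner {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    # Windows PowerShell 5.1 needs System.Security.dll for SignedCms; PowerShell 7 has it loaded.
    if ($PSVersionTable.PSEdition -eq 'Desktop') { Add-Type -AssemblyName System.Security }

    $bytes = [System.IO.File]::ReadAllBytes((Resolve-Path -LiteralPath $Path).ProviderPath)
    $cms = [System.Security.Cryptography.Pkcs.SignedCms]::new()
    try {
        $cms.Decode($bytes)
    } catch {
        # An unsigned .CIP is raw binary policy data, not ASN.1, and fails here.
        throw "'$Path' is not a PKCS #7 signed message (unsigned .CIP?): $($_.Exception.Message)"
    }

    foreach ($signer in $cms.SignerInfos) {
        # Validate the signature bytes only; whether the signer chains to a root
        # you trust is a separate decision (X509Chain / Test-Certificate).
        $signatureValid = $true
        try { $signer.CheckSignature($true) } catch { $signatureValid = $false }

        $cert = $signer.Certificate   # $null if the message omits the signer certificate
        [pscustomobject]@{
            File            = $Path
            # Expected to be 1.3.6.1.4.1.311.79.1 for a policy signed per Microsoft's signtool guidance
            ContentType     = $cms.ContentInfo.ContentType.Value
            Subject         = if ($cert) { $cert.Subject }    else { '<certificate not embedded>' }
            Issuer          = if ($cert) { $cert.Issuer }     else { $null }
            Thumbprint      = if ($cert) { $cert.Thumbprint } else { $null }
            NotAfter        = if ($cert) { $cert.NotAfter }   else { $null }
            DigestAlgorithm = $signer.DigestAlgorithm.FriendlyName
            SignatureValid  = $signatureValid
        }
    }
}

# Usage (path is a placeholder): Get-CipFileSigner -Path 'C:\Path\To\SignedPolicy.cip' | Format-List
```

SignatureValid only says the signature matches the embedded content; before trusting a policy, compare Thumbprint against the certificate you expect in the policy's signer rules and check the chain separately.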


PR: #206

