n0rthl1ght/ahwt

AHWT - another hardening tool for Windows operating systems.

Description (on RUS)

The program is a script generator with a collection of parameters and recommendations from CIS Benchmarks and DoD STIGs, with some adjustments.

All parameters are stored in databases named after the operating systems they apply to.

Parameters were checked and tested against official MS documentation and researchers' opinions.

Scripts are generated in 2 modes: auto and manual.

All databases have min/med/full profiles for each operating system, corresponding to Minimum (only level 3 parameters (CIS lvl 2/STIG lvl 3)), Medium (level 2 & 3 parameters (CIS lvl 1 & 2/STIG lvl 2)) and Full (lvl 1-3 parameters).

Additional profiles were made for every operating system; you can generate them separately or after generating the general script:

  1. Windows XP
    • Windows Firewall (ShieldUp mode has separate confirmation)
    • Internet Explorer (versions 6-8)
  2. Windows Vista
    • Windows Firewall (ShieldUp mode has separate confirmation)
    • Windows Defender
    • Internet Explorer (versions 7-9)
  3. Windows 7
    • Windows Firewall (ShieldUp mode has separate confirmation)
    • Windows Defender
    • BitLocker
    • Internet Explorer (versions 8-11)
  4. Windows 8
    • Windows Firewall (ShieldUp mode has separate confirmation)
    • Windows Defender
    • BitLocker
    • Internet Explorer (versions 10-11)
  5. Windows 8.1
    • Windows Firewall (ShieldUp mode has separate confirmation)
    • Windows Defender
    • BitLocker
    • Internet Explorer (version 11)
  6. Windows 10
    • Windows Firewall (ShieldUp mode has separate confirmation)
    • Windows Defender
    • BitLocker
    • MS Edge
    • Next Generation Security
    • Internet Explorer (version 11)
  7. Windows 11
    • Windows Firewall (ShieldUp mode has separate confirmation)
    • Windows Defender
    • BitLocker
    • MS Edge
    • Next Generation Security
  8. MS Office
    • MS Office 2003
    • MS Office 2007
    • MS Office 2010
    • MS Office 2013
    • MS Office 2016 (including 2019 & 2021)
    • MS Office 365

Warning

ShieldUp mode blocks all incoming connections, including those in the list of allowed apps setting found in either the Windows Settings app or Control Panel.

In manual mode you can check every parameter together with its description. The description will be translated (Google Translate) to the system language if you have an internet connection.

Under the hood

Every generated script has a command to create a system restore point (if it is disabled, the script will enable it (not addons)).

Applying parameters involves a secedit template and db, auditpol parameters, disabling some services with PowerShell, and parameters from the DBs.

All scripts will be .bat files. I don't like Powershell syntax :)

All additional files, such as secedit templates, are placed in the Templates folder.
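
To see what a generated script changed, the batch file below (an added example, not part of AHWT) snapshots the local security policy, audit policy and service start modes before and after a run and prints the differences. The file name snapshot.bat and the ahwt-snapshot folder are assumptions; it needs Windows Vista or later (whoami, auditpol /backup) and an elevated prompt.

```bat
@echo off
rem Added example, not part of AHWT. Run elevated, once with "before" and,
rem after the generated script has been applied, once with "after".
setlocal
set "PHASE=%~1"
if /i not "%PHASE%"=="before" if /i not "%PHASE%"=="after" (
    echo Usage: %~nx0 before^|after
    exit /b 2
)

rem Assumed output folder next to this file; the name is hypothetical.
set "OUT=%~dp0ahwt-snapshot"
if not exist "%OUT%" mkdir "%OUT%"

rem S-1-16-12288 is the High Mandatory Level SID, present only in an elevated token.
whoami /groups | find "S-1-16-12288" >nul
if errorlevel 1 (
    echo Run this from an elevated command prompt.
    exit /b 1
)

rem Local security policy: the area a secedit template and db modify.
secedit /export /cfg "%OUT%\secpol-%PHASE%.inf" /quiet
if errorlevel 1 (
    echo secedit export failed.
    exit /b 1
)

rem Audit policy, saved in the CSV format that auditpol /restore reads.
auditpol /backup /file:"%OUT%\auditpol-%PHASE%.csv" >nul
if errorlevel 1 (
    echo auditpol backup failed.
    exit /b 1
)

rem Service start modes, to catch services the hardening script disables.
powershell -NoProfile -Command "Get-WmiObject Win32_Service | Sort-Object Name | Select-Object Name,StartMode | Export-Csv -NoTypeInformation -Path '%OUT%\services-%PHASE%.csv'"
if errorlevel 1 (
    echo service export failed.
    exit /b 1
)

if /i "%PHASE%"=="before" exit /b 0

rem secedit writes UTF-16, so that comparison needs fc /U.
echo === Security policy ===
fc /U "%OUT%\secpol-before.inf" "%OUT%\secpol-after.inf"
echo === Audit policy ===
fc "%OUT%\auditpol-before.csv" "%OUT%\auditpol-after.csv"
echo === Service start modes ===
fc "%OUT%\services-before.csv" "%OUT%\services-after.csv"
exit /b 0
```

The saved files can be reapplied with auditpol /restore /file: and secedit /configure /db ... /cfg pointing at secpol-before.inf. Registry parameters are not captured here, so the restore point remains the fallback for those.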

Note

To use EMET parameters for Windows 7 - 8.1 you need to install EMET 5.52 (the zip file in the release contains it).

MS Office 2016 parameters are used by the 2019 & 2021 versions. If you have 2019 or 2021, just use the Office 2016 hardening.

Usage

  1. Download files

  2. Start with python AHWT.py

  3. Choose OS

  4. Enter a name for your script

  5. Choose mode

  6. Choose the level of hardening

  7. Add parameters of additional profiles if you need them

  8. Get the additional files from Templates and place them with the generated script

  9. Run it on the target PC

Caution

Before applying scripts on a real PC, test your configurations on VMs.

Feel free to post any issues

Roadmap

  • Enrich DBs with new parameters for every OS
  • Optimize code (for now it's shitty code, I know :))
  • Add support for third party software, Server editions and everything that relates to Windows operating systems
  • Anything else...

Made with desire to help all Blue Teamers ❤️