Description (on RUS)
The program is a script generator with a collection of parameters and recommendations from CIS Benchmarks and DoD STIGs, with some adjustments.
All parameters are stored in databases named after the operating system they apply to.
Parameters were checked and tested against official MS documentation and researchers' opinions.
Scripts are generated in 2 modes: auto and manual.
Each database has min/med/full profiles for its operating system, which correspond to Minimum (only level 3 parameters (CIS lvl 2/STIG lvl 3)), Medium (level 2 & 3 parameters (CIS lvl 1 & 2/STIG lvl 2)) and Full (lvl 1-3 parameters).
For every operating system there are additional profiles that you can generate separately or after generating the general script:
- Windows XP
  - Windows Firewall (ShieldUp mode has separate confirmation)
- Windows Vista
  - Windows Firewall (ShieldUp mode has separate confirmation)
  - Windows Defender
- Windows 7
  - Windows Firewall (ShieldUp mode has separate confirmation)
  - Windows Defender
  - BitLocker
- Windows 8
  - Windows Firewall (ShieldUp mode has separate confirmation)
  - Windows Defender
  - BitLocker
- Windows 8.1
  - Windows Firewall (ShieldUp mode has separate confirmation)
  - Windows Defender
  - BitLocker
- Windows 10
  - Windows Firewall (ShieldUp mode has separate confirmation)
  - Windows Defender
  - BitLocker
  - MS Edge
  - Next Generation Security
- Windows 11
  - Windows Firewall (ShieldUp mode has separate confirmation)
  - Windows Defender
  - BitLocker
  - MS Edge
  - Next Generation Security
Warning
ShieldUp mode blocks all incoming connections, including those in the list of allowed apps setting found in either the Windows Settings app or Control Panel.
In manual mode you can review every parameter together with its description. The description is translated (Google Translate) into the system language if you have an internet connection.
Every generated script includes a command to create a system restore point (if System Restore is disabled, the script will enable it (not for add-ons)).
The applied parameters consist of a secedit template and db, auditpol parameters, PowerShell commands that disable some services, and the parameters from the dbs.
All scripts will be .bat files. I don't like PowerShell syntax :)
All additional files, such as secedit templates and others, are placed in the Templates folder.
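An added Python example, not AHWT's own code, of how the min/med/full level filter and the script contents described above can fit together in a generator. The sample database entries and their level tags are constructed, and the function names and the file names sample.inf and hardening.sdb are assumptions.

```python
# Added illustration, not AHWT's code. Names, level tags and file names are assumptions.
PROFILES = {"min": {3}, "med": {2, 3}, "full": {1, 2, 3}}  # levels as described above

# Constructed sample "database": (level, kind, data). Level tags are illustrative only.
SAMPLE_DB = [
    (3, "reg", (r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa", "LmCompatibilityLevel", 5)),
    (2, "reg", (r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa", "NoLMHash", 1)),
    (1, "reg", (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA", 1)),
    (2, "audit", ("Logon", "enable", "enable")),
    (3, "service", ("RemoteRegistry",)),
]


def render(kind, data):
    """Turn one database entry into a single batch-file line."""
    if kind == "reg":
        key, name, value = data
        return f'reg add "{key}" /v {name} /t REG_DWORD /d {value} /f'
    if kind == "audit":
        sub, ok, fail = data
        return f'auditpol /set /subcategory:"{sub}" /success:{ok} /failure:{fail}'
    if kind == "service":
        return f"powershell -NoProfile -Command \"Set-Service -Name '{data[0]}' -StartupType Disabled\""
    raise ValueError(f"unknown parameter kind: {kind}")


def generate(profile, db=SAMPLE_DB, template="sample.inf"):
    """Build the .bat text for a profile: restore point, secedit, then parameters."""
    levels = PROFILES[profile]  # KeyError on an unknown profile name
    lines = [
        "@echo off",
        "rem Enable System Restore if it is off, then take a restore point",
        "powershell -NoProfile -Command \"Enable-ComputerRestore -Drive 'C:\\'\"",
        "powershell -NoProfile -Command \"Checkpoint-Computer -Description 'pre-hardening' -RestorePointType MODIFY_SETTINGS\"",
        f'secedit /configure /db "%TEMP%\\hardening.sdb" /cfg "{template}" /quiet',
    ]
    lines += [render(kind, data) for level, kind, data in db if level in levels]
    return "\r\n".join(lines) + "\r\n"  # CRLF line endings for cmd.exe


if __name__ == "__main__":
    print(generate("med"))
```

Because each profile is a set of levels, every line of the min script also appears in med, and every line of med in full, so the three outputs can be diffed to see exactly what a stricter profile adds.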
Note
To use the EMET parameters for Windows 7 - 8.1 you need to install EMET 5.52 (the zip file in the release contains it).
- Download files
- Start with python AHWT.py
- Choose OS
- Enter a name for your script
- Choose mode
- Choose the level of hardening
- Add parameters of additional profiles if you need them
- Get the additional files from Templates and place them with the generated script
- Run it on the target PC
Caution
Before applying scripts to a real PC, test your configurations on VMs.
- Enrich DBs with new parameters for every OS
- Optimize code (for now it's shitty code, I know :))
- Add support for third-party software, Server editions and everything that relates to Windows operating systems
- Anything else...
Made with desire to help all Blue Teamers ❤️