Merge pull request #37 from Harvester57/defender-sandboxing

Harvester57 · web-flow · commit b823d483a621 · 2024-12-08T23:47:08.000+01:00
Add Defender sandboxing policy
diff --git a/AdditionalHardening.admx b/AdditionalHardening.admx
@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!--
 Author: Florian Stosse <florian.stosse@gmail.com>
-Version: 1.1
+Version: 1.1.1
 Date: 2024-12-08
 -->
 <policyDefinitions xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
diff --git a/AdditionalSystemHardening.admx b/AdditionalSystemHardening.admx
@@ -137,16 +137,12 @@
             <enabledList defaultKey="Software\Microsoft\Cryptography\Wintrust\Config">
                 <item valueName="EnableCertPaddingCheck">
                     <value>
-                        <string>
-                            1
-                        </string>
+                        <string>1</string>
                     </value>
                 </item>
                 <item key="Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config" valueName="EnableCertPaddingCheck">
                     <value>
-                        <string>
-                            1
-                        </string>
+                        <string>1</string>
                     </value>
                 </item>
             </enabledList>
@@ -200,14 +196,10 @@
             <parentCategory ref="System" />
             <supportedOn ref="windows:SUPPORTED_Windows_6_3" />
             <enabledValue>
-                <string>
-                    4
-                </string>
+                <string>4</string>
             </enabledValue>
             <disabledValue>
-                <string>
-                    0
-                </string>
+                <string>0</string>
             </disabledValue>
         </policy>
         <policy name="LoadAppInit_DLLs" class="Machine" displayName="$(string.LoadAppInit_DLLs)" explainText="$(string.LoadAppInit_DLLs_Explain)" key="Software\Microsoft\Windows NT\CurrentVersion\Windows" valueName="LoadAppInit_DLLs">
@@ -339,9 +331,7 @@
                 </enum>
                 <boolean id="HyperVMitigations" key="SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization" valueName="MinVmVersionForCpuBasedMitigations">
                     <trueValue>
-                        <string>
-                            1.0
-                        </string>
+                        <string>1.0</string>
                     </trueValue>
                     <falseValue>
                         <delete />
@@ -412,9 +402,7 @@
             <enabledList defaultKey="SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon">
                 <item valueName="CachedLogonsCount">
                     <value>
-                        <string>
-                            2
-                        </string>
+                        <string>2</string>
                     </value>
                 </item>
                 <item key="SYSTEM\CurrentControlSet\Control\Lsa" valueName="TokenLeakDetectDelaySecs">
@@ -531,5 +519,15 @@
                 <decimal value="0" />
             </disabledValue>
         </policy>
+        <policy name="DefenderSandboxing" class="Machine" displayName="$(string.DefenderSandboxing)" explainText="$(string.DefenderSandboxing_Explain)" key="SYSTEM\CurrentControlSet\Control\Session Manager\Environment" valueName="MP_FORCE_USE_SANDBOX">
+            <parentCategory ref="System" />
+            <supportedOn ref="windows:SUPPORTED_Windows_6_3" />
+            <enabledValue>
+                <string>1</string>
+            </enabledValue>
+            <disabledValue>
+                <string>0</string>
+            </disabledValue>
+        </policy>
     </policies>
 </policyDefinitions>
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,12 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
+## [v1.1.1] - 2024-12-08
+### Added
+- New policy to enable or disable the Windows Defender sandbox
+### Fixed
+- Indentation value for REG_SZ-based policies
+
 ## [v1.1] - 2024-12-08
 ### Changed
 - Major refactoring of the codebase
diff --git a/en-US/AdditionalSystemHardening.adml b/en-US/AdditionalSystemHardening.adml
@@ -84,11 +84,11 @@ Disabling this policy will explicitly disable the ASLR mechanism.</string>
                   <string id="User32_Exception">Additional registry fix for CVE-2015-6161</string>
                   <string id="User32_Exception_Explain">Enable this policy to change the registry value FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING to 1.
 
-This modification is necessary to fully fix an ASLR bypass vulnerability (CVE-2015-6161). For more informations, refer to the MS15-124 security bulletin (https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2015/ms15-124).</string>
+This modification is necessary to fully fix an ASLR bypass vulnerability (CVE-2015-6161). For more information, refer to the MS15-124 security bulletin (https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2015/ms15-124).</string>
                   <string id="Info_Disclosure">Additional registry fix for CVE-2017-8529</string>
                   <string id="Info_Disclosure_Explain">Enable this policy to change the registry value FEATURE_ENABLE_PRINT_INFO_DISCLOSURE_FIX to 1.
 
-This modification is necessary to fully fix an information disclosure vulnerability in Microsoft browsers (CVE-2017-8529). For more informations, refer to the related security update guide (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8529).</string>
+This modification is necessary to fully fix an information disclosure vulnerability in Microsoft browsers (CVE-2017-8529). For more information, refer to the related security update guide (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8529).</string>
                   <string id="MSCacheV2_Iteration">Number of PBKDF2 iterations for cached logons credentials hashing</string>
                   <string id="MSCacheV2_Iteration_Explain">For domains logons, if credentials caching is enabled, credentials are stored as MSCacheV2 hashes, dervided using the PBKDF2-SHA1 hashing algorithm.
 
@@ -101,7 +101,7 @@ The recommended value depends on the target environment, the CPU power available
 
 When the policy is enabled, the default value configured is 1954 (2 000 896 rounds). This is the recommended value (at the time of December 2022) for the PBKDF2-HMAC-SHA1 algorithm, considering the compute power of a RTX 4090 GPU in a offline bruteforce attack model.
 
-More informations:
+More information:
 - https://tobtu.com/minimum-password-settings/
 - https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2</string>
                   <string id="PSLockDownPolicy">Enable PowerShell Constrained Language Mode</string>
@@ -167,7 +167,7 @@ It is recommended to use the default behavior and let the Sudo command open a ne
 
 Mandatory mode is a new functionnality introduced to prevent the Windows Downdate attack (and other related dowgrading attacks) by forcing the verification of the components of the Secure Kernel and the hypervisor at boot time. Consequently, enabling this functionnality can lead to boot failure (and a denial of service) in case of a modification of a core component of Secure Kernel, hypervisor or a related dependant module.
 
-NOTE: if you already have Virtualization-Based Security enabled with UEFI Lock, this setting will not do anything, as the VBS configuration is already written and locked in a UEFI variable. This variable needs to be deleted using the bcdedit.exe tool before deploying the Mandatory flag and the UEFI Lock. Guidance and more informations about this procedure are available here:
+NOTE: if you already have Virtualization-Based Security enabled with UEFI Lock, this setting will not do anything, as the VBS configuration is already written and locked in a UEFI variable. This variable needs to be deleted using the bcdedit.exe tool before deploying the Mandatory flag and the UEFI Lock. Guidance and more information about this procedure are available here:
 
 https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/configure?tabs=reg#disable-virtualization-based-security
 
@@ -182,6 +182,12 @@ Disabling this policy will disable the verification of the components, only if t
 If you enable this setting, co-installers execution will be prevented, and additional configuration software for specific devices (mouses, gaming keyboards, etc) must be downloaded and manually installed from the manufacturer website.
 
 If you disable this setting, co-installers execution will be permitted, which is a significant security risk (potentially dangerous code execution).</string>
+                  <string id="DefenderSandboxing">Enable Windows Defender sandbox</string>
+                  <string id="DefenderSandboxing_Explain">This policy enables the sandbox (content process) for the main process of Windows Defender.
+                  
+The new content processes, which run with low privileges, aggressively leverage all available mitigation policies to reduce the attack surface. They enable and prevent runtime changes for modern exploit mitigation techniques such as Data Execution Prevention (DEP), Address space layout randomization (ASLR), and Control Flow Guard (CFG). They also disable Win32K system calls and all extensibility points, as well as enforce that only signed and trusted code is loaded.
+
+More information: https://www.microsoft.com/en-us/security/blog/2018/10/26/windows-defender-antivirus-can-now-run-in-a-sandbox/</string>
             </stringTable>
             <presentationTable>
                   <presentation id="MSCacheV2_Iteration">
diff --git a/fr-FR/AdditionalSystemHardening.adml b/fr-FR/AdditionalSystemHardening.adml
@@ -184,6 +184,10 @@ Désactiver cette politique désactivera le mode Obligatoire, seulement si le ve
 Si vous activez ce paramètre, l'exécution des co-installeurs sera bloquée. Pour certains périphériques spécifiques (claviers paramétrables, cartes graphiques, etc), il sera nécessaire d'installer manuellement le logiciel de contrôle à partir du site du fabricant.
 
 Si vous désactivez ce paramètre, l'exécution es co-installeurs sera autorisée, ce qui pose un risque de sécurité important (exécution de code non maîtrisé sur le système).</string>
+                  <string id="DefenderSandboxing">Activer le bac à sable de Windows Defender</string>
+                  <string id="DefenderSandboxing_Explain">Cette politique permet d'activer le bac à sable pour le processus principal de Windows Defender, permettant à celui-ci d'appliquer des durcissements modernes au processus (ALSR, CFG, DEP, signature du code chargé, ...)
+
+Plus d'informations : https://www.microsoft.com/en-us/security/blog/2018/10/26/windows-defender-antivirus-can-now-run-in-a-sandbox/</string>
             </stringTable>
             <presentationTable>
                   <presentation id="MSCacheV2_Iteration">
