Bringing non-compliant items into compliance: Where do I find additional information

[kapad]

Hi there,

I really liked this repository and immediately found use for it.

When I ran the verification for my system, there were some non-compliant items that I had concerns about.

But when I dug into the wiki, the docs and other resources, I couldn't figure out the options that I would need to enable to bring these items into compliance.

I'm primarily concerned about keeping my network very secure to prevent network-based intrusion attacks. With that context, I ran the verification for firewall and networking. While most of the items are in compliance, some of them are not. I have captured the results of the non-compliant items in the attached screenshots.

I'm no windows expert and tried my best to follow the docs to figure out what each line item means, and what I can do to bring them into compliance.

But I could not,

• Figure out which option(s) I should select in the Protect tab to fix these items
• What changes I could make myself to fix them

Further thoughts
Are there any repos/resources that have links to CVEs, etc. for all of the listed items? I think something like this would be very useful for users to better understand the listed items, along with known attack vectors that could be used to exploit existing vulnerabilities.

[HotCakeX]

Well i put everything on the Readme page, properly categorized based on what you see on the GUI. There are links to Microsoft Learn pages for each item.
https://github.com/HotCakeX/Harden-Windows-Security

[HotCakeX]

Figure out which option(s) I should select in the Protect tab to fix these items

It's showing which categories the non-compliant items belong to, so all you have to do is to navigate to the Protect tab, check the boxes for those categories and run them, it will make any non-compliant item in that category compliant.

So based on the screenshots, Firewall and Windows networking are the 2 categories you need to select in the Protect tab.

Btw these are security measures, not tied to any CVE. To better understand each item there are links to related articles and Microsoft Learn pages for each one.

[kapad]

It's showing which categories the non-compliant items belong to, so all you have to do is to navigate to the Protect tab, check the boxes for those categories and run them, it will make any non-compliant item in that category compliant.

So based on the screenshots, Firewall and Windows networking are the 2 categories you need to select in the Protect tab.

They were already checked IIRC. I am on a different system right now, I will add a screenshot of the protect tab when I am back on my Windows machine.

Btw these are security measures, not tied to any CVE. To better understand each item there are links to related articles and Microsoft Learn pages for each one.

Got it. Tbh, I wish the Microsoft learn pages had the information regarding configuration options available along with information that would explain the relationship between one and/or several configuration permutations and the related features they enable along with the related CVE(s) that a system may be exposed to as a result.

And I do see information about the related features that some options enable/disable, it's the second part of the story that's incomplete for me.

Thanks for your response. As mentioned, I will add a screenshot of the protect tab when I am back on my Windows machine.

[HotCakeX]

There are MSRC articles for 1 or 2 items only.
CVEs are almost always fixed directly by Microsoft through Windows Update, if you follow the Windows Update or Microsoft Security accounts on X you'll get notifications for any CVE that is fixed in each Windows Update release. That's a great way to stay informed about them.

• https://x.com/WindowsUpdate
• https://x.com/msftsecresponse
• https://x.com/MsftSecIntel

so as long as your system is up to date, you're good. The security measures in this repository are extra features to further harden the OS against more sophisticated threats, such as vulnerabilities that haven't been found yet. They are proactive rather than reactive.