Harden Windows Safely, Securely using Official Supported Microsoft methods and proper explanation | Always up-to-date and works with the latest build of Windows | Provides tools and Guides for Personal, Enterprise, Government and Military security levels | SLSA Level 3 Compliant for Secure Development and Build Process | Apps Available on MS Store✨

<div align="center">

<img src="https://raw.githubusercontent.com/HotCakeX/.github/ada341c67b0c94ff71f846e5e90d2f1366eddde7/Pictures/Gifs/butterfly1-mirrored.gif">![Big Yummy Donut](https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/dripwelcome1.gif)![Big Yummy Donut](https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/donuts.gif)![Big Yummy Donut](https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/dripwelcome2.gif)<img src="https://raw.githubusercontent.com/HotCakeX/.github/f69eeab3a49cf90a40e98ca50630d5615ee379c8/Pictures/Gifs/butterfly1.gif">

# Harden Windows Security | A New Threat to Malware

<a name="readme-top"></a>

## Harden Windows Safely, Securely, Only With Official Microsoft Methods

</div>

<div align="center">

<a href="https://apps.microsoft.com/detail/9P7GGFL7DX57"><img src="https://raw.githubusercontent.com/HotCakeX/.github/12a994d0fd231bc9fd0104decece5851179910c0/Pictures/SVG/Badges/HardenSystemSecurityInstallBadge.svg" alt="Microsoft Store page of Harden System Security App"></a> <img src="https://raw.githubusercontent.com/HotCakeX/.github/102a789ed8d91dad3bad1eed72bb5f7fe7d72689/Pictures/Gifs/snowsgiving2phibiscarf-mid.gif" width="25" alt="Link"> <a href="https://apps.microsoft.com/detail/9PNG1JDDTGP8"><img src="https://raw.githubusercontent.com/HotCakeX/.github/refs/heads/main/Pictures/SVG/AppControl%20Manager%20Install.svg" alt="AppControl Manager Install"></a>

</div>

<h6 align="center">
<a 
href="https://x.com/intent/post?text=Harden+Windows+Security+%7C+Suitable+for+all+security+levels+and+requirements&hashtags=Windows%2CCyberSecurity&url=https%3A%2F%2Fgithub.com%2FHotCakeX%2FHarden-Windows-Security"><img src="https://raw.githubusercontent.com/HotCakeX/.github/7f64c27fdd600175e29ebad839e81a6ec8deb85c/Pictures/SVG/Share%20it%20on%20X.svg" alt="X Share button"></a> <a href="https://dotnet.microsoft.com/en-us/download"><img src="https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/SVG/Badges/.NET9.svg" alt=".NET Badge"></a> <a href="https://visualstudio.microsoft.com/"><img src="https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/SVG/Badges/VisualStudio.svg" alt="Visual Studio Badge"></a> </h6> <p align="center"> <a href="#how-to-use">How To Use</a> <img src="https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/cool-colours.gif" width="12" alt="rotating colorful thing"> <a href="#related">Related</a> <img src="https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/cool-colours.gif" width="12" alt="rotating colorful thing"> <a href="#Trust">Trust</a> <img src="https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/cool-colours.gif" width="12" alt="rotating colorful thing"> <a href="#support">Support</a> <img src="https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/cool-colours.gif" width="12" alt="rotating colorful thing"> <a href="#security-recommendations">Security Recommendations</a> <img src="https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/cool-colours.gif" width="12" alt="rotating colorful thing"> <a href="#resources">Resources</a> <img src="https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/cool-colours.gif" width="12" alt="rotating colorful thing"> <a href="#license">License</a> <img src="https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/cool-colours.gif" width="12" alt="rotating colorful thing"> <a 
href="https://github.com/HotCakeX/Harden-Windows-Security/wiki"><b>Wiki</b></a> <img src="https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/cool-colours.gif" width="12" alt="rotating colorful thing"> <a href="https://github.com/HotCakeX/Harden-Windows-Security/wiki/Answers-to-the-Basic-Frequently-Asked-Questions">Basic FAQs</a> <img src="https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/cool-colours.gif" width="12" alt="rotating colorful thing"> <a href="#roadmap">Roadmap</a> <img src="https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/cool-colours.gif" width="12" alt="rotating colorful thing"> <a href="https://github.com/HotCakeX/Harden-Windows-Security?tab=readme-ov-file#donations-"><b>Donation</b> </a> <img src="https://raw.githubusercontent.com/HotCakeX/.github/ca9d59d8d94e2f9da4a5f58ed875af22cfd2bd92/Pictures/Gifs/stellawave.gif" width="20"/> </p> <img src="https://raw.githubusercontent.com/HotCakeX/.github/febfcc2b3be66ef0d5ecd74694157622a7fde865/Pictures/SVG/SVG%20line%20wave%20yellow%20pink%20inverted.svg" width= "300000" alt="horizontal super thin rainbow RGB line"> > [!IMPORTANT]\ > Here are Quick Access Points to Important Sections of this Repository > > ### <img width="50" src="https://raw.githubusercontent.com/HotCakeX/.github/fd897133c4242294c5b1bf0d9d05fd2b4de88def/Pictures/Gifs/blue-butterfly-holo.gif"/> <a href="https://github.com/HotCakeX/Harden-Windows-Security/wiki/Harden-System-Security"> Harden System Security App </a> > > ### <img width="50" src="https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/colorful-heart.gif" alt="Indicator for the AppControl Manager"> <a href="https://github.com/HotCakeX/Harden-Windows-Security/wiki/AppControl-Manager"> AppControl Manager App </a> > > ### <img width="50" src="https://raw.githubusercontent.com/HotCakeX/.github/d183697c48d9e53e0cc6a2e075d296f2aab8cad5/Pictures/Gifs/diamond1.gif" alt="Indicator for App Control for Business 
Resources"> <a href="https://github.com/HotCakeX/Harden-Windows-Security/wiki/Introduction"> Application Control for Business Resources </a> > <img src="https://raw.githubusercontent.com/HotCakeX/.github/febfcc2b3be66ef0d5ecd74694157622a7fde865/Pictures/SVG/SVG%20line%20wave%20yellow%20pink.svg" width= "300000" alt="horizontal super thin rainbow RGB line"> <br> > [!NOTE]\ > This repository only uses the features that have already been implemented by Microsoft in Windows OS to fine-tune it towards the highest security and locked-down state, without relying on any 3rd party component or dependency, using well-documented, supported, recommended and official methods. Continue reading for comprehensive info. <br> ## How To Use<a href="#how-to-use">![HowToUseIcon](https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/HowToUse.png)</a> ### <img width="35" src="https://raw.githubusercontent.com/HotCakeX/.github/9b2e88aad5ba54000a24c904e1f473b039202691/Pictures/Harden%20System%20Security%20Icons/ICON-SVG-SIMPLIFIED.svg" alt="GitHub logo pink SVG"> [Install the Harden System Security From the Microsoft Store](https://apps.microsoft.com/detail/9p7ggfl7dx57) <a href="https://apps.microsoft.com/detail/9p7ggfl7dx57?referrer=appbadge&mode=direct"> <img src="https://get.microsoft.com/images/en-us%20dark.svg" width="300"/> </a> * [**Documentation**](https://github.com/HotCakeX/Harden-Windows-Security/wiki/Harden-System-Security) <img src="https://raw.githubusercontent.com/HotCakeX/.github/80b9f4d1083835cee57f8fc83dd160f06c32c4fa/Pictures/Gifs/foxtailwag.gif" width="20"> <br> <div align="center"> <img src="https://raw.githubusercontent.com/HotCakeX/.github/e98e3a322d2bd04b6a77e2cd4d2d8909d0eb6af0/Pictures/Gifs/HardenWindowsSecurityApp.gif" width="750" alt="Harden System Security App Demo"> </div> <br> <img src="https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Gifs/1pxRainbowLine.gif" width= "300000" alt="horizontal super thin rainbow RGB 
line">

<br>

### <img width="35" src="https://raw.githubusercontent.com/HotCakeX/.github/65086755cd831ab6bbb4eddf10b7b716cee12a48/Pictures/AppControl%20Manager%20Icons/Icon%20smaller.png" alt="GitHub logo pink SVG"> [Install the AppControl Manager From Microsoft Store](https://apps.microsoft.com/detail/9PNG1JDDTGP8)

<a href="https://apps.microsoft.com/detail/9png1jddtgp8?mode=direct">
<img src="https://get.microsoft.com/images/en-us%20dark.svg" width="300" alt="install AppControl Manager from Microsoft Store"/>
</a>

* [**YouTube demo**](https://www.youtube.com/watch?v=SzMs13n7elE)
* [**Documentation**](https://github.com/HotCakeX/Harden-Windows-Security/wiki/AppControl-Manager) <img src="https://raw.githubusercontent.com/HotCakeX/.github/80b9f4d1083835cee57f8fc83dd160f06c32c4fa/Pictures/Gifs/foxtailwag.gif" width="20">

<br>

<div align="center">
<img src="https://raw.githubusercontent.com/HotCakeX/.github/refs/heads/main/Pictures/APNGs/AppControl%20Manager%20Readme.apng" alt="AppControl Manager app">
</div>

<br>

<p align="right"><a href="#readme-top">💡 (back to top)</a></p>

<br>

<img src="https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Gifs/1pxRainbowLine.gif" width= "300000" alt="horizontal super thin rainbow RGB line">

<br>

## <img width="40" src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/PNGs/585563111520600091.png" alt="Emoji of a Windows eating booboo"> Rationale

𝐖𝐞𝐥𝐜𝐨𝐦𝐞 to the 𝙷𝚊𝚛𝚍𝚎𝚗 𝚆𝚒𝚗𝚍𝚘𝚠𝚜 𝚂𝚎𝚌𝚞𝚛𝚒𝚝𝚢 𝚁𝚎𝚙𝚘𝚜𝚒𝚝𝚘𝚛𝚢 <img src="https://raw.githubusercontent.com/HotCakeX/.github/156e28e9a7e7504b7e1d34491fe8ce114bd34af5/Pictures/Gifs/sparklinglollis.gif" width="40">

This section provides the justification and objective of this GitHub repository and its contents. It outlines how it addresses various threats and how to adjust your expectations for different scenarios and environments.
It also supplies lots of useful additional resources.

This repository currently has 2 ***main*** products. <img width="30" src="https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/animebop.gif" alt="head shaking girl">

1. [**The Harden System Security App**](https://github.com/HotCakeX/Harden-Windows-Security/wiki/Harden-System-Security)
2. [**The AppControl Manager**](https://github.com/HotCakeX/Harden-Windows-Security/wiki/AppControl-Manager)

<br>

Let's explore each of them in detail below.

<br>

## <img width="40" src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/PNGs/Windows365.png" alt="Windows modern logo"> Harden System Security App

Use the [Harden System Security app](https://github.com/HotCakeX/Harden-Windows-Security/wiki/Harden-System-Security) to secure your personal and enterprise devices against the majority of advanced threats. The app is suitable for everyone.

If you are a personal user, you can use the Harden System Security app to harden your Operating System, remove unnecessary features or apps and gain advanced visibility into the security structure of your system.

If you are an enterprise user or admin, you can use the [provided Intune security policies](https://github.com/HotCakeX/Harden-Windows-Security/wiki/Intune-%7C-Harden-System-Security) and apply them to all of your workstations using the Harden System Security app. You can then use the app to verify the compliance of the workstations against the applied policies and receive a security score.

It uses the same security features built into your device and Windows operating system to fine-tune it towards the highest security and locked-down state. It does not install any outside components and does not increase your attack surface at all.
Let's take a look at the infographics below:

<br>

<img src="https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Only%20a%20Small%20Portion%20of%20The%20Windows%20OS%20Security%20Apparatus/Smaller%20version.png" alt="Only a Small Portion of The Windows OS Security Apparatus">

> [*More Info About This Map*](https://github.com/HotCakeX/Harden-Windows-Security/wiki/Only-a-Small-Portion-of-The-Windows-OS-Security-Apparatus)

<br>

<br>

<p align="center"><img src="https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/PNG%20and%20JPG/SecurityBenchmarksComparisonChart.png" alt="Infographic of comparison of security benchmarks"></p>

> [*The reasoning behind the infographic above*](https://github.com/HotCakeX/Harden-Windows-Security/wiki/Comparison-of-security-benchmarks)

<br>

<p align="right"><a href="#readme-top">💡 (back to top)</a></p>

<br>

## <img width="40" src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/PNGs/Windows11.png" alt="Modern Windows 11 logo"> AppControl Manager

[AppControl Manager](https://github.com/HotCakeX/Harden-Windows-Security/wiki/AppControl-Manager) is a secure [open-source](https://github.com/HotCakeX/Harden-Windows-Security/tree/main/AppControl%20Manager) Windows application designed to help you easily configure Application Control in your system. It is suitable for personal users as well as enterprises, businesses and highly secure workstations.

> [!TIP]\
> If you aren't familiar with what App Control is, [please refer to this article](https://github.com/HotCakeX/Harden-Windows-Security/wiki/Introduction) where it's explained in great detail.

Proper usage of Application Control, when coupled with the Harden System Security app's policies, [can provide 99% protection from various threats](https://github.com/HotCakeX/Harden-Windows-Security/wiki/The-Strength-of-Signed-App-Control-Policies), either from the Internet or physical.
It's true that there is no absolute security, but then again there is nothing absolute in the universe either. Everything, even the most fundamental physical laws, is and has been subject to change and conditions.

* [Here is a walkthrough video of the AppControl Manager](https://www.youtube.com/watch?v=SzMs13n7elE)
* [Here is the AppControl Manager's landing page on this repository](https://github.com/HotCakeX/Harden-Windows-Security/wiki/AppControl-Manager)

<br>

## <img width="40" src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/PNGs/350387930319028225.png" alt="Microsoft Zune logo"> How Do You Make the Right Choice?

𝙵𝚒𝚛𝚜𝚝 𝚊𝚗𝚍 𝙵𝚘𝚛𝚎𝚖𝚘𝚜𝚝 use the [Harden System Security app](https://github.com/HotCakeX/Harden-Windows-Security/wiki/Harden-System-Security) to apply the hardening measures it offers. Your system will be secure against at least ~98% of the threats when you use a Standard (non-Privileged) account for everyday work. These threats aren't the usual computer viruses, they are ***motivated nation state threat actors.***

𝚃𝚑𝚎𝚗 use the [AppControl Manager](https://spynetgirl.github.io/AppControl%20Manager/AppControl%20Manager/) to deploy an App Control policy and have even more control over the operation of the Windows Application Control.

These methods will create multiple layers of security, also known as defense in depth. Additionally, you can create a [**Kernel-level Zero-Trust strategy**](https://github.com/HotCakeX/Harden-Windows-Security/wiki/WDAC-policy-for-BYOVD-Kernel-mode-only-protection) for your system.

If there is ever a zero-day vulnerability in one or even some of the security layers at the same time, there will still be enough layers left to protect your device. It's practically impossible to penetrate all of them at once.
Also, zero-day vulnerabilities are patched quickly, so keeping your device and OS up to date, regardless of what OS you use, is one of the most basic security recommendations and best practices you must follow.

<br>

<p align="right"><a href="#readme-top">💡 (back to top)</a></p>

<br>

## <img width="40" src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/PNGs/Account.png" alt="Microsoft Identity logo"> Vulnerabilities Such as Zero-Days Are Disclosed in 3 Different Ways

1. The vulnerability is disclosed responsibly. It is first communicated privately with the software vendor/developer so they can have the time to fix and issue updates/patches for the vulnerability before it is disclosed publicly. In this way, people are always safe because all that's needed is to keep your OS and software up to date to receive the latest security patches.
2. The vulnerability is disclosed irresponsibly. It is disclosed publicly, through social media or by creating PoCs (Proof of Concept) so that it can be used and abused by everyone.
3. The vulnerability is abused by malicious actors. It is exploited privately by threat actors in cyber attacks. These vulnerabilities are either discovered by the threat actors themselves or bought from security researchers who find them first, all of which is illegal and has consequences.

<br>

## <img width="40" src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/PNGs/StonkUp.png" alt="Stonks up"> What About More Advanced Security at Scale?

<p align="center"><img src="https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/PNG%20and%20JPG/534534.png" width="650" alt="AI generated image of a girl"></p>

<br>

To achieve the Highest level of Security **at Scale** for Businesses, Enterprises and Military scenarios, you can use the following services to create impenetrable devices and environments.

> [!IMPORTANT]\
> The following services must be used **in addition** to the measures already talked about in this repository, such as proper Application Control policies and the security measures that the Harden System Security app applies. They are not a replacement for them.
>
> As an individual user you can still utilize these features and services; they add an additional layer of protection to your security stack.

* [Microsoft Defender for Endpoint](https://www.microsoft.com/en-us/security/business/endpoint-security/microsoft-defender-endpoint) - Discover and secure endpoint devices across your multiplatform enterprise.
* [Microsoft Security Copilot](https://www.microsoft.com/en-us/security/business/ai-machine-learning/microsoft-copilot-security) - Build a defense [so automated](https://learn.microsoft.com/security-copilot/microsoft-security-copilot) that even your intern becomes a cybersecurity expert.
* [Confidential Computing on Azure](https://learn.microsoft.com/azure/confidential-computing/overview-azure-products) - Protect your highly sensitive data while it's in use
* [Confidential AI](https://learn.microsoft.com/azure/confidential-computing/confidential-ai) - Train your data Privately and Securely on the most advanced AI Super computers
* [Microsoft Entra conditional access](https://www.microsoft.com/en-us/security/business/identity-access/microsoft-entra-conditional-access) - Increase protection without compromising productivity
* [Microsoft Sentinel](https://azure.microsoft.com/en-us/products/microsoft-sentinel/) - Scalable, cloud-native solution that provides SIEM, SOAR and more!
* [Key Vault](https://azure.microsoft.com/en-us/products/key-vault/) - Safeguard cryptographic keys and other secrets used by cloud apps and services. This [Azure service uses the best products in the world](https://cpl.thalesgroup.com/partners/microsoft) for the job, such as [Thales HSMs](https://cpl.thalesgroup.com/encryption/hardware-security-modules/network-hsms).
More info [available here](https://learn.microsoft.com/windows-hardware/manufacture/desktop/secure-boot-key-generation-and-signing-using-hsm--example).
* [Microsoft Defender for Cloud](https://azure.microsoft.com/en-us/products/defender-for-cloud) - Protect multicloud and hybrid environments with integrated security from code to cloud
* [Microsoft Defender for Cloud Apps]() - Modernize how you secure your apps, protect your data, and elevate your app posture with software as a service (SaaS) security.
* [Microsoft Defender for Identity](https://www.microsoft.com/en-us/security/business/siem-and-xdr/microsoft-defender-for-identity) - Protect your on-premises identities with cloud-powered intelligence.
* [Passwordless authentication options for Azure Active Directory](https://learn.microsoft.com/azure/active-directory/authentication/concept-authentication-passwordless) - Multifactor and Passwordless Authentication, the most secure and convenient way of authentication.
* [PIM (PAM)](https://www.microsoft.com/en-us/security/business/security-101/what-is-privileged-access-management-pam) - Privileged Access Management
* [PAW](https://learn.microsoft.com/security/privileged-access-workstations/privileged-access-devices) - Privileged Access Workstation
* [SAW](https://www.microsoft.com/insidetrack/blog/improving-security-by-protecting-elevated-privilege-accounts-at-microsoft/) - Secure Admin Workstations
* [List of all Azure security services for Enterprises, Businesses etc.](https://learn.microsoft.com/azure/security/fundamentals/services-technologies)

<br>

<p align="right"><a href="#readme-top">💡 (back to top)</a></p>

<br>

## <img width="40" src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/PNGs/673731848341553152.png" alt="head patting"> Important Considerations

* Avoid using any 3rd party security solutions when using Harden System Security app or App Control for Business.
3rd party solutions are weak, incompatible and unnecessary, **they also increase your attack surface**.
* Use Virtual machines for any questionable or unsafe software. Use [Windows Sandbox or Hyper-V VM](https://github.com/HotCakeX/Privacy-Anonymity-Compartmentalization).

<br>

## <img width="40" src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/surface.gif" alt="Surface device gif"> [Which Device to Use ?](#-which-device-to-use-)

Use Microsoft Surface products for the best device and firmware security. They support [secured-core PC specifications](https://www.microsoft.com/en-us/windows/business/windows-11-secured-core-computers), and the manufacturing process and platform are trusted and secure.

Make sure to use Surface products that support [Device Firmware Configuration Interface (DFCI)](https://learn.microsoft.com/mem/autopilot/dfci-management) for extra protection and security. Here is a [list of Surface products](https://learn.microsoft.com/surface/surface-manage-dfci-guide#dfci-policy-settings-reference-for-surface-devices) that support it.

* [How to use Device Firmware Configuration Interface (DFCI) for Surface Devices with Intune](https://techcommunity.microsoft.com/t5/intune-customer-success/how-to-use-device-firmware-configuration-interface-dfci-for/ba-p/3041293)
* Among other features, devices set up with DFCI can be configured so that booting from USB device(s) is disabled and there is no way to bypass the chip level security directly. Not even a CMOS clear can bypass it, because it uses non-volatile memory aka flash storage. It sets BIOS cert authentication, and the private key is behind the cloud edge inside Intune and not even Microsoft support can get that key.
* The list of Surface products supporting DFCI might not get updated quickly in that doc but fear not, this is an active project and all new Surface devices have this built in, the docs team might be just a little laggy.
* Microsoft Surface devices use [Project Mu](https://microsoft.github.io/mu/) for the source code of their firmware.
* Surface devices can use certificates instead of passwords for UEFI. They don't have a reset switch like other devices either. You create and install your own certificate using [Surface Management Toolkit](https://www.microsoft.com/en-us/download/details.aspx?id=46703). You can build a config package that has the certificate in it and install it to the firmware; the package then can't be removed or changed without the signing cert authorizing the change, aka cert auth. Alternatively, you can just use DFCI as previously mentioned and not have to worry, because the packages are signed with MS's private key and there is no PKI that you have to self host.
* Business class Surface devices have dedicated TPM chips.
* Check out [the Device Guard category](https://github.com/HotCakeX/Harden-Windows-Security?tab=readme-ov-file#device-guard) about Secured-Core specifications.
* Pluton security chip is **not** a requirement for Secured-Core certification.
* Pluton security chip is included in [Qualcomm Snapdragon ARM CPUs](https://www.qualcomm.com/products/mobile/snapdragon/pcs-and-tablets/snapdragon-x-elite), [AMD](https://blogs.windows.com/windowsexperience/2024/04/16/amds-commercial-ai-pc-portfolio-integrates-microsoft-pluton-includes-microsoft-copilot/) and [Intel CPUs](https://www.theverge.com/2024/6/3/24169115/intel-lunar-lake-architecture-platform-feature-reveal).
* [Copilot+](https://www.microsoft.com/en-us/windows/copilot-plus-pcs) PCs are among [the most secure consumer grade devices](https://blogs.windows.com/windowsexperience/2024/09/27/update-on-recall-security-and-privacy-architecture/). They are secured-core and incorporate the Pluton security chip.

<br>

> [!IMPORTANT]\
> <img width="30" src="https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/blue.gif" alt="Attention gif"> It is important to be aware of [potential hardware backdoors](https://bios-pw.org/) that may compromise the security of your system. Some common OEMs, such as Compaq, Dell, Fujitsu, Hewlett-Packard (HP), Sony, and Samsung, as well as OEMs that use unmodified Insyde H20, or Phoenix firmwares, utilize algorithms based on device serial numbers for password resets. These algorithms allow for master password removal from the firmware, potentially granting unauthorized access to the system.

<br>

> [!NOTE]\
> <img width="30" src="https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/Gifs/diamond-7.gif" alt="rotating diamond gif"> When buying 3rd party devices, make sure they have the [Pluton](https://www.microsoft.com/en-us/security/blog/2020/11/17/meet-the-microsoft-pluton-processor-the-security-chip-designed-for-the-future-of-windows-pcs/) security chip, it [addresses security needs](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/defending-against-ransomware-with-microsoft-defender-for/ba-p/3243941) like booting an operating system securely **even against firmware threats** and storing sensitive data safely **even against physical attacks**.

<br>

### <img width="40" src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/9935-catkeyboard.gif" alt="BYOVD device gif animated"> [Protection against BYOVD (Bring Your Own Vulnerable Driver) attacks](#-protection-against-byovd-bring-your-own-vulnerable-driver-attacks)

* Secured core PCs provide the hardware that is capable of protecting against BYOVD attacks.
It is your responsibility to turn the features on, those include App Control for Business, ASR (Attack Surface Reduction) rules, Dynamic/static root of trust and [firmware](https://learn.microsoft.com/windows-hardware/drivers/bringup/firmware-attack-surface-reduction) that is extensible for revoking drivers. They are especially useful for drivers not explicitly mentioned in the [Microsoft Recommended Driver Block List](https://learn.microsoft.com/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules), which are the more dynamic side of things.
* Use [Strict Kernel-mode App Control policy for complete BYOVD protection](https://github.com/HotCakeX/Harden-Windows-Security/wiki/WDAC-policy-for-BYOVD-Kernel-mode-only-protection)

<br>

<p align="right"><a href="#readme-top">💡 (back to top)</a></p>

<br>

## <img width="40" src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/Red%20police%20light.gif" alt="Alert gif for what to do when under attack"> [What to Do When There Is an Attack ?](#-what-to-do-when-there-is-an-attack-)

You should have an existing [***Unified Contract***](https://www.microsoft.com/en-us/unifiedsupport/overview) with Microsoft ([formerly](https://www.microsoft.com/en-us/unifiedsupport/premier) known as [Premier Support](https://www.microsoft.com/en-us/premier-support-end-of-sale)).
Microsoft offers a wide range of services and teams to help you recover from a cyber attack such as:

- GHOST: Global Hunting, Oversight and Strategic Triage
- [DART](https://www.microsoft.com/en-us/security/blog/2019/03/25/dart-the-microsoft-cybersecurity-team-we-hope-you-never-meet/) - The Microsoft Detection and Response Team
- [CRSP](https://www.microsoft.com/en-us/security/blog/2021/06/09/crsp-the-emergency-team-fighting-cyber-attacks-beside-customers/) - Global Compromise Recovery Security Practice Team - [including Ransomware](https://learn.microsoft.com/azure/security/fundamentals/ransomware-detect-respond#road-to-recovery)

After you've been hacked, you should request them by contacting your Customer Success Account Manager and telling them you need the help of one of these teams.

<br>

> [!TIP]\
> When getting cyber security insurance for your company or organization, make sure to get one that covers the cost of hiring Microsoft's **elite** teams such as **GHOST/DART**, i.e. those Microsoft teams will be in-network for your insurance.

<br>

### Color breakdown of security teams in organizations

- 🔴 Red - Pen Testers/White Hat Hackers
- 🔵 Blue - SOC/Data Science/Telemetry Analysis/SIEM Junkies
- 🟢 Green - Fixers, takes input from blue and red and builds the fixes that are needed for identified blind spots (blue) or vulnerability/risk (red)
- 🟡 Yellow - Tooling, SWE to build new stuff for all of the above to operate faster and more effectively

<br>

<p align="right"><a href="#readme-top">💡 (back to top)</a></p>

<br>

## <img width="40" src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/david%20star.gif" alt="icon for For Penetration testing and benchmarking section"> [For Penetration testing and benchmarking](#-for-penetration-testing-and-benchmarking)

How to properly perform a pentest and benchmark a system hardened by this repository and make it as close to a real-world scenario as possible:

1. Use a physical machine if possible, it should have Windows 11 certified hardware and a [Standard user account](https://learn.microsoft.com/windows-server/remote/multipoint-services/create-a-standard-user-account).
    * If you can't use a physical machine, use Hyper-V hypervisor. Your host (aka physical machine) must have Windows 11 certified hardware and meet all the hardware and UEFI security requirements explained in the Readme. VMs however are prone to side channel attacks, so don't use that attack vector in pentests if you want more realistic results.

2. First apply the [Harden System Security app](https://apps.microsoft.com/detail/9p7ggfl7dx57) *(All categories of it)* and then use the [AppControl Manager](https://github.com/HotCakeX/Harden-Windows-Security/wiki/AppControl-Manager) to deploy a suitable [Signed](https://github.com/HotCakeX/Harden-Windows-Security/wiki/The-Strength-of-Signed-App-Control-Policies) App Control policy.

<br>

> [!IMPORTANT]\
> Always pay attention to the [Microsoft Security Servicing Criteria for Windows](https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria), especially the Security boundaries. There is no security boundary between Administrator and Kernel.
>
> Some penetration testers overlook this fact, assuming it is a vulnerability that they can perform administrative tasks such as disabling security features as Administrator. This is an expected behavior. Administrators have the power to control the security of a device and can disable security features at their discretion. This is why you need to use a Standard user account when performing a realistic penetration test.
>
> Another aspect to consider is the ambiguity in the word "Admin". There are at least two distinct types of Admins: Local Admin and Cloud Admin.
For instance, when you are penetration testing a system that leverages enterprise cloud security solution such as Microsoft Defender for Endpoint (MDE), Admin access should be regarded as Cloud Admin since those devices use Microsoft Entra ID and lack Local Admin. In this situation, Cloud Admin can effortlessly disable security features as expected, rendering a pentest using Local Admin access utterly pointless. Conversely, when pentesting a system that only relies on personal security features such as Microsoft Defender, then Admin should be treated as Local Admin. In this case, the Admin can also disable any security feature for the same reasons stated above. > > Of course, Microsoft employs additional security measures such as Protected Process Light (PPL) for Defense in Depth strategies, but they do not alter the facts stated above. **The goal is to always hope for the best, plan for the worst.** <br> ## <img width="40" src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/WhiteGhost.gif" alt="Ghost emoji"> [Any questions or suggestions?](#-any-questions-or-suggestions) Please open a new [issue](https://github.com/HotCakeX/Harden-Windows-Security/issues) or [discussion](https://github.com/HotCakeX/Harden-Windows-Security/discussions) in the repository. 
<br>

<p align="right"><a href="#readme-top">💡 (back to top)</a></p>

<br>

<img src="https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Gifs/1pxRainbowLine.gif" width= "300000" alt="horizontal super thin rainbow RGB line">

<br>

## Related<a href="#related">![RelatedIcon](https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Related.png)</a>

<p align="center"><img src="https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/PNG%20and%20JPG/2152165465461.png" alt="An AI generated picture of a cat girl working in a server farm" width="500"></p>

<br>

<img src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/WebP/911587042608156732.webp" width="25" alt="Azure DevOps Repository (mirror) bullet list item"> [Azure DevOps Repository (mirror)](https://dev.azure.com/SpyNetGirl/_git/Harden-Windows-Security)

<img src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/WebP/911587042608156732.webp" width="25" alt="Harden Windows Security website bullet list item"> [Harden Windows Security website](https://hotcakex.github.io/)

<img src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/WebP/911587042608156732.webp" width="25" alt="Official global IANA IP block for each country bullet list item"> [Official global IANA IP block for each country](https://hotcakex.github.io/Official-IANA-IP-blocks/)

<img src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/WebP/911587042608156732.webp" width="25" alt="Windows Security Blog bullet list item"> [Windows Security Blog](https://spynetgirl.github.io/)

<img src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/WebP/911587042608156732.webp" width="25" alt="WinSecureDNSMgr bullet list item"> [WinSecureDNSMgr](https://github.com/HotCakeX/WinSecureDNSMgr)

<img
src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/WebP/911587042608156732.webp" width="25" alt="Privacy, Anonymity and Compartmentalization bullet list item"> [Privacy, Anonymity and Compartmentalization](https://github.com/HotCakeX/Privacy-Anonymity-Compartmentalization)

<br>

<img src="https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Gifs/1pxRainbowLine.gif" width= "300000" alt="horizontal super thin rainbow RGB line">

<br>

## Trust<a href="#trust">![TrustIcon](https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Trust.png)</a>

<p align="center"><img src="https://raw.githubusercontent.com/HotCakeX/.github/56885df17213aecaa07453e008972a5b8dc918e5/Pictures/Readme%20Categories/Trust/Trust.svg" alt="Trust The Harden Windows Security GitHub Repository" width="500"></p>

This repository uses effective methods that make it easy to verify:

- [Artifact attestations](https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds) are used to establish provenance for builds. They [guarantee](https://github.com/HotCakeX/Harden-Windows-Security/attestations) that the packages are 100% created from the source code that exists in this repository.

- [SBOMs](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/exporting-a-software-bill-of-materials-for-your-repository) (Software Bill of Materials) are generated for the entire repository to comply with data protection standards and provide transparency. Together with attestation and isolation they provide [SLSA L3 security level](https://slsa.dev/spec/v1.0/levels) for the build process.
- You can open the files in [**Visual Studio Code**](https://code.visualstudio.com) / [**Visual Studio Code Web**](https://vscode.dev) / [**GitHub CodeSpace**](https://github.com/codespaces/new?skip_quickstart=true&machine=standardLinux32gb&repo=569233100&ref=main&geo=EuropeWest) and view them in a nice and easy-to-read environment; they are well formatted, commented and indented.

- Commits and Tags are verified either with my GPG key or SSH key and [Vigilant mode](https://docs.github.com/en/authentication/managing-commit-signature-verification/displaying-verification-statuses-for-all-of-your-commits) is turned on in my GitHub account.

- You can fork this repository, verify it until that point in time, then verify any subsequent changes/updates I push to this repository, **at your own pace** (using `Sync fork` and `Compare` options on your fork), and if you are happy with the changes, allow it to be merged with your own copy/fork on your GitHub account.

- All of the apps offered in this repository are signed and available in the Microsoft Store.

<br>

> [!TIP]\
> All files in this repository are zipped and automatically submitted to VirusTotal for scanning. Any available packages in the last release are also directly uploaded for scanning. It is done through a [GitHub Action](https://github.com/HotCakeX/Harden-Windows-Security/actions/workflows/VirusTotal.yml) that is triggered every time a release is made or a PR is merged. Find the history of the uploaded files in [my VirusTotal profile](https://www.virustotal.com/gui/user/SpyNetGirl).
* [![PSScriptAnalyzer](https://github.com/HotCakeX/Harden-Windows-Security/actions/workflows/powershell.yml/badge.svg)](https://github.com/HotCakeX/Harden-Windows-Security/actions/workflows/powershell.yml) * [![Repository And Package Scan on VirusTotal](https://github.com/HotCakeX/Harden-Windows-Security/actions/workflows/Repository%20And%20Package%20Scan%20on%20Virus%20Total.yml/badge.svg)](https://github.com/HotCakeX/Harden-Windows-Security/actions/workflows/Repository%20And%20Package%20Scan%20on%20Virus%20Total.yml) * [![CodeQL Advanced - Quality](https://github.com/HotCakeX/Harden-Windows-Security/actions/workflows/CodeQL%20Advanced%20-%20Quality.yml/badge.svg)](https://github.com/HotCakeX/Harden-Windows-Security/actions/workflows/CodeQL%20Advanced%20-%20Quality.yml) * [![Sync to Azure DevOps](https://github.com/HotCakeX/Harden-Windows-Security/actions/workflows/Sync%20to%20Azure%20DevOps.yaml/badge.svg)](https://github.com/HotCakeX/Harden-Windows-Security/actions/workflows/Sync%20to%20Azure%20DevOps.yaml) * [![Build AppControl Manager MSIX Package](https://github.com/HotCakeX/Harden-Windows-Security/actions/workflows/Build%20AppControl%20Manager%20MSIX%20Package.yml/badge.svg)](https://github.com/HotCakeX/Harden-Windows-Security/actions/workflows/Build%20AppControl%20Manager%20MSIX%20Package.yml) * [![Dependabot Updates](https://github.com/HotCakeX/Harden-Windows-Security/actions/workflows/dependabot/dependabot-updates/badge.svg)](https://github.com/HotCakeX/Harden-Windows-Security/actions/workflows/dependabot/dependabot-updates) * [![Markdown Link Validator](https://github.com/HotCakeX/Harden-Windows-Security/actions/workflows/Markdown%20Link%20Validator.yml/badge.svg)](https://github.com/HotCakeX/Harden-Windows-Security/actions/workflows/Markdown%20Link%20Validator.yml) * [![Dependency 
review](https://github.com/HotCakeX/Harden-Windows-Security/actions/workflows/dependency-review.yml/badge.svg)](https://github.com/HotCakeX/Harden-Windows-Security/actions/workflows/dependency-review.yml)

<br>

> [!WARNING]\
> For your own security, exercise caution when considering any other 3rd-party tools, programs, or scripts claiming to harden or modify Windows OS in any way. Verify their legitimacy thoroughly before use and after each release. Avoid blind trust in 3rd party Internet sources. Additionally, if they don't adhere to the same high standards as this repository's offerings, they can cause system damage, unknown issues, and bugs.
>

<p align="right"><a href="#readme-top">💡 (back to top)</a></p>

<br>

<img src="https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Gifs/1pxRainbowLine.gif" width= "300000" alt="horizontal super thin rainbow RGB line">

<br>

## Support<a href="#support">![SupportIcon](https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Support.png)</a>

<p align="center"><img src="https://raw.githubusercontent.com/HotCakeX/.github/9e33c645239ff9eaef2bd232b88a75f5d04de092/Pictures/Readme%20Categories/Support/Support.svg" alt="Support Section - Harden Windows Security Repository" width="500"></p>

<img src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/WebP/Heart%20Microsoft.webp" width="28" alt="If you have any questions, requests, suggestions etc"> If you have any questions, requests, suggestions etc. about this GitHub repository and its content, please open [a new discussion](https://github.com/HotCakeX/Harden-Windows-Security/discussions) or [Issue](https://github.com/HotCakeX/Harden-Windows-Security/issues).
<img src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/WebP/Ninja%20cat.webp" width="28" alt="Reporting a vulnerability on this GitHub repository"> [Reporting a vulnerability](https://github.com/HotCakeX/Harden-Windows-Security/security/advisories) on this GitHub repository.

<img src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/Outlook%20small.gif" alt="SpyNetGirl aka HotCakeX Outlook Email Address"> I can also be reached privately at: [email protected]

<br>

<p align="right"><a href="#readme-top">💡 (back to top)</a></p>

<br>

<img src="https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Gifs/1pxRainbowLine.gif" width= "300000" alt="horizontal super thin rainbow RGB line">

<br>

## Security Recommendations<a href="#security-recommendations">![SecurityRecommendationIcon](https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/SecurityRecommendation.png)</a>

<p align="center"><img src="https://raw.githubusercontent.com/HotCakeX/.github/f9920187acf754f7bc8c3509030142308dff9ee9/Pictures/Readme%20Categories/Security%20Recommendations/Security%20Recommendations.svg" alt="Windows Security Recommendations - Harden Windows Security GitHub Repository" width="500"></p>

* <img src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/RedStar.gif" width="30" alt="Red Star denoting Security Recommendation"> Always download your operating system from [official Microsoft websites](https://www.microsoft.com/en-us/software-download). Right now, Windows 11 is the latest version of Windows; its ISO file can be downloaded from this [official Microsoft server](https://www.microsoft.com/en-us/software-download/windows11). One of the worst things you can do to your own security and privacy is downloading your OS, which is the root of all the active and passive security measures, from a 3rd party website claiming they have the official unmodified files.
There are countless bad things that can happen as the result of it such as threat actors embedding malware or backdoors inside the customized OS, or pre-installing customized root CA certificates in your OS so that they can perform TLS termination and view all of your HTTPS and encrypted Internet data in plain clear text, **even if you use VPN.** Having a poisoned and compromised certificate store is the endgame for you, and *that's just the tip of the iceberg.* - Refer to [Wiki](https://github.com/HotCakeX/Harden-Windows-Security/wiki) to see [how to create Bootable USB flash drive with no 3rd party tools](https://github.com/HotCakeX/Harden-Windows-Security/wiki/Create-Bootable-USB-flash-drive-with-no-3rd-party-tools) <br> * <img src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/RedStar.gif" width="30" alt="Red Star denoting Security Recommendation"> Whenever you want to install a program or app, first use the [Microsoft Store](https://apps.microsoft.com/store/apps) or <a href="https://github.com/microsoft/winget-cli">Winget</a>, if the program or app you are looking for isn't available in there, then download it from its official website. *Somebody created a nice web interface for interacting with Winget CLI <a href="https://winstall.app/">here</a>.* Using Winget or Microsoft store provides many benefits: - Microsoft store UWP apps are secure in nature, digitally signed, in [MSIX format](https://learn.microsoft.com/windows/msix/overview). That means, installing and uninstalling them is guaranteed and there won't be any leftovers after uninstalling. - Microsoft store has Win32 apps too, they are traditional `.exe` installers that we are all familiar with. The store has a library feature that makes it easy to find the apps you previously installed. 
    - Both Microsoft Store and Winget check the hash of the files by default; if a program or file has been tampered with, they will warn you and block the installation. When you manually download a program from a website, you have to verify the file hash yourself against the hash shown on the website, if any.

<br>

* <img src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/RedStar.gif" width="30" alt="Red Star denoting Security Recommendation"> Use Secure DNS; Windows 11 natively supports <a href="https://learn.microsoft.com/windows-server/networking/dns/doh-client-support">DNS over HTTPS</a> and <a href="https://techcommunity.microsoft.com/t5/networking-blog/dns-over-tls-available-to-windows-insiders/ba-p/3565859">DNS over TLS</a>.

    - Use my [WinSecureDNSMgr module](https://github.com/HotCakeX/WinSecureDNSMgr) to easily configure DNS over HTTPS in Windows

<br>

* <img src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/RedStar.gif" width="30" alt="Red Star denoting Security Recommendation"> Only use Microsoft Edge as your browser; it has [the Highest-rated protection](https://web.archive.org/web/20230103160041/https://learn.microsoft.com/deployedge/ms-edge-security-for-business#external-threat-protection) against [phishing](https://edgefrecdn.azureedge.net/shared/cms/lrs1c69a1j/public-files/473cac993bd24ae1947bd86e910d4d01.pdf) and [malware](https://edgefrecdn.azureedge.net/shared/cms/lrs1c69a1j/public-files/49958f5a10e748b28f1a235f6aac8d1e.pdf), is available by default on Windows OS, and has tightly integrated valuable security features such as <a href="https://learn.microsoft.com/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview">Microsoft Defender Application Guard</a>, <a href="https://learn.microsoft.com/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/">Microsoft Defender SmartScreen</a>,
<a href="https://support.microsoft.com/en-us/microsoft-edge/enhance-your-security-on-the-web-with-microsoft-edge-b8199f13-b21b-4a08-a806-daed31a1929d">Hardware Enforced Stack Protection</a>, <a href="https://learn.microsoft.com/microsoft-365/security/defender-endpoint/exploit-protection-reference?view=o365-worldwide#arbitrary-code-guard">Arbitrary Code Guard (ACG)</a>, <a href="https://learn.microsoft.com/microsoft-365/security/defender-endpoint/exploit-protection-reference?view=o365-worldwide#control-flow-guard-cfg">Control Flow Guard (CFG)</a>, <a href="https://learn.microsoft.com/microsoft-edge/web-platform/tracking-prevention">Tracking Prevention</a> and <a href="https://support.microsoft.com/en-us/topic/use-the-microsoft-edge-secure-network-to-protect-your-browsing-885472e2-7847-4d89-befb-c80d3dda6318">Trusted built-in Secure Network feature from Cloudflare</a> just to name a few. <br> * <img src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/RedStar.gif" width="30" alt="Red Star denoting Security Recommendation"> [Always enable Two-Factor/Multi-Factor Authentication](https://support.microsoft.com/en-us/office/the-keys-to-the-kingdom-securing-your-devices-and-accounts-a925f8ad-af7e-40d8-9ce4-60ea1cac2ba4) on websites, apps and services that you use. Preferably, use [Microsoft Authenticator app](https://support.microsoft.com/en-us/account-billing/download-and-install-the-microsoft-authenticator-app-351498fc-850a-45da-b7b6-27e523b8702a) which has backup and restore feature, so you never lose access to your TOTPs (Time-Based One-Time Passwords) even if you lose your phone. Available for <a href="https://play.google.com/store/apps/details?id=com.azure.authenticator&gl=US">Android</a> and <a href="https://apps.apple.com/us/app/microsoft-authenticator/id983156458">IOS</a>. 
<br>

* <img src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/RedStar.gif" width="30" alt="Red Star denoting Security Recommendation"> Make sure OneDrive backup for important folders (Desktop/Documents/Pictures) is enabled. It is fast, secure and works in any network condition and since it's [x64 (64-bit)](https://techcommunity.microsoft.com/t5/microsoft-onedrive-blog/onedrive-sync-64-bit-for-windows-now-in-public-preview/ba-p/2260619), it can handle a lot of small and large files simultaneously.

<br>

* <img src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/RedStar.gif" width="30" alt="Red Star denoting Security Recommendation"> When considering the use of a VPN, it is crucial to exercise discernment and only resort to it when absolutely necessary. A VPN can be a vital tool if you reside in a totalitarian, communist, or dictatorial regime, or in a nation where democratic principles are not upheld. However, if you live in a country that does not fall into these categories, it may be wise to reconsider the necessity of using a VPN. Your local ISP (Internet Service Provider) is likely more trustworthy than the ISP associated with a remote VPN server. By using a VPN, you are merely transferring the trust you place in your local ISP to an unknown entity—the ISP utilized by the VPN provider. It is important not to be swayed by the deceptive marketing tactics employed by VPN companies. The true identities, political affiliations, backgrounds, and loyalties of those behind these services often remain shrouded in mystery. In the permissive and open societies of the Western world, it is conceivable that [a VPN service could be established](https://www.techradar.com/news/iran-officials-linked-to-canada-based-free-vpn-provider) by entities with questionable intentions, including [state sponsors of terrorism](https://x.com/lisa_loo_who/status/1567984903312257025) or other hostile actors.
Such services could be utilized [to gather intelligence](https://archive.ph/xOVeY), conduct data mining, and track users, posing significant risks to your privacy and security. - There are situations where using VPN can provide security and privacy. For example, when using a public WiFi hotspot or basically any network that you don't have control over. In such cases, use [Cloudflare WARP](https://cloudflarewarp.com/) which [uses WireGuard protocol](https://developers.cloudflare.com/warp-client/get-started/windows), *or as mentioned, use [Secure Network in Edge browser that utilizes the same secure Cloudflare network](https://blog.cloudflare.com/cloudflare-now-powering-microsoft-edge-secure-network/)*. It's free, it's from an American company that [has global radar](https://radar.cloudflare.com/) and lots of insight about countries in the world in real-time, [at least 19.7% of all websites use it (2022)](https://blog.cloudflare.com/application-security/). Safe to say it's one of the **backbones of the Internet.** <br> * <img src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/RedStar.gif" width="30" alt="Red Star denoting Security Recommendation"> [Go passwordless](https://support.microsoft.com/en-us/account-billing/how-to-go-passwordless-with-your-microsoft-account-674ce301-3574-4387-a93d-916751764c43) with your [Microsoft account](https://www.microsoft.com/en-us/security/blog/2021/09/15/the-passwordless-future-is-here-for-your-microsoft-account/) and use [Windows Hello authentication](https://learn.microsoft.com/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password). 
In your Microsoft account which has Outlook service, [you can create up to 10 Email aliases](https://support.microsoft.com/en-us/office/add-or-remove-an-email-alias-in-outlook-com-459b1989-356d-40fa-a689-8f285b13f1f2) in addition to the 1 Email address you get when you made your Microsoft account, that means without creating a new account, you can have 11 Email addresses all of which will use the same inbox and account. You can specify which one of those Email aliases can be used to sign into your account, [in the sign in preferences of your Microsoft account settings](https://account.live.com/names/manage). So for example, when going passwordless, if you need you can give one of your Email aliases to others for communication or add it to a public profile of yours, then block sign in using that Email alias so nobody can send you authenticator notifications by entering that Email alias in the sign in page, and use the other 10 aliases that are private to sign into your Microsoft account with peace of mind. You can [create a rule in your Outlook](https://support.microsoft.com/en-us/office/inbox-rules-in-outlook-web-app-edea3d17-00c9-434b-b9b7-26ee8d9f5622) so that all of the Emails sent to your public Email alias will be stored in a different folder, apart from your other inbox emails. All of this can be done using free Microsoft account and [Outlook webapp](https://outlook.live.com/). <br> * <img src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/RedStar.gif" width="30" alt="Red Star denoting Security Recommendation"> Set a strong password for the UEFI firmware of your device so that it will ask for password before allowing any changes to be made to firmware. You can also configure the password to be required on startup. 
<br>

* <img src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/RedStar.gif" width="30" alt="Red Star denoting Security Recommendation"> Use **NTFS** (which is the default Filesystem in Windows) or **ReFS** (Resilient File System, newer). In addition to all their benefits, they support `Mark Of The Web` (MOTW) or `zone.identifier`. When a file is downloaded to a device running Windows, Mark of the Web is added to the file, identifying its source as being from the internet. [You can read all the information about it in here](https://learn.microsoft.com/deployoffice/security/internet-macros-blocked#mark-of-the-web-and-trusted-documents). If your USB flash drive is formatted as `FAT32`, change it to `NTFS`, because `FAT32` does not keep the `MOTW` of the files. If the file you are downloading is compressed in `.zip` format, make sure you open/extract it using Windows built-in support for `.zip` files because it keeps the MOTW of the files. If the compressed file you downloaded is in another format such as `.7z` or `.rar`, make sure you use an archive program that keeps the Mark of the Web of files after extraction. One of those programs is NanaZip, which is a fork of 7-Zip, available in [Microsoft Store](https://www.microsoft.com/store/productId/9N8G7TSCL18R) and [GitHub](https://github.com/M2Team/NanaZip). Compared to 7-Zip, it has a better and more modern GUI, and the application is [digitally signed](https://learn.microsoft.com/security/trusted-root/program-requirements). After installation, open it, navigate to `Tools` at the top, then select `Options` and set `Propagate zone.id stream` to `Yes`. You can use this [PowerShell command](https://learn.microsoft.com/powershell/module/microsoft.powershell.management/get-content?view=powershell-7.3#-stream) to find all the info about the Zone Identifier of the files you downloaded from the Internet.

```powershell
Get-Content <Path-To-File> -stream zone.identifier
```

<br>

* <img src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/RedStar.gif" width="30" alt="Red Star denoting Security Recommendation"> When using Xbox, make sure you [configure sign-in preference](https://support.xbox.com/en-US/help/account-profile/signin-security/change-signin-preferences) and set it to either `Ask for my PIN` or `Lock it down`. The latter is the most secure one since it will require authentication using Microsoft Authenticator app. `Ask for my PIN` is recommended for most people because it will only require a PIN to be entered using the controller.

<br>

* <img src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/RedStar.gif" width="30" alt="Red Star denoting Security Recommendation"> A few reminders about open source programs:

    - Unless you are a skilled programmer who can understand and verify every line of code in the source, and spends time to personally build the software from the source, and repeats all the aforementioned tasks for each subsequent version, then seeing the source code won't have any effect on you because you aren't able to understand or verify it.

    - Do not assume that the entire Open Source community audits and verifies every line of code just because the source code is available. As we've seen in the [XZ utility's backdoor](https://techcommunity.microsoft.com/t5/microsoft-defender-vulnerability/microsoft-faq-and-guidance-for-xz-utils-backdoor/ba-p/4101961) by state sponsored actors, they can have backdoors implanted in them in broad daylight and nobody might notice it for a long time.

    - The majority of *open source* programs are unsigned, meaning they don't have a digital signature; their developers haven't bought and used a code signing certificate to sign their program.
Among other problems, this might pose a danger to the end-users by making it harder to create trust for those programs in security solutions such as Application Control or App Whitelisting, and makes it hard to authenticate them. [Read Microsoft's Introduction to Code Signing](https://learn.microsoft.com/previous-versions/windows/internet-explorer/ie-developer/platform-apis/ms537361(v=vs.85)). Use [Azure Trusted Signing](https://azure.microsoft.com/en-us/products/trusted-signing) which is [affordable](https://azure.microsoft.com/en-us/pricing/details/trusted-signing/). <br> * <img src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/RedStar.gif" width="30" alt="Red Star denoting Security Recommendation"> Use Microsoft account (MSA) or Microsoft Entra ID to sign into Windows. Never use local administrators. Real security is achieved when there is no local administrator and identities are managed using Entra ID. You will be able to enforce [Multi-factor unlock](https://learn.microsoft.com/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock), for example use PIN + Fingerprint or PIN + Facial recognition, to unlock your device. <br> * <img src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/RedStar.gif" width="30" alt="Red Star denoting Security Recommendation"> Enable [***Random Hardware Addresses***](https://support.microsoft.com/en-us/windows/how-to-use-random-hardware-addresses-in-windows-ac58de34-35fc-31ff-c650-823fc48eb1bc) In Windows Settings -> Network & Internet -> WIFI. Currently, there is no Group Policy or associated registry key to automatically turn it on, that is why it is mentioned here in the security recommendations section. It has various security and privacy benefits such as your device cannot be uniquely identified by its hardware MAC address and the routers you connect to cannot uniquely identify you. 
You can set it to change daily in your WIFI network adapter's settings in Windows settings for even more benefits.

<br>

* <img src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/RedStar.gif" width="30" alt="Red Star denoting Security Recommendation"> Use [**Passkeys**](https://learn.microsoft.com/en-us/windows/security/identity-protection/passkeys/?tabs=windows%2Cintune). Passkeys provide a more [secure and convenient](https://support.microsoft.com/en-us/account-billing/signing-in-with-a-passkey-09a49a86-ca47-406c-8acc-ed0e3c852c6d) method of logging into websites and applications compared to passwords. Unlike passwords, which users must remember and type, passkeys are stored as secrets on a device and can use a device's unlock mechanism (such as biometrics or a PIN). [Passkeys](https://www.microsoft.com/en-us/windows/tips/passkeys) can be used without the need for [other sign-in challenges](https://support.microsoft.com/en-us/windows/manage-your-passkeys-in-windows-6a70599a-25e1-4461-86be-d67d1023c69f), making the authentication process faster, more secure, and more convenient.

<br>

* <img src="https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/Gifs/RedStar.gif" width="30" alt="Red Star denoting Security Recommendation"> More Security Recommendations coming soon...
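
The Mark of the Web recommendation above (NTFS/ReFS, archive extraction, `Get-Content -Stream`) can be checked across a whole folder instead of one file at a time. The following PowerShell is an added example, not code from this repository; the function name `Get-MotwReport`, the sample file names and the example.com URLs are constructed for illustration.

```powershell
# Added example (not from the repository): report Mark of the Web per file.
# Requires Windows and a volume that supports alternate data streams (NTFS/ReFS).

function Get-MotwReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path,

        [switch]$Recurse
    )

    # URL security zone numbers as they appear in the ZoneId field.
    $zoneNames = @{
        '0' = 'Local machine'
        '1' = 'Local intranet'
        '2' = 'Trusted sites'
        '3' = 'Internet'
        '4' = 'Restricted sites'
    }

    Get-ChildItem -LiteralPath $Path -File -Recurse:$Recurse | ForEach-Object {
        $file    = $_
        $fields  = @{}
        $hasMotw = $false

        try {
            # Throws when the stream is absent or the filesystem has no
            # alternate data streams (for example FAT32).
            $lines = Get-Content -LiteralPath $file.FullName -Stream 'Zone.Identifier' -ErrorAction Stop
            $hasMotw = $true

            # The stream is INI-like: a [ZoneTransfer] header, then Key=Value lines.
            foreach ($line in $lines) {
                if ($line -match '^\s*(\w+)\s*=\s*(.*)$') {
                    $fields[$Matches[1]] = $Matches[2].Trim()
                }
            }
        }
        catch {
            # No Zone.Identifier stream: the file carries no Mark of the Web.
        }

        $zoneId = $fields['ZoneId']

        [pscustomobject]@{
            File        = $file.FullName
            HasMotw     = $hasMotw
            ZoneId      = $zoneId
            Zone        = if ($hasMotw -and $zoneNames.ContainsKey("$zoneId")) { $zoneNames["$zoneId"] } else { $null }
            HostUrl     = $fields['HostUrl']
            ReferrerUrl = $fields['ReferrerUrl']
        }
    }
}

# --- Constructed demo data: one file with a MOTW stream, one without ---------
$demo = Join-Path ([System.IO.Path]::GetTempPath()) ("motw-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null

$marked   = Join-Path $demo 'downloaded-sample.txt'
$unmarked = Join-Path $demo 'extracted-without-motw.txt'

Set-Content -LiteralPath $marked   -Value 'constructed sample content'
Set-Content -LiteralPath $unmarked -Value 'constructed sample content'

# Write the same kind of stream a browser download would leave behind.
Set-Content -LiteralPath $marked -Stream 'Zone.Identifier' -Value @(
    '[ZoneTransfer]'
    'ZoneId=3'
    'ReferrerUrl=https://example.com/'
    'HostUrl=https://example.com/downloaded-sample.txt'
)

Get-MotwReport -Path $demo | Format-Table -AutoSize

Remove-Item -LiteralPath $demo -Recurse -Force
```

Files that show `HasMotw` as `False` right after being extracted from a downloaded archive indicate that the extraction tool or the target filesystem dropped the mark.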
<p align="right"><a href="#readme-top">💡 (back to top)</a></p>

<br>

<img src="https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Gifs/1pxRainbowLine.gif" width= "300000" alt="horizontal super thin rainbow RGB line">

<br>

## Resources<a href="#resources">![ResourcesIcon](https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Resources.png)</a>

<p align="center"><img src="https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/PNG%20and%20JPG/fdasdsadas.png" alt="A beautiful pink laptop Windows 11, located on the table with coffee on the side" width="650"></p>

- [Microsoft.com](https://microsoft.com)
  - [Force firmware code to be measured and attested by Secure Launch](https://www.microsoft.com/en-us/security/blog/2020/09/01/force-firmware-code-to-be-measured-and-attested-by-secure-launch-on-windows-10/)
- [Microsoft Learn](https://learn.microsoft.com/) - Technical Documentation
  - [Secure Launch—the Dynamic Root of Trust for Measurement (DRTM)](https://learn.microsoft.com/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows#secure-launchthe-dynamic-root-of-trust-for-measurement-drtm)
  - [Quick guide to Windows as a service](https://learn.microsoft.com/windows/deployment/update/waas-quick-start)
- [Germany Intelligence Agency - BND](https://www.bsi.bund.de/EN/Service-Navi/Publikationen/publikationen_node.html) - Federal Office for Information Security
  - [Analysis of Device Guard](https://www.bsi.bund.de/EN/Service-Navi/Publikationen/Studien/SiSyPHuS_Win10/AP7/SiSyPHuS_AP7_node.html)
  - [Device Guard Differential Analysis](https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Cyber-Sicherheit/SiSyPHus/E20172000_BSI_Win10_DGABGL_Win10_v_1_0.pdf?__blob=publicationFile&v=3)
- [Microsoft Tech Community](https://techcommunity.microsoft.com/) - Official blogs and documentations
- [Microsoft Security
baselines](https://learn.microsoft.com/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines) - Security baselines from Microsoft
- [Microsoft Security Response Center (MSRC) YouTube channel](https://www.youtube.com/@msftsecresponse)
  - [BlueHat Seattle 2019 || Guarding Against Physical Attacks: The Xbox One Story](https://www.youtube.com/watch?v=quLa6kzzra0)
- [Security Update Guide:](https://msrc.microsoft.com/update-guide) The Microsoft Security Response Center (MSRC) investigates all reports of security vulnerabilities affecting Microsoft products and services, and provides the information here as part of the ongoing effort to help you manage security risks and help keep your systems protected.
- [Microsoft Security Response Center Blog](https://msrc-blog.microsoft.com/)
- [Microsoft Security Blog](https://www.microsoft.com/en-us/security/blog/)
- [Microsoft Podcasts](https://news.microsoft.com/podcasts/)
- [Bug Bounty Program](https://www.microsoft.com/en-us/msrc/bounty) - With bounties worth up to `250,000`$
- [Microsoft Active Protections Program](https://www.microsoft.com/en-us/msrc/mapp)
- [Security Update Guide FAQs](https://www.microsoft.com/en-us/msrc/faqs-security-update-guide)
- [Microsoft On the Issues](https://blogs.microsoft.com/on-the-issues/) - Assessments, Investigations and Reports of APTs (Advanced Persistent Threats[¹](https://learn.microsoft.com/events/teched-2012/sia303)) and nation-sponsored cyberattack operations globally
- [A high level overview paper by Microsoft (in `PDF`)](http://download.microsoft.com/download/8/0/1/801358EC-2A0A-4675-A2E7-96C2E7B93E73/Framework_for_Cybersecurity_Info_Sharing.pdf), framework for cybersecurity information sharing and risk reduction.
- [Microsoft Threat Modeling Tool](https://learn.microsoft.com/azure/security/develop/threat-modeling-tool) - for software architects and developers
- [Important events to monitor](https://learn.microsoft.com/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor)
- [Windows Security portal](https://learn.microsoft.com/windows/security/)
- [Security auditing](https://learn.microsoft.com/windows/security/threat-protection/auditing/security-auditing-overview)
- [Microsoft SysInternals Sysmon for Windows Event Collection or SIEM](https://learn.microsoft.com/sysinternals/downloads/sysmon)
- [Privileged Access Workstations](http://aka.ms/cyberpaw)
- [Enhanced Security Administrative Environment (ESAE)](http://aka.ms/ESAE)
- [New Zealand 2016 Demystifying the Windows Firewall – Learn how to irritate attackers without crippli](https://youtu.be/InPiE0EOArs)
- [Download Windows virtual machines ready for development](https://developer.microsoft.com/en-us/windows/downloads/virtual-machines/)
- [UK National Cyber Security Centre Advice & guidance](https://www.ncsc.gov.uk/section/advice-guidance/all-topics)
- [Global threat activity](https://www.microsoft.com/en-us/wdsi/threats)
- [Microsoft Zero Trust](https://aka.ms/zerotrust)
- [Understanding malware & other threats, phrases](https://learn.microsoft.com/microsoft-365/security/intelligence/understanding-malware)
- [Malware naming](https://learn.microsoft.com/microsoft-365/security/intelligence/malware-naming)
- [Microsoft Digital Defense Report](https://aka.ms/mddr)
- [Microsoft Defender for Individuals](https://www.microsoft.com/en-us/microsoft-365/microsoft-defender-for-individuals)
- [Submit a file for malware analysis](https://www.microsoft.com/en-us/wdsi/filesubmission)
- [Submit a driver for analysis](https://www.microsoft.com/en-us/wdsi/driversubmission)
- [Service health status](https://admin.microsoft.com/servicestatus)
- [Microsoft Defender Threat Intelligence](https://ti.defender.microsoft.com/)
- [Free
community edition vs Premium edition comparison](https://jeffreyappel.nl/how-works-microsoft-defender-threat-intelligence-defender-ti-and-what-is-the-difference-between-free-and-paid/)
- [Microsoft Virus Initiative](https://learn.microsoft.com/microsoft-365/security/intelligence/virus-initiative-criteria)
- [Digital Detectives @Microsoft](https://news.microsoft.com/stories/cybercrime/)
- [Australia's Essential Eight](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-assessment-process-guide)
- [NIST 800-53](https://www.nist.gov/privacy-framework/nist-privacy-framework-and-cybersecurity-framework-nist-special-publication-800-53)
- [DoD's CMMC (Cybersecurity Maturity Model Certification)](https://learn.microsoft.com/azure/compliance/offerings/offering-cmmc)
- [ISO 27001](https://www.iso.org/standard/27001)
- [DoD Cyber STIGs (Security Technical Implementation Guides)](https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems)
- [NIST SP 800-171 Rev.
2 - Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations](https://csrc.nist.gov/pubs/sp/800/171/r2/upd1/final)
- [Clean source principle](https://learn.microsoft.com/security/privileged-access-workstations/privileged-access-success-criteria#clean-source-principle)
- [Windows Message Center](https://learn.microsoft.com/windows/release-health/windows-message-center)
- [Deprecated features for Windows client](https://learn.microsoft.com/windows/whats-new/deprecated-features)
- [Microsoft Cybersecurity Reference Architectures](https://aka.ms/mcra)
- [BlueHat IL 2023 - David Weston - Default Security](https://youtu.be/8T6ClX-y2AE?si=aICh_wZIJrMpM6xB)
- [Windows Security best practices for integrating and managing security tools](https://www.microsoft.com/en-us/security/blog/2024/07/27/windows-security-best-practices-for-integrating-and-managing-security-tools/)
- [Microsoft Exploitability Index](https://www.microsoft.com/en-us/msrc/exploitability-index)
- [The Microsoft Incident Response Ninja Hub](https://aka.ms/MicrosoftIRNinjaHub)
- [Understanding the Microsoft Pluton security processor](https://techcommunity.microsoft.com/blog/windows-itpro-blog/understanding-the-microsoft-pluton-security-processor/4370413)
- [Important Security Topics from Azure and Security MVPs](https://techcommunity.microsoft.com/blog/mvp-blog/mvp%E2%80%99s-favorite-content-important-security-topics-from-azure-and-security-mvps/4382196)
- [Security leadership in the age of constant disruption](https://blogs.windows.com/windowsexperience/2025/08/05/security-leadership-in-the-age-of-constant-disruption/)
- [Microsoft Edge security for your business](https://learn.microsoft.com/deployedge/ms-edge-security-for-business)

<p align="right"><a href="#readme-top">💡 (back to top)</a></p>

<br>

<img src="https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Gifs/1pxRainbowLine.gif" width= "300000" alt="horizontal super thin rainbow RGB line">

<br>

## Roadmap<a href="#roadmap">![RoadmapIcon](https://raw.githubusercontent.com/HotCakeX/Harden-Windows-Security/main/images/PNGs/Roadmapicon.png)</a>

<img src="https://raw.githubusercontent.com/HotCakeX/.github/main/Pictures/PNG%20and%20JPG/Harden%20Windows%20Security%20Repository%20Roadmap.png" alt="The Harden Windows Security Repository Roadmap">

<br>

<p align="right"><a href="#readme-top">💡 (back to top)</a></p>

<br>

<img src="https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Gifs/1pxRainbowLine.gif" width= "300000" alt="horizontal super thin rainbow RGB line">

<br>

## License<a href="#license">![LicenseFreeIcon](https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/LicenseFree.png)</a>

Using [MIT License](https://github.com/HotCakeX/Harden-Windows-Security/blob/main/LICENSE). Free information without any paywall or things of that nature. The only mission of this GitHub repository is to give all Windows users accurate, up to date and correct facts and information about how to stay secure and safe in dangerous environments, and to stay not one, but Many steps, ahead of threat actors.

### Credits

* Many of the icons are from [icons8](https://icons8.com/)
* Windows, Azure etc.
are trademarks of [Microsoft Corporation](https://www.microsoft.com/en-us/legal/intellectualproperty/trademarks/usage/general) <img src="https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Gifs/1pxRainbowLine.gif" width= "300000" alt="Harden-Windows-Security is a PowerShell module"> <br> <p align="center"> <a href="https://github.com/HotCakeX"><img width="30" height="30" src="https://raw.githubusercontent.com/HotCakeX/HotCakeX/main/Private/Images/Socials/github.svg" alt="GitHub profile and icon"></a> <a href="https://www.last.fm/user/HotCakeX"><img width="30" height="30" src="https://raw.githubusercontent.com/HotCakeX/HotCakeX/main/Private/Images/Socials/lastfm.png" alt="Lastfm profile and icon"></a> <a href="https://open.spotify.com/user/eypgh60p3zw1duh9lbsbc2mix"><img width="30" height="30" src="https://raw.githubusercontent.com/HotCakeX/HotCakeX/main/Private/Images/Socials/spotify.svg" alt="Spotify profile and icon"></a> <a href="https://stackexchange.com/users/27823952/spynet"><img width="30" height="30" src="https://raw.githubusercontent.com/HotCakeX/HotCakeX/main/Private/Images/Socials/stack-exchange.svg" alt="StackExchange profile and icon"></a> <a href="https://steamcommunity.com/id/HotCakeX"><img width="30" height="30" src="https://raw.githubusercontent.com/HotCakeX/HotCakeX/main/Private/Images/Socials/steam.svg" alt="Steam profile and icon"></a> <a href="https://www.twitch.tv/hot_cakex"><img width="30" height="30" src="https://raw.githubusercontent.com/HotCakeX/HotCakeX/main/Private/Images/Socials/twitch.svg" alt="Twitch profile and icon"></a> <a href="https://hotcakex.github.io/"><img width="30" height="30" src="https://raw.githubusercontent.com/HotCakeX/HotCakeX/main/Private/Images/Socials/website-96.png" alt="Website and icon"></a> <a href="https://x.com/CyberCakeX"><img width="30" height="40" src="https://raw.githubusercontent.com/HotCakeX/HotCakeX/a99ff15b77daf6246b05e66f2357c900482bead5/Private/Images/Socials/X%20logo.svg" alt="X 
profile and icon"></a> <a href="https://www.xbox.com/en-US/play/user/HottCakeX"><img width="30" height="30" src="https://raw.githubusercontent.com/HotCakeX/HotCakeX/main/Private/Images/Socials/xbox.svg" alt="Xbox profile and icon"></a> <a href="https://www.youtube.com/@hotcakex"><img width="30" height="30" src="https://raw.githubusercontent.com/HotCakeX/HotCakeX/main/Private/Images/Socials/youtube.svg" alt="YouTube profile and icon"></a> <a href="https://www.reddit.com/user/HotCakeXXXXXXXXXXXXX"><img width="30" height="30" src="https://raw.githubusercontent.com/HotCakeX/HotCakeX/main/Private/Images/Socials/reddit.svg" alt="Reddit profile and icon"></a> <a href="https://socialclub.rockstargames.com/member/----HotCakeX----"><img width="30" height="30" src="https://raw.githubusercontent.com/HotCakeX/HotCakeX/main/Private/Images/Socials/rockstar-social-club.svg" alt="Rockstar Social Club profile and icon"></a> <a href="https://club.ubisoft.com/en-US/profile/HotCakeX"><img width="30" height="30" src="https://raw.githubusercontent.com/HotCakeX/HotCakeX/main/Private/Images/Socials/uplay.svg" alt="Uplay profile and icon"></a> <a href="https://techcommunity.microsoft.com/t5/user/viewprofilepage/user-id/310193"><img width="30" height="30" src="https://raw.githubusercontent.com/HotCakeX/HotCakeX/main/Private/Images/Socials/microsoft.png" alt="Microsoft Tech Community profile and icon"></a> <a href="mailto:[email protected]"><img width="30" height="30" src="https://raw.githubusercontent.com/HotCakeX/HotCakeX/main/Private/Images/Socials/outlook.svg" alt="OutLook Email address and icon"></a> <a href="https://orcid.org/0009-0000-6616-4938"><img width="30" height="30" src="https://raw.githubusercontent.com/HotCakeX/HotCakeX/main/Private/Images/Socials/orcid_icon.png" alt="Orcid profile and icon"></a> <a href="https://spynetgirl.medium.com/"><img width="30" height="30" 
src="https://raw.githubusercontent.com/HotCakeX/HotCakeX/e0759dbc5b10c7ff9c10d09a49639e40ec780151/Private/Images/Socials/medium.svg" alt="Medium profile and icon"></a> <a href="https://www.facebook.com/VioletCakeX"><img width="30" height="30" src="https://raw.githubusercontent.com/HotCakeX/HotCakeX/main/Private/Images/Socials/Facebook.svg" alt="Facebook profile and icon"></a> <a href="https://mvp.microsoft.com/en-US/mvp/profile/4edbca65-7979-4779-b7e4-d182e123259b"><img width="30" height="35" src="https://mvp.microsoft.com/Assets/UserProfile/MVP/Badge.svg" alt="MVP profile and icon"></a> <a href="https://www.credly.com/users/hotcakex/"><img width="35" height="35" src="https://raw.githubusercontent.com/HotCakeX/HotCakeX/b4ae6b295182e6cc73c0a85cb3bfa154f10a89f7/Private/Images/Socials/Credly.svg" alt="Credly profile and icon"></a> </p>

<img src="https://github.com/HotCakeX/Harden-Windows-Security/raw/main/images/Gifs/1pxRainbowLine.gif" width= "300000" alt="Harden-Windows-Security is a PowerShell module">

<br>

<p align="right"><a href="#readme-top">💡 (back to top)</a></p>

<br>

## Donations <img src="https://raw.githubusercontent.com/HotCakeX/.github/refs/heads/main/Pictures/PNG%20and%20JPG/DonateIcon.png" width="48" alt="DonateIcon">

If you would like to support my work financially, your generosity is greatly appreciated. You can donate using any of the following methods and then let me know via DM on [**X**](https://x.com/CyberCakeX) or <a href="https://discord.com/users/1198196610476294239"> Discord </a> <img src="https://raw.githubusercontent.com/HotCakeX/.github/103188555ea09bb5670a5720faf5e3d92a9bed6d/Pictures/Gifs/discord%20rainbow.gif" width="25"> or Teams/Email via `[email protected]` so I can thank you personally. <img src="https://raw.githubusercontent.com/HotCakeX/.github/aa3901d1efc03871a423552dd32a5f2cea5ba180/Pictures/Gifs/stellakiss.gif" width="45" alt="xo">

Your support helps me continue to create and maintain this project.
You can also use donations to request special or extraordinary features.

### Bitcoin

* <img src="https://raw.githubusercontent.com/HotCakeX/.github/bcbca9889beba717975643c39b7882e6954407ea/Pictures/PNG%20and%20JPG/Crypto%20Donations%20Icons/bitcoin.svg" width="25" alt="Bitcoin donation Harden Windows Security"> Wallet Address for BTC

```
bc1qa948wr4mg2qkx2us5g8rv5ca75ppyy2ngl8k4e
```

* [Wallet Link](https://link.trustwallet.com/send?coin=0&address=bc1qa948wr4mg2qkx2us5g8rv5ca75ppyy2ngl8k4e)
* [Wallet QR Code](https://raw.githubusercontent.com/HotCakeX/.github/f4519dee61ff3c04862d45ea3ea97b7b7db6e5f9/Pictures/PNG%20and%20JPG/Bitcoin%20Donation.png)

---

### Bitcoin Cash

* <img src="https://raw.githubusercontent.com/HotCakeX/.github/bcbca9889beba717975643c39b7882e6954407ea/Pictures/PNG%20and%20JPG/Crypto%20Donations%20Icons/bitcoin-cash.svg" width="25" alt="Bitcoin Cash donation Harden Windows Security"> Wallet Address for BCH

```
qrrj03927q90z4wg4nu2e3nf4y3qnun2ku7muv8rvm
```

* [Wallet Link](https://link.trustwallet.com/send?coin=145&address=qrrj03927q90z4wg4nu2e3nf4y3qnun2ku7muv8rvm)
* [Wallet QR Code](https://raw.githubusercontent.com/HotCakeX/.github/a2260b835dc08dfa7daf7d34b068120b25f7c199/Pictures/PNG%20and%20JPG/Bitcoin%20Cash%20Donation.png)

---

### Ethereum

* <img src="https://raw.githubusercontent.com/HotCakeX/.github/bcbca9889beba717975643c39b7882e6954407ea/Pictures/PNG%20and%20JPG/Crypto%20Donations%20Icons/ethereum.svg" width="30" alt="Ethereum donation Harden Windows Security"> Wallet Address for ETH

```
0xF784a3D4F9A7CC5c26d69de41D7dD6480112114D
```

* [Wallet Link](https://link.trustwallet.com/send?coin=60&address=0xF784a3D4F9A7CC5c26d69de41D7dD6480112114D)
* [Wallet QR Code](https://raw.githubusercontent.com/HotCakeX/.github/ec4ba0e9727cc33229c4537fc1a243025519e1f5/Pictures/PNG%20and%20JPG/Ethereum%20Donation.png)

---

### BSC (Binance Smart Chain - Coin)

* <img
src="https://raw.githubusercontent.com/HotCakeX/.github/bcbca9889beba717975643c39b7882e6954407ea/Pictures/PNG%20and%20JPG/Crypto%20Donations%20Icons/binance.svg" width="25" alt="Binance Smart Chain donation Harden Windows Security"> Wallet Address for BSC

```
0xF784a3D4F9A7CC5c26d69de41D7dD6480112114D
```

* [Wallet Link](https://link.trustwallet.com/send?coin=20000714&address=0xF784a3D4F9A7CC5c26d69de41D7dD6480112114D)
* [Wallet QR Code](https://raw.githubusercontent.com/HotCakeX/.github/refs/heads/main/Pictures/PNG%20and%20JPG/BNB%20Donation.png)

<br>

<p align="right"><a href="#readme-top">💡 (back to top)</a></p>