Rewrite Hardentools in a more suitable language? #38

Open
botherder opened this issue Oct 21, 2017 · 4 comments

@botherder
Contributor

As pointed out in #31, there are limitations due to the use of Golang. It might be worth considering rewriting Hardentools with a more suitable language. Some suggested PowerShell (although, that would be a sad irony).

Let's discuss here what we all think is the best way forward.

@ccoenen

ccoenen commented Oct 21, 2017

Wouldn't it make more sense to improve Golang's elevation instead of rewriting (and leaving go behind)?

Are there other problems besides requesting elevated rights?

@Velocet

Velocet commented Nov 2, 2017

Maybe it's good to make a list with Pros/Cons in the first post to keep it "facts based":

  • 👍 Pros

    • Better UI / Development Tools (VScode / Visual Studio 2017 Community)
      • Development Tools are cross platform
    • Elevated Rights Management ;)
    • UI is better separated from Code
    • PowerShell (PoSh): Better for Administrators since it's possible to change the app/code on the Workstation without the need of any compiler
      • PoSh runs everywhere from Windows 7 up to 10 and is standard on 8 and 10
      • Use of inline C# to use every exposed function from a .dll
      • PoSh is cross platform but not the GUI (see Add ability to harden standard accounts #31 (comment))
      • Could be deployed as PoSh script or a simple .exe file
  • 👎 Cons

    • Rewrite needed: How big is the effort?

I really don't think that PoSh is such an irony. The problem with PoSh is how .NET is implemented in Windows and this makes it nearly impossible to stop PoSh exploits and still maintain a working system. What could be done in this case is to use EventLogs and trigger a message that a suspicious activity was detected. But that's another topic ...

@juju4

juju4 commented Nov 19, 2017

My suggestion would be to move to an orchestration tool (ansible, salt, puppet and the like) and just make a good and accessible user interface with sane defaults, rollback option and good explanations.

shameless plug on my own hardening role: https://github.com/juju4/ansible-harden-windows
or https://github.com/dev-sec

@botherder
Contributor Author

I'm not sure that would give much benefit for our use case. We're not shooting for corporate networks but rather at-risk individuals, so I'm not convinced ansible-like stuff would be much beneficial.
