A powerful CLI and GUI tool for managing Windows security hardening settings.
Enable, disable, audit, and report on Windows Defender, ASR rules, firewall, CIS benchmarks, and more — all from one place.
- Features
- Quick Start
- Usage Examples
- Security Categories
- Security Profiles
- Build from Source
- Documentation
- Project Structure
- CI/CD
- Contributing
- License
|
🔒 Security Management
|
📊 Reporting & Compliance
|
|
🎯 Profiles & Presets
|
🔄 Safety & Operations
|
|
🖥️ WinUI 3 Desktop GUI (NEW)
|
|
| Category | Settings | What's Covered |
|---|---|---|
| 🦠 Windows Defender | 15 | Real-time protection, PUA, cloud protection, threat actions |
| 🧱 Attack Surface Reduction | 15 | All 15 standard ASR rules for exploit prevention |
| 🔥 Firewall | 18 | Domain, Private, Public profiles with logging |
| 📐 CIS Benchmark | 30 | SMB, NTLM, RDP, DLL safety, UAC, PowerShell logging |
| 👤 Account Policy | 5 | Lockout thresholds, guest account, audit policies |
| 🌐 Network Security | 15 | LLMNR, NetBIOS, WPAD, TLS/SSL configuration |
Download WindowsSecurityManager.exe from the latest release — no install or runtime needed.
Two executables are available:
WindowsSecurityManager.exe— CLI + interactive terminal modeWindowsSecurityManager.Gui.exe— WinUI 3 desktop application (Windows 10 2004+)
# Launch interactive terminal mode (recommended for first use)
WindowsSecurityManager.exe
# Launch the WinUI 3 desktop GUI
WindowsSecurityManager.Gui.exe
# Or use CLI commands directly
WindowsSecurityManager.exe list
WindowsSecurityManager.exe report
WindowsSecurityManager.exe enable --setting DEF-001| Requirement | Details |
|---|---|
| 💻 Operating System | Windows 10 (2004+) / Windows 11 or Windows Server 2016+ |
| 🔑 Privileges | Administrator (for registry changes) |
| 🖥️ GUI | Windows 10 version 2004 (build 19041) or later |
For development: .NET 8.0 SDK or later
# Enable a single setting
WindowsSecurityManager.exe enable --setting DEF-001
# Enable all settings in a category
WindowsSecurityManager.exe enable --category AttackSurfaceReduction
# Enable all security settings
WindowsSecurityManager.exe enable --all
# Preview changes without writing (dry run)
WindowsSecurityManager.exe enable --all --dry-run
# Disable a specific setting
WindowsSecurityManager.exe disable --setting CIS-001# Search settings by keyword
WindowsSecurityManager.exe list --search "SMB"
# View full detail for a setting
WindowsSecurityManager.exe detail DEF-001# Generate compliance report
WindowsSecurityManager.exe report
# Export to HTML (styled dashboard)
WindowsSecurityManager.exe report --format Html --output report.html
# Export to JSON or CSV
WindowsSecurityManager.exe report --format Json --output report.json
WindowsSecurityManager.exe report --format Csv --output report.csv# List available profiles
WindowsSecurityManager.exe profile --list
# Preview a profile
WindowsSecurityManager.exe profile --apply "CIS Level 1" --dry-run
# Apply a profile
WindowsSecurityManager.exe profile --apply "CIS Level 1"# Backup current state
WindowsSecurityManager.exe backup --output before-changes.json
# Restore from backup
WindowsSecurityManager.exe restore before-changes.json| Category | ID Prefix | Count | Description |
|---|---|---|---|
| Windows Defender | DEF-xxx |
15 | Core Defender protection settings |
| Attack Surface Reduction | ASR-xxx |
15 | ASR rules for exploit prevention |
| Firewall | FW-xxx |
18 | Firewall profiles and logging |
| CIS Benchmark | CIS-xxx |
30 | General OS hardening settings |
| Account Policy | ACCT-xxx |
5 | Account lockout and audit settings |
| Network Security | NET-xxx |
15 | Protocol and network hardening |
| Profile | Description | Use Case |
|---|---|---|
| CIS Level 1 | Baseline security covering Defender, firewall, CIS, accounts, and network | General workstations, offices |
| Maximum Security | Enables all 98 settings across every category | High-security servers, sensitive systems |
| Developer Workstation | Core protections without breaking dev tools | Developer laptops, CI/CD machines |
See Security Profiles documentation for detailed breakdowns of each profile, and Security Setting Consequences for the per-setting compatibility impact.
# Build
dotnet build
# Run tests
dotnet test
# Run CLI (development)
dotnet run --project src/WindowsSecurityManager -- --help
# Run GUI (development, Windows only)
dotnet run --project src/WindowsSecurityManager.Gui
# Publish CLI as standalone executable
dotnet publish src/WindowsSecurityManager/WindowsSecurityManager.csproj \
--configuration Release \
--runtime win-x64 \
--self-contained true \
--output ./publish/cli
# Publish GUI
dotnet publish src/WindowsSecurityManager.Gui/WindowsSecurityManager.Gui.csproj \
--configuration Release \
--runtime win-x64 \
--self-contained true \
--output ./publish/gui| Document | Description |
|---|---|
| Getting Started | Installation, first steps, and recommended workflows |
| CLI Reference | Complete command reference with all options and examples |
| Security Profiles | Detailed guide to built-in security profiles |
| Security Setting Consequences | Per-setting impact and compatibility notes (read before enabling) |
| Backup & Restore | How to safely back up and restore security settings |
| CI/CD Pipeline | How the build and release pipeline works |
| Extending Settings | How to add your own custom security settings |
| Architecture | System design, components, and project structure |
├── .github/workflows/
│ ├── ci.yml # CI: restore, format check, build, test, coverage on push/PR
│ └── release.yml # CD: build & release CLI + GUI executables on tags
├── docs/ # 📚 Documentation and how-to guides
├── src/WindowsSecurityManager.Core/
│ ├── Definitions/ # Security setting definitions & profiles
│ ├── Models/ # Data models
│ └── Services/ # Core services (registry, manager, exporter, backup, logger)
├── src/WindowsSecurityManager/
│ ├── Commands/ # CLI command handlers
│ ├── UI/ # Interactive terminal menu (Spectre.Console)
│ └── Program.cs # CLI entry point
├── src/WindowsSecurityManager.Gui/
│ ├── ViewModels/ # MVVM ViewModels (CommunityToolkit.Mvvm)
│ ├── Views/ # WinUI 3 XAML pages
│ ├── App.xaml # GUI application entry point
│ └── MainWindow.xaml # NavigationView shell
├── tests/WindowsSecurityManager.Tests/
│ └── *.cs # Unit tests (xUnit + Moq)
└── WindowsSecurityManager.slnx
Two GitHub Actions workflows automate quality checks, builds, and releases:
Runs on every push and pull request targeting main. Acts as a quality gate before merging.
| Step | Description |
|---|---|
| Restore | Restores NuGet packages (with caching for speed) |
| Format check | Verifies code style with dotnet format --verify-no-changes |
| Build | Compiles in Release configuration |
| Test + Coverage | Runs all xUnit tests and collects code coverage via Coverlet |
| Upload coverage | Uploads Cobertura coverage report as a workflow artifact |
Builds and publishes the standalone executables.
| Trigger | Behavior |
|---|---|
Tag push (v*) |
Builds, tests, and creates a GitHub Release with CLI .exe attached |
| Manual dispatch | Builds on demand; CLI and GUI artifacts available from the workflow run |
Release pipeline steps: restore → test → publish CLI (single-file, self-contained, win-x64) → publish GUI (self-contained, win-x64) → upload artifacts → create GitHub Release.
Both workflows use NuGet package caching (actions/cache) to speed up dependency restoration.
See CI/CD Pipeline for full details on the pipeline architecture.
- Fork the repository
- Create a feature branch
- Add your settings via
ISecuritySettingProvider(guide) - Add tests for your changes
- Submit a pull request
This project is licensed under the MIT License.
