🛡️ Windows Security Manager

A powerful CLI and GUI tool for managing Windows security hardening settings.
Enable, disable, audit, and report on Windows Defender, ASR rules, firewall, CIS benchmarks, and more — all from one place.

Getting Started · CLI Reference · Download

---

📋 Table of Contents

• Features
• Quick Start
• Usage Examples
• Security Categories
• Security Profiles
• Build from Source
• Documentation
• Project Structure
• CI/CD
• Contributing
• License

✨ Features

🔒 Security Management Enable/disable individual settings, categories, or all at once Multi-select batch operations 98 settings across 6 categories Scalable provider architecture	📊 Reporting & Compliance Compliance reports with per-setting status Export to JSON, CSV, or styled HTML Live dashboard with compliance bars Auto-refresh after changes
🎯 Profiles & Presets CIS Level 1 — Baseline security Maximum Security — Full hardening Developer Workstation — Balanced protection Dry-run mode to preview changes	🔄 Safety & Operations Backup/restore registry state Dry-run support for enable/disable and profile apply operations Timestamped audit logging Search/filter across all settings
🖥️ WinUI 3 Desktop GUI (NEW) Modern Fluent Design with Windows 11 look & feel Dashboard with compliance gauges per category Settings management with search, filters, and inline enable/disable Report generation and export from the GUI Backup/restore and audit log viewer Unpackaged deployment — no MSIX required

Supported Security Categories

Category	Settings	What's Covered
🦠 Windows Defender	15	Real-time protection, PUA, cloud protection, threat actions
🧱 Attack Surface Reduction	15	All 15 standard ASR rules for exploit prevention
🔥 Firewall	18	Domain, Private, Public profiles with logging
📐 CIS Benchmark	30	SMB, NTLM, RDP, DLL safety, UAC, PowerShell logging
👤 Account Policy	5	Lockout thresholds, guest account, audit policies
🌐 Network Security	15	LLMNR, NetBIOS, WPAD, TLS/SSL configuration

🚀 Quick Start

Download & Run

Download WindowsSecurityManager.exe from the latest release — no install or runtime needed.

Two executables are available:

• WindowsSecurityManager.exe — CLI + interactive terminal mode
• WindowsSecurityManager.Gui.exe — WinUI 3 desktop application (Windows 10 2004+)

# Launch interactive terminal mode (recommended for first use)
WindowsSecurityManager.exe

# Launch the WinUI 3 desktop GUI
WindowsSecurityManager.Gui.exe

# Or use CLI commands directly
WindowsSecurityManager.exe list
WindowsSecurityManager.exe report
WindowsSecurityManager.exe enable --setting DEF-001

Requirements

Requirement	Details
💻 Operating System	Windows 10 (2004+) / Windows 11 or Windows Server 2016+
🔑 Privileges	Administrator (for registry changes)
🖥️ GUI	Windows 10 version 2004 (build 19041) or later

For development: .NET 8.0 SDK or later

💡 Usage Examples

Enable & Disable Settings

# Enable a single setting
WindowsSecurityManager.exe enable --setting DEF-001

# Enable all settings in a category
WindowsSecurityManager.exe enable --category AttackSurfaceReduction

# Enable all security settings
WindowsSecurityManager.exe enable --all

# Preview changes without writing (dry run)
WindowsSecurityManager.exe enable --all --dry-run

# Disable a specific setting
WindowsSecurityManager.exe disable --setting CIS-001

Search & Inspect

# Search settings by keyword
WindowsSecurityManager.exe list --search "SMB"

# View full detail for a setting
WindowsSecurityManager.exe detail DEF-001

Reports & Export

# Generate compliance report
WindowsSecurityManager.exe report

# Export to HTML (styled dashboard)
WindowsSecurityManager.exe report --format Html --output report.html

# Export to JSON or CSV
WindowsSecurityManager.exe report --format Json --output report.json
WindowsSecurityManager.exe report --format Csv --output report.csv

Profiles

# List available profiles
WindowsSecurityManager.exe profile --list

# Preview a profile
WindowsSecurityManager.exe profile --apply "CIS Level 1" --dry-run

# Apply a profile
WindowsSecurityManager.exe profile --apply "CIS Level 1"

Backup & Restore

# Backup current state
WindowsSecurityManager.exe backup --output before-changes.json

# Restore from backup
WindowsSecurityManager.exe restore before-changes.json

🏷️ Security Categories

Category	ID Prefix	Count	Description
Windows Defender	DEF-xxx	15	Core Defender protection settings
Attack Surface Reduction	ASR-xxx	15	ASR rules for exploit prevention
Firewall	FW-xxx	18	Firewall profiles and logging
CIS Benchmark	CIS-xxx	30	General OS hardening settings
Account Policy	ACCT-xxx	5	Account lockout and audit settings
Network Security	NET-xxx	15	Protocol and network hardening

🎯 Security Profiles

Profile	Description	Use Case
CIS Level 1	Baseline security covering Defender, firewall, CIS, accounts, and network	General workstations, offices
Maximum Security	Enables all 98 settings across every category	High-security servers, sensitive systems
Developer Workstation	Core protections without breaking dev tools	Developer laptops, CI/CD machines

See Security Profiles documentation for detailed breakdowns of each profile, and Security Setting Consequences for the per-setting compatibility impact.

🔨 Build from Source

# Build
dotnet build

# Run tests
dotnet test

# Run CLI (development)
dotnet run --project src/WindowsSecurityManager -- --help

# Run GUI (development, Windows only)
dotnet run --project src/WindowsSecurityManager.Gui

# Publish CLI as standalone executable
dotnet publish src/WindowsSecurityManager/WindowsSecurityManager.csproj \
    --configuration Release \
    --runtime win-x64 \
    --self-contained true \
    --output ./publish/cli

# Publish GUI
dotnet publish src/WindowsSecurityManager.Gui/WindowsSecurityManager.Gui.csproj \
    --configuration Release \
    --runtime win-x64 \
    --self-contained true \
    --output ./publish/gui

📚 Documentation

Document	Description
Getting Started	Installation, first steps, and recommended workflows
CLI Reference	Complete command reference with all options and examples
Security Profiles	Detailed guide to built-in security profiles
Security Setting Consequences	Per-setting impact and compatibility notes (read before enabling)
Backup & Restore	How to safely back up and restore security settings
CI/CD Pipeline	How the build and release pipeline works
Extending Settings	How to add your own custom security settings
Architecture	System design, components, and project structure

📁 Project Structure

├── .github/workflows/
│   ├── ci.yml                    # CI: restore, format check, build, test, coverage on push/PR
│   └── release.yml               # CD: build & release CLI + GUI executables on tags
├── docs/                         # 📚 Documentation and how-to guides
├── src/WindowsSecurityManager.Core/
│   ├── Definitions/              # Security setting definitions & profiles
│   ├── Models/                   # Data models
│   └── Services/                 # Core services (registry, manager, exporter, backup, logger)
├── src/WindowsSecurityManager/
│   ├── Commands/                 # CLI command handlers
│   ├── UI/                       # Interactive terminal menu (Spectre.Console)
│   └── Program.cs                # CLI entry point
├── src/WindowsSecurityManager.Gui/
│   ├── ViewModels/               # MVVM ViewModels (CommunityToolkit.Mvvm)
│   ├── Views/                    # WinUI 3 XAML pages
│   ├── App.xaml                  # GUI application entry point
│   └── MainWindow.xaml           # NavigationView shell
├── tests/WindowsSecurityManager.Tests/
│   └── *.cs                      # Unit tests (xUnit + Moq)
└── WindowsSecurityManager.slnx

⚙️ CI/CD

Two GitHub Actions workflows automate quality checks, builds, and releases:

CI (ci.yml) — Every Push & Pull Request

Runs on every push and pull request targeting main. Acts as a quality gate before merging.

Step	Description
Restore	Restores NuGet packages (with caching for speed)
Format check	Verifies code style with dotnet format --verify-no-changes
Build	Compiles in Release configuration
Test + Coverage	Runs all xUnit tests and collects code coverage via Coverlet
Upload coverage	Uploads Cobertura coverage report as a workflow artifact

Release (release.yml) — Tag Push & Manual Dispatch

Builds and publishes the standalone executables.

Trigger	Behavior
Tag push (v*)	Builds, tests, and creates a GitHub Release with CLI .exe attached
Manual dispatch	Builds on demand; CLI and GUI artifacts available from the workflow run

Release pipeline steps: restore → test → publish CLI (single-file, self-contained, win-x64) → publish GUI (self-contained, win-x64) → upload artifacts → create GitHub Release.

Both workflows use NuGet package caching (actions/cache) to speed up dependency restoration.

See CI/CD Pipeline for full details on the pipeline architecture.

🤝 Contributing

1. Fork the repository
2. Create a feature branch
3. Add your settings via ISecuritySettingProvider (guide)
4. Add tests for your changes
5. Submit a pull request

📄 License

This project is licensed under the MIT License.