Public/Enable-IEHardening.ps1

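function Enable-IEHardening {
    <#
    .SYNOPSIS
        Sets registry keys that harden Internet Explorer against exception handler attacks.
    .DESCRIPTION
        Ensures the FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING feature control registry
        key exists in both the 64-bit and 32-bit (Wow6432Node) hives and sets the iexplore.exe
        value to 1 (DWord) in each. Entries that other processes already have under the same
        feature key are left in place.
        Changes take effect on the next launch of Internet Explorer.
    .INPUTS
        None. Parameters must be supplied directly.
    .OUTPUTS
        None.
    .PARAMETER ComputerName
        The target computer. Defaults to the local machine. The local computer name,
        'localhost', '127.0.0.1', '::1' and '.' are handled in-process; any other value is
        reached with Invoke-Command.
    .EXAMPLE
        Enable-IEHardening

        Applies the IE hardening registry keys on the local machine.
    .EXAMPLE
        Enable-IEHardening -ComputerName 'Workstation01' -WhatIf

        Previews the registry changes on Workstation01 without applying them.
    .NOTES
        Requires Administrator privileges.
        Remote operations require WinRM to be configured on the target machine.
        Run from a 64-bit PowerShell host: in a 32-bit process on 64-bit Windows, registry
        redirection maps HKLM:\SOFTWARE to Wow6432Node, so the 64-bit hive would not be written.
        Any registry or remoting failure is raised as a terminating error, so the verbose
        success message is only emitted when every write succeeded.
    #>


    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'Medium')]
    [OutputType([void])]

    param (
        [Parameter(Mandatory = $false)]
        [ValidateNotNullOrEmpty()]
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # Names that all mean "this machine"; -contains compares case-insensitively.
    $localNames = @($env:COMPUTERNAME, 'localhost', '127.0.0.1', '::1', '.')
    $isLocal = $localNames -contains $ComputerName

    $featureName = 'FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING'
    $key64 = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\$featureName"
    $key32 = "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\$featureName"

    if ($PSCmdlet.ShouldProcess($ComputerName, "Set $featureName = 1 for iexplore.exe (64-bit and 32-bit)")) {
        # Self-contained so the same script block can run locally or in a remote session.
        $work = {
            param($k64, $k32)
            foreach ($key in @($k64, $k32)) {
                # New-Item -Force recreates an existing registry key and discards the values
                # already stored under it, which would silently drop the hardening entries of
                # other processes. Create the key only when it is missing.
                if (-not (Test-Path -LiteralPath $key)) {
                    New-Item -Path $key -Force -ErrorAction Stop | Out-Null
                }

                # -Force here only overwrites the single iexplore.exe value.
                New-ItemProperty -Path $key -Name 'iexplore.exe' -Value 1 -PropertyType DWord -Force -ErrorAction Stop | Out-Null
            }
        }

        if ($isLocal) {
            & $work $key64 $key32
        } else {
            # -ErrorAction Stop turns remote failures into terminating errors, so a failed
            # write is not followed by the success message below.
            Invoke-Command -ComputerName $ComputerName -ScriptBlock $work -ArgumentList $key64, $key32 -ErrorAction Stop
        }

        Write-Verbose "IE hardening registry keys applied on '$ComputerName'."
    }
}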