Back to Downloads

AtlantHarden

v2.0.0WindowsFree
579Hardening Settings
354DISA STIG Controls
17Security Categories
3Quick Profiles
19ASR Rules
100%Free

Windows ships insecure by default: legacy SMBv1, cleartext credentials cached in memory, PowerShell with no logging, browsers that ignore enterprise policy, Office that runs macros from the internet. Fixing it by hand means hundreds of registry keys and Group Policy changes, one wrong value away from a system that will not boot.

Download Free (63.4 MB)Windows - x64 architecture - No account needed
AtlantHarden screenshot 1
AtlantHarden screenshot 2
AtlantHarden screenshot 3
AtlantHarden screenshot 4

Overview

But most hardening tools overcorrect. Blindly applying a full DISA STIG to a personal or power-user machine wrecks it: it disables your password manager, kills InPrivate, turns on Controlled Folder Access that blocks your own apps, and demands a BitLocker PIN on every boot, all for compliance checkboxes that add little real security.

AtlantHarden v2.0 is built around a smarter idea: stop how malware and attackers actually get in and run, and skip the friction that does not stop them. Comprehensive when you want it with the Maximum profile, sensible by default with Recommended. Every change is backed up automatically and fully reversible.

Features

599 hardening settings across registry, PowerShell, firewall, file associations, audit policy, and ASR rules
354 DISA STIG controls across Windows 11 (V2R7), Edge (V2R5), Chrome (V2R11), Firefox (V6R7), and Office 365 ProPlus (V3R5)
34 ACSC Essential Eight settings (July 2024) with live compliance scoring
3 one-click profiles: Basic (95 settings), Recommended (325), and Maximum (599), each fully reviewable before apply
Recommended profile is gaming and performance safe and leaves your password manager, InPrivate, and history working
19 Attack Surface Reduction rules blocking Office macros, ransomware, credential theft, and script droppers
LOLBin firewall rules blocking certutil, mshta, wscript, regsvr32, and wmic from the network
File association neutralization opening dangerous script types (.js, .vbs, .hta, .scr) as text
Browser hardening across Edge, Chrome, and Firefox simultaneously
PowerShell logging triad: script block + module + transcription
Registers itself as allowed for ASR and Controlled Folder Access so it never locks you out
Full backup with automatic pre-change snapshot, .reg export, and System Restore integration
Silent deployment via CLI for enterprise fleets, plus configuration import and export
One-click HTML security report with STIG and ACSC compliance metrics

Why Harden Windows 11?

Windows Defender is only partially enabled out of the box - 8 critical settings are left off
Attack Surface Reduction rules that block ransomware and credential theft are disabled by default
SMB signing, LDAP signing, and NTLMv2 enforcement are not configured - network attacks work out of the box
PowerShell logging is off - attackers run scripts with zero visibility
TLS 1.0 and 1.1 are still enabled - downgrade attacks work
Dangerous file extensions (.bat, .vbs, .ps1) execute on double-click

Choose Your Security Level

Basic (95 settings)

The highest-impact, effectively zero-friction core: ASR, Defender, SmartScreen, credential-theft protection. If you do nothing else, do this.

Recommended (318 settings)

The smart default. Stops real malware and exploitation while staying gaming and performance safe - it leaves your password manager, InPrivate, and history working.

Maximum (579 settings)

Everything, including the strict DISA STIG lockdowns. Full compliance for high-security and audited environments that want the friction.

Built-in Compliance Tracking

354 DISA STIG Controls

Across five products - Windows 11 (V2R7), Edge (V2R5), Chrome (V2R11), Firefox (V6R7), and Office 365 ProPlus (V3R5). Each setting tagged with its STIG ID, Vulnerability ID, and CCIs for direct cross-reference.

  • Live compliance percentage on dashboard
  • Per-setting STIG identification
  • HTML report export with full breakdown

ACSC Essential Eight

34 settings aligned to the Australian Cyber Security Centre's hardening guide. Priority levels match the ACSC classification.

  • Live ACSC compliance score
  • Essential Eight requirement tracking
  • Application control and macro security

What AtlantHarden Protects Against

19 Attack Surface Reduction Rules

Block Office macro abuse, ransomware behavior, credential theft from LSASS, obfuscated scripts, email executables, WMI abuse

LOLBin Firewall Rules

Block certutil, mshta, wmic, regsvr32 and other living-off-the-land binaries from making network connections

File Association Neutralization

Dangerous extensions (.bat, .cmd, .ps1, .reg, .vbs, .scr) open as text instead of executing

Browser Hardening (3 Engines)

Edge, Chrome, and Firefox hardened simultaneously - site isolation, TLS enforcement, PUA blocking, SmartScreen

Credential Protection

LSASS hardening, WDigest disabled, credential caching controls, Mimikatz defense

PowerShell Visibility

Script block logging + module logging + transcription. Full visibility into every command executed

Silent Deployment for IT Teams

AtlantHarden.exe --config policy.json --apply --silent

Create your gold image policy once in the GUI, export it, deploy across your entire fleet. Exit code 0 = success, 1 = error.

Every Change is Reversible

Automatic backups before every apply. Registry-level precision stores the exact original value. One-click restore. Windows System Restore Point integration. Up to 20 backups stored locally.

Backup format: .reg (double-click Windows restore) + JSON. Self-protection registers the app as allowed for ASR and Controlled Folder Access so it never locks itself out.

Download AtlantHarden

63.4 MB - Windows - Free - No account required

Download Now

System Requirements

  • Windows 10 (1709 or later) or Windows 11
  • x64 architecture
  • Administrator privileges
  • Self-contained, no .NET runtime install required

Release Notes

v2.0.02026-06-25
  • Expanded to 599 hardening settings (up from 193) across 17 categories
  • 354 DISA STIG controls across five products: Windows 11 V2R7, Edge V2R5, Chrome V2R11, Firefox V6R7, and Office 365 ProPlus V3R5, each tagged with STIG ID, Vulnerability ID, and CCIs
  • Per-product STIG compliance dashboard with CAT I/II/III filtering and bulk select
  • Reworked profiles: Basic (95), Recommended (325), and Maximum (599), replacing the previous four-profile model
  • Recommended profile redesigned to stop real malware and exploitation while staying gaming and performance safe and leaving usability features intact
  • Self-protection: registers as an allowed app for ASR and Controlled Folder Access so it can always be relaunched to revert changes
  • Self-contained executable, no .NET runtime install required
  • STIG catalog now sourced from an auditable, regenerable PowerSTIG-based catalog refreshed quarterly
v1.1.02026-03-15
  • 193+ hardening settings across 17 categories
  • DISA STIG V2R3 compliance framework with per-setting tracking
  • ACSC Essential Eight (July 2024) compliance framework
  • 4 quick profiles: Basic, Recommended, Maximum, Gaming
  • Silent deployment with --config, --apply, --silent flags
  • HTML security report generation
  • Configuration import/export
Important: AtlantHarden modifies Windows security settings at the registry level. Always create a System Restore Point before your first run. Enabling Maximum profile will significantly change system behavior - review high-risk settings individually.