App Review Beginning test of WHH at max settings per Andy Ful + OSArmor at max settings in DMZ

Product name
WHH, OSArmor, Windows Defender and Windows Firewall
Installation (rating)
5.00 star(s)
User interface (rating)
5.00 star(s)
Accessibility notes
n/a
Performance (rating)
5.00 star(s)
Core Protection (rating)
3.00 star(s)
Proactive protection (rating)
3.00 star(s)
Additional Protection notes
Note that WHH comes with ConfigureDefender and FirewallHardening. It also comes with Document AntiExploit, which I did not use because no MS Office is on the machine.
Browser protection (rating)
1.00 star(s)
Positives
    • Easy to use
    • Great value for money
Negatives
    • Not as many features as some competitors
Time spent using product
Reviewed for less than 24 hours
Computer specs
AMD Ryzen 5, 8 GB ram, 512 GB SSD. Ethernet USB dongle.
Recommended for
  1. All types of users
Overall rating
3.00 star(s)

Victor M

Level 16
Thread author
Verified
Top Poster
Well-known
Oct 3, 2022
760
Hi Everyone,

Am now performing a test of MS Windows Security Baseline + WHH at max settings per Andy Ful + OSArmor at all protections=ON. I am placing the laptop in the DMZ. As you probably know, being in the DMZ means the laptop will only be protected by its own Windows Defender firewall and the modem+router will allow all access to it, bypassing NAT protection.

I would say it is a fair test of the capabilities of MS Windows Sec Baseline and WHH and OSArmor and Windows Defender and Defender firewall as if the laptop was at a coffee shop.

To install the MS Sec Baseline 24H2, download it along with LGPO.zip. Extract and place LGPO.exe into \Downloads\Baseline\Final\Scripts\Tools. Then issue these PowerShell commands from the Scripts directory:
set-executionpolicy remotesigned
.\baseline-localinstall.ps1 -win11nondomainjoined
(When script is finished) set-executionpolicy restricted

Then I made one change to the group policy that the baseline set:
gpedit
> Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender AV > MpEngine > set cloud protection level = zero tolerance

Here are Andy's recommended settings:

Additionally:
  • ConfigureDefender set to MAX Protection Level
  • FirewallHardening set to LOLBins block list
The laptop was previously using Linux and has no previous infections. Windows 11 was installed while offline using the BypassNRO registry setting. WiFi disabled in BIOS. And it was patched with the Mar 2025 Cumulative security patch obtained previously from the MS Update Catalog web site. So the machine was totally offline during install & setup.

Since OSArmor has every protection checked, I had to make some exclusions to run Settings and other things. But the exclusions are all removed prior to being online except for the one for Settings. And OSArmor is password protected.

Andy did suggest enhancing WDAC by using WDAC Wizard; but I wanted to test WHH with its path-based WDAC and SRP settings. OSArmor was deployed to provide some hindrance for the attacker.

Let's see how long it survives. There used to be lots of attack scans on the net looking for various vulnerabilities and Windows default openings. I was feeling a little naked so added NoVirusThanks SysHardener at max settings. I also set up PIN access for the 2 accounts.
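The OP's setup relies on the host firewall, the Defender cloud block level set through gpedit, and the ConfigureDefender/WHH settings all being in effect at the same time once the laptop sits in the DMZ with no NAT in front of it. The script below is an added example, not part of the post or of WHH/ConfigureDefender, that reads back the effective state of each of those layers so the tester can confirm what is actually protecting the machine before exposing it. It assumes an elevated PowerShell session on Windows 11 and the registry mapping noted in the comments for MpCloudBlockLevel (0 = default, 2 = high, 4 = high+, 6 = zero tolerance).

```powershell
# Added example (not from the original post): read back the effective state of the
# host-only defences the laptop relies on once it is in the DMZ. Run elevated.
# Registry mapping for MpCloudBlockLevel below is my assumption from the policy ADMX.

$report = [ordered]@{}

# 1. Host firewall profiles: with no NAT in front, every profile must be enabled and
#    must block inbound by default.
$report.FirewallProfiles = Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

# 2. Enabled inbound ALLOW rules. Each one is a reachable listener in the DMZ,
#    so this list should be as short as the machine's role permits.
$report.InboundAllowRules = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule      = $_.DisplayName
            Profile   = $_.Profile
            Protocol  = $pf.Protocol
            LocalPort = ($pf.LocalPort -join ',')
        }
    }

# 3. Defender cloud block level: the GPO-backed policy value (what gpedit under
#    MpEngine writes) next to what the engine reports as effective.
$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine'
$policyLevel = (Get-ItemProperty -Path $policyKey -Name MpCloudBlockLevel -ErrorAction SilentlyContinue).MpCloudBlockLevel
$pref = Get-MpPreference
$report.CloudBlockLevel = [pscustomobject]@{
    PolicyRegistry   = $policyLevel            # assumed: 0 default, 2 high, 4 high+, 6 zero tolerance
    EffectiveSetting = $pref.CloudBlockLevel
    MAPSReporting    = $pref.MAPSReporting     # 2 = advanced; the block level only matters with MAPS on
    SampleSubmission = $pref.SubmitSamplesConsent
}

# 4. The toggles ConfigureDefender MAX is expected to have set.
$report.Defender = [pscustomobject]@{
    RealTime          = -not $pref.DisableRealtimeMonitoring
    PUAProtection     = $pref.PUAProtection
    NetworkProtection = $pref.EnableNetworkProtection
    ControlledFolders = $pref.EnableControlledFolderAccess
    AsrRuleCount      = @($pref.AttackSurfaceReductionRules_Ids).Count
    AsrBlockCount     = @($pref.AttackSurfaceReductionRules_Actions | Where-Object { $_ -eq 1 }).Count
    TamperProtected   = (Get-MpComputerStatus).IsTamperProtected
}

# 5. Every value under the Defender policy hive was written by GPO (the baseline or
#    gpedit) and takes precedence over the non-policy settings ConfigureDefender/WHH use.
#    A populated list here is the overlap Andy warns about in this thread.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$report.DefenderPolicyValues = @(Get-Item -Path $policyRoot -ErrorAction SilentlyContinue) +
    @(Get-ChildItem -Path $policyRoot -Recurse -ErrorAction SilentlyContinue) |
    ForEach-Object {
        $k = $_
        $k.GetValueNames() | ForEach-Object {
            [pscustomobject]@{ Key = $k.PSChildName; Name = $_; Value = $k.GetValue($_) }
        }
    }

# 6. Execution policy should be back to Restricted once the baseline script has run.
$report.ExecutionPolicy = Get-ExecutionPolicy -List

$report.GetEnumerator() | ForEach-Object {
    "`n=== $($_.Key) ==="
    $_.Value | Format-Table -AutoSize | Out-String
}
```

Running this before and after applying each tool (baseline, WHH, ConfigureDefender, the gpedit change) shows which step last wrote each value, which is the ordering question raised later in the thread.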

Bot

AI-powered Bot
Apr 21, 2016
4,793
Sounds like a thorough test setup! It will be interesting to see how the combination of MS Windows Security Baseline, WHH, and OSArmor performs in a DMZ environment. Please keep us updated on the results and any issues you encounter during the testing process. Good luck!

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,827
@Victor M,

Thanks for testing. (y)

Applying GPO policies requires attention:



From the OP it follows that you possibly applied the GPO setting for Defender after applying WHHLight settings. In such a case, most of the SWH settings were inactivated.
The features and settings used in the WHHLight package are adjusted to the non-enterprise environment (mainly for Windows Home). Using GPO on Windows Pro and other tools requires caution.

I do not plan to extend WHHLight for use in the enterprise environment. Some policies from the Security Baseline can invalidate the settings in WHHLight (like PowerShell script blocking, etc.).

Some more information about the testing methodology and attack vectors would be welcome. :)

Against targeted attacks (probably used in your test) one should use EDR/MDR solutions instead of Microsoft Defender. In such attacks, administrators must use a console that alerts about correlated suspicious actions, so administrators can decide (with the possible help of AI) which actions should be blocked. Without such features, the efficient protection would be unusable (too many blocks).

My suggestion about using an additional WDAC policy is related to the scenario when the computer was already compromised. The WDAC policy in Audit Mode, which allows only Windows native processes, can help to identify non-native drivers and processes. However, this requires extended knowledge of Windows, so I did not include it in WHHLight.

Post updated.
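Andy describes a WDAC policy in Audit Mode that allows only Windows-native code and is used to surface non-native drivers and processes on a possibly compromised machine. The script below is an added example of that workflow, not Andy's or WHHLight's code: it starts from the DefaultWindows_Audit example policy that ships with Windows, makes sure the Audit Mode rule option is set, deploys it, and then summarises what the Code Integrity log says would have been blocked. Audit mode blocks nothing, so it is safe to run on a machine that is being investigated. It assumes an elevated session on Windows 11 22H2 or later (for CiTool), the working directory C:\WDACAudit, and the event data field names "File Name" and "Process Name" for event 3076; those three are my assumptions.

```powershell
# Added example (not Andy's or WHHLight's code): WDAC audit-only policy that allows only
# Windows/Microsoft-signed code, then a summary of what it would have blocked.
# Assumed: Windows 11 22H2+ (CiTool), working dir C:\WDACAudit, 3076 event field names.

$work = 'C:\WDACAudit'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# DefaultWindows_Audit is the example policy shipped with Windows that permits the
# Windows platform and Microsoft-signed components only.
$base = "$env:windir\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Audit.xml"
$xml  = Join-Path $work 'NativeOnly_Audit.xml'
Copy-Item -Path $base -Destination $xml -Force

# Give the copy its own policy ID (multiple-policy format) and a readable name.
Set-CIPolicyIdInfo -FilePath $xml -ResetPolicyID -PolicyName 'NativeOnly_Audit' | Out-Null

# Rule option 3 is "Enabled:Audit Mode". Setting it explicitly guarantees nothing is
# enforced even if the example policy changes in a future Windows build.
Set-RuleOption -FilePath $xml -Option 3

# The deployed binary is named after the PolicyID (braces included) from the XML.
$policyId = ([xml](Get-Content -Path $xml -Raw)).SiPolicy.PolicyID
$cip = Join-Path $work "$policyId.cip"
ConvertFrom-CIPolicy -XmlFilePath $xml -BinaryFilePath $cip | Out-Null

# Deploy (audit only). To back it out later: CiTool --remove-policy $policyId
& "$env:windir\System32\CiTool.exe" --update-policy $cip

# After the machine has been used for a while, summarise the audit events.
# 3076 = would have been blocked (audit mode); 3077 = actually blocked (enforced mode,
# should not appear here). Each record names the file and the process that loaded it.
function Get-WdacAuditSummary {
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id      = 3076
    } -ErrorAction SilentlyContinue

    $events | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            File    = $d['File Name']      # assumed field name
            Process = $d['Process Name']   # assumed field name
        }
    } | Group-Object -Property File | Sort-Object -Property Count -Descending |
        Select-Object Count, Name
}

Get-WdacAuditSummary | Format-Table -AutoSize
```

Anything that appears in the summary is code outside the Windows-native set: on a clean machine that is the third-party software the user installed (including the hardening tools from this thread), so the list is reviewed against the known install history and anything unexplained is what Andy's suggestion is meant to surface.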

oldschool

Level 85
Verified
Top Poster
Well-known
Mar 29, 2018
7,910
@Victor M I don't follow your logic here because you're combining so many conflicting protections, as @Andy Ful pointed out re: GPO.
you possibly applied GPO setting for Defender after applying WHHLight settings. In such a case, most of the SWH settings were inactivated. ... Using GPO on Windows Pro and other tools requires caution.
Why OSArmor and SysHardener?

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,827
Hi Everyone,

I am placing the laptop in the DMZ. As you probably know, being in the DMZ means the laptop will only be protected by it's own Windows Defender firewall and the modem+router will allow all access to it bypassing NAT protection.

Such a scenario is kinda similar to lateral movement in the enterprise network, when the attacker has already compromised the local network and tries to infect the computer.
The WHHLight settings are not adjusted to this scenario. They are adjusted to protect the computer from accidental infections initiated by the user.
In other words, WHHLight is a well-trained boxer who can fight in the ring but would need additional training/skills/accessories to fight in the skating rink. :)(y)
It would be possible to apply another set of WDAC policies and increase the resilience in the compromised environment, but this is beyond the scope of WHHLight.

The laptop in the DMZ is exposed to tens of hacker attacks in a short time. I do not know of a usable security solution that could be efficient in the scenario from the OP. Even the known EDR/MDR solutions are not especially effective. That is why the Zero Trust security model is now recommended in the enterprise environment.

Victor M

Level 16
Thread author
Verified
Top Poster
Well-known
Oct 3, 2022
760
WHHLight settings are not adjusted to this scenario.
OK I stopped the test.

@Andy Ful No Andy, I applied the MS Security Baseline as the first thing.
But Andy, isn't this test the same as taking your laptop to an internet cafe? Maybe you can make a WHH version that is suitable for use in internet cafes? (not a home-bound desktop)

@oldschool This is not really a test aimed at testing WHH or anything in particular. I just want to set up a laptop using free tools that has some semblance of security for use in Starbucks.

I know that there are sometimes hackers at cafes. But that's life, and I want to make full use of my laptop's portability. I currently have Qubes on my main laptop which seems to have ok security I think. But I want to use Windows like every joe blow.

Whatever works is good. I selected these free tools for testing mainly because they are easy to set up; it just requires ~30 mins. My hardened setup requires 4-5 hrs of setup and configuring + the cost of paid tools. So I am looking for alternatives.

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,827
OK I stopped the test.

Please do not do it. Only such extreme environments can say something interesting about WHHLight MAX settings. In a standard environment, it can be hardly bypassed.

@Andy Ful No Andy, I applied the MS Security Baseline as the first thing.

You also used GPO to set Cloud Protection Level.

But Andy, isn't this test the same as taking your laptop to an internet cafe?

Yes, if there are 100 experienced hackers in the cafe. :)

Maybe you can make a WHH version that is suitable for use in internet cafes? (not a home-bound desktop)

This can depend on what the attackers could do in your test. It is an interesting thread; let's continue with more details. (y)