App Review Beginning test of WHH at max settings per Andy Ful + OSArmor + SysHardener + Sysmon in DMZ

[Victor M]

Hi Everyone,

Am now performing a test of MS Windows Security Baseline + WHH at max settings per Andy Ful + OSArmor at all protections=ON. I am placing the laptop in the DMZ. As you probably know, being in the DMZ means the laptop will only be protected by it's own Windows Defender firewall and the modem+router will allow all access to it bypassing NAT protection.

I would say it is a fair test of the capabilities of MS Windows Sec Baseline and WHH and OSArmor and Windows Defender and Defender firewall as if the laptop was at a coffee shop.

To install the MS Sec Baseline 24H2, download it along with LGPO.zip. Extract and place LGPO.exe into \Downloads\Baseline\Final\Scripts\Tools. Then issue these powershell commands from the Script directory:
set-executionpolicy remotesigned
baseline-localinstall.ps1 -win11nondomainjoined
(When script is finished) set-executionpolicy restricted

Then I made one change to the group policy that the baseline set:
gpedit
> Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender AV > MpEngine > set cloud protection level = zero tolerance

Here are Andy's recommended settings:

https://malwaretips.com/attachments/1741429232573-png.287634/

https://malwaretips.com/attachments/1741429360330-png.287635/

https://malwaretips.com/attachments/1741429560622-png.287637/

https://malwaretips.com/attachments/1741453695897-png.287639/

Additionally:

• ConfigureDefender set to MAX Protection Level
• FirewallHardening set to LOLBins block list

The laptop was previously using Linux and no has no previous infections. Windows 11 was installed while offline using the BypassNRO registry setting. WiFi disabled in BIOS. And it was patched with Mar 2025 Cumulative security patch obtained previously from MS Update Catalog web site. So the machine was totaly offline during install & setup.

Since OSArmor has every protection checked, I had to make some exclusions to run Settings and other things. But the exclusions are all removed prior to being online except for the one for Settings. And OSArmor is password protected.

Andy did suggest to enhance WDAC by using WDAC Wizard; but I wanted to test WHH with it's path based WDAC and SRP settings. OSArmor was deployed to provide some hindrance for the attacker.

Lets see how long it survivies. There used to be lots of attack scans on the net looking for various vulnerabilities and Windows default openings. I was feeling a little naked so added NoVirusThanks SysHardener.max settings. I also setup PIN access for the 2 accounts.

 

[Bot]

Sounds like a thorough test setup! It will be interesting to see how the combination of MS Windows Security Baseline, WHH, and OSArmor performs in a DMZ environment. Please keep us updated on the results and any issues you encounter during the testing process. Good luck!

 

[Andy Ful]

@Victor M,

Thanks for testing.

Applying GPO policies requires attention:

From OP it follows that you possibly applied GPO setting for Defender after applying WHHLight settings. In such a case, most of the SWH settings were inactivated.
The features and settings used in the WHHLight package are adjusted to the non-enterprise environment (mainly for Windows Home). Using GPO on Windows Pro and other tools requires caution.

I do not plan to extend WHHLight for use in the enterprise environment. Some policies from the Security Baseline can invalidate the settings in WHHLight (like PowerShell script blocking, etc.).

Some more information about the testing methodology and attack vectors would be welcome.

Against targeted attacks (probably used in your test) one should use EDR/MDR solutions instead of Microsoft Defender. In such attacks, administrators must use a console that alerts about correlated suspicious actions. So Administrators can decide (with the possible help of AI) which actions should be blocked. Without such features, the efficient protection would be unusable (too many blocks).

My suggestion about using an additional WDAC policy is related to the scenario when the computer was already compromised. The WDAC policy in Audit Mode which allows only Windows native processes, can help to identify non-native drivers and processes. However, this requires extended knowledge of Windows, so I did not include it in WHHLight.

Post updated.

 

[oldschool]

@Victor M I don't follow your logic here because you're combining so many conflicting protections, as @Andy Ful pointed out re: GPO.

you possibly applied GPO setting for Defender after applying WHHLight settings. In such a case, most of the SWH settings were inactivated. ... Using GPO on Windows Pro and other tools requires caution.

Why OSArmor and SysHardener?

 

[Andy Ful]

Hi Everyone,

I am placing the laptop in the DMZ. As you probably know, being in the DMZ means the laptop will only be protected by it's own Windows Defender firewall and the modem+router will allow all access to it bypassing NAT protection.

Such a scenario is kinda similar to lateral movement in the enterprise network when the attacker already compromised the local network and tries to infect the computer.
The WHHLight settings are not adjusted to this scenario. They are adjusted to protect the computer from accidental infections initiated by the user.
In other words, WHHLight is a well-trained boxer who can fight in the ring but would need additional training/skills/accessories to fight in the skating ring.
It would be possible to apply another set of WDAC policies and increase the resilience in the compromised environment, but this is beyond the scope of WHHLight.

The laptop in DMZ is exposed to tenths of hacker attacks in a short time. I do not know the usable security solution that could be efficient in the scenario from the OP. Even the known EDR/MDR solutions are not especially effective. That is why the Zero Trust security model is now recommended in the enterprise environment.

 

[Victor M]

WHHLight settings are not adjusted to this scenario.

OK I stopped the test.

@Andy Ful No Andy, I applied the MS Security Baseline as the first thing.
But Andy, isn't this test the same as taking your laptop to an internet cafe ? Maybe you can make a WHH version that is suitable for use in internet cafes? ( not a home bound desktop )

@oldschool This is not really a test aimed at testing WHH or anything in particular. I just want to setup a laptop using Free Tools, that has some semblance of security for use in StarBucks.

I know that there are sometimes hackers at cafes. But that's life, and I want to make full use of my laptop's portability. I currently have Qubes on my main laptop which seems to have ok security I think. But I want to use Windows like every joe blow.

Whatever works is good. I selected these free tools for testing mainly because they are easy to setup, it just requires ~30 mins. My hardened setup requires 4-5 hrs of setup and configuring + the cost of paid tools. So I am looking for alternatives.

 

[Andy Ful]

OK I stopped the test.

Please do not do it. Only such extreme environments can say something interesting about WHHLight MAX settings. In a standard environment, it can be hardly bypassed.

@Andy Ful No Andy, I applied the MS Security Baseline as the first thing.

You also used GPO to set Cloud Protection Level.

But Andy, isn't this test the same as taking your laptop to an internet cafe ?

Yes, if there are 100 experienced hackers in the cafe.

Maybe you can make a WHH version that is suitable for use in internet cafes? ( not a home bound desktop )

This can depend on what the attackers could do in your test. It is an interesting thread let's continue with more details.

 

[oldschool]

You might consider one hardening package using @SpyNetGirl 's

Added GUI (Graphical UI) For the Harden Windows Security Module/Script

Hey everyone! few days ago I added a GUI to the Harden Windows Security module and script, now you can use them easier. There is no dependency or any new file to download, you can even run the GUI directly from GitHub as before. Here is a demo video GitHub repository with all the info...

malwaretips.com

 

[Vitali Ortzi]

You might consider one hardening package using @SpyNetGirl 's

Added GUI (Graphical UI) For the Harden Windows Security Module/Script

Hey everyone! few days ago I added a GUI to the Harden Windows Security module and script, now you can use them easier. There is no dependency or any new file to download, you can even run the GUI directly from GitHub as before. Here is a demo video GitHub repository with all the info...

malwaretips.com

Yes that's what you are supposed to use in enterprise like environment like here as Andy tools is more home use optimized and may lack some extra measures an enterprise environment will have to harden too

 

[Victor M]

Andy made me nervous when he said WHH is not for this scenario.

So I am adding SysInternals Sysmon with kill exe settings. It kills all exe on drop.

 

[Andy Ful]

@Victor M,

You must be sure what was compromised. Without NAT support, the first suspect is your network device.
How did you create the testing environment (laptop in the DMZ)?
Is your network device exposed to attacks/exploits from the outside of your testing environment?

Other important questions:

• What indicators of compromise did you notice?
• Were the settings of WHHLight + tools, changed or disabled?

 

[Andy Ful]

Andy made me nervous when he said WHH is not for this scenario.

So I am adding SysInternals Sysmon with kill exe settings. It kills all exe on drop.

When I wrote that WHHLight is not optimal for this scenario, I had in mind network device exploits, abusing opened ports, DNS poisoning, MITM attacks, firewall exploits, abusing vulnerable protocols or system processes, etc. Hackers often use methods that avoid dropping EXE files. Furthermore, the execution of dropped EXE would be blocked by WHHLight.
Let's find out more about what was compromised in your testing environment. Inspecting the Sysmon Logs and WHHLight tools Logs could help.

 

[Victor M]

Results are in ! HACKED.

\Windows\system32\notepad is not accessible. can't be run when double clicked. When clicking on a txt, it says cannot find the txt.
Explorer seems to have 2 versions, one with tabs, another one without. So the notepad problem may be an replaced/misconfigured explorer.
Defender firewall log is deleted. Should be at \windows\system32\logfiles\firewall. nothing there.
Defender firewall logging setting changed, Deny Logging is no longer specified as Yes

So I installed notepad++ copy to windows\system32, renamed it notepad.exe, still couldnt run. So I thnk it is because of the replaced Explorer.
@Andy Ful . Where are the WHH log files stored ? So I can use notepad++ to view them?

Andy, I PM'd you the full sysmon events evtx.

 

[Andy Ful]

The WHHLight tools Logs (no installed Hard_Configurator):

EXE/DLL and MSI Logs use the same file which is each time replaced by the new content:
%LocalAppdata%\Temp\WDAC_BlockedEvents.log

PowerShell and SRP Logs use the same file which is each time replaced by the new content::
%LocalAppdata%\Temp\SWH_BlockedEvents.log

FirewallHardening Log
c:\Windows\Temp\??????????????????\0\Firewall.log

ConfigureDefender:
c:\Windows\Temp\??????????????????\0\Defender.log

If H_C is installed:
c:\Windows\Hard_Configurator\Temp\FirewallHardening\0\Firewall.log

 

[Andy Ful]

Are WHHLight + ConfigureDefender + FirewallHardening settings changed?

 

[Victor M]

in WHH the middle slider fir SmartScreen was turned ON. I had it to off before.

Configure Defender: Admin SmartScreen for Explorer: reduced to Warn

Can't tell if Firewall Hardening was changed because I did not copy down your LoL Bin settings beforehand.

 

[Andy Ful]

Can't tell if Firewall Hardening was changed because I did not copy down your LoL Bin settings beforehand.

You can count the number of entries.
What about the FirewallHardening Log?
Did you see any alerts when running WHHLight?

 

[rashmi]

Configure Defender: Admin SmartScreen for Explorer: reduced to Warn

I have the same on my system; I believe turning ON WDAC in WHHLight switches the SmartScreen for Explorer setting in ConfigureDefender to Warn.

 

[Andy Ful]

I have the same on my system; I believe turning ON WDAC in WHHLight switches the SmartScreen for Explorer setting in ConfigureDefender to Warn.

Yes, you are right.

 

[Victor M]

Hi Andy,

167 items in FirewallHardening

I forgot to turn on Logging for Firewall Control, I only tried to log Defender firewall, and the log was gone.