Documents Anti-Exploit tool

[Andy Ful]

"Documents Anti-Exploit" tool is available on Hard_Configurator GitHub webpage:

• For 64-bit Windows: AndyFul/Hard_Configurator
• For 32-bit Windows :AndyFul/Hard_Configurator

"Documents Anti-Exploit" tool can be used to harden MS Office and Adobe Acrobat Reader XI/DC applications. It is focused on the current account from which was started. So, the user can apply the different restrictions on the different accounts.

In MS Office, the below settings are applied (valid up to MS Office 2016):

1. Disabled Macros in MS Office XP and MS Office 2003+ (Word, Excel, PowerPoint, Access, Publisher, and Outlook).
2. Disabled Access to Visual Basic Object Model (VBOM) in MS Office 2007+ (Access, Excel, PowerPoint, and Word).
3. Disabled DDE in Word 2007+ (requires Windows Updates pushed in January 2018, see Microsoft Security Advisory ADV170021).
4. Disabled auto-update for any linked fields (including DDE and OLE) in Word 2007+, Excel 2007+, Outlook 2007+, OneNote 2013+.
5. Disabled ActiveX in MS Office 2007+.
6. Disabled OLE in MS Office 2007+ (Word, Excel, PowerPoint).
7. Disabled ‘Run Programs’ option for action buttons in PowerPoint 2007+.
8. Disabled automatic download of linked images in PowerPoint 2007+.
9. Disabled Trust Bar notifications in MS Office 2007+.
10. The restrictions can be also applied as policies, so they cannot be changed by the malware which is running with medium rights (or lower). Those restrictions cannot be also changed via the settings panel in MS Office applications.

In Adobe Acrobat Reader XI/DC, the below settings are applied:

1. The dangerous features in Adobe Acrobat Reader DC (version from the year 2018 at least) on Windows 8.1/10 can be blocked with the ‘Yellow Message Bar’, and if allowed by the user, then silently mitigated in AppContainer.
2. The dangerous features in Adobe Acrobat Reader XI (all Windows versions) and Adobe Acrobat Reader DC (Windows 8 and prior versions) can be blocked with the ‘Yellow Message Bar’ (the user can allow them).
3. The restrictions apply for the current account and overwrite native settings in Adobe Acrobat Reader XI/DC.
4. The user can apply different restrictions on different accounts.

'Documents Anti-Exploit' tool is portable, but before removing from the computer, the user should apply the settings: <MSOffice>=OFF and <AdobeAcrobatReader>=OFF, on his/her accounts to recover default values of changed settings. If not, then a few settings can be locked (non-configurable) in MS Office applications.

 

[bribon77]

Serves for W7?

 

[Eddie Morra]

Good work, this will save people time when they need to enable/disable on-the-go.

 

[bribon77]

Serves for W7?

I just run it on W7 it seems that it works.

 

[Andy Ful]

Serves for W7?

Yes.

 

[ForgottenSeer 72227]

Good job another great tool!:emoji_clap:

Sorry if this is a dumb question and sorry if I missed the answer somewhere, what is the difference between ON 1 and ON 2?

 

[DeepWeb]

It would be nice if Microsoft had these features disabled by default until people want to enable them. But you guys already know what I think of that company.

 

[Andy Ful]

Good job another great tool!:emoji_clap:

Sorry if this is a dumb question and sorry if I missed the answer somewhere, what is the difference between ON 1 and ON 2?

You can get the helpful information when pressing the green buttons <MS Office> or <Adobe Acrobat Reader>. ON1 and ON2 settings relate to MS Office.

ON1 - restrictions can be modified inside MS Office applications. If you change some security settings inside MS Office and next run DocumentsAntiExploit, then it will show 'Partial' instead of ON1.
ON2 - restrictions are applied as policies; cannot be modified inside MS Office applications and by malware running with medium rights (or lower).
OFF2 - restrictions applied by policies are removed; the previously set non-policy restrictions are applied.

The ON2 setting does not overwrite the non-policy restrictions made in MS Office applications - you can see ON2 settings in MS Office but the non-policy restrictions survive in the Registry. So, inside MS Office you can set the favorite non-policy restrictions R1 and quickly switch between R1 and ON2 by using DocumentAntiExploit OFF2 and ON2 settings.

 

[ForgottenSeer 72227]

You can get the helpful information when pressing the green buttons <MS Office> or <Adobe Acrobat Reader>. ON1 and ON2 settings relate to MS Office.

ON1 - restrictions can be modified inside MS Office applications. If you change some security settings inside MS Office and next run DocumentsAntiExploit, then it will show 'Partial' instead of ON1.
ON2 - restrictions are applied as policies; cannot be modified inside MS Office applications and by malware running with medium rights (or lower).
OFF2 - restrictions applied by policies are removed; the previously set non-policy restrictions are applied.

The ON2 setting does not overwrite the non-policy restrictions made in MS Office applications - you can see ON2 settings in MS Office but the non-policy restrictions survive in the Registry. So, inside MS Office you can set the favorite non-policy restrictions R1 and quickly switch between R1 and ON2 by using DocumentAntiExploit OFF2 and ON2 settings.

Thanks for the clarification

 

[shmu26]

You need to run it in each and every user account for which you want to change settings, correct?

 

[Andy Ful]

You need to run it in each and every user account for which you want to change settings, correct?

Yes.

 

[shmu26]

It's a great tool. Once you set On2 for MS Office, for a certain user, you don't have to worry any more about him getting tricked into enabling macros.

 

[Andy Ful]

It's a great tool. Once you set On2 for MS Office, for a certain user, you don't have to worry any more about him getting tricked into enabling macros.

How it works with your template in Word as compared to VBAOFF feature in Hard_Configurator?

 

[shmu26]

How it works with your template in Word as compared to VBAOFF feature in Hard_Configurator?

No problems at all with Documents Anti-Exploit tool

 

[Andy Ful]

No problems at all with Documents Anti-Exploit tool

The VBAOFF + WD ASR setup is more restrictive.

 

[Burrito]

...

Andy Ful is a great asset to MT.

Thank you.

 

[shmu26]

Andy Ful is a great asset to MT.

Thank you.

+1

 

[ichito]

DAE?...it's nice idea Is it compatibile with Vista also?...Hard Configurator was...as I remember...only partialy, but was

 

[Andy Ful]

DAE?...it's nice idea Is it compatibile with Vista also?...Hard Configurator was...as I remember...only partialy, but was

Both H_C and DAE are compatible with Windows Vista. In H_C one can load the predefined settings for Windows 7. Some tweaks in H_C are not supported in Windows Vista - they are shown as gray out (disabled). All MS Office tweaks should work well on Vista - the latest tweak for DDE is available for fully updated Windows Vista.

 

[Andy Ful]

I did not mention one simple advice. MS Office and Adobe Acrobat Reader are great products. They have many automation features which can be useful to Enterprise Administrators, but also many hidden vulnerabilities that can be exploited by the malc0ders. Using MS Office or Adobe Acrobat Reader is like going to the shop (around the corner) in the race car to buy a banana.
The best solution for the home user would be uninstalling both MS Office and Adobe Acrobat Reader.
It is always simpler to use something without vulnerable features, than using the product with disabled vulnerable features.
So, please use "Document Anti-Exploit tool" only when you have to use MS Office or Adobe Acrobat Reader.:emoji_pray: