Hard_Configurator - Windows Hardening Configurator

[Andy Ful]

@Andy Ful

Came across something interesting when I was converting a word document to PDF and later deleting the PDF.

• Trying to convert an existing word document to PDF using Microsoft Word 2013 would not go through.
  • The word document was under a protected folder and the PDF was going to be saved under the same directory.
  • Protection history lists WINWORD.EXE as the app/process.
  • I allowed the process via Protection history.
  • An entry in ConfigureDefender CFA exclusions is now listed: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE
• Later when trying to delete the PDF document, the deletion was blocked.
  • Protection history lists explorer.exe as the app/process.
  • I allowed the process via Protection history.
  • An entry in ConfigureDefender CFA exclusions list is now listed: C:\Windows\explorer.exe

My questions are:

• What caused CFA to trigger these blocks in H_C 5.1.1.1/.2?
  • I did the same actions as above on Friday and they weren't blocked. I can't remember if this was before or after I updated to version 5.1.1.1/.2.
• Do the explorer.exe and winword.exe CFA exclusions pose a security risk?

I have attached my current configuration to this post for reference. I think the only modifications I made compared to my 5.0.0.0 configuration was:

• Enabled Harden Archivers
• Enabled Harden Email Clients
• Enabled Allow MSI (which turns Update Mode to OFF)

Did this issue persist after a reboot (adding CFA exclusions may require a reboot)?
Can you delete files in that protected folder directly from the Explorer?
Please, look at the H_C Log (<Tools><Blocked Events / Security Logs>) if any process was blocked at the time of file conversion.

Deleting anything in CFA protected folders from the Explorer should not be related to any H_C setting profile (also yours). But anyway, other processes can be involved, when the deletion is made by MS Office applications. You can check it by loading All_OFF.hdc profile - it will remove all H_C settings, except ConfigureDefender and FirewallHardening.

 

[Andy Ful]

I needed utilities such as Command Prompt to be run as admin in order to make scripts be able to work (obviously), but I didnt want to turn off the SRP or enable Run As Admin in the context menu.

You probably chose to hide this entry when applying Recommended Settings.

You can still use the Recommended Settings with <Hide 'Run As Administrator'> = OFF.
Then you can use the standard Windows method to run elevated CMD and PowerShell.

You can also use <Hide 'Run As Administrator'> = ON and <More SRP ...><Update Mode> = OFF, to use "Install By SmartScreen" instead.

The first method is more convenient for installing/updating applications.

 

[EndangeredPootis]

You can use the Recommended Settings when keeping "Run as administrator visible". You probably chose to hide this entry when applying Recommended Settings.

View attachment 243260

View attachment 243261

You can still use the Recommended Settings with <Hide 'Run As Administrator'> = OFF.
Then you can use the standard Windows method to run elevated CMD and PowerShell.

You can also use <Hide 'Run As Administrator'> = ON and <More SRP ...><Update Mode> = OFF, to use "Install By SmartScreen" instead.

The first method is more convenient for installing/updating applications.

I was fully aware of that, but I didnt want Run As Admin and Run By Smartscreen to both be in the context menu.

 

[Andy Ful]

Simple Windows Hardening (simplified version of Hard_Configurator):

New Update - Simple Windows Hardening

Post updated in September 2024. SWH works with Windows 10 and 11 (all versions including 24H2) SWH ver. 2.1.1.1 - July 2023 (added support for Windows 11 ver. 22H2) https://github.com/AndyFul/Hard_Configurator/raw/master/Simple%20Windows%20Hardening/SimpleWindowsHardening_2111.zip SWH ver...

malwaretips.com

 

[SeriousHoax]

Hi, Andy maybe it's worth adding "bitsadmin.exe" into recommended firewall hardening also?

Scripted Web Delivery (S) - Cobalt Strike

Cobalt Strike is threat emulation software. Red teams and penetration testers use Cobalt Strike to demonstrate the risk of a breach and evaluate mature security programs. Cobalt Strike exploits network vulnerabilities, launches spear phishing campaigns, hosts web drive-by attacks, and generates...

www.cobaltstrike.com

Also, bitsadmin is deprecated since Windows 7 so shouldn't cause any issue.

BITSADMIN is deprecated in Windows 7 and 2008 R2, it is superceeded by the new PowerShell BITS cmdlets

 

[Andy Ful]

Hi, Andy maybe it's worth adding "bitsadmin.exe" into recommended firewall hardening also?
View attachment 243859

Scripted Web Delivery (S) - Cobalt Strike

Cobalt Strike is threat emulation software. Red teams and penetration testers use Cobalt Strike to demonstrate the risk of a breach and evaluate mature security programs. Cobalt Strike exploits network vulnerabilities, launches spear phishing campaigns, hosts web drive-by attacks, and generates...

www.cobaltstrike.com

Also, bitsadmin is deprecated since Windows 7 so shouldn't cause any issue.

No. The executable bitsadmin.exe uses BITS for downloading, so the firewall only sees svchost.exe connecting to the Internet. In the same way, you cannot block PowerShell when it uses BITSTransfer cmdlet (other PowerShell methods can be blocked).
You have to block the execution of bitsadmin.exe by SRP or other methods.

 

[SeriousHoax]

No. The executable bitsadmin.exe uses BITS for downloading, so the firewall only sees svchost.exe connecting to the Internet. In the same way, you cannot block PowerShell when it uses BITSTransfer cmdlet (other PowerShell methods can be blocked).
You have to block the execution of bitsadmin.exe by SRP or other methods.

Ok I see. Btw, I see that there's two bitsadmin in HC block sponsor section. bitsadmin * and bitsadmin.exe. What is the first one?

 

[Andy Ful]

Ok I see. Btw, I see that there's two bitsadmin in HC block sponsor section. bitsadmin * and bitsadmin.exe. What is the first one?

The list of blocked sponsors was initially taken from the Bouncer blacklist. I never researched the bitsadmin* entry, but it may be related to bitsadmin.exe.mui or something else that uses BITS.

 

[Cortex]

Thanks for this software, been having a play with it this morning, much appreciated. My youngest daughter getting married in six days so need a distraction as running away at this point isn't an option?

 

[Andy Ful]

Thanks for this software, been having a play with it this morning, much appreciated. My youngest daughter getting married in six days so need a distraction as running away at this point isn't an option?

It would not be the first time of running away, but usually, this happens to the bride.

 

[plat]

Andy Ful: out of curiosity, does Firewall Hardening effectively block any outbound calls from Microsoft Store? I looked at the Outbound rules section of Windows Firewall and the Store is allowed. But I'm not sure what this "Allow" rule entitles the Store to do exactly.

I'd like to block the Store from doing anything but then I'm concerned that I can't update any apps there--which is the preference to do so manually and not have it run in the background.

Yes, there was someone at another forum expressing concern about Skype installing itself without the owner's knowledge/permission. So this prompted my question.

 

[oldschool]

out of curiosity, does Firewall Hardening effectively block any outbound calls from Microsoft Store?

No. The included default rules are for commonly abused processes, sponsors, etc. You may create any new rules you like but if you block the M$ Store you won't have access to it at all, AFAIK.

 

[South Park]

Andy Ful: out of curiosity, does Firewall Hardening effectively block any outbound calls from Microsoft Store? I looked at the Outbound rules section of Windows Firewall and the Store is allowed. But I'm not sure what this "Allow" rule entitles the Store to do exactly.

I'd like to block the Store from doing anything but then I'm concerned that I can't update any apps there--which is the preference to do so manually and not have it run in the background.

Yes, there was someone at another forum expressing concern about Skype installing itself without the owner's knowledge/permission. So this prompted my question.

Oddly enough, after I added the .reg file to prevent unexpected app installs, I manually went to update my Store apps. It seemed to hiccup on the installation but eventually completed. Probably a coincidence, but with Microsoft, who knows?

 

[Andy Ful]

Andy Ful: out of curiosity, does Firewall Hardening effectively block any outbound calls from Microsoft Store? I looked at the Outbound rules section of Windows Firewall and the Store is allowed. But I'm not sure what this "Allow" rule entitles the Store to do exactly.
...

Probably not.

 

[Andy Ful]

Short info about legacy SRP.

Some important Hard_Configurator features rely for now on Windows build-in SRP and this will be so until it will be useful. The SRP is now a legacy Windows feature - it means that Microsoft will not add the new features to it. The legacy features related to security are usually supported by Microsoft for a long time. I have seen many good 3rd party software dying in the meanwhile. It is possible that SRP dies with Windows 10 after several years. If there will be any problem with SRP, then I will make changes in Hard_Configurator several months before. It is also probable that I will drop SRP earlier for another Windows feature, like WD Application Control (WDAC). I could do it now, but WDAC is not so convenient yet as compared to SRP and the WDAC setup on Windows Home would be too restrictive for many home users (whitelisting problem). We will see how WDAC will evolve.

So, until Hard_Configurator development is actively supported by me (with SRP or without), there is no need to worry.

 

[brigantes]

Hi, Andy maybe it's worth adding "bitsadmin.exe" into recommended firewall hardening also?
View attachment 243859

Scripted Web Delivery (S) - Cobalt Strike

Cobalt Strike is threat emulation software. Red teams and penetration testers use Cobalt Strike to demonstrate the risk of a breach and evaluate mature security programs. Cobalt Strike exploits network vulnerabilities, launches spear phishing campaigns, hosts web drive-by attacks, and generates...

www.cobaltstrike.com

Also, bitsadmin is deprecated since Windows 7 so shouldn't cause any issue.

Bitsadmin does not do the actual downloading. The process that does it is SYSTEM, so creating a firewall rule for Bitsadmin will block nothing.

 

[brigantes]

Short info about legacy SRP.

Some important Hard_Configurator features rely for now on Windows build-in SRP and this will be so until it will be useful. The SRP is now a legacy Windows feature - it means that Microsoft will not add the new features to it. The legacy features related to security are usually supported by Microsoft for a long time. I have seen many good 3rd party software dying in the meanwhile. It is possible that SRP dies with Windows 10 after several years. If there will be any problem with SRP, then I will make changes in Hard_Configurator several months before. It is also probable that I will drop SRP earlier for another Windows feature, like WD Application Control (WDAC). I could do it now, but WDAC is not so convenient yet as compared to SRP and the WDAC setup on Windows Home would be too restrictive for many home users (whitelisting problem). We will see how WDAC will evolve.

So, until Hard_Configurator development is actively supported by me (with SRP or without), there is no need to worry.

SRP shall not be going anywhere anytime soon. Microsoft has no intention of getting rid of AppLocker, which completely incorporates the older SRP. Given the fact that enterprises spend millions upon millions of dollars for InTune management and have become extremely dependent upon distributing GPO via an Active Directory Domain Controller, SRP/AppLocker will not be phased out in this decade.

Now we can sit here and debate this to death, but the lines between "SRP" and "WDAC" are blurred. There are many places to look online to compare SRP, AppLocker and WDAC. There is no need to cover that long topic here.

As is usual, Microsoft piles in a bunch of overly complex and questionable features in WDAC.

 

[Digmor Crusher]

Andy, other than you needing to program everything differently would there be any difference in HC protections levels using SRP over WDAC?

 

[Andy Ful]

Andy, other than you needing to program everything differently would there be any difference in HC protections levels using SRP over WDAC?

In the home environment on Windows 10 with well updated system / software and good AV, the practical difference between SRP and WDAC is not important. The attack area is not big (as compared to enterprises) and SRP is more suitable to make it smaller without breaking something - it is simply more useful for home users.

In enterprises, there is a big difference between SRP and WDAC protection. The attack area is much bigger as compared to the home environment. Generally speaking, WDAC is much more resistant to the malware on already infected computers, and when the attack is performed from the enterprise network.

Edit.
By the way (in relation to another thread), I do not use a piss-back defense, but rather piss-reflect or hedgehog (more efficient). The attacker must face only his own product.
Like any hedgehog, I do not keep negative emotions too long and do not have many enemies.

 

[brigantes]

The admin author gives Microsoft's very reason for implementing SRP back in 2002. SRP is soooo amazing that it is the most robust protection to this very day on Windows with Microsoft working on new iterations.

Our Blog | ActZero

Cybersecurity is complex, evolving, and an absolute necessity for every enterprise - regardless of size or industry. Here you will find resources that can simplify, educate, and keep you on top of this rapidly changing technology, and how ActZero can assist in solving the challenges.

www.intelligonetworks.com

" Right now is usually when I get the most push back on the strategy. You see, vendors of security software have for years positioned their products as “Smart Enough” to catch this behavior. Don’t worry which ones either—they are all guilty of it. Email Anti-Spam, Anti-Virus, Firewalls, you name it. Put “Next-Gen” in front of the name and they’ll go on about how many times their solution stopped such behaviors. They conveniently leave out that no matter who they are or the technique they use they don’t work 100% of the time. So, let’s talk about the times they don’t: because that’s when the software restriction policy is going to save you. "