Updates Hard_Configurator - Windows Hardening Configurator

SecurityNightmares

Andy Ful

SecurityNightmares
Credential Guard (mentioned in your post) should work on Windows 10 Pro with the proper hardware:
This is sadly not true:
DG_Readiness_Tool.ps1 reports Credential-Guard is enabled and running but i does not work as expacted · Issue #7901 · MicrosoftDocs/windows-itpro-docs (github.com)
But this feature is not related to H_C protection. The ASR rule which can be applied by H_C (ConfigureDefender) works on Windows Home, Pro, etc.
Alright! Thanks
 

Andy Ful
I checked the DG_Readiness_Tool.ps1 on my Windows Pro. It says:
###########################################################################
OS and Hardware requirements for enabling Device Guard and Credential Guard
1. OS SKUs: Available only on these OS Skus - Enterprise, Server, Education and Enterprise IoT
2. Hardware: Recent hardware that supports virtualization extension with SLAT
To learn more please visit: https://aka.ms/dgwhcr
###########################################################################

So, finally, the issue with the wrong information was corrected.
 

SecurityNightmares
I checked the DG_Readiness_Tool.ps1 on my Windows Pro. It says:
###########################################################################
OS and Hardware requirements for enabling Device Guard and Credential Guard
1. OS SKUs: Available only on these OS Skus - Enterprise, Server, Education and Enterprise IoT
2. Hardware: Recent hardware that supports virtualization extension with SLAT
To learn more please visit: https://aka.ms/dgwhcr
###########################################################################

So, finally, the issue with the wrong information was corrected.
Yes, because the tool output is wrong.
See latest PR change: Only applies to Enterprise addition by joinimran · Pull Request #8869 · MicrosoftDocs/windows-itpro-docs (github.com)
 

SecurityNightmares
In the FirewallHardening log I got these entries:

The IP is from Microsoft and listed as "Microsoft Routing, Peering, and DNS"



"compattelrunner.exe" is also for telemetry so it may be problematic if blocked.
 

Andy Ful
In the FirewallHardening log I got these entries:

The IP is from Microsoft and listed as "Microsoft Routing, Peering, and DNS"



"compattelrunner.exe" is also for telemetry so it may be problematic if blocked.
These blocked entries can be useful for Microsoft but are not needed for the particular user. If one wants to help Microsoft via the Application Experience, then these connections can be allowed. Blocking the outbound connections of rundll32.exe has an advantage for the users' security. Blocking connections of compattelrunner.exe is related only to users' privacy. For example:
What Is Compattelrunner.Exe in Windows 10 (And Can It Be Disabled) (helpdeskgeek.com)

If one has performance issues related to compattelrunner.exe, then the Microsoft Compatibility Appraiser task can be disabled via Task Scheduler.
 
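The two kinds of block discussed above (rundll32.exe for security, compattelrunner.exe for privacy), as an added PowerShell illustration of the same outbound rules FirewallHardening creates; this is not Hard_Configurator's own code, and the rule names and the readback step are choices made here. It assumes an elevated session and the standard System32 paths; the scheduled-task line at the end covers the Task Scheduler option from the post.

```powershell
# Added example (not H_C's code): outbound block rules for the two executables discussed above,
# followed by a readback of which program each rule actually binds to.
$rules = @(
    @{ Name = 'HC-Example Block rundll32 outbound'
       Path = "$env:SystemRoot\System32\rundll32.exe"
       Why  = 'LOLBin used to load remote or embedded code; blocking outbound is a security gain' },
    @{ Name = 'HC-Example Block compattelrunner outbound'
       Path = "$env:SystemRoot\System32\CompatTelRunner.exe"
       Why  = 'Compatibility telemetry only; blocking it is a privacy choice, not a security one' }
)

foreach ($r in $rules) {
    if (-not (Test-Path $r.Path)) { Write-Warning "$($r.Path) not found, skipping"; continue }
    if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) {
        Write-Host "Rule already exists: $($r.Name)"; continue
    }
    New-NetFirewallRule -DisplayName $r.Name -Direction Outbound -Action Block `
        -Program $r.Path -Profile Any -Description $r.Why | Out-Null
    Write-Host "Created: $($r.Name)"
}

# Readback: a rule that silently bound to the wrong path would block nothing, so verify it.
Get-NetFirewallRule -DisplayName 'HC-Example*' | ForEach-Object {
    $app = $_ | Get-NetFirewallApplicationFilter
    [pscustomobject]@{ Rule = $_.DisplayName; Program = $app.Program; Enabled = $_.Enabled; Action = $_.Action }
} | Format-Table -AutoSize

# Optional, for the performance issue mentioned above: disable the Compatibility Appraiser task
# in Task Scheduler (standard Windows task path) instead of, or in addition to, the firewall rule.
Disable-ScheduledTask -TaskPath '\Microsoft\Windows\Application Experience\' `
    -TaskName 'Microsoft Compatibility Appraiser' | Out-Null
```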

Azure

Marana

Why does H_C block shortcuts in UserSpace?

From the article about Microsoft Threat Protection:

" Attack sprawl illustrated

The level of sophistication of today’s threats, including nation-state level attacks and human operated ransomware, highlight why coordinated defense is critical in ensuring that organizations are protected.

To illustrate how Microsoft Threat Protection protects against such sophisticated attacks, we asked our security research team to simulate an end-to-end attack chain across multiple domains, based on techniques we observed in actual investigations.

Their attack starts with a spear-phishing email targeting a specific user. The email contains a link that, when clicked, leads to the download of a malicious .lnk file that stages the Meterpreter payload."

The Microsoft team created sophisticated malware, based on techniques observed in actual investigations, to show how it could be fought by Microsoft Threat Protection. Here is the full infection chain (a correlated attack on 3 computers):


As can be seen, if the spear-phishing email to Polly succeeds in getting the archive downloaded, then the infection chain on her computer starts by running the malicious shortcut (*.LNK file). If the shortcut is blocked, then nothing will happen to her.
The attack on Mike's computer is improbable in the home environment, because the attacker has to know the credentials before infecting the computer (but it is typical in enterprises). Anyway, it can be stopped by FirewallHardening (mshta.exe connections are disabled). Furthermore, the Windows remote features are also blocked in the H_C settings.
The attack on Marco's computer will fail because, in the H_C settings, the malicious document cannot use the VBA interpreter (macros, etc.) to run the backdoor embedded in the MS Office document.

So, similar sophisticated attacks can be easily blocked with H_C settings in the home environment. But in enterprises, the H_C settings are not practical, so the shortcuts will be allowed, the VBA interpreter will be allowed, and the remote features will be allowed. That is why something like Microsoft Threat Protection is required in enterprises and something like H_C will be useless there (but still very efficient in the home environment).
I just want to check if I have a blind spot here...

If I have SRP enabled with default deny setup, is there any added value whatsoever (security wise) in keeping .LNK files in the Designated File Types list?

On the other hand, if I'm not running a default deny setup and have LNK included in DFT list, but whitelisted .LNK files on my desktop, is there anything to prevent a malicious download simply to replace e.g. "Microsoft Edge.LNK" on my desktop with malicious content, only to wait till I launch my browser for the next time?

Sorry if I'm asking too obvious questions here. Somehow I just got a weird feeling that maybe I have missed something obvious that I should have understood...

I have run SSRP for years - and for the last year H_C with default deny setup and I have sometimes wondered how anyone would be willing to use something else - if still using some kind of SRP. Well, of course some protection is better than no protection, but still... :)
 

Andy Ful
I just want to check if I have a blind spot here...

If I have SRP enabled with default deny setup, is there any added value whatsoever (security wise) in keeping .LNK files in the Designated File Types list?
Allowing shortcuts in UserSpace opens up command-line access, which would be an important loophole in your security. Malicious shortcuts can use LOLBins to run malware (also filelessly) from remote servers, or malicious code embedded in innocent files (photos, plain text files, etc.). It is even possible that the shortcut's command line will extract and execute encrypted code embedded somewhere in the shortcut's body. So, keeping .LNK files in the Designated File Types list is highly recommended.
On the other hand, if I'm not running a default deny setup and have LNK included in DFT list, but whitelisted .LNK files on my desktop, is there anything to prevent a malicious download simply to replace e.g. "Microsoft Edge.LNK" on my desktop with malicious content, only to wait till I launch my browser for the next time?
If you do not have an SRP default-deny setup, then the files on the DFT list are not blocked by default in UserSpace! You have to apply custom Disallowed rules for that! Using Unrestricted and Disallowed rules to block specific files is not easy, and usually the users do not know how to do it the right way.
If you use default-deny configured by H_C (Recommended Settings, Strict Recommended Settings, etc.), then you will be prevented from running the malicious code. So, the file modifications on the Desktop will not happen.
The exception is the protection being turned off by the user, or the system/software being exploited. On Windows 10 with a well-updated Windows and well-updated software, you have excellent anti-exploit protection by default. If you use vulnerable applications, then you can use <Block Sponsors> or FirewallHardening to block/restrict LOLBins.
 
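A defender's check for the two risks raised in this exchange, as an added PowerShell example that is not H_C's code: it walks the shortcuts in a few user-writable locations and flags any whose target is a LOLBin or whose arguments carry remote URLs, encoded commands, or payload-sized strings, which also catches a desktop shortcut such as "Microsoft Edge.LNK" being swapped for one that launches something else. The scan roots, the LOLBin list and the argument patterns are assumptions chosen for the example; it reads shortcuts through the WScript.Shell COM object and never executes them.

```powershell
# Added example (not H_C's code): audit .lnk files in user-writable locations for LOLBin targets
# and suspicious command lines. Read-only: shortcuts are parsed, never launched.
$scanRoots = @("$env:USERPROFILE\Desktop", "$env:USERPROFILE\Downloads",
               "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup")   # assumed locations
$lolbins = 'rundll32','mshta','powershell','pwsh','cmd','wscript','cscript',
           'regsvr32','certutil','bitsadmin','msiexec','forfiles','conhost'          # assumed list
$suspiciousArgs = 'http://','https://','\\','-enc','-e ','frombase64','iex',
                  'invoke-expression','javascript:','vbscript:','downloadstring','-w hidden','/c ','&'

$shell = New-Object -ComObject WScript.Shell
$findings = foreach ($root in $scanRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($lnk in Get-ChildItem -Path $root -Filter *.lnk -File -Recurse -ErrorAction SilentlyContinue) {
        try { $sc = $shell.CreateShortcut($lnk.FullName) } catch { continue }
        $target = [string]$sc.TargetPath
        $shArgs = [string]$sc.Arguments
        $exe = [IO.Path]::GetFileNameWithoutExtension($target).ToLowerInvariant()
        $reasons = @()
        if ($exe -in $lolbins) { $reasons += "target is a LOLBin ($exe)" }
        foreach ($p in $suspiciousArgs) { if ($shArgs -like "*$p*") { $reasons += "argument contains '$p'" } }
        # A long argument string is room for an embedded, possibly encrypted, payload.
        if ($shArgs.Length -gt 260) { $reasons += "unusually long arguments ($($shArgs.Length) chars)" }
        if ($reasons) {
            [pscustomobject]@{
                Shortcut = $lnk.FullName
                Modified = $lnk.LastWriteTime   # a recently rewritten "browser" shortcut stands out here
                Target   = $target
                Args     = $shArgs
                Reasons  = ($reasons -join '; ')
            }
        }
    }
}
if ($findings) { $findings | Format-List } else { 'No suspicious shortcuts found.' }
```

With default-deny SRP and .LNK on the DFT list the shortcut would not run anyway; the scan is for the whitelisted-desktop case discussed above, where spotting the swap matters.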

Marana

@Andy Ful Thank you for shedding some light on my blind spot! :) (after reviewing your excellent H_C and SRP documentation I realized that I also used the term "default deny" in a somewhat vague way in my question, but that's another story...)

But anyway, just to check if I got it correctly this time: When running a default deny setup (e.g. H_C "Disallowed" + "All files"), and having .LNK in the DFT list but "%USERPROFILE%\Desktop\*.lnk" whitelisted, I guess that a malicious drive-by download of "Microsoft Edge.LNK" replacing the original link on my desktop would naturally still be possible... and if I have not taken care of LOLBAS protection and would not be blocking uncontrolled outgoing firewall traffic, I could still have my system compromised - or am I still missing something obvious...?
 

Andy Ful
@Andy Ful ...

But anyway, just to check if I got it correctly this time: When running a default deny setup (e.g. H_C "Disallowed" + "All files"), and having .LNK in the DFT list but "%USERPROFILE%\Desktop\*.lnk" whitelisted, I guess that a malicious drive-by download of "Microsoft Edge.LNK" replacing the original link on my desktop would naturally still be possible...
Yes, it is possible. But it is very improbable in the home environment.
Replacing the shortcut on the desktop is not an attack method, but a way of obtaining persistence for an already successful attack (via another method). So first, the malware has to break the H_C settings in another way.
This method of obtaining persistence was seen in the wild (very rarely). But the initial malware was a macro-weaponized document that could be easily stopped by H_C settings. For example:
Malicious Macro Hijacks Desktop Shortcuts (trendmicro.com)
 

Andy Ful
Thinking about security in the home environment should not be similar to the Enterprise case. Both have very different attack surfaces. In Enterprises, one has to assume that a breach of the network is highly possible; the answer is the "Zero Trust" security framework. Worrying about malware persistence via modified shortcuts on the Desktop would be very rational in this case.
In Small & Medium Business, the old hardening & whitelisting approach is still very efficient.
In the home environment, the standard approach based on a good AV + secured web browsing is OK for most users. The chances of being infected are similar to those of being badly injured in a traffic accident, which can also depend on the user's skills and caution. If one needs more security, then additional protection has to be applied. Each of these solutions has its pros and cons. The stronger the protection, the less usable it will be. Also, on Windows 10, the fewer 3rd party real-time solutions, the more stable & unproblematic daily work with the computer will be.
 