Yeah, the exact thing I tried to do. And somehow it worked this time, I don't know why though. I guess I did it wrong at first. Thanks
Last edited:
Hard_Configurator - Windows Hardening Configurator
- Thread starter Andy Ful
- Start date
@Andy Ful
Does LSASS protection work in non-enterprise?
Because i found that:
but the article is from October 1, 2015
Does LSASS protection work in non-enterprise?
Because i found that:
Virtual Secure Mode (VSM) in Windows 10 Enterprise | Windows OS Hub (woshub.com)
but the article is from October 1, 2015
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,481
Credential Guard (mentioned in your post) should work on Windows 10 Pro with the proper hardware:
Is Credential Guard supported on W10 Pro · Issue #4025 · MicrosoftDocs/windows-itpro-docs · GitHub
But this feature is not related to H_C protection. The ASR rule which can be applied by H_C (ConfigureDefender) works on Windows Home, Pro, etc.
Last edited:
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,481
I checked the DG_Readiness_Tool.ps1 on my Windows Pro. It says :
###########################################################################
OS and Hardware requirements for enabling Device Guard and Credential Guard
1. OS SKUs: Available only on these OS Skus - Enterprise, Server, Education and Enterprise IoT
2. Hardware: Recent hardware that supports virtualization extension with SLAT
To learn more please visit: https://aka.ms/dgwhcr
###########################################################################
So, finally the issues with wrong information was corrected.
Yes because the tool output is wrong.
See latest PR change: Only applies to Enterprise addition by joinimran · Pull Request #8869 · MicrosoftDocs/windows-itpro-docs (github.com)
In FirewallHardening log i got these entries:
The IP is from Microsoft and listed as "Microsoft Routing, Peering, and DNS"
"compattelrunner.exe" is also for telemetry so it may be problematic if blocked.
The IP is from Microsoft and listed as "Microsoft Routing, Peering, and DNS"
"compattelrunner.exe" is also for telemetry so it may be problematic if blocked.
- Jan 27, 2018
- 1,400
When I was using Firewall Hardening I was getting the same blocks, numerous times a day, didn't see to break or hurt anything.
- Mar 16, 2019
- 3,862
It's not a problem if it's blocked. I even have mine disabled from Task Scheduler.
And, rundll32.exe is present in the recommended firewall rule.
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,481
These blocked entries can be useful for Microsoft but are not needed for the particular user. If one wants to help Microsoft via the Application Experience, then these connections can be allowed. Blocking the outbound connections of rundll32.exe has an advantage for the users' security. Blocking connections of compattelrunner.exe is related only to users' privacy. For example:
What Is Compattelrunner.Exe in Windows 10 (And Can It Be Disabled) (helpdeskgeek.com)
If one has performance issues related to compattelrunner.exe , then the Microsoft Compatibility Appraiser task can be disabled via Task Scheduler.
Last edited:
Someone asked
"is it a safe practice to whitelist (by path) the entire root folder of a portable app?"
www.wilderssecurity.com
"is it a safe practice to whitelist (by path) the entire root folder of a portable app?"
Hard_Configurator - GUI to Manage Software Restriction Policies and harden Windows Home OS
@Buddel I am not by any means a security geek or expert but OS armor is protected by kernel level driver, while H_C would sit in ring 3 where software...
www.wilderssecurity.com
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,481
Yes, in the home environment. This could make difference only in targeted attacks on businesses, institutions, etc. Of course, this can be done safely only for trusted applications.
Last edited:
Hi guys. After reinstalling Windows 10, for the first time I have problems installing Hard_configurator. I get "this app cannot run on your PC". Tried the general installer, then the 64 bit one - same result. Your help will be appreciated.
P.S. Sorry, turned out I hadn't downloaded the installer properly.
P.S. Sorry, turned out I hadn't downloaded the installer properly.
Last edited:
- Jan 21, 2018
- 48
I just want to check if I have a blind spot here...Why H_C blocks shortcuts in UserSpace?
From the article about Microsoft Threat Protection:
Inside Microsoft Threat Protection: Solving cross-domain security incidents through the power of correlation analytics - Microsoft Security
Through deep correlation logic, Microsoft Threat Protection automatically finds links between related signals across domains. It connects related existing alerts and generates additional alerts where suspicious events that could otherwise be missed can be detected.www.microsoft.com
" Attack sprawl illustrated
The level of sophistication of today’s threats, including nation-state level attacks and human operated ransomware, highlight why coordinated defense is critical in ensuring that organizations are protected.
To illustrate how Microsoft Threat Protection protects against such sophisticated attacks, we asked our security research team to simulate an end-to-end attack chain across multiple domains, based on techniques we observed in actual investigations.
Their attack starts with a spear-phishing email targeting a specific user. The email contains a link that, when clicked, leads to the download of a malicious .lnk file that stages the Meterpreter payload."
Microsoft team created a sophisticated malware, based on techniques observed in actual investigations, to show how it could be fought by Microsoft Threat Protection. Here is the full infection chain (correlated attack on 3 computers):
View attachment 244934
As can be seen, if the spear-phishing email to Polly will succeed by downloading the archive, then the infection chain on his/her computer is started by running the malicious shortcut (*.LNK file). If the shortcut will be blocked, then nothing will happen to her.
The attack on Mike's computer is improbable in the home environment, because the attacker has to know the credentials before infecting the computer (but is typical in enterprises). Anyway, it can be stopped by FirewallHardening (mshta.exe connections are disabled). Furthermore, the Windows remote features in the H_C settings are also blocked.
The attack on Marco's computer will fail because the malicious document cannot use VBA interpreter in the H_C settings (macros, etc.) to run the backdoor embedded in the MS Office document.
So, similar sophisticated attacks can be easily blocked with H_C settings in the home environment. But in enterprises, the H_C settings are not practical so the shortcuts will be allowed, the VBA interpreter will be allowed, and the remote features will be allowed. That is why something like Microsoft Threat Protection is required in enterprises and something like H_C will be useless there (but still very efficient in the home environment).
If I have SRP enabled with default deny setup, is there any added value whatsoever (security wise) in keeping .LNK files in the Designated File Types list?
On the other hand, if I'm not running a default deny setup and have LNK included in DFT list, but whitelisted .LNK files on my desktop, is there anything to prevent a malicious download simply to replace e.g. "Microsoft Edge.LNK" on my desktop with malicious content, only to wait till I launch my browser for the next time?
Sorry if I'm asking too obvious questions here. Somehow I just got a weird feeling that maybe I have missed something obvious that I should have understood...
I have run SSRP for years - and for the last year H_C with default deny setup and I have sometimes wondered how anyone would be willing to use something else - if still using some kind of SRP. Well, of course some protection is better than no protection, but still...
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,481
Allowing shortcuts in UserSpace opens the command-line access which would be an important loophole in your security. The malicious shortcuts can use LOLBins to run the malware (also filelessly) from the remote servers or malicious code embedded in innocent files (photos, plain text files, etc.). It is even possible that the shortcut's command line will extract & execute the encrypted code embedded somewhere in the shortcut's body. So, keeping .LNK files in the Designated File Types list is highly recommended.
If you do not have SRP default-deny setup, then the files on DFT list are not blocked by default in UserSpace! You have to apply custom Disallowed rules for that! Using Unrestricted and Disallowed rules to block the concrete files is not easy, and usually, the users do not know how to do it in the right way.
If you use default-deny configured by H_C (Recommended Settings, Strict Recommended Settings, etc.), then you will be prevented from running the malicious code. So, the file modifications on the Desktop will not happen.
The exception is turning off the protection by the user or exploiting the system/software. On Windows 10 with well updated Windows and well updated software, you have excellent anti-exploit protection by default. If you use vulnerable applications then you can use <Block Sponsors> or FirewallHardening to block/restrict LOLBins.
Last edited:
- Jan 21, 2018
- 48
@Andy Ful Thank you for sheding some light to my blind spot! (after reviewing your excellent H_C and SRP documentation I realized that I also used the term "default deny" in somewhat vague way in my question, but that's another story...)
But anyway, just to check if I got it correctly this time: When running a default deny setup (e.g. H_C "Disallowed" + "All files"), and having .LNK in the DFT list but "%USERPROFILE%\Desktop\*.lnk" whitelisted, I guess that a malicious drive-by download of "Microsoft Edge.LNK" replacing the original link on my desktop would naturally still be possible... and if I have not taken care of LOLBAS protection and would not be blocking uncontrolled outgoing firewall traffic, I could still have my system compromised - or am I still missing something obvious...?
(after reviewing your excellent H_C and SRP documentation I realized that I also used the term "default deny" in somewhat vague way in my question, but that's another story...)But anyway, just to check if I got it correctly this time: When running a default deny setup (e.g. H_C "Disallowed" + "All files"), and having .LNK in the DFT list but "%USERPROFILE%\Desktop\*.lnk" whitelisted, I guess that a malicious drive-by download of "Microsoft Edge.LNK" replacing the original link on my desktop would naturally still be possible... and if I have not taken care of LOLBAS protection and would not be blocking uncontrolled outgoing firewall traffic, I could still have my system compromised - or am I still missing something obvious...?
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,481
Yes, it is possible. But, very improbable in the home environment.
Replacing the shortcut on the desktop is not an attack method, but obtaining the persistence of an already successful attack (via another method). So first, the malware has to break the H_C settings in another way.
This method of obtaining persistence was seen in the wild (very rarely). But, the initial malware was a macro-weaponized document that could be easily stopped by H_C settings. For example:
Malicious Macro Hijacks Desktop Shortcuts (trendmicro.com)
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,481
Thinking about security in the home environment should not be similar to the Enterprise case. Both have very different attack surface. In Enterprises, one has to assume that the breach in the network is highly possible - the answer is the "Zero Trust" security framework. Worrying about malware persistence by modifying shortcuts on the Desktop would be very rational in this case.
In Small & Medium Business, the old hardening & whitelisting approach is still very efficient.
In the home environment, the standard approach based on good AV + secured web browsing is OK for most users. The chances to be infected are similar to being badly injured in a traffic accident, which can also depend on the users' skills and caution. If one needs more security, then additional protection has to be applied. Any of these solutions has its pros and cons. The stronger the protection, the less usable it will be. Also on Windows 10, the fewer 3rd party real-time solutions, the more stable & unproblematic will be daily work with the computer.
In Small & Medium Business, the old hardening & whitelisting approach is still very efficient.
In the home environment, the standard approach based on good AV + secured web browsing is OK for most users. The chances to be infected are similar to being badly injured in a traffic accident, which can also depend on the users' skills and caution. If one needs more security, then additional protection has to be applied. Any of these solutions has its pros and cons. The stronger the protection, the less usable it will be. Also on Windows 10, the fewer 3rd party real-time solutions, the more stable & unproblematic will be daily work with the computer.
Last edited:
- Feb 25, 2017
- 2,585
Are there any plans of creating a standalone Firewall Hardening tool just like Simple Windows Hardening?
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,481
It is already done. All standalone versions are available on GitHub:
Similar threads
-
- Sticky
