Hard_Configurator - Windows Hardening Configurator

[Andy Ful]

New blackist from Excubits:
https://excubits.com/content/files/blacklist2.txt

Here is list of changes:
Bouncer (previously Tuersteher Light)

One more sponsor added - mspub.exe, which is Microsoft Publisher installed in MS Office. The sponsor usually opens .pub files. MS Office does not use Protected View for opening those files (when downloaded from the Internet), so they were recently used in a spam campaign.
Necurs Botnet Campaign Targets Banks with Malware .Pub Files
Cisco's Talos Intelligence Group Blog: When A Pony Walks Out Of A Pub
The .pub files can have VBA Macros like other MS Office documents. Macros are blocked in Hard_Configurator via <Documents Anti-Exploit> = ON (Microsoft Excel, Microsoft FrontPage, Microsoft Outlook, Microsoft PowerPoint, Microsoft Publisher, and Microsoft Word) for MS Office XP, MS Office 2003, ... up to MS Office 2016.
Also, the user can add the PUB extension to Designated File Types list, if macros are not blocked.
WD ASR will stop/mitigate most malicious PUB documents, too.

 

[oldschool]

One more sponsor added - mspub.exe, which is Microsoft Publisher installed in MS Office. The sponsor usually opens .pub files. MS Office does not use Protected View for opening those files (when downloaded from the Internet), so they were recently used in a spam campaign....Also, the user can add the PUB extension to Designated File Types list, if macros are not blocked.
WD ASR will stop/mitigate most malicious PUB documents, too.

You really stay on it @Andy Ful. Nice to know that the Default-Deny setup covers so much. Re: PUB docs - yet another reason to employ WD with H_C.

 

[shmu26]

Also, the user can add the PUB extension to Designated File Types list

Done. Good idea.

 

[Malware Man]

This tool does seem very useful, however I don't really find it all that practical for me to use tbh since I am running Windows 10 Pro I can just fire up group policy and find these settings anyways (thanks to my Windows Server classes I've became very familiar where most of the settings are now).

I have my own security settings setup through group policy. I prefer to stick with the built in security provided by Microsoft instead of relying on third party stuff especially since it's all included in my pro license so I might as well take advantage right?

This is though a great tool if you are running Windows 10 Home!

 

[oldschool]

… This is though a great tool if you are running Windows 10 Home!

+1, and if you're less technically inclined!

 

[shmu26]

This tool does seem very useful, however I don't really find it all that practical for me to use tbh since I am running Windows 10 Pro I can just fire up group policy and find these settings anyways (thanks to my Windows Server classes I've became very familiar where most of the settings are now).

I have my own security settings setup through group policy. I prefer to stick with the built in security provided by Microsoft instead of relying on third party stuff especially since it's all included in my pro license so I might as well take advantage right?

This is though a great tool if you are running Windows 10 Home!

I think you will find SRP easier to set up and manage with this tool, even if you do know your way around GPO, because you won't need to reinvent the wheel.

 

[Andy Ful]

...
I have my own security settings setup through group policy.
...

If you manage SRP via GPO, then there are some things commonly overlooked by the users:

1. The proper settings for the shortcuts.
2. Whitelisting Windows folder + some Disallowed rules for subfolders.
3. The proper whitelisting of OneDrive.
4. The proper rules when environment variables are used (some rules may not work properly).

 

[vaccineboy]

Dear Andy,

Will your program prevent standard users from running executables (outside system and program files, such as portable apps)? Basically I wish to block standard users from running portable apps.

Thank you.

 

[Andy Ful]

Dear Andy,

Will your program prevent standard users from running executables (outside system and program files, such as portable apps)? Basically I wish to block standard users from running portable apps.

Thank you.

Yes. You can use the recommended settings for that. The users can safely run portable applications via 'Run As SmartScreen'. In WIndows 10 you can set SmartScreen to not be bypassed by the user. If you do not want to allow running any applications in the Userspace, then you should set <Run As SmartScreen > to OFF.

 

[Andy Ful]

I am still working on the <Documents Anti-Exploit> feature.
In the present form, it is a mix of system-wide and non-system-wide settings, which is too complicated for the simple ON/OFF button. Furthermore, the rest Hard_Configurator ON/OFF settings are system-wide. When the user wants to recover Windows defaults he/she has to use <Restore Windows Defaults> button and additionally log ON to every Administrator account to set <Documents Anti-Exploit> = OFF (also before uninstalling).

MS Office restrictions can be introduced in three ways:

1. System-Wide for all accounts (HKLM Registry Hive) - require Admin Rights.
2. Non-System-Wide Administrator Policies for the current account (HKU\SID Hive) - require Admin Rights.
3. Non-System-Wide for the current account (HKU\SID Hive). Those settings overwrite the present settings configured from within MS Office applications.

The settings introduced via all 3 ways do not overwrite each other.
The first two do not also overwrite the actual MS Office settings, cannot be modified from within MS Office applications and cannot be modified by the malware running as standard user.
All three ways may be useful for the users in different variants.

I have an idea of splitting <Documents Anti-Exploit> feature between two applications to properly manage the above and avoid mentioned issues.

In Hard_Configurator only System-Wide settings (point 1.) will be applied for all accounts (disable/enable VBA interpreter and Adobe Reader XI/DC restrictions). So, there will not be a problem to <Restore Windows Defaults> or uninstall Hard_Configurator. The new option will be added for allowing/blocking the features in the SwitchDefaultDeny application.
After uninstalling Hard_Configurator, SwitchDefaultDeny application will not be uninstalled - the user still will be able to manage MS Office restrictions for any current account.

In SwitchDefaultDeny the new feature will be added: <Document Anti-Exploit for the current account> (see the attachment). This feature is intended (for now) only for MS Office restrictions (Macros in documents, DDE, ActiveX, OLE, PowerPoint Actions, etc.). They will allow four configurable settings: ON1, OFF, ON2, OFF2, and three info-settings: 'Partial', 'Dangerous', '?'.

ON1 - apply MS Office restrictions in HKU\SID Registry Hive (point 3.) and delete restrictions introduced via policy reg tweaks (point 2.). The ON1 settings overwrite the settings initially introduced when using MS Office applications. But, they can be also modified from within MS Office applications. So, this setting can be useful for advanced users and non-happy-clickers.

ON2 - apply MS Office restrictions in HKU\SID Registry Hive via policy reg-tweaks (point 2.). This setting can be useful for protecting happy-clickers or inexperienced users, because the settings are locked by administrator.

OFF2 - delete all MS Office restrictions introduced via policy reg-tweaks, but do not delete the settings initially introduced when using MS Office applications or via ON1.

OFF - delete all MS Office restrictions, so MS Office is set on default settings.

The info settings ('Partial', 'Dangerous', '?') will be displayed when the user applied non-standard settings from within MS Office applications or via an external program.
For protecting the inexperienced user, <Document Anti-Exploit for the current account> should be set to ON2 on the user account, and then disabled for modification in Hard_Configurator.

 

[Vasudev]

Any idea if Edge preloading can be stopped by gpedit.msc on Home editions. I install GP enabler and even PolicyPlus sometimes Edge preloads itself and sometimes it doesn't.

 

[Andy Ful]

Any idea if Edge preloading can be stopped by gpedit.msc on Home editions. I install GP enabler and even PolicyPlus sometimes Edge preloads itself and sometimes it doesn't.

The old reg-tweaks do not work on Windows 10 ver. 1803:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MicrosoftEdge\Main]
"AllowPrelaunch"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\TabPreloader]
"AllowTabPreloading"=dword:00000000

Also disabling Edge as a background application does not prevent preloading it.
Edge stops preloading itself only when the user chooses another browser as default.

 

[shmu26]

What about adding IQY to Designated File Types list ?
Necurs Spews 780,000 Emails With Weaponized IQY Files

 

[Andy Ful]

What about adding IQY to Designated File Types list ?
Necurs Spews 780,000 Emails With Weaponized IQY Files

Will be added. Furthermore, I will add the restrictions:
[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Excel\Security]
"DataConnectionWarnings"=dword:000000002
...
and similar tweaks for 14.0, 15.0, 16.0 MS Office versions, which prevents loading the code from the website via IQY files.

 

[Andy Ful]

The old reg-tweaks do not work on Windows 10 ver. 1803:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MicrosoftEdge\Main]
"AllowPrelaunch"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\TabPreloader]
"AllowTabPreloading"=dword:00000000

Also disabling Edge as a background application does not prevent preloading it.
Edge stops preloading itself only when the user chooses another browser as default.

The second rule should work also on Windows 10 ver. 1803, because it is still available via GPO.
It can only prevent preloading the Start and New Tab page.

 

[Vasudev]

The second rule should work also on Windows 10 ver. 1803, because it is still available via GPO.
It can only prevent preloading the Start and New Tab page.

Its working. Thanks!

 

[Andy Ful]

Hard_Configurator + Avast Hardened Mode Aggressive
In one of his posts, @shmu26 suggested whitelisting both .exe and .tmp files in the above configuration. So, I tested if .tmp files are checked while Avast Hardened Mode is enabled. I used the commands:
cmd /k start c:\z\Hard_Configurator(x64).exe
cmd /k start c:\z\Hard_Configurator(x64).tmp
with the newly compiled version of Hard_Configurator executable (the second with changed file extension).
In both cases, the executable was blocked.

In another test, I used Stephen Fewer's reflective_dll.x64.dll with a changed content to avoid whitelisting by Avast:
control.exe c:\z\reflective_dll.x64.dll
control.exe c:\z\reflective_dll.x64.tmp
control.exe c:\z\reflective_dll.x64.cpl
control.exe c:\z\reflective_dll.x64.ocx
control.exe c:\z\reflective_dll.x64.any_extension
All the above commands could run successfully while Avast was set to Hardened Mode Aggressive.

It may be worth to mention, that the WD ASR rule : "Block executable files from running unless they meet a prevalence, age, or trusted list criteria" blocked all cases (.exe, .tmp, .dll, .cpl, .ocx, .any_extension). That rule can be very useful when the exploit tries to compile & execute the malware executable - such malware will be blocked by the mentioned WD ASR rule.

When using the Hard_Configurator settings form the profile: WIndows_10_Avast_Hardened_Mode_Aggressive.hdc
the extended DLL blocking is disabled anyway, so both .exe and .tmp files can be safely whitelisted.

 

[Andy Ful]

It seems that WD ASR rule : "Block executable files from running unless they meet a prevalence, age, or trusted list criteria" can stop reflective DLL injections. I used Stephen Fewer's reflective_dll.x64.dll with a changed content (from the previous post) and his reflective injector inject.x64.exe, with the command line :
cmd /k start c:\z\inject.x64.exe
The above command line could successfully inject the original reflective_dll.x64.dll, but failed to inject the reflective_dll.x64.dll with the changed content (from my previous post).

I noticed that this ASR rule can block the read access to the suspicious executable (DLL in this case), so the DLL cannot be loaded. I did not test this with suspicious .NET DLLs, but blocking the read access should block them too.

When using the ASR rule "Block executable files from running unless they meet a prevalence, age, or trusted list criteria", some folders should be excluded (like in ConfigureDefender), because the freshly compiled native image DLLs can be blocked by this rule!

 

[shmu26]

It seems that WD ASR rule : "Block executable files from running unless they meet a prevalence, age, or trusted list criteria" can stop reflective DLL injections. I used Stephen Fewer's reflective_dll.x64.dll with a changed content (from the previous post) and his reflective injector inject.x64.exe, with the command line :
cmd /k start c:\z\inject.x64.exe
The above command line could successfully inject the original reflective_dll.x64.dll, but failed to inject the reflective_dll.x64.dll with the changed content (from my previous post).

I noticed that this ASR rule can block the read access to the suspicious executable (DLL in this case), so the DLL cannot be loaded. I did not test this with suspicious .NET DLLs, but blocking the read access should block them too.

When using the ASR rule "Block executable files from running unless they meet a prevalence, age, or trusted list criteria", some folders should be excluded (like in ConfigureDefender), because the freshly compiled native image DLLs can be blocked by this rule!

Good find!

 

[oldschool]

@Andy Ful - Thanks for the update. How is the new "Document Anti-Exploit" feature coming along?