Hard_Configurator - Windows Hardening Configurator

[Andy Ful]

Hi @Andy Ful
i want to know if there are away to export the rules you writes as white listed for firewall hardening to some readable format Text or html format
i am carious about these rules

Not in H_C. But, you can export the SRP Registry key:
HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths

 

[DDE_Server]

Not in H_C. But, you can export the SRP Registry key:
HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths

So there is no method to export it in readable format
I want to know the rules (basic windows functionality process and required ports you allowed when you hardcoded these rules however thatnks for your reply
You created the rules by experience or have some documentation about these process ?? I know that the question in the know how however I am interested

 

[Andy Ful]

I mean the internal PDF feature, not external plugins. In Firefox that was isolated, so i guess it's in Chromium-Edge too and even better?

This internal feature can be exploited similarly to a plugin. The PDF document opened by Edge can exploit the Edge process and Edge has access to the Internet.
If you will open the PDF document in PDF Reader (AppContainer), then exploiting the app is far less probable and you can block the Internet access.

 

[Andy Ful]

So there is no method to export it in readable format

On the contrary, it is very readable just like any txt file.
[/QUOTE]
...
You created the rules by experience or have some documentation about these process ??
[/QUOTE]
Both. You can read examples of using SRP rules in H_C documentation:

Hard_Configurator/Documentation/Part 3 - How do Software Restriction Policies work.pdf at master · AndyFul/Hard_Configurator

GUI to Manage Software Restriction Policies and harden Windows Home OS - AndyFul/Hard_Configurator

github.com

 

[DDE_Server]

On the contrary, it is very readable just like any txt file.

...
You created the rules by experience or have some documentation about these process ??
[/QUOTE]
Both. You can read examples of using SRP rules in H_C documentation:

Hard_Configurator/Documentation/Part 3 - How do Software Restriction Policies work.pdf at master · AndyFul/Hard_Configurator

GUI to Manage Software Restriction Policies and harden Windows Home OS - AndyFul/Hard_Configurator

github.com

[/QUOTE]
Thanks a lot @Andy Ful for your patient to reply my questions i just love to learn. i am learning web development through udemy (hope i complete the whole course)
also is it opensource ?? in which language you wrote it ?

 

[DDE_Server]

sorry i found it on github sure it open source sorry for that dump question

 

[Andy Ful]

...
in which language you wrote it ?

A few years ago H_C was intended to be a simple working GUI, so I chose AutoIt to build it. If I would know that H_C will become as complex as today, then I would choose another language.
But, in this way, I learned AutoIt which was completely new to me.

 

[DDE_Server]

A few years ago H_C was intended to be a simple working GUI, so I chose AutoIt to build it. If I would know that H_C will become as complex as today, then I would choose another language.
But, in this way, I learned AutoIt which was completely new to me.

that the main requirement of any developer to be adaptable to learning never stuck for certain language or framework
my dream to work as a developer however i want to participate with a team
i learned many language and stuck at OOP as i lose motivation i want to build projects with a team and push code and learn version control system
i learned python C,C++ but stuck at the same point
i want to create a tool has good output. i plan to learn algorithm but it will require time. i chose web development to has an output help me step ahead
however this is difficult as i do that beside my main job (Electrical engineer)

 

[ErzCrz]

This internal feature can be exploited similarly to a plugin. The PDF document opened by Edge can exploit the Edge process and Edge has access to the Internet.
If you will open the PDF document in PDF Reader (AppContainer), then exploiting the app is far less probable and you can block the Internet access.

Thanks for this. Downloaded Adobe Acrobat DC Reader. Though tempted by Foxit as well.

 

[Sampei Nihira]

This internal feature can be exploited similarly to a plugin. The PDF document opened by Edge can exploit the Edge process and Edge has access to the Internet.
If you will open the PDF document in PDF Reader (AppContainer), then exploiting the app is far less probable and you can block the Internet access.

If the malicious PDF opens the browser, it still gets internet access.
Two old analyzes of Didier Stevens regarding PDFs:

PDF, Let Me Count the Ways…

In this post, I show how basic features of the PDF language can be used to generate polymorphic variants of (malicious) PDF documents. If you code a PDF parser, write signatures (AV, IDS, …) …

blog.didierstevens.com

Quickpost: /JBIG2Decode Trigger Trio

Sometimes a piece of malware can execute without even opening the file. As this is the case with the /JBIG2Decode vulnerability in PDF documents, I took the time to produce a short video showing 3 …

blog.didierstevens.com

Although the Shell Extensions problem will be obsolete today I have to admit that it has stayed with me.
I think it is interesting for young MT users to read.

Good night my friend.

 

[ForgottenSeer 85179]

If the malicious PDF opens the browser, it still gets internet access.
Two old analyzes of Didier Stevens regarding PDFs:

PDF, Let Me Count the Ways…

In this post, I show how basic features of the PDF language can be used to generate polymorphic variants of (malicious) PDF documents. If you code a PDF parser, write signatures (AV, IDS, …) …

blog.didierstevens.com

Quickpost: /JBIG2Decode Trigger Trio

Sometimes a piece of malware can execute without even opening the file. As this is the case with the /JBIG2Decode vulnerability in PDF documents, I took the time to produce a short video showing 3 …

blog.didierstevens.com

Although the Shell Extensions problem will be obsolete today I have to admit that it has stayed with me.
I think it is interesting for young MT users to read.

Good night my friend.

These posts are from 2008/ 2009.
Don't think that this work nowadays with restrictions like AppContainer

 

[Andy Ful]

If the malicious PDF opens the browser, it still gets internet access.
...

If the malicious PDF can exploit the reader and run something, then there are several ways to get Internet access. You do not need the web browser for that.
If one does not want to open URLs embedded in the document and the Reader does not alert opening the URLs, then Exploit Protection can be used to block child processes.

 

[DDE_Server]

If the malicious PDF can exploit the reader and run something, then there are several ways to get Internet access. You do not need the web browser for that.

it could abuse legit process for example one of the reader services which request internet access for example update services or crashing reporting services

 

[Andy Ful]

AppContainer can be probably exploited if someone smart has resources and motivation. But, this fruit is very high and there are many fruits hanging low.
This is a strong advantage of apps in AppContainer (for now).

 

[Andy Ful]

it could abuse legit process for example one of the reader services which request internet access for example update services or crashing reporting services

This is possible but would require high privileges. It is much easier to use a simple script to download/execute something malicious with standard rights. Obtaining high privileges by an exploit is not so common.

 

[DDE_Server]

This is possible but would require high privileges. It is much easier to use a simple script to download/execute something malicious with standard rights. Obtaining high privileges by an exploit is not so common.

but if the abused process has administrative privilege woud not that be possible ? almost all software require administrative right during installation and this give their services the same rights (which include firewall modifying rules ) ??

 

[Andy Ful]

but if the abused process has administrative privilege woud not that be possible ? almost all software require administrative right during installation and this give their services the same rights (which include firewall modifying rules ) ??

Usually, the exploit can run something with standard privileges. The process running with standard privileges cannot abuse something running with high privileges, except when another exploit is used to elevate the malicious process. Abusing the services is often used to hide the malicious process which already could do malicious actions.

 

[Andy Ful]

Thanks for this. Downloaded Adobe Acrobat DC Reader. Though tempted by Foxit as well.

I am not sure if Adobe Reader DC (it is not the UWP app in AppContainer) can be safer than Foxit Reader. The first has the Attack Surface much bigger even if you use the AppContainer setting for Adobe Reader DC. Did you try Foxit MobilePDF?

 

[simmerskool]

bummed out as I see many posts I was not alerted to despite having this thread marked to watch...?

 

[oldschool]

bummed out as I see many posts I was not alerted to despite having this thread marked to watch...?

Try "un-watching" and then "watch" again. I've had to do this for members I follow but didn't get notifications.