Harden Windows Security | Only with official documented methods | Always up to date

ThorFinn

New Member
Feb 16, 2023
3
Hi SpyNetGirl
I am trying to apply Harden Windows 11 safely, securely and without breaking anything settings on a Microsoft surface Windows 11 Enterprise, Microsoft Security Baselines and Security Baselines X runs fine, but Windows Security aka Defender gives an error.
 

SpyNetGirl

Level 3
Thread author
Well-known
Jan 30, 2023
113
Hi SpyNetGirl
I am trying to apply Harden Windows 11 safely, securely and without breaking anything settings on a Microsoft surface Windows 11 Enterprise, Microsoft Security Baselines and Security Baselines X runs fine, but Windows Security aka Defender gives an error.

If you think there is an error, open a new issue at Github so I can properly check it.
 

SpyNetGirl

Level 3
Thread author
Well-known
Jan 30, 2023
113
I tried this and SAC blocked Windows Security. Ouch!

Any screenshots?

Any other details? OS version?

Did you fully update the OS and download all the updates, specially for Windows Defender definitions?

I use it on multiple machines and VMs, that has never happened to me.

Did this happen on a clean Windows installation or you had other configurations in place, what about 3rd party software or AV solutions?

Show the exact Event Viewer log for it.

Try the same thing again in on a CLEAN OS, whether on physical hardware or virtual machine, fully update the OS and Windows Defender as MSFT suggests, and then turn on Smart App Control.

Also, Smart App Control doesn't automatically turn on by itself if it detects it will block a lot of user's programs.

in my script, using Smart App Control is optional in Windows Defender category, I turn it on for myself because none of the programs I use are unsigned or shady so it doesn't cause problem for me.
 
Last edited:

SpyNetGirl

Level 3
Thread author
Well-known
Jan 30, 2023
113
Smart App Control is not ready for production, but you know... Microsoft needs the guinea pigs to supply it data so it can make Smart App Control ready for production.

SAC will end up another half-baked project that gets side-lined.

I think you need to read about Smart App Control and find out what it really is. It's nothing new, not half baked and none of the things you mentioned.

it's a customized version of Windows Defender Application Control that exist since Windows 10. WDAC is and has been under active development, meaning new features are being added to it often. the latest feature is called Smart App Control and it's just a custom policy of WDAC. You can find all of these info in Microsoft's learn websites I linked to on my Github.

it IS ready for use in production and enterprises, that's exactly where WDAC is being used.
 
F

ForgottenSeer 98186

I think you need to read about Smart App Control and find out what it really is.
I know what SAC is, lol.

I am a Microsoft native security proponent and I've been around long enough at the enterprise and government level to know how Microsoft handles projects. It's handling of WDAC is the same as AppLocker, Group Policy, PowerShell Desired State Configuration and a myriad of other of its security solutions.

As far as WDAC development, it has been static for years. It is not a project that is getting any active development. It gets sporadic updates. SAC is just a sideshow of a sideshow.

Updating Microsoft Learn pages is not development, and neither is the supplying of a myriad of deployment and administration scripts and utilities development either. It is exactly this sort of "sprawl" that makes WDAC a manageability problem for sysadmins and security professionals. You can all it "development" if you wish but that is not what it is. The project is not addressing the fundamental issue with WDAC - which is tedious deployment, administration and usability. That is why companies are sticking with Group Policy, AppLocker and Software Restriction Policies.

The SAC initiative is Microsoft's desire to deliver a security solution similar to Windows S mode, but allowing home users to safely "use stuff." SAC is another one of Microsoft's vanity projects on behalf of home users.

The permanently "ON" or "OFF" modes are the exact kind of functionality that will dissuade the vast majority of users - who actually know what SAC is and care - to embrace it. A permanent "ON" mode appeals only to a tiny minority of security geeks.

It is all well-meaning, but it is more of the Microsoft same-same, which is poor execution and implementation.

not half baked and none of the things you mentioned.
SAC is being managed by Microsoft the same way it handled AppLocker, Group Policy, and PowerShell Desired State Configuration. Microsoft will take it to a certain point and then just silently stop, as it has done with most all of its security projects. So yeah, it is already in the "half-baked" Microsoft class of things.

The requirement that a user must perform a clean-install is a non-starter. How many home users do you think are actually going to do that? The fact that no one can create an allow exception - how many home users, amongst those few people who figure out what SAC is, are going to use SAC when it blocks their favorite game DLLs and they cannot allow them?

it IS ready for use in production and enterprises, that's exactly where WDAC is being used.
Yes. It is used in enterprise - by a very few enterprises that is. Due to many issues, WDAC is not widely used to the extent that Microsoft openly addresses this fact in its learn pages. I work daily with companies and government agencies that are mandated by law to have robust security - and none of them use WDAC. When the subject of WDAC is broached, the sysadmins scurry for the shadows.

If SAC were ready for production, then it would not require an evaluation mode. If it were ready for production, then it would not be blocking Microsoft's own processes and DLLs. If SAC were ready for production, then it would not need the extended telemetry that Microsoft forces as a requirement.

What is Microsoft doing exactly with SAC at this time? It is collecting data via Intelligent Security Graph and building lists of processes, DLLs and other files to be rated and allowed. So it is using all the home users as guinea pigs. That's what.
 
Last edited by a moderator:
  • Like
Reactions: cryogent and Azure

oldschool

Level 85
Verified
Top Poster
Well-known
Mar 29, 2018
7,673
Any screenshots?
No. Already clean installed.
Any other details? OS version?
w11 latest stable build at the time.
Did you fully update the OS and download all the updates, specially for Windows Defender definitions?
Uncertain. I may have enabled it before all updates had been done. Just not sure about this.
Did this happen on a clean Windows installation
Refreshed Windows and removed everything
what about 3rd party software or AV solutions?
None. Only Windows Security.
none of the programs I use are unsigned or shady
Same here.
 
F

ForgottenSeer 98186

Same here.
1676740705742.png


 

SpyNetGirl

Level 3
Thread author
Well-known
Jan 30, 2023
113
No. Already clean installed.

w11 latest stable build at the time.

Uncertain. I may have enabled it before all updates had been done. Just not sure about this.

Refreshed Windows and removed everything

None. Only Windows Security.

Same here.

That doesn't provide any details and definitely can't reproduce it. so can't do anything without any screenshot and event log data.
 

SpyNetGirl

Level 3
Thread author
Well-known
Jan 30, 2023
113
I know what SAC is, lol.

I am a Microsoft native security proponent and I've been around long enough at the enterprise and government level to know how Microsoft handles projects. It's handling of WDAC is the same as AppLocker, Group Policy, PowerShell Desired State Configuration and a myriad of other of its security solutions.

As far as WDAC development, it has been static for years. It is not a project that is getting any active development. It gets sporadic updates. SAC is just a sideshow of a sideshow.

Updating Microsoft Learn pages is not development, and neither is the supplying of a myriad of deployment and administration scripts and utilities development either. It is exactly this sort of "sprawl" that makes WDAC a manageability problem for sysadmins and security professionals. You can all it "development" if you wish but that is not what it is. The project is not addressing the fundamental issue with WDAC - which is tedious deployment, administration and usability. That is why companies are sticking with Group Policy, AppLocker and Software Restriction Policies.

The SAC initiative is Microsoft's desire to deliver a security solution similar to Windows S mode, but allowing home users to safely "use stuff." SAC is another one of Microsoft's vanity projects on behalf of home users.

The permanently "ON" or "OFF" modes are the exact kind of functionality that will dissuade the vast majority of users - who actually know what SAC is and care - to embrace it. A permanent "ON" mode appeals only to a tiny minority of security geeks.

It is all well-meaning, but it is more of the Microsoft same-same, which is poor execution and implementation.


SAC is being managed by Microsoft the same way it handled AppLocker, Group Policy, and PowerShell Desired State Configuration. Microsoft will take it to a certain point and then just silently stop, as it has done with most all of its security projects. So yeah, it is already in the "half-baked" Microsoft class of things.

The requirement that a user must perform a clean-install is a non-starter. How many home users do you think are actually going to do that? The fact that no one can create an allow exception - how many home users, amongst those few people who figure out what SAC is, are going to use SAC when it blocks their favorite game DLLs and they cannot allow them?


Yes. It is used in enterprise - by a very few enterprises that is. Due to many issues, WDAC is not widely used to the extent that Microsoft openly addresses this fact in its learn pages. I work daily with companies and government agencies that are mandated by law to have robust security - and none of them use WDAC. When the subject of WDAC is broached, the sysadmins scurry for the shadows.

If SAC were ready for production, then it would not require an evaluation mode. If it were ready for production, then it would not be blocking Microsoft's own processes and DLLs. If SAC were ready for production, then it would not need the extended telemetry that Microsoft forces as a requirement.

What is Microsoft doing exactly with SAC at this time? It is collecting data via Intelligent Security Graph and building lists of processes, DLLs and other files to be rated and allowed. So it is using all the home users as guinea pigs. That's what.

That's all only your opinion, and I don't really comment on opinions. I've been keeping an eye on the WDAC and it's been getting new features.

You can learn more about a Signed WDAC policy on the new wiki page I wrote.

 
  • Like
  • Applause
Reactions: Nevi and kylprq

TairikuOkami

Level 37
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,664
Removing the default vulnerable PS5 and installing PS7 would be my next step. If only MS would have made it easier. :rolleyes:
Code:
Dism /Online /Disable-Feature /FeatureName:MicrosoftWindowsPowerShellV2 /Quiet /NoRestart
Dism /Online /Disable-Feature /FeatureName:MicrosoftWindowsPowerShellV2Root /Quiet /NoRestart

taskkill /im PowerShell.exe /f
taskkill /im PowerShell_ISE.exe /f
takeown /s %computername% /u %username% /f "%ProgramFiles%\WindowsPowerShell" /r /d y
icacls "%ProgramFiles%\WindowsPowerShell" /inheritance:r /grant:r %username%:(OI)(CI)F /t /l /q /c
rd "%ProgramFiles%\WindowsPowerShell" /s /q
takeown /s %computername% /u %username% /f "%ProgramFiles(x86)%\WindowsPowerShell" /r /d y
icacls "%ProgramFiles(x86)%\WindowsPowerShell" /grant:r %username%:(OI)(CI)F /t /l /q /c
rd "%ProgramFiles(x86)%\WindowsPowerShell" /s /q
takeown /s %computername% /u %username% /f "%WinDir%\System32\WindowsPowerShell" /r /d y
icacls "%WinDir%\System32\WindowsPowerShell" /grant:r %username%:(OI)(CI)F /t /l /q /c
rd "%WinDir%\System32\WindowsPowerShell" /s /q
takeown /s %computername% /u %username% /f "%WinDir%\SysWOW64\WindowsPowerShell" /r /d y
icacls "%WinDir%\SysWOW64\WindowsPowerShell" /grant:r %username%:(OI)(CI)F /t /l /q /c
rd "%WinDir%\SysWOW64\WindowsPowerShell" /s /q

winget install PowerShell --source msstore --accept-package-agreements --accept-source-agreements
 
F

ForgottenSeer 98186

That's all only your opinion, and I don't really comment on opinions.
Nah. It's not opinion. Even Microsoft openly states that it has a WDAC adoption problem. The open discussions across the web about WDAC over the years are not opinion-based, they are fact. WDAC does have a serious usability issue - and no matter what you argue - sysadmins' experiences should be the primary driver of Microsoft's projects, but they are not. If you just do not want to discuss those issues, then that is fine - but don't mischaracterize them as "opinions" in an effort to delegitimize the facts and inconvenient truths about WDAC.

Are you even a sysadmin? Do you work in enterprise or a government agency and administer tens of thousands of endpoints? Have you ever tried to deploy WDAC on 10,000 endpoints in an infrastructure environment that includes everything from Windows 7 to 11 and Server 2012 through 2022, including all the enterprise software that has unsigned executables and DLLs? OR is your opinion all based upon Microsoft's latest-and-greatest running in your home Hyper-V lab?

I've been keeping an eye on the WDAC and it's been getting new features.
Really? And what new features would those be? I am asking because a legitimate question.

The WDAC features list has not changed since 2022 . Prior to that, WDAC features were unchanged from the introduction of WDAC on Windows 10 in 2016 up until 2022. There have been a few WDAC or associated bug fixes over the years, but other than that WDAC was not developed to the extent that the SANS Institute dropped it from their Windows Hardening courses in 2018.

 

SpyNetGirl

Level 3
Thread author
Well-known
Jan 30, 2023
113
Removing the default vulnerable PS5 and installing PS7 would be my next step. If only MS would have made it easier. :rolleyes:
Code:
Dism /Online /Disable-Feature /FeatureName:MicrosoftWindowsPowerShellV2 /Quiet /NoRestart
Dism /Online /Disable-Feature /FeatureName:MicrosoftWindowsPowerShellV2Root /Quiet /NoRestart

taskkill /im PowerShell.exe /f
taskkill /im PowerShell_ISE.exe /f
takeown /s %computername% /u %username% /f "%ProgramFiles%\WindowsPowerShell" /r /d y
icacls "%ProgramFiles%\WindowsPowerShell" /inheritance:r /grant:r %username%:(OI)(CI)F /t /l /q /c
rd "%ProgramFiles%\WindowsPowerShell" /s /q
takeown /s %computername% /u %username% /f "%ProgramFiles(x86)%\WindowsPowerShell" /r /d y
icacls "%ProgramFiles(x86)%\WindowsPowerShell" /grant:r %username%:(OI)(CI)F /t /l /q /c
rd "%ProgramFiles(x86)%\WindowsPowerShell" /s /q
takeown /s %computername% /u %username% /f "%WinDir%\System32\WindowsPowerShell" /r /d y
icacls "%WinDir%\System32\WindowsPowerShell" /grant:r %username%:(OI)(CI)F /t /l /q /c
rd "%WinDir%\System32\WindowsPowerShell" /s /q
takeown /s %computername% /u %username% /f "%WinDir%\SysWOW64\WindowsPowerShell" /r /d y
icacls "%WinDir%\SysWOW64\WindowsPowerShell" /grant:r %username%:(OI)(CI)F /t /l /q /c
rd "%WinDir%\SysWOW64\WindowsPowerShell" /s /q

winget install PowerShell --source msstore --accept-package-agreements --accept-source-agreements

This is actually funny haha, people told me I shouldn't set the requirement for script to PS7 because it would increase attack surface simply because of having to install non-default software, but now you are saying it's vulnerable and PS7 is better.

Confusing ;D

Could you talk about some of the vulnerabilities you are referring to in PS5.1 in latest Windows 11?
 
  • Wow
Reactions: kylprq
F

ForgottenSeer 98186

Removing the default vulnerable PS5 and installing PS7 would be my next step. If only MS would have made it easier. :rolleyes:
Code:
Dism /Online /Disable-Feature /FeatureName:MicrosoftWindowsPowerShellV2 /Quiet /NoRestart
Dism /Online /Disable-Feature /FeatureName:MicrosoftWindowsPowerShellV2Root /Quiet /NoRestart

taskkill /im PowerShell.exe /f
taskkill /im PowerShell_ISE.exe /f
takeown /s %computername% /u %username% /f "%ProgramFiles%\WindowsPowerShell" /r /d y
icacls "%ProgramFiles%\WindowsPowerShell" /inheritance:r /grant:r %username%:(OI)(CI)F /t /l /q /c
rd "%ProgramFiles%\WindowsPowerShell" /s /q
takeown /s %computername% /u %username% /f "%ProgramFiles(x86)%\WindowsPowerShell" /r /d y
icacls "%ProgramFiles(x86)%\WindowsPowerShell" /grant:r %username%:(OI)(CI)F /t /l /q /c
rd "%ProgramFiles(x86)%\WindowsPowerShell" /s /q
takeown /s %computername% /u %username% /f "%WinDir%\System32\WindowsPowerShell" /r /d y
icacls "%WinDir%\System32\WindowsPowerShell" /grant:r %username%:(OI)(CI)F /t /l /q /c
rd "%WinDir%\System32\WindowsPowerShell" /s /q
takeown /s %computername% /u %username% /f "%WinDir%\SysWOW64\WindowsPowerShell" /r /d y
icacls "%WinDir%\SysWOW64\WindowsPowerShell" /grant:r %username%:(OI)(CI)F /t /l /q /c
rd "%WinDir%\SysWOW64\WindowsPowerShell" /s /q

winget install PowerShell --source msstore --accept-package-agreements --accept-source-agreements
PowerShell 7 is more susceptible to vulnerabilities as it is much-newer-to-market running on-top of .NET 6. In 2022 and 2021 there were remote code execution vulnerabilities that were discovered, but not exploited in-the-wild. Those vulnerabilities were the reason for the hubub updates from 7.1 to 7.2 and then 7.2 to 7.3.

Windows PowerShell 5 has not had any serious vulnerabilities reported in the past years. The dwell-and-stale time of version 5 has allowed it to be scrutinized more with corresponding security fixes.
 
Last edited by a moderator:
  • +Reputation
  • Like
Reactions: gonza and oldschool

SpyNetGirl

Level 3
Thread author
Well-known
Jan 30, 2023
113
Looks really interesting. I normally go down the Hard_Configurator/configuredefender route but with fresh 22H2 incompatibility with SRP, I've not got around to implementing that fully. Will have a look at this, thanks @SpyNetGirl :)

Nah. It's not opinion. Even Microsoft openly states that it has a WDAC adoption problem. The open discussions across the web about WDAC over the years are not opinion-based, they are fact. WDAC does have a serious usability issue - and no matter what you argue - sysadmins' experiences should be the primary driver of Microsoft's projects, but they are not. If you just do not want to discuss those issues, then that is fine - but don't mischaracterize them as "opinions" in an effort to delegitimize the facts and inconvenient truths about WDAC.

Are you even a sysadmin? Do you work in enterprise or a government agency and administer tens of thousands of endpoints? Have you ever tried to deploy WDAC on 10,000 endpoints in an infrastructure environment that includes everything from Windows 7 to 11 and Server 2012 through 2022, including all the enterprise software that has unsigned executables and DLLs? OR is your opinion all based upon Microsoft's latest-and-greatest running in your home Hyper-V lab?


Really? And what new features would those be? I am asking because a legitimate question.

The WDAC features list has not changed since 2022 . Prior to that, WDAC features were unchanged from the introduction of WDAC on Windows 10 in 2016 up until 2022. There have been a few WDAC or associated bug fixes over the years, but other than that WDAC was not developed to the extent that the SANS Institute dropped it from their Windows Hardening courses in 2018.


Again just opinions. I don't know why you keep asking me for replies to them.

Here are the facts: Windows 7. it's officially dead. Windows 10, officially dead in 2 years. end of life dates available on MSFT website. since Windows 11 was released, Windows 10 has been in maintenance mode only. another fact is, WDAC works very well on up to date OS and yes I can deploy it successfully to any number of PCs that have up to date OS and maintain them. whether 10k or 10 billion.

Don't care about sans or any 3rd party stuff, fact is, they all have their own politics, opinions and biases. there are lots of guides on the Internet that are outdated and only talk about old obsolete stuff, people who follow them get into trouble. that's why I keep mine always up to date and if you read the latest wiki I wrote, you'll get more info, specially you'll know how easy it is to deploy it and what the benefits are.


And by the way, like I already mentioned, WDAC has got many new features, constantly, and I know what they are because I test and use them. but it's out of the scope of this topic so either do your own research or open a Github discussion to continue it. don't want to go off topic any more and I'd appreciate if you don't either.


You say there are usability issues? Microsoft docs provide all the details necessary to implement and understand the whole thing. that's my only source, but they are high level documents and one needs prior understanding of certain things before being able to consume those documents. that's why I'm writing comprehensive wiki posts to explain it from 0 to 100. I'm nearly done finishing up on the WDAC policy itself too. first I wrote about signed version of it because that's the most interesting part. you could point those posts you find on the Internet having problem to my wiki pages.
 
Last edited:
  • Hundred Points
Reactions: kylprq

SpyNetGirl

Level 3
Thread author
Well-known
Jan 30, 2023
113
Looks really interesting. I normally go down the Hard_Configurator/configuredefender route but with fresh 22H2 incompatibility with SRP, I've not got around to implementing that fully. Will have a look at this, thanks @SpyNetGirl :)

You're welcome, please pay attention to this note:

Software Restriction Policies were deprecated beginning with Windows 10 build 1803 and also applies to Windows Server 2019 and above. You should use Windows Defender Application Control (WDAC) or AppLocker to control what software runs.


WDAC or Windows Defender Application Control, specially the Signed version, provides unbeatable security. one of the many benefits of it over SRP and AppLocker is that it keeps the device secure at all times, including before/during/after boot process.
 
F

ForgottenSeer 98186

Again just opinions.
Nah. Not opinions. They are facts. So you are saying that Microsoft's own official support pages are "opinion"?

lol

Here are the facts: Windows 7. it's officially dead. Windows 10, officially dead in 2 years. end of life dates available on MSFT website. since Windows 11 was released, Windows 10 has been in maintenance mode only.
Here are the real-world facts. In enterprise, Windows 7, 8.1 and 10 & Server 2012, 2014, and 2016 are still deployed - and Microsoft is supporting them. It will provide extended support for Windows 10 for a fee just like it did with 7. Not only that, nearly 40% of the world's home users are still running Windows 10 and won't be upgrading to 11 anytime soon. So it doesn't matter what dates you quote from Microsoft. These are irrefutable facts.

WDAC works very well on up to date OS
Yes, it does. Nobody is questioning its protection efficacy. It does however suffer from multiple usability issues that even Microsoft has officially acknowledged.

It is really weird that you are saying things about WDAC that Microsoft itself claims to be otherwise. Is everything that Microsoft does perfect in your eyes?

yes I can deploy it successfully to any number of PCs that have up to date OS and maintain them. whether 10k or 10 billion.
That is not what I asked you. The question that you were asked is:

"Have you ever tried to deploy WDAC on 10,000 endpoints in an infrastructure environment that includes everything from Windows 7 to 11 and Server 2012 through 2022, including all the enterprise software that has unsigned executables and DLLs? OR is your opinion all based upon Microsoft's latest-and-greatest running in your home Hyper-V lab?"

Since you wiggled out of that question by not answering it, we'll take that as a "No."

and yes I can deploy it successfully to any number of PCs that have up to date OS and maintain them. whether 10k or 10 billion.
How will you do the pre-deployment audit to gather system infos across all the network segments? What do you plan to do about all the completely legit third party software (that you call "shady") and create the correct WDAC policies?

And exactly what distribution method would you use - MCM, SCCM, (MDM) InTune, Group Policy, ePO? How is the deployment going to scale? What time frame? How are you going to handle errors? Would you instead use OpenSSH and PSSession to execute a WDAC deployment script from a .csv source endpoint file?

Or you plan on deploying WDAC only to Windows 11 Server 2022 boxes, with only Microsoft signed and Store apps? (Yes. This is what you meant. lol)

Don't care about sans or any 3rd party stuff, fact is, they all have their own politics, opinions and biases.
lol, do you even know what SANS is? Do you even know who are the teaching staff there? lol, some are Microsoft employees or subcontractors. That's who. Plus Microsoft and SANS work closely together. For you to even suggest that SANS would drop teaching WDAC because of politics, opinions or biases is absurd.


And by the way, like I already mentioned, WDAC has got many new features, constantly, and I know what they are because I test and use them. but it's out of the scope of this topic so either do your own research or open a Github discussion to continue it. don't want to go off topic any more and I'd appreciate if you don't either.
No. It's not out of the scope of this topic. If it is as you claim, then it would take you less than a few minutes to provide this list of "many new features." You know, Microsoft is conscientious about keeping the industry informed via its devblog and other team sites, and yet there is narry a mention of new WDAC features. There's no mention of new WDAC features on the TechCommunity. So where is it that you are getting the inside on newly implemented features in WDAC?

My question about new features was legit as I, and others here, genuinely are interested in learning about these new WDAC features.

that's why I keep mine always up to date and if you read the latest wiki I wrote, you'll get more info, specially you'll know how easy it is to deploy it and what the benefits are.
You do realize that juat about every single one of your GitHub pages is a wall of text, right? That you have to do all that explaining on Microsoft's behalf is proof positive of poor Microsoft usability.

lol, I've done enterprise deployments and it isn't easy. It is easy in a nice, clean simplistic heterogeneous home lab Hyper-V environment.
 
Last edited by a moderator:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top