NVT SysHardener: Harden Windows Settings

Daviworld

Level 2
Verified
Feb 19, 2018
60
Wow what a great resource for Window's 10, I have to admit I was pretty sick of manually doing all these edit's on individual Window machines, and was too lazy to make a script. Glad to see someone took the time out to code something awesome, that will save many sysadmin's time in configuration.

While I am fairly comfortable manually doing it, I would mainly use these for client's who aren't too tech savvy, and who work in financials. So, security is important to them, or at least when it come's to their financials lol. Would me setting this up on their machine once be good enough, with a periodic monthly check in on the software, to see if anything need's to be changed. Keep them fairly protected from harming their machine's themselves?

Or, should I continue doing it the manual way?

Best,
Davi
 

vtqhtr413

Level 26
Verified
Top Poster
Well-known
Aug 17, 2017
1,449
Can you use a local account as indicated here?
Windows 10 telemetry - Open up, Sesame
"For instance, Cortana does not work with the local account"

Thanks for the assist, good website too. I was only being half serious in that post as I've read how intertwined Cortana has become unfortunately but this NVT gang seem to be pretty slick, ambitious at a minimum so you never know.;)
 
  • Like
Reactions: oldschool and AtlBo
F

ForgottenSeer 58943

Thread author
How about disabling CPD Services on Windows and disabling their re-initialization? (Connected Devices Platform Service)

sc config CDPUserSvc start= disabled
sc config CDPSvc start= disabled
reg add "HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc" /v "Start" /t REG_DWORD /d "4" /f
reg add "HKLM\System\CurrentControlSet\Services\UserDataSvc" /v "Start" /t REG_DWORD /d "4" /f
reg add "HKLM\System\CurrentControlSet\Services\UnistoreSvc" /v "Start" /t REG_DWORD /d "4" /f

They basically assign a UID to each person, then use this to send data to other apps (and to spy). I've found no negative side effects to disabling it in almost a year but all privacy tools seem to miss it.
 

71Hemi

Level 2
Verified
Dec 12, 2015
82
@ForgottenSeer 58943

How about disabling CPD Services on Windows and disabling their re-initialization? (Connected Devices Platform Service)

sc config CDPUserSvc start= disabled
sc config CDPSvc start= disabled
reg add "HKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc" /v "Start" /t REG_DWORD /d "4" /f
reg add "HKLM\System\CurrentControlSet\Services\UserDataSvc" /v "Start" /t REG_DWORD /d "4" /f
reg add "HKLM\System\CurrentControlSet\Services\UnistoreSvc" /v "Start" /t REG_DWORD /d "4" /f

They basically assign a UID to each person, then use this to send data to other apps (and to spy). I've found no negative side effects to disabling it in almost a year but all privacy tools seem to miss it.

Are these settings Windoze 10 only or will they work on Windoze 7 64bit?
 
  • Like
Reactions: AtlBo
F

ForgottenSeer 58943

Thread author
Also, I'd recommend putting in the option for disabling the security risk known as DNSClient.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache
(set START to 4, then: sc config Dnscache start= disabled)

Maybe even removing the stupid 3DObjects folder on File Explorer. Not a security risk but a huge annoyance.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace
Locate and delete
{0DB7E03F-FC29-4DC6-9020-FF41B59E513A}


HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace
Locate and delete
{0DB7E03F-FC29-4DC6-9020-FF41B59E513A}
 

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
292
Have added an option to change the PowerShell Execution Policy on current user (unchecked by default):

sush1.png


I've added also possibility to change it to Unrestricted\Bypass\Undefined.

What do you think about it? Better to allow the user to change it with all available options or just have a single checkbox:

Set PowerShell Execution Policy to Restricted for Current User

The "Restricted" is the default option (and more secure), more info here:
Set-ExecutionPolicy (Microsoft.PowerShell.Security)

Will add also 3 new options to disable these other Windows services (unchecked by default):

Turn Off HomeGroup Provider Service
Turn Off Program Compatibility Assistant (PCA) Service
Turn Off Windows Search Service

What do you think?

@Daviworld

You may want to apply SysHardener tweaks once and it should be fine.

In case Windows auto-upgrades to a major version, it may happen that it changes some tweaks made by SysHardener (i.e disabled services).

So you'll need to re-apply SysHardener tweaks.

@blueblackwow65

Yes, with default settings it should be fine and not cause issues.

@Darrin

We'll need to discuss about it (not a priority for now).

@ForgottenSeer 58943

About disabling DNSClient, can add it as disabled by default.

* I've read somewhere that if disabled, it may create issues with some firewall software (don't remember the link).

About UserDataSvc\UnistoreSvc, will check them later.
 
F

ForgottenSeer 58943

Thread author
@ForgottenSeer 58943

About disabling DNSClient, can add it as disabled by default.

* I've read somewhere that if disabled, it may create issues with some firewall software (don't remember the link).

About UserDataSvc\UnistoreSvc, will check them later.

I am unaware of any product requiring DNSClient, especially on Windows 10 because Windows 10 defaults to Multi-Homed DNS (which you should add an option to disable that as well, as this can faciliate DNS hijacking by a quantum sourced DNS lookup injecting itself as a fast response hijacking DNS). SO you are probably safe at the very least, providing the option, but default should work for virtually everyone just fine.
 

71Hemi

Level 2
Verified
Dec 12, 2015
82
There is one product that I know of called Windows Firewall Control made by binisoft that requires DNS Client Service; As per Binisoft site...
Windows Firewall Control
System Requirements

√ Microsoft .NET Framework version 4.5 or a newer version.
√ Compatible with all x86 and x64 versions of Windows 10, 8.1, 8, 7, Server 2016, Server 2012.
√ Windows Firewall service is required to be enabled for Windows Firewall Control to run.
√ DNS Client service is required to be enabled for the notifications to work properly.
 
  • Like
Reactions: AtlBo and askmark
F

ForgottenSeer 58943

Thread author
There is one product that I know of called Windows Firewall Control made by binisoft that requires DNS Client Service; As per Binisoft site...
Windows Firewall Control
System Requirements

√ Microsoft .NET Framework version 4.5 or a newer version.
√ Compatible with all x86 and x64 versions of Windows 10, 8.1, 8, 7, Server 2016, Server 2012.
√ Windows Firewall service is required to be enabled for Windows Firewall Control to run.
√ DNS Client service is required to be enabled for the notifications to work properly.

Required for notifications, so they're sourcing DNSClient for notifications of DNS activity, essentially using it as a text file to push notifications. Not really a proper use of DNSClient, and the first I have heard of it being required. The negatives far outweigh the benefits of DNSClient, it's also an awesome tool to use for malware to spy, steal your website activity and redirect your DNS.
 
  • Like
Reactions: vtqhtr413 and AtlBo

71Hemi

Level 2
Verified
Dec 12, 2015
82
I thought in order for DNSClient to work properly that malware "had" to notify you about spying, stealing your website activity and redirecting your DNS !
 
  • Like
Reactions: AtlBo

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
292
Released a new version SysHardener v1.2:
Harden Windows Settings with SysHardener | NoVirusThanks

sysh2.png


This is the changelog:

+ Fixed disabling of WinHTTP Web Proxy Auto-Discovery Service
+ Fixed enabling of PowerShell Constrained Language Mode
+ Fixed disabling of PowerShell Script Execution
+ Added button "Windows Features" on "System Tools" tab
+ Added button "Active Connections" on "System Tools" tab
+ Added button "Event Viewer" on "System Tools" tab
+ Added button "DCOMCNFG" on "System Tools" tab
+ New option "Turn Off HomeGroup Provider Service"
+ New option "Turn Off Program Compatibility Assistant Service"
+ New option "Change PowerShell Execution Policy for Current User"
+ New option "Turn Off DNS Client (Dnscache) Service"
+ New option "Turn Off Windows Search Service"
+ New option "Turn Off SMBv1"
+ New option "Turn Off SMBv2\v3"
+ New option "Disable SMB on Port 445 (SMBDeviceEnabled)"
+ New option "Disable NetBIOS over TCP/IP on All Network Interfaces"
+ New option "Turn Off Sidebar and Desktop Gadgets"
+ New option "Disable DCOM (OLE)"
+ New option "Turn Off Server (LanmanServer) Service"
+ New option "Block Oubound Connections for Eventvwr.exe"
+ New option "Block Oubound Connections for MMC.exe"
+ New option "Block Oubound Connections for Wmic.exe"
+ New option "Disable PowerShell v2.0 Engine"
+ New option "Block Outbound Connections for Rundll32.exe"
+ New option "Block Outbound Connections for PresentationHost.exe"
+ Disabled by default some Windows Firewall options
+ Added top-menu (File\Help) to the main window
+ Minor fixes and optimizations
+ Updated help file
 

NoVirusThanks

From NoVirusThanks
Verified
Developer
Well-known
Aug 23, 2012
292
These Windows Firewall rules are disabled (unchecked) by default:

Block Outbound Connections for Bitsadmin.exe
Block Outbound Connections for Csrss.exe
Block Outbound Connections for DeviceDisplayObjectProvider.exe
Block Outbound Connections for Lsass.exe
Block Outbound Connections for PresentationHost.exe
Block Outbound Connections for Regsvr32.exe
Block Outbound Connections for Rundll32.exe
Block Outbound Connections for Wsmprovhost.exe
 
P

plat1098

Thread author
This error in Event Viewer--see below--persists after SysHardener is uninstalled and machine is restarted. This corresponds to the setting syshardenerproxyset.PNG which I believe is enabled by default. Shouldn't this setting revert to its original state when SysHardener is removed?

eventid7001.PNG

Edit: The checkbox for the WinHTTPAutoProxySvc is cleared and machine is restarted but the above error in Event Viewer persists. I searched for methods to get rid of the error and results yielded things like running a batch file but would rather wait for further info. :)
 
Last edited by a moderator:
  • Like
Reactions: upnorth
P

plat1098

Thread author
@upnorth : Windows 10 latest--16299.309. Not installed on my alternate workstation at the moment. The setting in SysHardener seems to be irreversible on here unless you know how to manually re-enable the service or you reset the machine entirely. :unsure:

Edit: Since I can restore from an older image, I'm going to clarify my above issue. Seeing this WinHTTPAutoProxy setting is enabled when SysHardener is first installed, could it instead be default-disabled, with the user choosing to enable it instead? You're stuck with the irreversible setting otherwise, it seems. @NoVirusThanks?
 
Last edited by a moderator:
  • Like
Reactions: upnorth

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
Some users have complained that certain things don't work right for them, after applying the recommended settings. So it's hard to say.
 
  • Like
Reactions: upnorth

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top