New Update Simple Windows Hardening

[Andy Ful]

Post updated in July 2023.

SWH ver. 2.1.1.1 - July 2023 (added support for Windows 11 ver. 22H2)​

https://github.com/AndyFul/Hard_Configurator/raw/master/Simple%20Windows%20Hardening/SimpleWindowsHardening_2111.zip

SWH ver. 2.0.0.1 - August 2022 (no support for Windows 11 ver. 22H2)​

https://github.com/AndyFul/Hard_Configurator/raw/master/Simple Windows Hardening/SimpleWindowsHardening_2001.zip

Windows 11 ver. 22H2 (fresh installation) turns off by default Software Restriction Policies. So, SimpleWindowsHardening ver. 2.0.0.1 (and prior) cannot use the SWH options related to SRP. This issue is corrected in version 2.1.1.1. It can also work with enabled Smart App Control.

Microsoft documentation for Software Restriction Policies (July 2021):

Software Restriction Policies Technical Overview

Learn about software restriction policies, when and how to use the feature, and what changes have been implemented in past releases.

learn.microsoft.com

This documentation was made for Windows Server (2012-2022), but SRP works the same on Windows 7, 8, 8.1, 10, and 11. From Windows 11, one has to pay attention to AppLocker policies.

Overview
Simple Windows Hardening (SWH) works on Windows Home and Pro editions. It is a portable application that allows configuring Windows built-in features to support antivirus and prevent fileless malware. SWH is adjusted to the home environment. After the initial configuration, it can be closed and all protection comes from the Windows built-in features.

SWH is based on Software Restriction Policies (SRP) and some useful Windows Policies. Users on Windows 11 should bear in mind that Microsoft stopped the development of SRP a few years ago. One cannot exclude the possibility that some problems related to SRP may arise in the future on Windows 11. It is also possible that Microsoft will remove SRP on Windows 12. SWH is tested via the Windows Insider program, so any possible problem is recognized in advance and reported on the Dev. Website.

The security setup is adjusted to keep usability and prevent fileless malware in the home environment. So, the EXE and MSI files are not restricted in SWH, except when executed from archives and email clients. But non-executable files like scripts, shortcuts, and other files with unsafe extensions are restricted. Such a setup can be very efficient because nowadays, many initial vectors of attack are performed via non-executable files.

The more sophisticated attack, the fewer chances that AV can detect it, but the greater chances that SWH can prevent it.

The restrictions made by SWH can be switched OFF/ON by using two switches on the right of the green buttons: <Software Restriction Policies> and <Windows Hardening>. In the OFF position, the restrictions are remembered and next removed - Windows default settings are applied for previously restricted features. When switching ON, the remembered settings are restored. Furthermore, in the ON position, the configurable settings can be changed by the user from the Settings menu.

# THE EXE / MSI 0-DAY MALWARE

The SWH application does not apply restrictions to EXE and MSI files, because these files are often used to install/update applications. Nowadays, many antivirus solutions have very good detection of such files, as compared to the detection of scripts. But still, the antivirus proactive features can have a problem with 0-day malware. In the home environment, the main delivery vectors of 0-day malware are spam emails and flash drives (USB drives).

The user has to be very careful when running EXE/MSI files originating from:

• Internet web links embedded in the emails.
• Attachments embedded in the emails.
• Flash drives (USB drives) shared with other people.

When using SWH restrictions, the user can consider the RunBySmartScreen tool. It allows checking any EXE/MSI file against the Microsoft SmartScreen Application Reputation service in the cloud. Many such files are accepted by SmartScreen, and this is the best way to avoid the 0-day malware. If the EXE/MSI file is not recognized by SmartScreen as safe or malicious, then the simplest method is to wait a minimum one day before running the unsafe file. After one day most of the malicious links are dead and most of the 0-day malware samples are properly detected by a good antivirus.
RunBySmartscreen is available as a part of Hard_Confugurator Hardening Tools (together with ConfigureDefender and FirewallHardening): ConfigureDefender/H_C_HardeningTools at master · AndyFul/ConfigureDefender


# QUICK CONFIGURATION

1. Run SWH - the restrictions are automatically configured.
2. Log OFF the account or reboot is required, depending on what restrictions were applied in SWH.
3. If MS Office (or Adobe Acrobat Reader) is installed, then it is recommendable to apply additional hardening by using the DocumentsAntiExploit tool. More info can be found in the "DocumentsAntiExploit tool - Manual".

Please keep updating your system/software. Use SWH on the default settings for some time, until you will be accustomed to it. Most users will probably not see any difference, but rarely a legal script or file with an unsafe extension will be blocked by SWH settings. You can use blue buttons <View Blocked Events> and <Manage the Whitelist> to recognize and whitelist the blocked files. Please be careful, if you are not certain that the blocked file is safe, then wait one day or two before whitelisting it.



# RECOMMENDED SETTINGS

The above settings are installed by default. They are recommended if MS Office and Adobe Acrobat Reader are not installed.
If MS Office and Adobe Acrobat Reader DC are installed then additional hardening is recommended via the DocumentsAntiExploit tool.

1. Recommended settings for Microsoft Defender with ConfigureDefender HIGH Protection Level:
   
   
   
   
   
   
2. Otherwise:
   
   
   

# SOFTWARE INCOMPATIBILITIES

Windows built-in SRP cannot work with AppLocker (introduced via GPO or MDM WMI Bridge). In such a case, SimpleWindowsHardening shows an alert. Furthermore, the options related to SRP are Switched OFF and removed from the Settings menu.

From the year 2022, AppLocker (GPO) policies can work on Windows 10/11 Home and Pro. AppLocker is activated by default on Windows 11 ver. 22H2 or later (also on Windows Home), so SRP is disabled in the default configuration.

SimpleWindowsHardening ver. 2.1.1.1 can enable SRP on Windows 11, and SRP can also work with enabled Smart App Control (SAC).

Windows built-in SRP is incompatible with Child Account activated on Windows 10+ via Microsoft Family Safety. Child Account adds some AppLocker rules (via MDM), so SRP cannot work. Unfortunately, after removing Child Account, the AppLocker Policy files are not removed (unpleasant bug)! These policy files have to be removed manually to recover the SRP functionality.

SimpleWindowsHardening settings are not compatible with SRP introduced via Group Policies Object (GPO) available in Windows Pro, Education, and Enterprise editions. The GPO refresh feature will overwrite the SimpleWindowsHardening settings. So, before installing SimpleWindowsHardening, SRP has to be removed from GPO.

SimpleWindowsHardening will also conflict with any software which uses SRP, but such applications are rare (CryptoPrevent, SBGuard, AskAdmin, Ultra Virus Killer). Before installing SimpleWindowsHardening it will be necessary to uninstall the conflicting application.

SWH uses Windows built-in features. Some of them can be removed or added by Microsoft in the future major Windows upgrades. Please use the updated SWH version. The old versions can rarely produce some issues.


SWH vs. ATTACKS IN THE WILD (examples of how SWH works):
In most cases, SWH blocks the attacks at the delivery stage, before the final payload could be dropped/executed.
Nobelium: Q&A - Simple Windows Hardening
Zloader: Q&A - Simple Windows Hardening
Log4Shell: Q&A - Simple Windows Hardening
GootLoader: Q&A - Simple Windows Hardening
Emotet: Q&A - Simple Windows Hardening
Warzone and AgentTesla: Q&A - Simple Windows Hardening
AsyncRAT: Q&A - Simple Windows Hardening
Shuckworm RATS: Q&A - Simple Windows Hardening
Muddywater: Q&A - Simple Windows Hardening
SolarMarker: Q&A - Simple Windows Hardening
BazarLoader: Q&A - Simple Windows Hardening
PPAM attack: Q&A - Simple Windows Hardening
HTML ---> ISO ---> scripts: Q&A - Simple Windows Hardening
Hermetic Wiper: Q&A - Simple Windows Hardening
Asylum Ambuscade spear-phishing: Q&A - Simple Windows Hardening
Quakbot: Q&A - Simple Windows Hardening
Vidar infostealer: Q&A - Simple Windows Hardening (RunBySmartscreen)
Emotet: Q&A - Simple Windows Hardening
IceID (Cobalt Strike, Quantum ransomware): Q&A - Simple Windows Hardening
Fileless RAT (CHM file): Q&A - Simple Windows Hardening
SocGholish: Q&A - Simple Windows Hardening
TA551 phishing campaigns: Q&A - Simple Windows Hardening
GuLoader: Q&A - Simple Windows Hardening (RunBySmartscreen)
Follina exploit: Q&A - Simple Windows Hardening
AstraLocker 2.0: Q&A - Simple Windows Hardening
Raspberry Robin worm: Q&A - Simple Windows Hardening
Magniber (CPL variant): Q&A - Simple Windows Hardening
Batloader (MSI PowerShellScriptInline custom action): Question - Simple Windows Hardening

 

[Gandalf_The_Grey]

Hello Andy,

I get the following error when launching SimpleWindowsHardening.exe:

After clicking OK the tool works as expected.

Is it an idea to bundle this tool with H_C_HardeningTools ?

I'm now using ConfigureDefender + RunBySmartscreen + SimpleWindowsHardening.

 

[Back3]

Same problem: cannot locate skin folder...

 

[Andy Ful]

Hello Andy,

I get the following error when launching SimpleWindowsHardening.exe:
View attachment 243779
After clicking OK the tool works as expected.

Is it an idea to bundle this tool with H_C_HardeningTools ?

I'm now using ConfigureDefender + RunBySmartscreen + SimpleWindowsHardening.

Ha, ha. It is an innocent artefact from the H_C code - just ignore it. I will kill this message box in the next version.
Simple Windows Hardening will be a part of H_C_HardeningTools, so it can be used together with RunBySmartScreen, FirewallHardening (for Windows Firewall), DocumentsAntiExploit (for MS Office or Adobe Reader XI/DC), and ConfigureDefender (if one uses WD).
The GUI should be acceptable also with font rescaling up to 150%, even if the rescaling does not work properly.

 

[jetman]

I tried Hard Configurator once but was a little worried about the concequences of changing some settings, as I didn't understand them all.

This simplified version might suit me better and I shall give it a try.

How does it compare with the No Virus Thanks SysHardner utility ? Do they both do the same thing ?

 

[Andy Ful]

I tried Hard Configurator once but was a little worried about the concequences of changing some settings, as I didn't understand them all.

This simplified version might suit me better and I shall give it a try.

How does it compare with the No Virus Thanks SysHardner utility ? Do they both do the same thing ?

• SysHardener shares a similar idea (reducing the attack surface), but uses other methods that do not support whitelisting.
• SWH allows us to see what has been silently blocked (<View Blocked Events>).
• SWH is more restrictive (smaller attack surface), but allows whitelisting (<Manage the Whitelist>).
• SWH displays the current restrictions (important if one has more than one computer).
• Changing or turning OFF/ON the settings in SysHardener requires rebooting. In SWH one can change or switch OFF/ON the settings in a second - no need to reboot or Log OFF the user account (only changes to SMB protocols require rebooting).

Generally, one can use SysHardener on default settings as a basic hardening. On many computers, it will work as a "set and forget" setup.
If one wants something stronger, then SysHardener has to be tweaked and this will often block something. The user can have a problem because SysHardener does not show if something has been blocked and what has been blocked. Furthermore, one blocked legal script can force the user to skip some important SysHardener features and weaken the overall security.
In the case above, one can use Simple Windows Hardening for stronger and more configurable protection.

 

[HarborFront]

@Andy Ful

Your quote

SWH is incompatible with SRP introduced via Group Policies Object (GPO) available in Windows Pro, Education, and Enterprise editions. GPO refresh feature will overwrite the SWH settings related to SRP. So, before installing SWH, the SRP has to be removed from GPO.

Unquote

So what and where to find the SRPs in GPO to disable in order not to conflict with SWH?

BTW, this SWH doesn't comes with FirewallHardening (for Windows Firewall), right?

Thanks

 

[ForgottenSeer 85179]

So what and where to find the SRPs in GPO to disable in order not to conflict with SWH?

From Windows start menu, open:
secpol.msc

Then go to software restriction policy's on left side. If you don't config any, the right side is empty.

 

[Gandalf_The_Grey]

@Andy Ful
BTW, this SWH doesn't comes with FirewallHardening (for Windows Firewall), right?

No, it's Simple Windows Hardening. FirewallHardening can be used separately or just use Hard_Configurator if you want all the options to play with.

 

[Andy Ful]

...
So what and where to find the SRPs in GPO to disable in order not to conflict with SWH?
...

If you could run SWH without alerts about tampering SRP by another application, then you do not need to worry.

Edit.
Now I can see that the info about tampering has to be corrected (Hard_Configurator ---> Simple Windows Hardening.)
After correction, it will look as follows:

 

[Digmor Crusher]

Running well here with CD, brilliant as usual sir.

 

[Tutman]

SWH is incompatible with SRP introduced via Group Policies Object (GPO) available in Windows Pro, Education, and Enterprise editions. GPO refresh feature will overwrite the SWH settings related to SRP. So, before installing SWH, the SRP has to be removed from GPO.

How does one remove the Software Restriction Policies from the GPO?

 

[Andy Ful]

How does one remove the Software Restriction Policies from the GPO?

gpedit.msc >> Computer Configuration >> Windows Settings >> Security Settings >> Software Restriction Policies

If software restriction policies have already been created for a Group Policy Object (GPO), the New Software Restriction Policies command does not appear on the Action menu. To delete the software restriction policies that are applied to a GPO, in the console tree, right-click Software Restriction Policies, and then click Delete Software Restriction Policies.

Administer Software Restriction Policies

Learn how to administer application control policies using Software Restriction Policies (SRP) beginning with Windows Server 2008 and Windows Vista.

docs.microsoft.com

You can also use secpol.msc >> Security Settings >> Software Restriction Policies
and follow the above instructions.

 

[Tutman]

Thanks much!

 

[Andy Ful]

Thanks, guys for the input. I will try to push the new version next week. Please report any issues.

 

[Andy Ful]

Simple Windows Hardening manual:
https://github.com/AndyFul/Hard_Con...rdening/Simple Windows Hardening - Manual.pdf

 

[oldschool]

Simple Windows Hardening manual:
https://github.com/AndyFul/Hard_Con...rdening/Simple Windows Hardening - Manual.pdf

Another beautiful @Andy Ful creation! Thanks for all you do.

 

[jerzy601]

another great soft Andy.
thanks for the great input, I really admire you.
best regards.

 

[Lenny_Fox]

@Andy Ful GREAT, APPLAUSE

Although I understand and know how to handle Group Policies, this is so much easier. THANKS

Typo (PowerShell scropts should be scripts)

 

[Andy Ful]

@Andy Ful GREAT, APPLAUSE

Although I understand and know how to handle Group Policies, this is so much easier. THANKS

Typo (PowerShell scropts should be scripts)


View attachment 243817

Ha, ha. My poor old eyes.

Edit.
Typo corrected.