Andy Ful
From Hard_Configurator Tools
Post updated in October 2022.
The current build of Windows 11 ver. 22H2 (clean installation) is not fully compatible with SWH. The SRP settings in SWH will work well if Windows has been upgraded from Windows 10 or updated from version 21H2 (or from the prior version). Unfortunately, SRP does not currently work on clean installations of Windows 11 ver. 22H2. See my post:
Question - Simple Windows Hardening
Simple Windows Hardening (a simplified version of Hard_Configurator):
Hard_Configurator/Simple Windows Hardening at master · AndyFul/Hard_Configurator
The installer is accepted by SmartScreen and whitelisted by Microsoft, Avast, Bitdefender, and Symantec.
The more sophisticated the attack, the fewer chances that an AV can detect it, but the greater the chances that SWH can prevent it.
Microsoft documentation for Software Restriction Policies (July 2021):
https://docs.microsoft.com/en-us/wi...iction-policies/software-restriction-policies
This documentation was made for Windows Server (2012, 2016, 2019, and 2022), but SRP works the same on Windows 7, 8, 8.1, and 10.
Software Restriction Policies can be applied alongside AppLocker policies:
Use Software Restriction Policies and AppLocker policies (Windows) (learn.microsoft.com): this topic for the IT professional describes how to use Software Restriction Policies (SRP) and AppLocker policies in the same Windows deployment.
Simple Windows Hardening (SWH) works on Windows 10 and higher versions (Home and Pro editions). It is a portable application that allows configuring Windows built-in features to support antivirus and prevent fileless malware. This security is based on Software Restriction Policies (SRP) and some useful Windows Policies. SWH is adjusted to the home environment. After the initial configuration, it can be closed and all protection comes from the Windows built-in features.
The security setup is adjusted to keep usability and prevent fileless malware in the home environment. So, the EXE and MSI files are not restricted in SWH, except when executed from archives and email clients. But non-executable files like scripts, shortcuts, and other files with unsafe extensions are restricted. Such a setup can be very efficient because nowadays, many initial vectors of attack are performed via non-executable files.
The SWH application is a simplified version of Hard_Configurator. Generally, it applies the Hard_Configurator Windows_10_Basic_Recommended_Settings (without Forced SmartScreen). These settings can be modified (in a limited way) in SWH, because on some computers some of the restricted features must be allowed for usability.
The restrictions made by SWH can be switched OFF/ON by using the two switches to the right of the green buttons: <Software Restriction Policies> and <Windows Hardening>. In the OFF position, the restrictions are remembered and then removed; Windows default settings are applied for the previously restricted features. When switching ON, the remembered settings are restored. Furthermore, in the ON position the configurable settings can be changed by the user from the Settings menu.
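An added read-only audit script, not SWH's or Hard_Configurator's own code (the helper name Get-SrpSummary is mine). It lists what the local SRP policy currently contains by reading the registry tree Windows stores SRP in, which is the same tree that SWH, Local Security Policy and domain GPO all write (hence the GPO refresh conflict described below), and then shows which files SRP has actually blocked, from the Application event log.

```powershell
# Read-only audit of the local SRP configuration.
# Hypothetical helper (not part of SWH or Hard_Configurator); run in an elevated PowerShell.
$SrpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
# SRP security levels as stored in the registry (decimal DWORD values)
$LevelNames = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SrpSummary {
    if (-not (Test-Path $SrpKey)) {
        return [pscustomobject]@{ Present = $false }
    }
    $ci = Get-ItemProperty -Path $SrpKey
    # Path rules live under <level>\Paths\<GUID>; the rule's path is stored in ItemData
    $rules = foreach ($lvl in Get-ChildItem -Path $SrpKey | Where-Object { $_.PSChildName -match '^\d+$' }) {
        $pathsKey = "$($lvl.PSPath)\Paths"
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($rule in Get-ChildItem -Path $pathsKey) {
            $p = Get-ItemProperty -Path $rule.PSPath
            [pscustomobject]@{
                Level       = $LevelNames[[int]$lvl.PSChildName]
                Path        = $p.ItemData
                Description = $p.Description
            }
        }
    }
    [pscustomobject]@{
        Present            = $true
        DefaultLevel       = if ($null -ne $ci.DefaultLevel) { $LevelNames[[int]$ci.DefaultLevel] } else { '(not set)' }
        TransparentEnabled = $ci.TransparentEnabled   # 1 = all files except DLLs, 2 = all files including DLLs
        PolicyScope        = $ci.PolicyScope          # 0 = all users, 1 = all users except local administrators
        ExecutableTypes    = $ci.ExecutableTypes      # "Designated File Types": the extensions SRP checks
        Rules              = $rules
    }
}

$s = Get-SrpSummary
if (-not $s.Present) {
    'No SRP policy is configured on this machine.'
} else {
    "Default level : $($s.DefaultLevel)"
    "Enforcement   : $($s.TransparentEnabled)   Scope: $($s.PolicyScope)"
    "Designated file types: $($s.ExecutableTypes -join ', ')"
    $s.Rules | Sort-Object Level, Path | Format-Table -AutoSize
}

# What SRP actually stopped: each block is written to the Application log as Event ID 866
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 866 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Comparing the listed rules and designated file types before and after toggling the <Software Restriction Policies> switch shows exactly which entries SWH adds and removes.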
# THE EXE / MSI 0-DAY MALWARE
The SWH application does not apply restrictions to EXE and MSI files, because these files are often used to install/update applications. Nowadays, many antivirus solutions have very good detection of such files, as compared to the detection of scripts. But still, the antivirus proactive features can have a problem with 0-day malware. In the home environment, the main delivery vectors of 0-day malware are spam emails and flash drives (USB drives).
The user has to be very careful when running EXE/MSI files originating from:
- Internet web links embedded in the emails.
- Attachments embedded in the emails.
- Flash drives (USB drives) shared with other people.
RunBySmartscreen is available as a part of Hard_Configurator Hardening Tools (together with ConfigureDefender and FirewallHardening): ConfigureDefender/H_C_HardeningTools at master · AndyFul/ConfigureDefender
SWH works especially well with antivirus solutions that have file reputation lookup enabled:
1. Microsoft Defender (ASR prevalence rule / ConfigureDefender).
2. Norton 360 (Download Insight).
3. Avast (Hardened Mode).
4. Comodo (Autosandbox).
In these cases, one can skip the RunBySmartscreen tool.
# QUICK CONFIGURATION
- Run SWH - the restrictions are automatically configured.
- Logging off the account or a reboot is required, depending on which restrictions were applied in SWH.
- If MS Office (or Adobe Acrobat Reader) is installed, then it is recommended to apply additional hardening by using the DocumentsAntiExploit tool. More info can be found in the "DocumentsAntiExploit tool - Manual".
# RECOMMENDED SETTINGS
The above settings are installed by default. They are recommended if MS Office and Adobe Acrobat Reader are not installed.
If MS Office and Adobe Acrobat Reader DC are installed then additional hardening is recommended via the DocumentsAntiExploit tool.
- Recommended settings for Microsoft Defender with ConfigureDefender HIGH Protection Level:
- Otherwise:
# SOFTWARE INCOMPATIBILITIES
Windows built-in SRP is incompatible with a Child Account activated on Windows 10 via Microsoft Family Safety. Such an account disables most SRP restrictions. This issue persists even after removing the Child Account. To recover SRP functionality, Windows has to be refreshed or reset. SWH uses Windows built-in features. Some of them can be removed or added by Microsoft in future major Windows upgrades. Please use the latest SWH version; old versions can occasionally cause issues.
SWH is incompatible with SRP introduced via Group Policy Objects (GPO), available in Windows Pro, Education, and Enterprise editions. The GPO refresh feature will overwrite the SWH settings related to SRP. So, before installing SWH, the SRP has to be removed from the GPO.
SWH will also conflict with any software which uses SRP, but such applications are rare (CryptoPrevent, SBGuard, AskAdmin, Ultra Virus Killer). Before installing SWH, uninstall the conflicting application; otherwise it will be detected and SWH will replace its SRP settings with SWH's predefined settings.
SWH vs. ATTACKS IN THE WILD (examples of how SWH works):
In most cases, SWH blocks the attacks at the delivery stage, before the final payload can be dropped/executed.
Nobelium: Q&A - Simple Windows Hardening
Zloader: Q&A - Simple Windows Hardening
Log4Shell: Q&A - Simple Windows Hardening
GootLoader: Q&A - Simple Windows Hardening
Emotet: Q&A - Simple Windows Hardening
Warzone and AgentTesla: Q&A - Simple Windows Hardening
AsyncRAT: Q&A - Simple Windows Hardening
Shuckworm RATS: Q&A - Simple Windows Hardening
Muddywater: Q&A - Simple Windows Hardening
SolarMarker: Q&A - Simple Windows Hardening
BazarLoader: Q&A - Simple Windows Hardening
PPAM attack: Q&A - Simple Windows Hardening
HTML ---> ISO ---> scripts: Q&A - Simple Windows Hardening
Hermetic Wiper: Q&A - Simple Windows Hardening
Asylum Ambuscade spear-phishing: Q&A - Simple Windows Hardening
Quakbot: Q&A - Simple Windows Hardening
Vidar infostealer: Q&A - Simple Windows Hardening (RunBySmartscreen)
Emotet: Q&A - Simple Windows Hardening
IceID (Cobalt Strike, Quantum ransomware): Q&A - Simple Windows Hardening
Fileless RAT (CHM file): Q&A - Simple Windows Hardening
SocGholish: Q&A - Simple Windows Hardening
TA551 phishing campaigns: Q&A - Simple Windows Hardening
GuLoader: Q&A - Simple Windows Hardening (RunBySmartscreen)
Follina exploit: Q&A - Simple Windows Hardening
AstraLocker 2.0: Q&A - Simple Windows Hardening
Raspberry Robin worm: Q&A - Simple Windows Hardening
Magniber (CPL variant): Q&A - Simple Windows Hardening
Batloader (MSI PowerShellScriptInline custom action): Question - Simple Windows Hardening