Q&A Simple Windows Hardening

SeriousHoax

Level 39
Verified
Mar 16, 2019
2,828
23,305
I am thinking about skipping FullEventLog in H_C, and using the idea of separate logs for SRP, PowerShell, Defender, and FirewallHardening. In most cases, the advanced users can recognize what sort of block has happened and can choose the right log to see the details. Next, it is easier to inspect the log which is focused on the specific class of events. Only rarely, the user will be forced to use two or more logs to solve the problem with blocked processes.
Thanks for the detailed explanation. I also prefer SWH's separate logs over HC's all in one logs. So I'm looking forward to the next release :)
 

Archentrope

Level 1
Oct 10, 2020
19
157
I did not publish any update of SWH - version 6.0.0.0 can be probably related (by mistake) to H_C.
In October I will publish SWH beta 1.01.0 (with Windows 11 support).
Hi,

Thank you very much for making the software I really like it.

I would like to ask if using the default settings in SWH or HC (including the other components packed) will have any impact on the system performance?

Also, Windows 11 will be officially pushed early next month (probably Oct 5), HC already has a beta version that supports Windows 11 (I don't know when the stable version will come out), but SWH doesn't have a version that supports Windows 11 yet. You mentioned that SWH beta 1.01.0 will be released in October, and will it be released before the official launch of Windows 11? So that we can use SWH on the first day.

Thanks.
 

Andy Ful

Level 73
Verified
Trusted
Developer
Dec 23, 2014
6,287
42,901
...
I would like to ask if using the default settings in SWH or HC (including the other components packed) will have any impact on the system performance?
...
H_C or SWH has no visible impact on the system performance. But, this requires in some cases the proper whitelisting of UserSpace applications and adjusting the H_C (SWH) settings. On simple system/software configurations, the default settings can hardly cause any problem.
The complex system/software configuration usually requires more adjustments and application whitelisting.
If the H_C Basic_Settings or SWH default settings require frequent adjustments, then it is a sign for skipping H_C (SWH) for something else or using a simpler system/software configuration.
 

Andy Ful

Level 73
Verified
Trusted
Developer
Dec 23, 2014
6,287
42,901
SWH 1.0.1.0 Beta2:
https://github.com/AndyFul/Hard_Configurator/raw/master/Simple Windows Hardening/SWH_beta2.exe

SWH manual (updated):
https://github.com/AndyFul/Hard_Con...rdening/Simple Windows Hardening - Manual.pdf

The changelog - SWH ver. 1.0.1.0 beta2:

1. Added support for Windows 11.
2. Added SLK and ELF file extensions to the default protected extensions (can be added via Settings >> Protected SRP Extensions >> <Restore Defaults> ).
3. Added the option * SRP Policy Scope * that can also apply the SRP restrictions to high privileged processes. It can be recommended when the computer is used both in the Home environment and in the Business local network. Applying restrictions for high privileged processes also makes sense when using older Windows 10 versions or vulnerable software.


* SRP Policy Scope *



The option * SRP Policy Scope * can apply the SRP restrictions to high privileged processes. Normally, this option is set to Standard, so the restrictions are applied to processes with standard rights and skipped for processes with higher privileges. This is a default SRP setting that does not disrupt administrative processes running from UserSpace.

The advanced users can set SRP to apply restrictions to standard and higher privileged processes. This can be done with * SRP Policy Scope * set to High. It is recommended when the computer is used both in the Home environment and in the Business local network. Applying restrictions for high privileged processes also makes sense when using older Windows versions or vulnerable software.

When the High setting is applied, the < Software Restriction Policies> button changes its color to red.

 

Azerty123

New Member
Verified
Mar 29, 2021
7
17
Could you add these LOLBins to the FirewallHardening.

Hackers can use them to download malware from the internet.

source: LOLBAS

C:\Windows\System32\xwizard.exe
C:\Windows\SysWOW64\xwizard.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ieexec.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ieexec.exe
C:\Windows\System32\findstr.exe
C:\Windows\SysWOW64\findstr.exe
c:\windows\system32\desktopimgdownldr.exe
C:\Windows\System32\certreq.exe
C:\Windows\SysWOW64\certreq.exe
C:\Windows\System32\bitsadmin.exe
C:\Windows\SysWOW64\bitsadmin.exe
C:\Windows\System32\wsl.exe
c:\windows\system32\pktmon.exe
 

Andy Ful

Level 73
Verified
Trusted
Developer
Dec 23, 2014
6,287
42,901
Could you add these LOLBins to the FirewallHardening.

Hackers can use them to download malware from the internet.

source: LOLBAS

Bitsadmin.exe cannot be blocked by a Firewall (one should block svchost.exe).
It is probable that I will add most of these LOLBins. But it will take a few months to check how blocking them can impact the system. (y)
Of course, anyone can add these LOLBins manually to the Blocklist without waiting for the new version of FirewallHardening.:)
 
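One way to do the manual blocklisting Andy Ful mentions, as an added example that is not FirewallHardening's own code and not from the thread: outbound Windows Firewall block rules for the LOLBins listed above. The rule group name is an assumption; bitsadmin.exe is left out because, as the reply states, it cannot be blocked by a firewall (its transfers run in svchost.exe).

```powershell
# Added example (not FirewallHardening's code). Run from an elevated PowerShell prompt.
# Creates one outbound block rule per LOLBin path from the post above, except
# bitsadmin.exe, whose network traffic is done by svchost.exe and is not caught
# by a per-program rule.
$group = 'LOLBin outbound block (manual)'   # assumed group name, used for review/undo

$lolbins = @(
    "$env:SystemRoot\System32\xwizard.exe",
    "$env:SystemRoot\SysWOW64\xwizard.exe",
    "$env:SystemRoot\Microsoft.NET\Framework\v2.0.50727\ieexec.exe",
    "$env:SystemRoot\Microsoft.NET\Framework64\v2.0.50727\ieexec.exe",
    "$env:SystemRoot\System32\findstr.exe",
    "$env:SystemRoot\SysWOW64\findstr.exe",
    "$env:SystemRoot\System32\desktopimgdownldr.exe",
    "$env:SystemRoot\System32\certreq.exe",
    "$env:SystemRoot\SysWOW64\certreq.exe",
    "$env:SystemRoot\System32\wsl.exe",
    "$env:SystemRoot\System32\pktmon.exe"
)

foreach ($exe in $lolbins) {
    # Some of these (e.g. the .NET 2.0 ieexec.exe) are not present on every system.
    if (-not (Test-Path $exe)) { Write-Host "skip (not present): $exe"; continue }
    $name = "Block outbound: $exe"
    # Idempotent: do not create a duplicate rule on a second run.
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }
    New-NetFirewallRule -DisplayName $name -Group $group `
        -Direction Outbound -Program $exe -Action Block -Profile Any | Out-Null
}

# Review: list the program paths covered by the rules in the group.
Get-NetFirewallRule -Group $group | Get-NetFirewallApplicationFilter |
    Select-Object Program

# Undo everything this script created:
#   Remove-NetFirewallRule -Group $group
```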

dabluez98

Level 3
Oct 2, 2018
140
288
Dear @Andy Ful,

I got two errors after running SWH__beta4.exe

First I got this error:

Second time I got this error:

What concerns me is that options were applied without even my permission. Furthermore, I have no idea what settings were applied/which registry options were changed - is there any way you can help me undo any changes? Because all I did was execute the program. Nothing more.

Please note that once before I downloaded an earlier version if I remember correctly - but I just opened it, took a simple look, and being afraid to make any changes, I closed it. And then I deleted it, because I wanted to wait for proper backup before doing anything.

My biggest fear is that I made a number of modifications to my system, such as disabling a number of services in my case which I felt were not necessary, and based on SWH second error message, I am afraid if those were undone.
 

Andy Ful

Level 73
Verified
Trusted
Developer
Dec 23, 2014
6,287
42,901
...
What concerns me is that options were applied without even my permission. Furthermore, I have no idea what settings were applied/which registry options were changed - is there any way you can help me undo any changes? Because all I did was execute the program. Nothing more.
All you need is explained in the SWH help files.
You can use <Menu> <Restore Windows Defaults> to remove SWH restrictions.
For additional information you can look at the manuals:
https://github.com/AndyFul/Hard_Con...rdening/Simple Windows Hardening - Manual.pdf
https://github.com/AndyFul/Hard_Con.../Documentation/Hard_Configurator - Manual.pdf

Be safe.(y)
 

dabluez98

Level 3
Oct 2, 2018
140
288
Thanks, yes for sure I realize that. I suppose you intentionally made it so everything is automatically switched on when the user opens the software?

I also suppose that if basic recommended settings are applied automatically then I should be ok - at least I can test and if anything is broken I can revert to defaults?

And two last questions:

1) based on manual, other than remote registry service, it seems that SWH does not impact any other service? I know it also disabled SMB but that is not a service I suppose.

2) Since SWH has changed SRP restrictions to high privilege, that on its own doesn't necessarily make me more vulnerable were I to go back to Windows defaults using SWH? Furthermore, does that (reverting to Windows defaults) also change my SRP restrictions to whatever they were beforehand?
 

Andy Ful

Level 73
Verified
Trusted
Developer
Dec 23, 2014
6,287
42,901
Thanks, yes for sure I realize that. I suppose you intentionally made it so everything is automatically switched on when the user opens the software?

Yes. The user can next apply some other (non-default) restrictions, remove some restrictions, or restore Windows defaults.

I also suppose that if basic recommended settings are applied automatically then I should be ok - at least I can test and if anything is broken I can revert to defaults?

Yes.

And two last questions:

1) based on manual, other than remote registry service, it seems that SWH does not impact any other service? I know it also disabled SMB but that is not a service I suppose.

It uses 2 services. They are disabled via the reg keys:
HKLM\SYSTEM\CurrentControlSet\Services\mrxsmb10!Start
HKLM\SYSTEM\CurrentControlSet\Services\mrxsmb20!Start

2) Since SWH has changed SRP restrictions to high privilege, that on its own doesn't necessarily make me more vulnerable were I to go back to Windows defaults using SWH? Furthermore, does that also change my SRP restrictions to whatever they were beforehand?

After using <Menu> <Restore Windows Defaults> to remove SWH restrictions, all SRP restrictions are removed. Default Windows settings do not introduce SRP.
 

Andy Ful

Level 73
Verified
Trusted
Developer
Dec 23, 2014
6,287
42,901
One can easily block bitsadmin.exe via Exploit Protection from Security Center.
There is mitigation "Disable Win32k system calls" that can be enabled for bitsadmin.exe and it will block the execution of this executable.
The blocks are logged via Event Id=10, Security-Mitigations (Kernel Mode/User Mode).
Microsoft prepared a nice article for inspecting Exploit Protection events:



 
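The same Exploit Protection block done from PowerShell instead of the Windows Security UI, as an added example that is not from the thread or from SWH: it applies the "Disable Win32k system calls" mitigation to bitsadmin.exe with the built-in ProcessMitigations cmdlets and then reads the Event ID 10 block events from the Security-Mitigations logs named above.

```powershell
# Added example (not SWH's or the thread author's code).
# Run from an elevated PowerShell prompt on Windows 10 (1709+) or Windows 11.

# 1. Enable "Disable Win32k system calls" for bitsadmin.exe. This is the same
#    per-process setting the Exploit Protection page in Windows Security writes.
Set-ProcessMitigation -Name bitsadmin.exe -Enable DisableWin32kSystemCalls

# 2. Confirm the setting; check the SystemCall section of the output.
Get-ProcessMitigation -Name bitsadmin.exe

# 3. After bitsadmin.exe has been launched, list the blocks. Per the post above,
#    Event ID 10 in the Security-Mitigations logs is the Win32k system call block;
#    both the Kernel Mode and User Mode logs are checked.
$logs = 'Microsoft-Windows-Security-Mitigations/KernelMode',
        'Microsoft-Windows-Security-Mitigations/UserMode'
foreach ($log in $logs) {
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 10 } -MaxEvents 20 `
        -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{ n = 'Log'; e = { $log } }, Message
}

# Undo the mitigation for bitsadmin.exe:
#   Set-ProcessMitigation -Name bitsadmin.exe -Disable DisableWin32kSystemCalls
```

If no events are returned, the logs may simply be empty because bitsadmin.exe has not been started since the setting was applied; a blocked launch also shows as the process failing to start.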

Azerty123

New Member
Verified
Mar 29, 2021
7
17
One can easily block bitsadmin.exe via Exploit Protection from Security Center.
There is mitigation "Disable Win32k system calls" that can be enabled for bitsadmin.exe and it will block the execution of this executable.
The blocks are logged via Event Id=10, Security-Mitigations (Kernel Mode/User Mode).
Microsoft prepared a nice article for inspecting Exploit Protection events:



Thank you, blocking via Exploit Protection did work.
 

Andy Ful

Level 73
Verified
Trusted
Developer
Dec 23, 2014
6,287
42,901
This method can be used for most of the LOLBins. They will also be blocked with high privileges, so it is important to inspect the Windows Event Log as explained in my previous post. :)

It is good to remember that in most cases the LOLBins are triggered via scripting methods. So, in the home environment, one can use SRP as well to block scripting, shortcuts, and files with active content. In this case, blocking LOLBins is not necessary.
 