New Update Simple Windows Hardening

[ForgottenSeer 92963]

One can easily block bitsadmin.exe via Exploit Protection from Security Center.
There is mitigation "Disable Win32k system calls" that can be enabled for bitsadmin.exe and it will block the execution of this executable.

I have blocked mshtma.exe in Windows Exploit Protection (by simply enabling all protections) and enabled Code Integrity Guard for LOLbins/sponsors (without any incidents or problems since using Windows 10). LolBins with label 'binaries' hardened using Code Integrity Guard: LOLBAS

Since you made these great SRP programs, I stopped tweaking SRP in my Windows Pro and also did not bother to read about latest LOLbins misuge in staged attacks.
But BTSadmin rings a bell: Is BTSAdmin not used for Windows updates anymore?

 

[The_King]

could you add these lolbins to the FirewallHardening.

hackers can use them to download malware from the internet

source: LOLBAS

Lolbins are relatively new to me, I heard the term used here and there on MT.

My question is should the exe files in the list you posted be blocked from accessing the internet through firewall rules?

 

[Azerty123]

My question is should the exe files in the list you posted be blocked from accessing the internet through firewall rules?

yes they can be blocked via the firewall rules apart from Bitsadmin which you have use windows defender exploit protection.

 

[The_King]

yes they can be blocked via the firewall rules apart from Bitsadmin which you have use windows defender exploit protection.

Is this setting correct for blocking Bitsadmin?

 

[Azerty123]

Is this setting correct for blocking Bitsadmin?
View attachment 261418

yes it is correct

 

[ForgottenSeer 92963]

Blocking all LOLBins has never caused a breakage that cannot be fixed, if needed. Millions block LOLBins daily and the world has never had an IT meltdown. If anyone hadn't noticed, the LOLBin list is quite manageable as it changes slowly.

Thanks for your answer. I had a futile discussion to add block rules for sponsors also in SWH with @Andy Ful , but he declined in fear it might break/complicate things for ordinary user. Maybe you could give it another try to convince him to block sponsors in SWH

 

[Andy Ful]

SWH is a simple application for home users that should require only minimal adjustments. I am trying to avoid unnecessary options. SWH is intended to prevent fileless attacks. It can already prevent attacks with LOLBins, without blocking LOLBins.

Let's make an experiment. If someone can find a few malware used in widespread attacks that use LOLBins and cannot be prevented by SWH + FirewallHardening, then I will consider adding the option <Block LOLBins> to SWH.

 

[ForgottenSeer 92963]

@Andy Ful

I am challenging you, not criticizing you

At the moment I have exported the Firewall Hardening rules from Hard_Configirator to a regfile (see attached files) .

Two questions
1. Are these the FW hardening rules you mentioned above (need I add more)?
2. Could you make the FW hardening a seperate module (it is part of H_C not SWH)?

EDIT thanks @SeriousHoax

 

[SeriousHoax]

2. Could you make the FW hardening a seperate module?

Actually, Firewall Hardening is already a separate module along with some others and can be used independently.

https://github.com/AndyFul/ConfigureDefender/raw/master/H_C_HardeningTools.zip

 

[Andy Ful]

SWH is a part of modular security. Other modules (separate tools) are available as standalone applications included in the H_C_HardeningTools (ConfigureDefender, FirewallHardening, DocumentsAntiExploit, RunBySmartscreen).

https://github.com/AndyFul/ConfigureDefender/raw/master/H_C_HardeningTools.zip

The necessity of using other modules can depend on the AV, installed software, home environment, user's safe habits, and desired security level. For example, if one uses MS Office in daily work then it is recommended to use Defender with ConfigureDefender, or with DocumentsAntiExploit tool. If one uses Norton 360 as an AV, then SWH will be probably enough. Many users will be happy just with SWH + ConfigureDefender.

If the user is cautious, then (with some basic knowledge and a few safe habits) a good AV + RunBySmartscreen will be enough. For happy clickers or children protection, I would recommend using Hard_Configurator instead of SWH (and hardening tools). Hard_Configurator is also a good application to learn about Windows security and safe habits.

 

[Andy Ful]

The purpose of SWH and H_C_HardeningTools is to support the AV, assuming that AV provides general real-time protection, especially for *.exe and *.msi files.

1. SWH - the AV support against fileless attacks.
2. ConfigureDefender - the Defender support for Network protection, MS Office, Outlook, Adobe Reader, anti-ransomware, USB disks, non-prevalent executables, and advanced threat protection.
3. FirewallHardening - the AV support in the case when *.exe or *.msi malware uses LOLBins (directly or via code injections) to download payloads.
4. DocumentsAntiExploit (not SWH setting) - the AV support for MS Office and Adobe Reader.
5. RunBySmartscreen - on-demand support for AV and Windows SmartScreen (files without MOTW, DLL hijacking).

Some AVs do not need the support of all tools. For example, Norton 360 covers all these tools except SWH.
The tools: SWH, ConfigureDefender, FirewallHardening, DocumentsAntiExploit, RunBySmartscreen, are only configurators of Windows built-in features. These tools do not run as real-time security processes. So, the additional real-time protection is provided by already existent Windows features that have been enabled/configured by these tools.

 

[dabluez98]

I hope my question is no tout of context, but please just say if it is -> I get that #1-#5 are not real-time processes. But my question is this:
If I have SWH running with Kaspersky, and then I add OS Armor to the mix, which ones from 2-5 do I realistically need? I would guess FirewallHardening? OR may be there is no exact answer to my question?

 

[oldschool]

If I have SWH running with Kaspersky, and then I add OS Armor to the mix, ... ?

SWH & K are enough. Forget about OSA. It's overkill! Stay safe, not paranoid, my friend!

 

[dabluez98]

thanks!

 

[Andy Ful]

I hope my question is no tout of context, but please just say if it is -> I get that #1-#5 are not real-time processes. But my question is this:
If I have SWH running with Kaspersky, and then I add OS Armor to the mix, which ones from 2-5 do I realistically need? I would guess FirewallHardening? OR may be there is no exact answer to my question?

Simply use KIS with @harlan4096 settings and you will not need even SWH.

 

[dabluez98]

Thanks @Andy Ful , only thing is I do not use Kaspersky FW so not sure if that leaves many holes open.

 

[The_King]

Simply use KIS with @harlan4096 settings and you will not need even SWH.

Does the same apply to BIS and SWH?

 

[Andy Ful]

Does the same apply to BIS and SWH?

No, I am afraid.

 

[Andy Ful]

SWH ver. 1.0.1.0 (stable version)

https://github.com/AndyFul/Hard_Configurator/raw/master/Simple%20Windows%20Hardening/SimpleWindowsHardening_1010.exe

It is functionally equal to the latest beta, except for some code optimization and some minor changes.

Edit.
Updated the wrong link, thank to @SecureKongo

 

[wat0114]

It can already prevent attacks with LOLBins, without blocking LOLBins.

Actually, don't the LOLBins simply launch the script types such as .js, .vbs, .js, .hta...etc, so then if scripts are blocked via SRP for instance, then really no need to block the LOLBins anyway?

EDIT

to be clear, I'm supporting your statement, not that you need support