Q&A Simple Windows Hardening

Kees1958

Level 4
Verified
Sep 5, 2021
174
955
One can easily block bitsadmin.exe via Exploit Protection from Security Center.
There is mitigation "Disable Win32k system calls" that can be enabled for bitsadmin.exe and it will block the execution of this executable.
I have blocked mshta.exe in Windows Exploit Protection (by simply enabling all protections) and enabled Code Integrity Guard for LOLbins/sponsors (without any incidents or problems since using Windows 10). LOLBins with label 'binaries' hardened using Code Integrity Guard: LOLBAS

Since you made these great SRP programs, I stopped tweaking SRP in my Windows Pro and also did not bother to read about the latest LOLBin misuse in staged attacks.
But BITSAdmin rings a bell: Is BITSAdmin not used for Windows updates anymore?
 

The_King

Level 12
Verified
Aug 2, 2020
551
6,121
Could you add these LOLBins to FirewallHardening?

Hackers can use them to download malware from the internet.

source: LOLBAS
LOLBins are relatively new to me, I heard the term used here and there on MT.

My question is should the exe files in the list you posted be blocked from accessing the internet through firewall rules?
 

The_King

Level 12
Verified
Aug 2, 2020
551
6,121
Yes, they can be blocked via the firewall rules, apart from Bitsadmin, for which you have to use Windows Defender Exploit Protection.
Is this setting correct for blocking Bitsadmin?
W32block.jpg
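The two posts above ask whether the listed LOLBins should get outbound firewall block rules, and how bitsadmin.exe should be handled instead. The following PowerShell is an added example written for this thread; it is not code from the thread, from FirewallHardening or from any of Andy Ful's tools. The LOLBin list is a constructed sample (take the real list from LOLBAS), the rule display names are made up, and the mitigation applied to bitsadmin.exe is the "Disable Win32k system calls" setting discussed above. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from this thread or from the FirewallHardening tool).
# Creates outbound block rules for a sample list of LOLBins and applies the
# Exploit Protection mitigation for bitsadmin.exe, then shows what was applied.

# Assumption: this list is a constructed sample; the real list comes from LOLBAS.
$LolBins = @(
    'certutil.exe',
    'mshta.exe',
    'regsvr32.exe',
    'rundll32.exe',
    'wscript.exe',
    'cscript.exe'
)

# Both the 64-bit and the WOW64 copies exist on 64-bit Windows; cover both.
$System32 = Join-Path $env:SystemRoot 'System32'
$SysWOW64 = Join-Path $env:SystemRoot 'SysWOW64'

foreach ($bin in $LolBins) {
    foreach ($dir in @($System32, $SysWOW64)) {
        $path = Join-Path $dir $bin
        if (-not (Test-Path $path)) { continue }   # binary absent on this build
        $name = "LOLBin block (outbound) - $bin [$(Split-Path $dir -Leaf)]"   # made-up name
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Outbound -Program $path `
                -Action Block -Profile Any -Enabled True | Out-Null
        }
    }
}

# bitsadmin.exe only queues jobs; the transfer itself is done by the BITS service
# (running inside svchost.exe), so a per-program firewall rule on bitsadmin.exe does
# not stop the download. Disabling Win32k system calls for the process instead makes
# the executable fail to start, as described in the thread.
Set-ProcessMitigation -Name bitsadmin.exe -Enable DisableWin32kSystemCalls

# Verification: list the programs covered by the new rules ...
Get-NetFirewallRule -DisplayName 'LOLBin block (outbound)*' |
    Get-NetFirewallApplicationFilter |
    Select-Object -ExpandProperty Program

# ... and show the system-call mitigation state for bitsadmin.exe.
(Get-ProcessMitigation -Name bitsadmin.exe).SystemCall
```

Note that the mitigation is keyed on the image name, so it applies wherever bitsadmin.exe is started from, and it does not touch the BITS service itself; Windows Update and other BITS clients keep working.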
 

Kees1958

Level 4
Verified
Sep 5, 2021
174
955
Blocking all LOLBins has never caused a breakage that cannot be fixed, if needed. Millions block LOLBins daily and the world has never had an IT meltdown. If anyone hadn't noticed, the LOLBin list is quite manageable as it changes slowly.
Thanks for your answer. I had a futile discussion to add block rules for sponsors also in SWH with @Andy Ful , but he declined in fear it might break/complicate things for ordinary user. Maybe you could give it another try to convince him to block sponsors in SWH :)
 

Andy Ful

Level 73
Verified
Trusted
Developer
Dec 23, 2014
6,282
42,865
SWH is a simple application for home users that should require only minimal adjustments. I am trying to avoid unnecessary options. SWH is intended to prevent fileless attacks. It can already prevent attacks with LOLBins, without blocking LOLBins.

Let's make an experiment. If someone can find a few malware used in widespread attacks that use LOLBins and cannot be prevented by SWH + FirewallHardening, then I will consider adding the option <Block LOLBins> to SWH.

:)(y)
 

Kees1958

Level 4
Verified
Sep 5, 2021
174
955
@Andy Ful

:) I am challenging you, not criticizing you (y)

At the moment I have exported the Firewall Hardening rules from Hard_Configurator to a regfile (see attached files).

Two questions
1. Are these the FW hardening rules you mentioned above (need I add more)?
2. Could you make the FW hardening a separate module (it is part of H_C, not SWH)?


EDIT thanks @SeriousHoax
 

Andy Ful

Level 73
Verified
Trusted
Developer
Dec 23, 2014
6,282
42,865
SWH is a part of modular security. Other modules (separate tools) are available as standalone applications included in the H_C_HardeningTools (ConfigureDefender, FirewallHardening, DocumentsAntiExploit, RunBySmartscreen).

The necessity of using other modules can depend on the AV, installed software, home environment, user's safe habits, and desired security level. For example, if one uses MS Office in daily work then it is recommended to use Defender with ConfigureDefender, or with DocumentsAntiExploit tool. If one uses Norton 360 as an AV, then SWH will be probably enough. Many users will be happy just with SWH + ConfigureDefender.

If the user is cautious, then (with some basic knowledge and a few safe habits) a good AV + RunBySmartscreen will be enough. For happy clickers or children protection, I would recommend using Hard_Configurator instead of SWH (and hardening tools). Hard_Configurator is also a good application to learn about Windows security and safe habits.
 

Andy Ful

Level 73
Verified
Trusted
Developer
Dec 23, 2014
6,282
42,865
The purpose of SWH and H_C_HardeningTools is to support the AV, assuming that AV provides general real-time protection, especially for *.exe and *.msi files.
  1. SWH - the AV support against fileless attacks.
  2. ConfigureDefender - the Defender support for Network protection, MS Office, Outlook, Adobe Reader, anti-ransomware, USB disks, non-prevalent executables, and advanced threat protection.
  3. FirewallHardening - the AV support in the case when *.exe or *.msi malware uses LOLBins (directly or via code injections) to download payloads.
  4. DocumentsAntiExploit (not SWH setting) - the AV support for MS Office and Adobe Reader.
  5. RunBySmartscreen - on-demand support for AV and Windows SmartScreen (files without MOTW, DLL hijacking).
Some AVs do not need the support of all tools. For example, Norton 360 covers all these tools except SWH.
The tools: SWH, ConfigureDefender, FirewallHardening, DocumentsAntiExploit, RunBySmartscreen, are only configurators of Windows built-in features. These tools do not run as real-time security processes. So, the additional real-time protection is provided by already existent Windows features that have been enabled/configured by these tools.
 

dabluez98

Level 3
Oct 2, 2018
140
288
I hope my question is not out of context, but please just say if it is -> I get that #1-#5 are not real-time processes. But my question is this:
If I have SWH running with Kaspersky, and then I add OS Armor to the mix, which ones from 2-5 do I realistically need? I would guess FirewallHardening? Or maybe there is no exact answer to my question?
 

Andy Ful

Level 73
Verified
Trusted
Developer
Dec 23, 2014
6,282
42,865
I hope my question is not out of context, but please just say if it is -> I get that #1-#5 are not real-time processes. But my question is this:
If I have SWH running with Kaspersky, and then I add OS Armor to the mix, which ones from 2-5 do I realistically need? I would guess FirewallHardening? Or maybe there is no exact answer to my question?
Simply use KIS with @harlan4096 settings and you will not even need SWH. (y)
 

wat0114

Level 4
Verified
Apr 5, 2021
181
1,291
It can already prevent attacks with LOLBins, without blocking LOLBins.

Actually, don't the LOLBins simply launch the script types such as .js, .vbs, .js, .hta...etc, so then if scripts are blocked via SRP for instance, then really no need to block the LOLBins anyway?

EDIT

to be clear, I'm supporting your statement, not that you need support :)
 