Q&A Simple Windows Hardening


ForgottenSeer 92963

Some time ago I posted that SWH on Standard and C_D on Max with Command disabled allowed Windows Update on Windows 11.

I had set the DisableCMD value to 2, which on Windows 10 blocks both CMD and scripts. On Windows 11 that value (2) does nothing :sneaky: To disable CMD on Windows 11 the DisableCMD value has to be set to 1.

So the update on Windows 11 succeeded with SWH (standard) and C_D (max) but without CMD disabled. I have now disabled CMD on Windows 11 as well. I will report later whether CMD disabled interferes with Windows updates (I had read somewhere that M$ had disabled CMD completely, but on Windows 10 I need to enable CMD to enable/disable M$ Application Guard for Edge, so CMD was not abandoned completely).
 

Andy Ful

On Windows 10 and Windows 11, the simplest method of blocking CMD (also *.bat and *.cmd scripts) is using Exploit Protection from Security Center. One has to enable the mitigation "Disable Win32k system calls" for the CMD executable. This mitigation is system-wide.

From my experience, Windows Updates do not use Windows scripts (CMD, PowerShell, JScript, VBScript, etc.). But, sometimes they are used after updates for something (nothing important) and when updating third-party components (NVIDIA, AMD, Intel).
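As an added example (not code from this thread or from the SWH/FirewallHardening tools), the PowerShell equivalent of the Exploit Protection switch described above, plus a read-out of the DisableCMD policy value discussed earlier. It uses the standard Get-/Set-ProcessMitigation cmdlets and the standard policy key; the property path `SystemCall.DisableWin32kSystemCalls` is the one the cmdlet reports, assumed unchanged across builds.

```powershell
# Added example: audit and apply the "Disable Win32k system calls" mitigation for cmd.exe.
# Needs an elevated session on Windows 10 1709+ / Windows 11 (Set-ProcessMitigation).
#Requires -RunAsAdministrator

$Exe = 'cmd.exe'

function Get-CmdMitigationState {
    # Get-ProcessMitigation reports the switch under the SystemCall group as ON, OFF or NOTSET.
    $m = Get-ProcessMitigation -Name $Exe
    [string]$m.SystemCall.DisableWin32kSystemCalls
}

function Get-DisableCmdPolicy {
    # The "Prevent access to the command prompt" policy is stored as the DisableCMD value
    # under Software\Policies\Microsoft\Windows\System, per user (HKCU) and/or machine-wide (HKLM).
    foreach ($hive in 'HKCU:', 'HKLM:') {
        $key = Join-Path $hive 'Software\Policies\Microsoft\Windows\System'
        $v = (Get-ItemProperty -Path $key -Name DisableCMD -ErrorAction SilentlyContinue).DisableCMD
        if ($null -ne $v) { [pscustomobject]@{ Hive = $hive; DisableCMD = $v } }
    }
}

Write-Host 'DisableCMD policy values currently set:'
Get-DisableCmdPolicy | Format-Table -AutoSize

$before = Get-CmdMitigationState
Write-Host "Disable Win32k system calls for $Exe before: $before"

if ($before -ne 'ON') {
    # Per-executable mitigation: like the Security Center UI it applies to every cmd.exe
    # instance on the machine, so .bat/.cmd scripts are covered as well.
    Set-ProcessMitigation -Name $Exe -Enable DisableWin32kSystemCalls
}

$after = Get-CmdMitigationState
Write-Host "Disable Win32k system calls for $Exe after: $after"

# Roll back with: Set-ProcessMitigation -Name cmd.exe -Disable DisableWin32kSystemCalls
# Caveat from the thread: legitimate batch scripts (e.g. some third-party driver
# installers) will fail while the mitigation is ON.
```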

Andy Ful

Andy Ful, is there a way to prevent (unsigned) exe or msi files from accessing the internet using the FirewallHardening tool or anything else?
No. :(
Anyway, this would not be strong protection because unsigned applications can use services and LOLBins to access the Internet, so the Windows Firewall will see a legal system file (like Svchost or LOLBin) instead of an unsigned process.

Azerty123

No. :(
Anyway, this would not be strong protection because unsigned applications can use services and LOLBins to access the Internet, so the Windows Firewall will see a legal system file (like Svchost or LOLBin) instead of an unsigned process.

OK, so is there a way to restrict svchost.exe to specific IPs or something like that?

I found this: svchost containment · Issue #516 · henrypp/simplewall, but I haven't understood it.

Andy Ful

OK, so is there a way to restrict svchost.exe to specific IPs or something like that?

I found this: svchost containment · Issue #516 · henrypp/simplewall, but I haven't understood it.
Blocking Svchost can have unpredictable results. For example, after blocking it (while testing FirewallHardening) I lost the wireless Internet connection. Of course, it is possible to adjust firewall rules and get a working system for some time. But this would require caution and inspecting the logs. Also, you cannot be sure that this will stop the malware from calling home.
 

Azerty123

Blocking Svchost can have unpredictable results. For example, after blocking it (while testing FirewallHardening) I lost the wireless Internet connection. Of course, it is possible to adjust firewall rules and get a working system for some time. But this would require caution and inspecting the logs. Also, you cannot be sure that this will stop the malware from calling home.

What if we use Microsoft Defender Exploit Protection for svchost.exe? Is there a rule that can help us mitigate the risk of malware using it to connect to the internet?

Andy Ful

What if we use Microsoft Defender Exploit Protection for svchost.exe? Is there a rule that can help us mitigate the risk of malware using it to connect to the internet?
This could often produce unpredictable results. I think that a better idea is preventing malware that could abuse Windows Firewall and block only those (possible) processes that you do not use.
 

Andy Ful

The idea of protecting Svchost is natural (but hard to apply) in the Enterprise environment. Such an environment has such a big attack surface that one has to assume serious chances of a breach. That is why the protection is focused on post-infection remediation, anti-exploit mitigations, protecting credentials, preventing lateral movement, etc.

Such thinking is not adequate in the home environment because:
  1. The attack surface is much smaller.
  2. The features loved by attackers are rarely needed by home users.
  3. The infection rate is much smaller compared to Enterprises.
  4. The system and software are often well patched.
  5. The attacks originating from the home network are very rare.
That is why home users can focus on initial attack vectors and do not bother much about what will happen after infection.
 

Azerty123

@Andy Ful Can you reverse engineer the Binisoft WFC tool and add the option to block unsigned apps from the internet to your FirewallHardening?
 


Andy Ful

@Andy Ful Can you reverse engineer the Binisoft WFC tool and add the option to block unsigned apps from the internet to your FirewallHardening?
Binisoft WFC is a real-time application, so it can interact with and support Windows Firewall in real time to extend its abilities. FirewallHardening is a configurator that can activate only pre-existing Windows built-in features/policies. It is like a "switch", but not the "lamp". I am not aware of a pre-existing Windows feature/policy that could be "switched on" to do what you want. :(
 

VecchioScarpone

After I successfully applied SWH, Windows 11 store management won't allow me to start SWH from either the portable folder exe or the Start bar exe icon.

The management banner freezes after I click Install. I have to end the task in Task Manager to get rid of it.
 

VecchioScarpone

Edit:
Spoke too soon. Now Windows store management won't let me install VS stable. Moreover, starting SWH is a hit-and-miss affair, with Store Management freezing.
I was looking forward to taking SWH for a spin.
SWH is a great tool, and I suspect it is Windows 11 that is not playing nicely with my PC. This new Store Management, is it what replaced the SmartScreen banner?
 

Gandalf_The_Grey

@VecchioScarpone I run both SWH 1.0.1.0 and VS 6.82 on Windows 11 and don't have any issues... 🤔

The Windows store management is a setting in Settings ==> Apps ==> Apps & features.
When set to Anywhere your problem should be solved.

Found 2 images on the net for illustration.

In your case it was probably set to The Microsoft Store only (Recommended).
 

VecchioScarpone

@VecchioScarpone I run both SWH 1.0.1.0 and VS 6.82 on Windows 11 and don't have any issues... 🤔

The Windows store management is a setting in Settings ==> Apps ==> Apps & features.
When set to Anywhere your problem should be solved.

Found 2 images on the net for illustration.
In your case it was probably set to The Microsoft Store only (Recommended).
@Gandalf_The_Grey, thanks.
I had it set to Anywhere, but let me explain...
I had several conflicting instances, not just with SWH and VS as reported. This never happened before on Windows 10.
Shame, I would have liked to give SWH a spin.
I had to restore my system with Macrium to set things straight.
Let me be clear, it was not SWH's fault, nor VS's. Just my bad luck, I guess.
 

Andy Ful

After I successfully applied SWH, Windows 11 store management won't allow me to start SWH from either the portable folder exe or the Start bar exe icon.

The management banner freezes after I click Install. I have to end the task in Task Manager to get rid of it.

Something (not SWH or any of my applications) silently changed (or restored periodically in real-time) the SmartScreen settings to run applications only from Microsoft Store. This is true even if you can see another setting in Apps & features. (y)
It means that any application downloaded from the Internet will be blocked on execution (the file has MOTW). You can bypass this block (for a particular executable) in this way:
 
  • Thanks
Reactions: VecchioScarpone

VecchioScarpone

Something (not SWH or any of my applications) silently changed (or restored periodically in real-time) the SmartScreen settings to run applications only from Microsoft Store. This is true even if you can see another setting in Apps & features. (y)
It means that any application downloaded from the Internet will be blocked on execution (the file has MOTW). You can bypass this block (for a particular executable) in this way:

Thanks Andy. I shall bookmark the link provided as I forget things.
I'm getting ready to try SWH.