New Update Simple Windows Hardening

[HarborFront]

Does SWH works with O&O ShutUp 10, WPD etc?

I was looking at the readme file of WPD a while ago and saw the below (a snapshot)

### List of buttons ###
* **Local Group Policy**
* CEIPEnable - Windows Customer Experience Improvement Program
* DisableCustomerImprovementProgram - Internet Explorer Customer Experience Improvement Program
* CEIP - Windows Messenger Customer Experience Improvement Program
* AllowCortana - Allow Cortana
* AllowSearchToUseLocation - Allow search and Cortana to use location
* WindowsErrorReporting - Windows Error Reporting
* DisableUAR - Steps Recorder
* DisableInventory - Inventory Collector
* AllowTelemetry - Telemetry
* RestrictImplicitCollection - Handwriting automatic learning
* AllowInputPersonalization - Input personalization / Allow users to enable online speech recognition services
* AllowLinguisticDataCollection - Improve inking and typing recognition
* ScenarioExecutionEnabled - PerfTrack
* DisableQueryRemoteServer - Microsoft Support Diagnostic Tool
* AdvertisingInfo - Advertising ID
* DisableContentFileUpdates - Search Companion
* DisableWindowsConsumerFeatures - Microsoft consumer experiences
*
* **MS Office Local Group Policy**
* qmenable - Customer Experience Improvement Program
* sendtelemetry - Send Telemetry
* sendcustomerdata - Send personal information
*
* **Microsoft Edge (Chromium) Local Group Policy**
* AddressBarMicrosoftSearchInBingProviderEnabled - Enable Microsoft Search in Bing suggestions in the address bar
* AlternateErrorPagesEnabled - Suggest similar pages when a webpage can't be found
* AutofillAddressEnabled - Enable AutoFill for addresses
* AutofillCreditCardEnabled - Enable AutoFill for credit cards
* NetworkPredictionOptions - Enable network prediction
* PersonalizationReportingEnabled - Allow personalization of ads, search and news by sending browsing history to Microsoft


I believe those are Local Group Policy settings. I assume O&O ShutUp 10 and similar privacy tools also work alike.

So, am I right to say SWH will have problems working with these softwares since SWH works on SRP? Or such privacy tools are doing part of SWH is doing so not needed?

Thanks

 

[L0ckJaw]

Can this SWH be used with Norton360, the firewall of Norton has a lot of features like this already.

 

[Gandalf_The_Grey]

Does SWH works with O&O ShutUp 10, WPD etc?

I was looking at the readme file of WPD a while ago and saw the below (a snapshot)

### List of buttons ###
* **Local Group Policy**
* CEIPEnable - Windows Customer Experience Improvement Program
* DisableCustomerImprovementProgram - Internet Explorer Customer Experience Improvement Program
* CEIP - Windows Messenger Customer Experience Improvement Program
* AllowCortana - Allow Cortana
* AllowSearchToUseLocation - Allow search and Cortana to use location
* WindowsErrorReporting - Windows Error Reporting
* DisableUAR - Steps Recorder
* DisableInventory - Inventory Collector
* AllowTelemetry - Telemetry
* RestrictImplicitCollection - Handwriting automatic learning
* AllowInputPersonalization - Input personalization / Allow users to enable online speech recognition services
* AllowLinguisticDataCollection - Improve inking and typing recognition
* ScenarioExecutionEnabled - PerfTrack
* DisableQueryRemoteServer - Microsoft Support Diagnostic Tool
* AdvertisingInfo - Advertising ID
* DisableContentFileUpdates - Search Companion
* DisableWindowsConsumerFeatures - Microsoft consumer experiences
*
* **MS Office Local Group Policy**
* qmenable - Customer Experience Improvement Program
* sendtelemetry - Send Telemetry
* sendcustomerdata - Send personal information
*
* **Microsoft Edge (Chromium) Local Group Policy**
* AddressBarMicrosoftSearchInBingProviderEnabled - Enable Microsoft Search in Bing suggestions in the address bar
* AlternateErrorPagesEnabled - Suggest similar pages when a webpage can't be found
* AutofillAddressEnabled - Enable AutoFill for addresses
* AutofillCreditCardEnabled - Enable AutoFill for credit cards
* NetworkPredictionOptions - Enable network prediction
* PersonalizationReportingEnabled - Allow personalization of ads, search and news by sending browsing history to Microsoft


I believe those are Local Group Policy settings. I assume O&O ShutUp 10 and similar privacy tools also work alike.

So, am I right to say SWH will have problems working with these softwares since SWH works on SRP? Or such privacy tools are doing part of SWH is doing so not needed?

Thanks

Personally, I only use O&O ShutUp10++ and without any problems together with Simple Windows Hardening.
They can work together because they focus on different things.
O&O on privacy and SWH on security.
They don't overlap but complement each other.

 

[Andy Ful]

Does SWH works with O&O ShutUp 10, WPD etc?
...

These policies are focused on privacy and are unrelated to SWH.
Anyway, SWH has only a few settings. Simply remember them (or write somewhere) and then apply WPD or O&O Shutup. Restart the computer, run SWH, and look if the settings were changed.

 

[Andy Ful]

Can this SWH be used with Norton360, the firewall of Norton has a lot of features like this already.

SWH and Norton can nicely support each other. SWH mostly prevents the fileless part of the attack and Norton is focused on the rest (mostly the protection of PE executables like EXE files, DLLs, etc.).

 

[L0ckJaw]

SWH and Norton can nicely support each other. SWH mostly prevents the fileless part of the attack and Norton is focused on the rest (mostly the protection of PE executables like EXE files, DLLs, etc.).

Thanks @Andy Ful

 

[SeriousHoax]

Hi @Andy Ful! I see SWH blocks Winget by default. What should be the proper way to whitelist it?
Using SWH 1011 Beta 3.

 

[Andy Ful]

Hi @Andy Ful! I see SWH blocks Winget by default. What should be the proper way to whitelist it?
Using SWH 1011 Beta 3.
View attachment 266494

The only way to allow Winget is to set <More SRP ...> <Block AppInstaller> = ON.
Winget is blocked as a side effect of blocking AppInstaller by a very special SRP rule, which cannot allow whitelisting. But you can bypass SRP by running Winget via CMD (Administrator) or PowerShell (Administrator).
You can also use Winget when it is located in another (whitelisted) folder.

Winget is a LOLBin. It was used in the wild to download malware just like Bitsadmin or Curl. It is not necessary, except when you want to download desktop applications (not UWP apps) directly from Microsoft Store. There is no advantage to do this because such applications are not signed by Microsoft (on the contrary to UWP apps) and they are not updated via Microsoft Store updates. Furthermore, desktop applications can be downloaded normally (from Softpedia, developer website, etc.).

 

[SeriousHoax]

The only way to allow Winget is to set <More SRP ...> <Block AppInstaller> = ON.
Winget is blocked as a side effect of blocking AppInstaller by a very special SRP rule, which cannot allow whitelisting. But you can bypass SRP by running Winget via CMD (Administrator) or PowerShell (Administrator).
You can also use Winget when it is located in another (whitelisted) folder.

Winget is a LOLBin. It was used in the wild to download malware just like Bitsadmin or Curl. It is not necessary, except when you want to download desktop applications (not UWP apps) directly from Microsoft Store. There is no advantage to do this because such applications are not signed by Microsoft (on the contrary to UWP apps) and they are not updated via Microsoft Store updates. Furthermore, desktop applications can be downloaded normally (from Softpedia, developer website, etc.).

I often use it because it can even detect and update quite a few non-MS Store apps.
I tried Winget again by launching Windows Terminal as administrator and like you said, now it works. Thanks!

 

[Andy Ful]

I often use it because it can even detect and update quite a few non-MS Store apps.

Yes. It is a useful tool for Administrators, like many LOLBins.

I tried Winget again by launching Windows Terminal as administrator and like you said, now it works. Thanks!

This way is safer. You can still use Winget, but most malware cannot.

 

[Andy Ful]

I am not definitely convinced about blocking Winget in relation to AppInstaller restrictions. The current method has got some pros and cons. It is probably OK for now, when people install desktop applications mostly via a web browser or USB drive.
The situation may change when Microsoft Store will be a popular way of installing both UWP and desktop applications.
As an alternative solution, it is possible to block AppInstaller via Exploit Protection and Winget by SRP.

Post edited,

 

[Andy Ful]

Post udated.

SWH ver 1.1.1.1

https://github.com/AndyFul/Hard_Configurator/raw/master/Simple%20Windows%20Hardening/SimpleWindowsHardening_1111.ZIP

SWH changelog
ver. 1.1.1.1

1. Added several file extensions to the "Protected SRP Extensions", mostly for MS Excel Add-ins, Query files, and some legacy file formats.
   New default extensions : ACCDA, ACCDU, CSV, DQY, ECF, MDA, PA, PPA, PPAM, RTF, WLL, WWL, XLA, XLAM, XLL, XLM, XLS, XLSB, XLSM, XLT, XLTM, XSL.
   New Paranoid extensions: ACCDU, ARJ, BZIP, BZIP2, DOC, ECF, FAT, HWP, IMG, ISO, LHA, NTFS, MCL, PA, PPA, PPT, PPTX, REV, R00, R01, R02, R03, R04, R05, R06, R07, R08, R09, TBZ, TPZ, TXZ, TZ, VHD, VHDX, WLL, WWL, XAR, XIP, XLS, XLSX, XSL, XZ.
   Disk image extensions: ISO, IMG, VHDX, can be blocked by SWH settings only if a 3-rd party application is set to open them (and not by Windows built-in handler).
2. Improved policies for Adobe Acrobat Reader XI/DC.
3. Corrected some minor bugs.

ver. 1.0.1.1
Added the option * AppInstaller * to restrict the installation of UWP apps via the web browser or downloaded packages:.msix, .appx, .msibundle, .appxbundle

UPDATING new features.

1. New default extensions: <Settings> <Protected SRP Extensions> <Restore Defaults>
   New Paranoid extensions: <Settings> <Protected SRP Extensions> <Paranoid Extensions>
2. Improved documents antiexploit: <Settings> * Documents Anti-Exploit> <Not configured> and next
   <Settings> * Documents Anti-Exploit> <Adobe+VBA> (or <Adobe>)

Edit.
The new SWH version 2.0.0.0. will come this week.
Added the info about IMG, ISO, and VHDX file extensions.

 

[Andy Ful]

This new version can be supported by the updated H_C_HardeningTools ver. 2010:

https://github.com/AndyFul/ConfigureDefender/raw/master/H_C_HardeningTools/H_C_HardeningTools_2010.zip

 

[cc207]

Thanks @Andy Ful, I like this protection application.

 

[Gandalf_The_Grey]

This new version can be supported by the updated H_C_HardeningTools ver. 2010:

https://github.com/AndyFul/ConfigureDefender/raw/master/H_C_HardeningTools/H_C_HardeningTools_2010.zip

Thanks @Andy Ful for the new DocumentsAntiExploit version 2.0.0.1 that now works with the current version of Adobe Reader

 

[Gandalf_The_Grey]

SWH ver 1.1.1.1

https://github.com/AndyFul/Hard_Configurator/raw/master/Simple%20Windows%20Hardening/SimpleWindowsHardening_1111.ZIP

SWH changelog
ver. 1.1.1.1

1. Added several file extensions to the "Protected SRP Extensions", mostly for MS Excel Add-ins, Query files, and some legacy file formats.
   New default extensions : ACCDA, ACCDU, CSV, DQY, ECF, MDA, PA, PPA, PPAM, RTF, WLL, WWL, XLA, XLAM, XLL, XLM, XLS, XLSB, XLSM, XLT, XLTM, XSL.
   New Paranoid extensions: ACCDU, ARJ, BZIP, BZIP2, DOC, ECF, FAT, HWP, IMG, ISO, LHA, NTFS, MCL, PA, PPA, PPT, PPTX, REV, R00, R01, R02, R03, R04, R05, R06, R07, R08, R09, TBZ, TPZ, TXZ, TZ, VHD, VHDX, WLL, WWL, XAR, XIP, XLS, XLSX, XSL, XZ.
2. Improved policies for Adobe Acrobat Reader XI/DC.
3. Corrected some minor bugs.

ver. 1.0.1.1
Added the option * AppInstaller * to restrict the installation of UWP apps via the web browser or downloaded packages:.msix, .appx, .msibundle, .appxbundle

UPDATING new features.

1. New default extensions: <Settings> <Protected SRP Extensions> <Restore Defaults>
   New Paranoid extensions: <Settings> <Protected SRP Extensions> <Paranoid Extensions>
2. Improved documents antiexploit: <Settings> * Documents Anti-Exploit> <Not configured> and next
   <Settings> * Documents Anti-Exploit> <Adobe+VBA> (or <Adobe>)

With the new default extensions, I can't work with received Excel files.
I had to remove .xlsx and maybe later today some others.
Does that mean that Simple Windows hardening at default settings is not suited for someone working with MS Office anymore?

 

[Andy Ful]

With the new default extensions, I can't work with received Excel files.
I had to remove .xlsx and maybe later today some others.
Does that mean that Simple Windows hardening at default settings is not suited for someone working with MS Office anymore?

The XLSX documents cannot contain macros but have got other dangerous features (like DDE, etc.). If you use Defender with ASR rules then the XLSX extension can be safely removed via <Settings><Protected SRP Extensions>.
If you use the DocumentsAntiExploit tool, then the XLSX extension can be safely removed when using any AV.

The problem can arise if one uses custom settings to harden MS Office manually. Home users are focused on Word hardening and often forget to properly harden Excel. It is not easy to make Excel hardening because it has got many dangerous features.
The Excel files are rarely used at home and commonly used in attacks, so they are blocked in SWH ver. 1.1.1.1 by default. I am not sure if this is an optimal solution. What do you think guys?

 

[Gandalf_The_Grey]

The XLSX documents cannot contain macros. If you use Defender with ASR rules or the DocumentsAntiExploit tool, then the XLSX extension can be safely removed via <Settings><Protected SRP Extensions>.

The problem can arise if one uses custom settings to harden MS Office manually. Users are focused on Word hardening and often forget to properly harden Excel. It is not easy to make Excel hardening because it has got many dangerous features.
The Excel files are rarely used at home so they are blocked in SWH ver. 1.1.1.1 by default. I am not sure if this is an optimal solution. What do you think guys?

My mother-in-law receives a schedule from her church in Excel.
My children have to do some homework in Excel for school.
People keep track of their expenses in Excel.

So I think Excel is used in its basic form at home.

I'm personally not a typical home user and need to use at least .xls, .xlsx and .xltx.

 

[Andy Ful]

My mother-in-law receives a schedule from her church in Excel.
My children have to do some homework in Excel for school.
People keep track of their expenses in Excel.

So I think Excel is used in its basic form at home.

I'm personally not a typical home user and need to use at least .xls, .xlsx and .xltx.

These files can be opened directly from Excel, even when they are blocked by SWH. The SWH prevents opening Excel documents from the Desktop or File Explorer. In your case, these extensions can be removed because you applied the hardening via DocumentsAntiExploit tool.

 

[Andy Ful]

Gandalf_The_Grey,

What is the source of .xls documents? This is a legacy format from the era before MS Office 2007.