Q&A Simple Windows Hardening

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Helper
Top poster
Developer
Well-known
Dec 23, 2014
7,089
I did some research. The block is for WindowsPackageManagerServer.exe. It can be important for developers who are going to submit their applications to the Microsoft Store. When opening, the Microsoft Store tries to access it.
This block can be ignored by home users. The updates and installations of UWP apps are not impacted.
Anyway, it would be good to get rid of it. :unsure:
 

Back3

Level 12
Verified
Top poster
Apr 14, 2019
570
I did some research. The block is for WindowsPackageManagerServer.exe. It can be important for developers who are going to submit their applications to the Microsoft Store. When opening, the Microsoft Store tries to access it.
This block can be ignored for home users. The updates and installations of UWP apps are not impacted.
True. Everything in the Microsoft Store can be updated manually or automatically as usual. No issues on my computer.
 

Andy Ful

This will require some important changes with my repositories on GitHub and MT threads, so I am not sure when it will happen. I am thinking about adding FirewallHardening and RunBySmartScreen to the SWH repository. So, there will be two main repositories: ConfigureDefender and SWH (with DocumentsAntiExploit, FirewallHardening, and RunBySmartscreen).
 

Digmor Crusher

Level 15
Verified
Top poster
Well-known
Jan 27, 2018
713
This will require some important changes with my repositories on GitHub and MT threads, so I am not sure when it will happen. I am thinking about adding FirewallHardening and RunBySmartScreen to the SWH repository. So, there will be two main repositories: ConfigureDefender and SWH (with DocumentsAntiExploit, FirewallHardening, and RunBySmartscreen).
Nice.
 

SecureKongo

Level 29
Verified
Top poster
Well-known
Feb 25, 2017
1,853
This will require some important changes with my repositories on GitHub and MT threads, so I am not sure when it will happen. I am thinking about adding FirewallHardening and RunBySmartScreen to the SWH repository. So, there will be two main repositories: ConfigureDefender and SWH (with DocumentsAntiExploit, FirewallHardening, and RunBySmartscreen).
Seems like a good plan to me. (y)
 

JasonUK

Level 5
Apr 14, 2020
206
This will require some important changes with my repositories on GitHub and MT threads, so I am not sure when it will happen. I am thinking about adding FirewallHardening and RunBySmartScreen to the SWH repository. So, there will be two main repositories: ConfigureDefender and SWH (with DocumentsAntiExploit, FirewallHardening, and RunBySmartscreen).
Or H_C and standalone (everything else!) tools repositories.
 

Freki123

Level 11
Verified
Top poster
Aug 10, 2013
518
Maybe H_C could get big buttons that would do the stuff SWH can do (with or without DocumentsAntiExploit, FirewallHardening, and RunBySmartscreen), and the normal H_C options/settings (like they are now) would just be accessible with a small "advanced user, I know the risks" button.
So there would be only H_C, which could be used by novice users and advanced ones. Just take it as a random thought of a non-coder who has no clue about the amount of work it would require :D
Thanks for all your time and work to keep H_C running :)
TL;DR: H_C would start with a "novice" interface that would only allow doing stuff like SWH, while the more "dangerous" options would still be there but "hidden" behind an "advanced" button.
 

Andy Ful

Maybe H_C could get big buttons that would do the stuff SWH can do (with or without DocumentsAntiExploit, FirewallHardening, and RunBySmartscreen), and the normal H_C options/settings (like they are now) would just be accessible with a small "advanced user, I know the risks" button.
It is not possible. H_C must be installed (it is not a portable application), and the standalone tools like ConfigureDefender, SWH, etc. are portable applications.
I could do what you have proposed, but only for H_C. I am not sure that this is necessary when the standalone tools can do just the same.
 

Andy Ful

SWH vs. AstraLocker attack


The attack is very primitive and well known. I doubt that such malware could infect users under the protection of any popular AV. Anyway, it shows the method that was used quite often a few years ago.

The malware uses the well-known method of weaponizing MS Word documents by embedding the malicious executable directly into the document (OLE method). This method is uncommon in the wild nowadays, because the user must click on the icon in the document and then allow the file to run:

[screenshot]


The infection chain:
Email attachment (Word document) ----> user opens the document and clicks the icon (OLE) -----> user presses Run button ---> malware is executed

The malware is blocked by SWH 2.0.0.0 recommended settings:
  1. No ConfigureDefender HIGH Protection Level: malware blocked after MS Office hardening via DocumentsAntiExploit tool.
  2. Defender + ConfigureDefender HIGH Protection Level: malware blocked by ASR rule.
The malware is also blocked by default in Microsoft Office 365.
 

Andy Ful

SWH vs. Raspberry Robin worm


It is a typical attack via an infected USB drive that contains a malicious shortcut (.lnk file) masquerading as a legitimate folder on a USB device. Opening the fake folder starts the infection chain.

[screenshot]


SWH can block such attacks by default due to the special SRP restrictions for shortcuts. Shortcuts are rarely restricted in the business environment, even for USB drives. Furthermore, AppLocker and Microsoft Application Control cannot block shortcuts, and most administrators do not know how to effectively manage shortcuts via SRP.

Edit.
This threat can also be blocked by the FirewallHardening tool: the LOLBin msiexec.exe will be prevented from downloading the malicious DLL from the URL.
 
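An added audit script, not part of this thread or of Andy Ful's tools, that checks on a Windows host the two mitigations named in the post above: whether Software Restriction Policies list .lnk as a designated file type and what the SRP default level is (read from the standard Safer\CodeIdentifiers policy key), and whether an enabled outbound Windows Firewall rule blocks msiexec.exe. Function names are my own; the script is read-only and assumes an elevated PowerShell session.

```powershell
# Added example (not code from the thread or from SWH/FirewallHardening).
# Read-only audit; run from an elevated PowerShell prompt.
#  1. SRP: is LNK a designated file type, and what is the default security level?
#  2. Windows Firewall: is there an enabled outbound rule blocking msiexec.exe?

$SrpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Test-SrpShortcutCoverage {
    if (-not (Test-Path $SrpKey)) {
        return [pscustomobject]@{ SrpConfigured = $false; DefaultLevel = 'n/a'; LnkDesignated = $false }
    }
    $p = Get-ItemProperty -Path $SrpKey
    # DefaultLevel: 0 = Disallowed, 0x20000 = Basic User, 0x40000 = Unrestricted.
    # Whether a given shortcut is actually blocked also depends on the path rules
    # under the Paths subkeys, which this quick check does not enumerate.
    if     ($p.DefaultLevel -eq 0)       { $level = 'Disallowed' }
    elseif ($p.DefaultLevel -eq 0x20000) { $level = 'Basic User' }
    elseif ($p.DefaultLevel -eq 0x40000) { $level = 'Unrestricted' }
    else                                 { $level = "unknown ($($p.DefaultLevel))" }
    [pscustomobject]@{
        SrpConfigured = $true
        DefaultLevel  = $level
        # ExecutableTypes is a REG_MULTI_SZ; LNK must be listed for SRP to judge shortcuts at all
        LnkDesignated = (@($p.ExecutableTypes) -contains 'LNK')
    }
}

function Find-MsiexecOutboundBlockRule {
    $msiexec = Join-Path $env:SystemRoot 'System32\msiexec.exe'
    $rules = Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        # The program a rule applies to is stored in its associated application filter;
        # it may be written with %SystemRoot%, so expand before comparing.
        $program = ($rule | Get-NetFirewallApplicationFilter).Program
        if ($program -and ([Environment]::ExpandEnvironmentVariables($program) -ieq $msiexec)) {
            return $rule.DisplayName
        }
    }
    return $null
}

$srp = Test-SrpShortcutCoverage
"SRP configured: $($srp.SrpConfigured); default level: $($srp.DefaultLevel); LNK designated: $($srp.LnkDesignated)"
$ruleName = Find-MsiexecOutboundBlockRule
if ($ruleName) { "msiexec.exe outbound traffic is blocked by rule '$ruleName'" }
else           { "no enabled outbound block rule found for msiexec.exe" }
```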

wat0114

Level 7
Verified
Well-known
Apr 5, 2021
322
SWH can block such attacks by default due to the special SRP restrictions for shortcuts. Shortcuts are rarely restricted in the business environment, even for USB drives. Furthermore, AppLocker and Microsoft Application Control cannot block shortcuts, and most administrators do not know how to effectively manage shortcuts via SRP.

Thanks Andy. I guess no need to block additional Sponsors such as msiexec.exe or odbcconf.exe?

EDIT

Oops :oops: this is the SWH thread. I was thinking of H_C which I use, so I'm not even sure if my question can also apply to SWH.
 

Andy Ful

Thanks Andy. I guess no need to block additional Sponsors such as msiexec.exe or odbcconf.exe?

EDIT

Oops :oops: this is the SWH thread. I was thinking of H_C which I use, so I'm not even sure if my question can also apply to SWH.

Yes. SWH cannot block LOLBins because it generally allows EXE files. But, as you can see by reading the examples in this thread, it can efficiently prevent running LOLBins in fileless attacks. :)
If SWH can block the attack, then H_C can also do it, even with Basic_Recommended_Settings.