New Update Simple Windows Hardening

[pxxb1]

When something is blocked, then usually you get the Windows alert. The details can be seen in the SWH Log. Some actions are rarely blocked by Windows without alert (like in SysHardener).

SysHardener default settings are not so restrictive as the SWH default setup. So, usually the opposite is true.

You can make SysHardener stronger by ticking all options, but this is not recommended because SysHardener does not have a log of blocked processes, so you will have problems with identifying what setting is the issue. It does not also allow whitelisting, so one blocked BAT script required to run Intel or AMD firmware, will cause you to disable protection of all BAT scripts, etc.

Most of these problems can be solved when using SWH + FirewallHardening. The FirewallHardening tool is an enhanced version of the SysHardener part related to blocking Internet access to LOLBins:

ConfigureDefender/H_C_HardeningTools.zip at master · AndyFul/ConfigureDefender

Utility for configuring Windows 10 built-in Defender antivirus settings. - ConfigureDefender/H_C_HardeningTools.zip at master · AndyFul/ConfigureDefender

github.com

This setup is stronger and safer for the user than tweaked SysHardener, because of using detailed Logs and whitelisting.

If you need simple and basic protection (no whitelisting), then you can use SysHardener on default settings. If you need something stronger and more comprehensive then go for SWH.

I have a suggestion. After having "ADD" block rules in FH it would be good with a colour change on the button so one could see what one has applied on a later occasion.

 

[Andy Ful]

I see.

To sum it up. You mean that SWH is better because it logs and blocks and together with FH the protection is enhanced so it is equal to, or better, than SH?

Yes, SWH can additionally block shortcuts and much more unsafe file types. Firewall hardening can block more LOLBins and the user can add custom executables/LOLBins to the Blocklist. These additional restrictions can work without issues because of adopting Logs and whitelisting. If one does not like Logs and occasional whitelisting, then I recommend using SysHardener on default settings.

 

[Andy Ful]

I have a suggestion. After having "ADD" block rules in FH it would be good with a colour change on the button so one could see what one has applied on a later occasion.

Could you expand your idea? It is not clear to me.
After pressing the <ADD> button, the new entries are simply added at the end of the Blocklist, so you can see them. When you will close and open FirewallHardening again, the Blocklist is sorted alphabetically.

 

[pxxb1]

Could you expand your idea? It is not clear to me.
After pressing the <ADD> button, the new entries are simply added at the end of the Blocklist, so you can see them. When you will close and open FirewallHardening again, the Blocklist is sorted alphabetically.

Well, for me it is all jibberish what comes up in the frame after pressing a button in FH so i do not know what it means even though i know what i am pressing. Therefore i think it would be nice with a colour change to the pressed button so i can see in the future what i have activated before. As for now i can not see it and have to depend on memory. As long as that stays. Probably there is some message that says that it is done already if i press a button again but, nevertheless, it would be nice with that colour change so a simple view makes certainty of what`s been done before.

 

[pxxb1]

Yes, SWH can additionally block shortcuts and much more unsafe file types. Firewall hardening can block more LOLBins and the user can add custom executables/LOLBins to the Blocklist. These additional restrictions can work without issues because of adopting Logs and whitelisting. If one does not like Logs and occasional whitelisting, then I recommend using SysHardener on default settings.

Ok.
Thanks.

 

[Andy Ful]

...
Therefore i think it would be nice with a colour change to the pressed button so i can see in the future what i have activated before.
...

The FirewallHardening Blocklist is very customizable, so such simple solution does not apply.
The ADD and REMOVE buttons simply save time, but usually do not create the final Blocklist.
The user can remove the particular entries from the Blocklist or deactivate some other blocked entries on the Blocklist. There are 2^n possibilities to remove some LOLBins from the Blocklist with "n" entries. So for example, only for the "Recommended H_C" entries, the number of theoretical possibilities is enormous (2^45 > 30 000 000 000 000). Furthermore, all entries included in "Recommended H_C" are also present in "LOLBins".

There is no need to remember how you created the final Blocklist. The most important thing follows from the FirewallHardening Log (<Blocled Events>). If the executable is both on the Blocklist and in the Log, then you have a problem to solve. If not, then everything is OK (nothing to remember).
The Log shows all outbound connections blocked by Windows Firewall, so some events can be caused not by FirewallHardening but another security (AV, etc.).

 

[pxxb1]

The FirewallHardening Blocklist is very customizable, so such simple solution does not apply.
The ADD and REMOVE buttons simply save time, but usually do not create the final Blocklist.
The user can remove the particular entries from the Blocklist or deactivate some other blocked entries on the Blocklist. There are 2^n possibilities to remove some LOLBins from the Blocklist with "n" entries. So for example, only for the "Recommended H_C" entries, the number of theoretical possibilities is enormous (2^45 > 30 000 000 000 000). Furthermore, all entries included in "Recommended H_C" are also present in "LOLBins".

There is no need to remember how you created the final Blocklist. The most important thing follows from the FirewallHardening Log (<Blocled Events>). If the executable is both on the Blocklist and in the Log, then you have a problem to solve. If not, then everything is OK (nothing to remember).
The Log shows all outbound connections blocked by Windows Firewall, so some events can be caused not by FirewallHardening but another security (AV, etc.).

For a novice like me it would apply with some sort of certainty about my done actions. And with novice i mean a guy who do not do ANYTHING else then press the buttons.

But this is not a big thing so it`s ok as it is for now.

 

[ColonelMal]

I'm trying this program, but I have come across a small problem:
My clipboard manager is CopyQ. It has a number of plugins including one that plays a sound when I copy something to the clipboard. Apparently it uses Powershell because the plugin script is as follows:

powershell:
(New-Object Media.SoundPlayer "c:\Users\colonelmal\Documents\Wav\cfbeep4.wav").PlaySync()

I'm running Windows 10 Pro from a Standard User Account.
Is there a way to allow this plugin?

 

[Andy Ful]

(New-Object Media.SoundPlayer "c:\Users\colonelmal\Documents\Wav\cfbeep4.wav").PlaySync()
....
I'm running Windows 10 Pro from a Standard User Account.
Is there a way to allow this plugin?

The type "Media.SoundPlayer" is not supported in PowerShell Constrained Language Mode.
So, it will not be possible with SWH.

 

[codswollip]

Return to default failed me.

Last week my Excel 2013 workbooks quit communicating with published Google Sheets. This was a hellish thing to dig into. Running out of ideas, I reset both Simple Windows Hardening and Configure Defender to default (at least I thought I did). Still no connection. Next, I ran an online repair for Microsoft Office. When it completed, registration checks failed because Office couldn't connect out, leaving me with a ten-day trial.

After a lot of googling I found the offending rules in the registry.

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules]
"{f016b...}"="v2.29|Action=Block|Active=TRUE|Dir=Out|App=C:\\Program Files\\Microsoft Office 15\\Root\\Office15\\winword.exe|Name=H_C rule for: winword.exe|EmbedCtxt=H_C Firewall Rules|"
"{f016b...}"="v2.29|Action=Block|Active=TRUE|Dir=Out|App=C:\\Program Files\\Microsoft Office 15\\Root\\Office15\\excel.exe|Name=H_C rule for: excel.exe|EmbedCtxt=H_C Firewall Rules|"
"{f016b...}"="v2.29|Action=Block|Active=TRUE|Dir=Out|App=C:\\Program Files\\Microsoft Office 15\\Root\\Office15\\powerpnt.exe|Name=H_C rule for: powerpnt.exe|EmbedCtxt=H_C Firewall Rules|"

Deleted registry entries. Problems solved? Well... I can now connect, and the firewall "Some settings are managed by your system administrator" warning is gone.

Seems like restore to default settings has a bug?

 

[Andy Ful]

Return to default failed me.

Last week my Excel 2013 workbooks quit communicating with published Google Sheets. This was a hellish thing to dig into. Running out of ideas, I reset both Simple Windows Hardening and Configure Defender to default (at least I thought I did). Still no connection. Next, I ran an online repair for Microsoft Office. When it completed, registration checks failed because Office couldn't connect out, leaving me with a ten-day trial.

After a lot of googling I found the offending rules in the registry.

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules]
"{f016b...}"="v2.29|Action=Block|Active=TRUE|Dir=Out|App=C:\\Program Files\\Microsoft Office 15\\Root\\Office15\\winword.exe|Name=H_C rule for: winword.exe|EmbedCtxt=H_C Firewall Rules|"
"{f016b...}"="v2.29|Action=Block|Active=TRUE|Dir=Out|App=C:\\Program Files\\Microsoft Office 15\\Root\\Office15\\excel.exe|Name=H_C rule for: excel.exe|EmbedCtxt=H_C Firewall Rules|"
"{f016b...}"="v2.29|Action=Block|Active=TRUE|Dir=Out|App=C:\\Program Files\\Microsoft Office 15\\Root\\Office15\\powerpnt.exe|Name=H_C rule for: powerpnt.exe|EmbedCtxt=H_C Firewall Rules|"

Deleted registry entries. Problems solved? Well... I can now connect, and the firewall "Some settings are managed by your system administrator" warning is gone.

Seems like restore to default settings has a bug?

In fact, you solved your problem by removing the firewall rules - other actions were unnecessary, because Simple Windows Hardening and ConfigureDefender have nothing to do with firewall rules.
These three registry entries are related to FirewallHardening. You manually added them in FirewallHardening by pressing the <ADD> button under the label MS Office. These rules worked as they should and blocked the Internet access to excel.exe, powerpnt.exe, and word.exe. It is easy to add/remove them (anytime you need) by using FirewallHardening and pressing the <ADD>/<REMOVE> button under the label MS Office (reboot is required).

 

[Andy Ful]

All my applications have the ability to find the restricted/blocked events from Windows Logs.

Using these Logs is very important when hardening the system and can save a lot of time when troubleshooting.

 

[Andy Ful]

Using Logs can be sometimes uneasy for people who are not trained. But usually, one can use the time correlation between the moment when the problem happens and the time of the blocked event. This works even when we do not know if the problem is related to ConfigureDefender, FirewallHardening, or Simple Windows Hardening. If there is no time correlation, then the problem is caused in most cases by another security application.

In the case of FirewallHardening, one has to remember that the executable from the Log has to be also on the FirewallHardening Blocklist. If not, then the Internet connection is blocked, but not by FirewallHardening. The Log in FirewallHardening shows all blocked events for outbound connections, also these events that are caused by Windows privacy settings, applications that restrict Windows telemetry, etc.

 

[codswollip]

In fact, you solved your problem by removing the firewall rules - other actions were unnecessary, because Simple Windows Hardening and ConfigureDefender have nothing to do with firewall rules.

Yes... I confused the various hardening tools at my disposal. I overlooked the fact that I had run "firewall hardening" recently. Troubleshooting was complicated by the fact that I took the Windows 2004 upgrade just prior to my connectivity loss.

Thank you for pointing this out. I must keep better records when I change security settings.

 

[Andy Ful]

Yes... I confused the various hardening tools at my disposal.
...

That is normal when you start hardening. It needs some training. It is good to harden the system step by step and look if everything works well. If you need help, then do not hesitate to post me.

 

[Andy Ful]

By the way, it is possible to allow Excel and still disable PowerPoint and Word to access the Internet. One has to use the <ADD> button under the label "MS Office". Next, the rule for Excel can be selectively deleted by highlighting the rule on the Blocklist (for excel.exe) and using the <Remove Rule> button (on the bottom of the FirewallHardening window).

 

[oldschool]

I must keep better records when I change security settings.

I find it helpful when applying any of these hardening applications to keep them pinned to the taskbar, then I am keenly aware of any applied hardening, e.g. no FW Hardening icon = no firewall hardening.

 

[codswollip]

I find it helpful when applying any of these hardening applications to keep them pinned to the taskbar, then I am keenly aware of any applied hardening, e.g. no FW Hardening icon = no firewall hardening.

Good idea. I now keep a Joplin log. I've always done that with my NAS, but not so much with the PC. And make liberal use of Macrium Reflect's incremental imaging. The thing is I tweak too many things within days, and rely on an aging memory to keep track of it all.

 

[paulderdash]

Good idea. I now keep a Joplin log. I've always done that with my NAS, but not so much with the PC. And make liberal use of Macrium Reflect's incremental imaging. The thing is I tweak too many things within days, and rely on an aging memory to keep track of it all.

OT but thanks for mentioning Joplin log. Hadn't come across that - nice find ...

 

[codswollip]

I'm blocked when attempting to launch URLs from Microsoft One Note. Nothing appears in the logs. Any ideas?

EDIT1: I'm an idiot. Yesterday I was browsing my Win10 apps and saw Internet Explorer 11... and it had an uninstall button. So sure... I never use this relic, and so I uninstalled. Earlier today my OneNote URLs quit functioning. It wasn't until after posting here, that I saw my pc change notes, and I wondered... So I reinstalled IE 11 (bummer), rebooted and now OneNote is happy.

So off to see if this involves some odd html association I can reassign to Edge so I can kick IE 11 from my machine.

It goes without saying... all this is unrelated to SWH. I should have known