Q&A Simple Windows Hardening

Protomartyr

Level 7
Verified
Sep 23, 2019
325
@HarborFront
The standalone version of the Document Anti-Exploit tool can be found here: AndyFul/ConfigureDefender

ON2 refers to a specific setting for Microsoft Office in the standalone version of the tool.

SWH includes a version of the tool under Settings > Document Anti-Exploit. However, I'm not sure what the comparable setting to ON2 from the standalone version is in SWH as the options available are simplified.

Hopefully Andy can expand on that.
 

HarborFront

Level 57
Verified
Content Creator
Oct 9, 2016
4,682
So now that I have SWH, do I need to have the Document Anti-Exploit standalone tool, or do I disable the Document Anti-Exploit feature in SWH (can I disable it?) and use the standalone version to complement my SWH?
 

Andy Ful

Level 68
Verified
Trusted
Content Creator
Dec 23, 2014
5,727
I'm using SWH. Is DocumentsAntiExploit tool in SWH? I thought I saw it inside SWH. Or needs to be used independently. If it's the latter where to download the standalone version? BTW, what is ON2?

Thanks
It is a part of Hard_Configurator project, but it is also available as a standalone tool (not part of SWH):
https://github.com/AndyFul/ConfigureDefender/blob/master/H_C_HardeningTools.zip
The option *Documents Anti-Exploit* in SWH is different - it prevents the attacks based on VBA (Visual Basic for Applications). Most attacks are performed in this way. But, the non-VBA-based attacks are more and more popular so it is good to apply additional protection via the standalone DocumentsAntiExploit tool. SWH and ConfigureDefender are compatible with it.
The ON2 setting and others are explained in the help info of this tool:

[Attached image: 1610966745390.png]



It is worth remembering that H_C and SWH settings are system-wide. The DocumentsAntiExploit tool can apply settings for a particular user account. After uninstalling H_C, the system-wide settings are set to Windows default values. But the user-dependent settings made via the DocumentsAntiExploit tool will not be removed. That is why this tool is not removed either (available on Desktop). To remove the user-dependent settings for MS Office, the DocumentsAntiExploit tool has to be run on each restricted account and set to OFF.
 

HarborFront

Thanks. I'll add the Document Anti-Exploit standalone tool to SWH then.
 

Andy Ful

This config is more restrictive. Some people cannot use it if they need advanced MS Office functions. In such a case there is another solution.
  1. Install Word Mobile, Excel Mobile, and PowerPoint Mobile alongside the normal MS Office and configure these apps as default programs for opening MS Office documents. These are Microsoft apps (from Microsoft Store) and they can be used for free to view the documents (editing requires the paid version).
  2. You can still use the previously installed MS Office for opening trusted documents. Simply, start the normal MS Office and open the trusted document from it.
In such a config, when you double click (or press the Enter key on the document) it will be opened in the Office Mobile app. The Office Mobile apps run in AppContainer and do not run any active content embedded in documents. The trusted documents (made by the user) can still be opened without restrictions by opening the normal (desktop) MS Office.
I use these apps for viewing documents and they are most compatible with normal (desktop) MS Office versions (do not use normal MS Office at all). The document content can be copied (without active elements) or printed from these apps.

Edit.
The mobile apps are not visible in Microsoft Store until the Mobile option under the Availability tab is chosen. They can also be found here:
Get Excel Mobile - Microsoft Store
Get PowerPoint Mobile - Microsoft Store
Get Word Mobile - Microsoft Store
 

Andy Ful

Should I switch from Windows internal Wordpad?
(I also have Office 365 but not installed, as I can use them in browser if I want)
If you use H_C / SWH and Wordpad is OK for you, then you can keep it.
Wordpad allows running attachments embedded in the document as OLE (warning has to be ignored). The user can be fooled by social engineering to click the OLE and the attachment will be opened. These attachments are mostly scripts or scriptlets that are covered by H_C or SWH settings.
Wordpad will properly open simple documents, but in complex documents some content can be displayed improperly (mathematical equations, diagrams, etc.).
 