It is not as bad.
Sometimes, the info in the help is not as clear as it should be.
Simple Windows Hardening
- Thread starter Andy Ful
- Start date
Sometimes, the info in the help is not as clear as it should be.
Thanks for the detailed explanation. I also prefer SWH's separate logs over HC's all in one logs. So I'm looking forward to the next release
Hi,
Thank you very much for making the software I really like it.
I would like to ask if using the default settings in SWH or HC (including the other components packed) will have any impact on the system performance?
Also, Windows 11 will be officially pushed early next month (probably Oct 5), HC already has a beta version that supports Windows 11 (I don't know when the stable version will come out), but SWH doesn't have a version that supports Windows 11 yet. You mentioned that SWH beta 1.01.0 will be released in October, and will it be released before the official launch of Windows 11? So that we can use SWH on the first day.
Thanks.
H_C or SWH has no visible impact on the system performance. But, this requires in some cases the proper whitelisting of UserSpace applications and adjusting the H_C (SWH) settings. On simple system/software configurations, the default settings can hardly cause any problem.
The complex system/software configuration usually requires more adjustments and application whitelisting.
If the H_C Basic_Settings or SWH default settings require frequent adjustments, then it is a sign for skipping H_C (SWH) for something else or using a simpler system/software configuration.
SWH 1.0.1.0 Beta2:
https://github.com/AndyFul/Hard_Configurator/raw/master/Simple Windows Hardening/SWH_beta2.exe
SWH manual (updated):
https://github.com/AndyFul/Hard_Con...rdening/Simple Windows Hardening - Manual.pdf
The changelog - SWH ver. 1.0.1.0 beta2:
1. Added support for Windows 11.
2. Added SLK and ELF file extensions to the default protected extensions (can be added via Settings >> Protected SRP Extensions >> <Restore Defaults> ).
3. Added the option * SRP Policy Scope * that can also apply the SRP restrictions to high privileged processes. It can be recommended when the computer is used both in the Home environment and in the Business local network. Applying restrictions for high privileged processes makes also sense when using older Windows 10 versions or vulnerable software.
* SRP Policy Scope *
The option * SRP Policy Scope * can apply the SRP restrictions to high privileged processes. Normally, this option is set to Standard, so the restrictions are applied to processes with standard rights and skipped for processes with higher privileges. This is a default SRP setting that does not disrupt administrative processes running from UserSpace.
The advanced users can set SRP to apply restrictions to standard and higher privileged processes. This can be done with * SRP Policy Scope * set to High. It is recommended when the computer is used both in the Home environment and in the Business local network. Applying restrictions for high privileged processes makes also sense when using older Windows versions or vulnerable software.
When the High setting is applied, the < Software Restriction Policies> button changes its color to red.
https://github.com/AndyFul/Hard_Configurator/raw/master/Simple Windows Hardening/SWH_beta2.exe
SWH manual (updated):
https://github.com/AndyFul/Hard_Con...rdening/Simple Windows Hardening - Manual.pdf
The changelog - SWH ver. 1.0.1.0 beta2:
1. Added support for Windows 11.
2. Added SLK and ELF file extensions to the default protected extensions (can be added via Settings >> Protected SRP Extensions >> <Restore Defaults> ).
3. Added the option * SRP Policy Scope * that can also apply the SRP restrictions to high privileged processes. It can be recommended when the computer is used both in the Home environment and in the Business local network. Applying restrictions for high privileged processes makes also sense when using older Windows 10 versions or vulnerable software.
* SRP Policy Scope *
The option * SRP Policy Scope * can apply the SRP restrictions to high privileged processes. Normally, this option is set to Standard, so the restrictions are applied to processes with standard rights and skipped for processes with higher privileges. This is a default SRP setting that does not disrupt administrative processes running from UserSpace.
The advanced users can set SRP to apply restrictions to standard and higher privileged processes. This can be done with * SRP Policy Scope * set to High. It is recommended when the computer is used both in the Home environment and in the Business local network. Applying restrictions for high privileged processes makes also sense when using older Windows versions or vulnerable software.
When the High setting is applied, the < Software Restriction Policies> button changes its color to red.
Last edited:
- Aug 17, 2014
- 12,726
- 123,827
- 8,399
I have changed on new setting: SRP Policy Scope => High
Windows 10 reboot/restart was required, that went well, no issues so far
Windows 10 reboot/restart was required, that went well, no issues so far
When opening SRP Policy Scope settings it changes from "Standard" to "High" even when pressing "Cancel". Otherwise everything is working fine.
Last edited:
Confirmed.When opening SRP Policy Scope settings it changes from "Standard" to "High" even when pressing "Cancel". Otherwise everything is working fine.
Only pressing <Standard> can keep/change SRP Policy Scope to Standard. I will correct it in the next week.
SWH ver. 1.0.1.0 beta4:
Improved compatibility with H_C settings in the switched OFF mode. This beta will probably become the stable version soon.
Improved compatibility with H_C settings in the switched OFF mode. This beta will probably become the stable version soon.
Last edited:
could you add these lolbins to the FirewallHardening.
hackers can use them to download malware from the internet
source: LOLBAS
hackers can use them to download malware from the internet
source: LOLBAS
Last edited:
Bitsadmin.exe cannot be blocked by a Firewall (one should block svchost.exe).
It is probable that I will add most of these LOLBins. But it will take a few months to check how blocking them can impact the system.
Of course, anyone can add these LOLBins manually to the Blocklist without waiting for the new version of FirewallHardening.
Dear @Andy Ful,
I got two errors after running SWH__beta4.exe
First I got this error:
Second time I got this error:
What concerns me is that options were applied without even my permission. Furthermore, I have no idea what settings were applied/which registry options were changed - is there any way you can help me undo any changes? Because all I did was execute the program. Nothing more.
Please note that once before I downloaded an earlier version if I Remember correctly - but I just opened it, took a simple look, and being afraid to make any changes, I closed it. And then I deleted it, because I wanted to wait for proper backup before doing anything.
My biggest fear is that I made a number of modifications to my system, such as disabling a number of services in my case which I felt were not necessary, and based on SWH second error message, I am afraid if those were undone.
I got two errors after running SWH__beta4.exe
First I got this error:
Second time I got this error:
What concerns me is that options were applied without even my permission. Furthermore, I have no idea what settings were applied/which registry options were changed - is there any way you can help me undo any changes? Because all I did was execute the program. Nothing more.
Please note that once before I downloaded an earlier version if I Remember correctly - but I just opened it, took a simple look, and being afraid to make any changes, I closed it. And then I deleted it, because I wanted to wait for proper backup before doing anything.
My biggest fear is that I made a number of modifications to my system, such as disabling a number of services in my case which I felt were not necessary, and based on SWH second error message, I am afraid if those were undone.
All you need is explained in the SWH help files.
You can use <Menu> <Restore Windows Defaults> to remove SWH restrictions.
For additional information you can look at the manuals:
https://github.com/AndyFul/Hard_Con...rdening/Simple Windows Hardening - Manual.pdf
https://github.com/AndyFul/Hard_Con.../Documentation/Hard_Configurator - Manual.pdf
Be safe.
Last edited:
Thanks, yes for sure i realize that. I suppose you intentionally made it so everything is automatically switched on when user opens software?
I also suppose that if basic recommended settings are applied automatically then I should be ok - at least i can test and if anything is broken i can revert to defaults?
And two last questions:
1) based on manual, other than remote registry service, it seems that SWH does not impact any other service? I know it also disabled SMB but that is not a service I suppose.
2) Since SWH has changed SRP restrictions to high privilage, that on it's own doesn't necessarily make me more vulnerable were I to go back to windows defaults using SWH? Furthermore, does that (reverting to windows defaults) also change my SRP restrictions to whatever they were beforehands.
I also suppose that if basic recommended settings are applied automatically then I should be ok - at least i can test and if anything is broken i can revert to defaults?
And two last questions:
1) based on manual, other than remote registry service, it seems that SWH does not impact any other service? I know it also disabled SMB but that is not a service I suppose.
2) Since SWH has changed SRP restrictions to high privilage, that on it's own doesn't necessarily make me more vulnerable were I to go back to windows defaults using SWH? Furthermore, does that (reverting to windows defaults) also change my SRP restrictions to whatever they were beforehands.
Yes. The user can next apply some other (non-default) restrictions, remove some restrictions, or restore Windows defaults.
Yes.
It uses 2 services. They are disabled via the reg keys:
HKLM\SYSTEM\CurrentControlSet\Services\mrxsmb10!Start HKLM\SYSTEM\CurrentControlSet\Services\mrxsmb20!Start
After using <Menu> <Restore Windows Defaults> to remove SWH restrictions, all SRP restrictions are removed. Default Windows settings do not introduce SRP.
Thank you! All good after restarting. Also program opens without any messages now =)
One can easily block bitsadmin.exe via Exploit Protection from Security Center.
There is mitigation "Disable Win32k system calls" that can be enabled for bitsadmin.exe and it will block the execution of this executable.
The blocks are logged via Event Id=10, Security-Mitigations (Kernel Mode/User Mode).
Microsoft prepared a nice article for inspecting Exploit Protection events:
There is mitigation "Disable Win32k system calls" that can be enabled for bitsadmin.exe and it will block the execution of this executable.
The blocks are logged via Event Id=10, Security-Mitigations (Kernel Mode/User Mode).
Microsoft prepared a nice article for inspecting Exploit Protection events:
Understand and use attack surface reduction - Microsoft Defender for Endpoint
Learn about the attack surface reduction capabilities of Microsoft Defender for Endpoint.
docs.microsoft.com
Last edited:
thank you blocking via Exploit Protection did work.One can easily block bitsadmin.exe via Exploit Protection from Security Center.
There is mitigation "Disable Win32k system calls" that can be enabled for bitsadmin.exe and it will block the execution of this executable.
The blocks are logged via Event Id=10, Security-Mitigations (Kernel Mode/User Mode).
Microsoft prepared a nice article for inspecting Exploit Protection events:
Understand and use attack surface reduction - Microsoft Defender for Endpoint
Learn about the attack surface reduction capabilities of Microsoft Defender for Endpoint.docs.microsoft.com
This method can be used for most of LOLBins. They will be blocked also with high privileges, so it is important to inspect the Windows Event Log as was explained in my previous post.
It is good to remember that in most cases the LOLBins are triggered via scripting methods. So, in the home environment, one can use SRP as well to block scripting, shortcuts, and files with active content. In this case, blocking LOLBins is not necessary.
It is good to remember that in most cases the LOLBins are triggered via scripting methods. So, in the home environment, one can use SRP as well to block scripting, shortcuts, and files with active content. In this case, blocking LOLBins is not necessary.
Last edited:
You may also like...
-
Defender Hardening Console (part of Hawk Eye Analysis Platform)- Started by Trident
- Replies: 62
-
Windows 11 Patch Tuesday January 2026 (KB5074109, KB5073455)- Started by silversurfer
- Replies: 18
-
-
