New Update Simple Windows Hardening

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,867
I am thinking about skipping FullEventLog in H_C, and using the idea of separate logs for SRP, PowerShell, Defender, and FirewallHardening. In most cases, the advanced users can recognize what sort of block has happened and can choose the right log to see the details. Next, it is easier to inspect the log witch is focused on the specific class of events. Only rarely, the user will be forced to use two or more logs to solve the problem with blocked processes.
Thanks for the detailed explanation. I also prefer SWH's separate logs over HC's all in one logs. So I'm looking forward to the next release :)
 

Archentrope

Level 1
Oct 10, 2020
20
I did not publish any update of SWH - version 6.0.0.0 can be probably related (by mistake) to H_C.
In October I will publish SWH beta 1.01.0 (with Windows 11 support).
Hi,

Thank you very much for making the software I really like it.

I would like to ask if using the default settings in SWH or HC (including the other components packed) will have any impact on the system performance?

Also, Windows 11 will be officially pushed early next month (probably Oct 5), HC already has a beta version that supports Windows 11 (I don't know when the stable version will come out), but SWH doesn't have a version that supports Windows 11 yet. You mentioned that SWH beta 1.01.0 will be released in October, and will it be released before the official launch of Windows 11? So that we can use SWH on the first day.

Thanks.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591
...
I would like to ask if using the default settings in SWH or HC (including the other components packed) will have any impact on the system performance?
...
H_C or SWH has no visible impact on the system performance. But, this requires in some cases the proper whitelisting of UserSpace applications and adjusting the H_C (SWH) settings. On simple system/software configurations, the default settings can hardly cause any problem.
The complex system/software configuration usually requires more adjustments and application whitelisting.
If the H_C Basic_Settings or SWH default settings require frequent adjustments, then it is a sign for skipping H_C (SWH) for something else or using a simpler system/software configuration.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591
SWH 1.0.1.0 Beta2:
https://github.com/AndyFul/Hard_Configurator/raw/master/Simple Windows Hardening/SWH_beta2.exe

SWH manual (updated):
https://github.com/AndyFul/Hard_Con...rdening/Simple Windows Hardening - Manual.pdf

The changelog - SWH ver. 1.0.1.0 beta2:

1. Added support for Windows 11.
2. Added SLK and ELF file extensions to the default protected extensions (can be added via Settings >> Protected SRP Extensions >> <Restore Defaults> ).
3. Added the option * SRP Policy Scope * that can also apply the SRP restrictions to high privileged processes. It can be recommended when the computer is used both in the Home environment and in the Business local network. Applying restrictions for high privileged processes makes also sense when using older Windows 10 versions or vulnerable software.


* SRP Policy Scope *

1633350105572.png


The option * SRP Policy Scope * can apply the SRP restrictions to high privileged processes. Normally, this option is set to Standard, so the restrictions are applied to processes with standard rights and skipped for processes with higher privileges. This is a default SRP setting that does not disrupt administrative processes running from UserSpace.

The advanced users can set SRP to apply restrictions to standard and higher privileged processes. This can be done with * SRP Policy Scope * set to High. It is recommended when the computer is used both in the Home environment and in the Business local network. Applying restrictions for high privileged processes makes also sense when using older Windows versions or vulnerable software.

When the High setting is applied, the < Software Restriction Policies> button changes its color to red.

1633350289678.png
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591
When opening SRP Policy Scope settings it changes from "Standard" to "High" even when pressing "Cancel". Otherwise everything is working fine. :)
Confirmed. (y)
Only pressing <Standard> can keep/change SRP Policy Scope to Standard. I will correct it in the next week.
 

Azerty123

Level 1
Verified
Well-known
Mar 29, 2021
25
could you add these lolbins to the FirewallHardening.

hackers can use them to download malware from the internet

source: LOLBAS

C:\Windows\System32\xwizard.exe

C:\Windows\SysWOW64\xwizard.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ieexec.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ieexec.exe

C:\Windows\System32\findstr.exe

C:\Windows\SysWOW64\findstr.exe

c:\windows\system32\desktopimgdownldr.exe

C:\Windows\System32\certreq.exe

C:\Windows\SysWOW64\certreq.exe

C:\Windows\System32\bitsadmin.exe

C:\Windows\SysWOW64\bitsadmin.exe

C:\Windows\System32\wsl.exe

c:\windows\system32\pktmon.exe
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591
could you add these lolbins to the FirewallHardening.

hackers can use them to download malware from the internet

source: LOLBAS

Bitsadmin.exe cannot be blocked by a Firewall (one should block svchost.exe).
It is probable that I will add most of these LOLBins. But it will take a few months to check how blocking them can impact the system.(y)
Of course, anyone can add these LOLBins manually to the Blocklist without waiting for the new version of FirewallHardening.:)
 

dabluez98

Level 3
Verified
Oct 2, 2018
138
Dear @Andy Ful,

I got two errors after running SWH__beta4.exe

First I got this error:

Second time I got this error:

What concerns me is that options were applied without even my permission. Furthermore, I have no idea what settings were applied/which registry options were changed - is there any way you can help me undo any changes? Because all I did was execute the program. Nothing more.

Please note that once before I downloaded an earlier version if I Remember correctly - but I just opened it, took a simple look, and being afraid to make any changes, I closed it. And then I deleted it, because I wanted to wait for proper backup before doing anything.

My biggest fear is that I made a number of modifications to my system, such as disabling a number of services in my case which I felt were not necessary, and based on SWH second error message, I am afraid if those were undone.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591
...
What concerns me is that options were applied without even my permission. Furthermore, I have no idea what settings were applied/which registry options were changed - is there any way you can help me undo any changes? Because all I did was execute the program. Nothing more.
All you need is explained in the SWH help files.
You can use <Menu> <Restore Windows Defaults> to remove SWH restrictions.
For additional information you can look at the manuals:
https://github.com/AndyFul/Hard_Con...rdening/Simple Windows Hardening - Manual.pdf
https://github.com/AndyFul/Hard_Con.../Documentation/Hard_Configurator - Manual.pdf

Be safe.(y)
 
Last edited:

dabluez98

Level 3
Verified
Oct 2, 2018
138
Thanks, yes for sure i realize that. I suppose you intentionally made it so everything is automatically switched on when user opens software?

I also suppose that if basic recommended settings are applied automatically then I should be ok - at least i can test and if anything is broken i can revert to defaults?

And two last questions:

1) based on manual, other than remote registry service, it seems that SWH does not impact any other service? I know it also disabled SMB but that is not a service I suppose.

2) Since SWH has changed SRP restrictions to high privilage, that on it's own doesn't necessarily make me more vulnerable were I to go back to windows defaults using SWH? Furthermore, does that (reverting to windows defaults) also change my SRP restrictions to whatever they were beforehands.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591
Thanks, yes for sure i realize that. I suppose you intentionally made it so everything is automatically switched on when user opens software?

Yes. The user can next apply some other (non-default) restrictions, remove some restrictions, or restore Windows defaults.

I also suppose that if basic recommended settings are applied automatically then I should be ok - at least i can test and if anything is broken i can revert to defaults?

Yes.

And two last questions:

1) based on manual, other than remote registry service, it seems that SWH does not impact any other service? I know it also disabled SMB but that is not a service I suppose.

It uses 2 services. They are disabled via the reg keys:
HKLM\SYSTEM\CurrentControlSet\Services\mrxsmb10!Start HKLM\SYSTEM\CurrentControlSet\Services\mrxsmb20!Start

2) Since SWH has changed SRP restrictions to high privilage, that on it's own doesn't necessarily make me more vulnerable were I to go back to windows defaults using SWH? Furthermore, does that also change my SRP restrictions to whatever they were beforehands.

After using <Menu> <Restore Windows Defaults> to remove SWH restrictions, all SRP restrictions are removed. Default Windows settings do not introduce SRP.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591
One can easily block bitsadmin.exe via Exploit Protection from Security Center.
There is mitigation "Disable Win32k system calls" that can be enabled for bitsadmin.exe and it will block the execution of this executable.
The blocks are logged via Event Id=10, Security-Mitigations (Kernel Mode/User Mode).
Microsoft prepared a nice article for inspecting Exploit Protection events:

event-viewer.gif


 
Last edited:

Azerty123

Level 1
Verified
Well-known
Mar 29, 2021
25
One can easily block bitsadmin.exe via Exploit Protection from Security Center.
There is mitigation "Disable Win32k system calls" that can be enabled for bitsadmin.exe and it will block the execution of this executable.
The blocks are logged via Event Id=10, Security-Mitigations (Kernel Mode/User Mode).
Microsoft prepared a nice article for inspecting Exploit Protection events:

event-viewer.gif


thank you blocking via Exploit Protection did work.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591
This method can be used for most of LOLBins. They will be blocked also with high privileges, so it is important to inspect the Windows Event Log as was explained in my previous post.:)

It is good to remember that in most cases the LOLBins are triggered via scripting methods. So, in the home environment, one can use SRP as well to block scripting, shortcuts, and files with active content. In this case, blocking LOLBins is not necessary.
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top