New Update Simple Windows Hardening

[Gandalf_The_Grey]

Gandalf_The_Grey,

What is the source of .xls documents? This is a legacy format from the era before MS Office 2007.

I know, but the many suppliers I work with still sent files in the old format probably for compatibility reasons or maybe because they use an alternative to MS Office.
The last part I don't know.

 

[Gandalf_The_Grey]

These files can be opened directly from Excel, even when they are blocked by SWH. The SWH prevents opening Excel documents from the Desktop or File Explorer. In your case, these extensions can be removed because you applied the hardening via DocumentsAntiExploit tool.

For me that's okay, but IMO that limits SWH as set and forget tool.

If I don't have a lot of time my security and privacy hardening would be O&O ShutUp 10+++ at recommended settings and SWH at default.

 

[Andy Ful]

For me that's okay, but IMO that limits SWH as set and forget tool.

If I don't have a lot of time my security and privacy hardening would be O&O ShutUp 10+++ at recommended settings and SWH at default.

The situation is even more complex. One can use the free Excel mobile version (UWP app from Microsoft Store) to view/print Excel files. SWH (SRP) does not block opening the Excel files via UWP apps. The Excel mobile version automatically blocks all active content and can run safely in AppContainer.
The problem remains when one has to edit Excel files. I am not sure how often this can happen at home.

 

[Gandalf_The_Grey]

The situation is even more complex. One can use the free Excel mobile version (UWP app from Microsoft Store) to view/print Excel files. SWH (SRP) does not block opening the Excel files via UWP apps. The Excel mobile version automatically blocks all active content and run safely in AppContainer.
The problem remains when one has to edit Excel files. I am not sure how often this can happen at home.

I don't think that a normal user who pays for Office 365 or has bought Office 2019/2021 will install a limited, but highly secure mobile version.
That would be okay for my mother-in-law (just viewing and printing) but probably not for the schoolwork of my children.

 

[JasonUK]

This new version can be supported by the updated H_C_HardeningTools ver. 2010:

https://github.com/AndyFul/ConfigureDefender/raw/master/H_C_HardeningTools/H_C_HardeningTools_2010.zip

Quick question on this point ~

Is the standalone version of ConfigureDefender still v3.0.1.0 as version 3.0.1.1 is included in Hardening Tools. Similarly standalone RunBySmartscreen is at v4.0.0.1 but Hardening Tools includes v4.0.1.0.

Thanks.

 

[Digmor Crusher]

With new version I cannot open an Excel file in Libre Office. If settings have to be tweaked to allow this then doesn't that mean this program goes from an easy solution ( just use default settings) to a program that is a bit more complicated because you need to tweak it?

 

[Andy Ful]

Quick question on this point ~

Is the standalone version of ConfigureDefender still v3.0.1.0 as version 3.0.1.1 is included in Hardening Tools. Similarly standalone RunBySmartscreen is at v4.0.0.1 but Hardening Tools includes v4.0.1.0.

Thanks.

Today, I am going to update the installers on the ConfigureDefender and RunBySmartscreen websites.
ConfigureDefender ver. 3.0.1.1 is the same as ver. 3.0.1.0 except support for Windows Server.

 

[Andy Ful]

It seems that the new settings for Excel are too restrictive. I have to think for a while about how to redesign the SWH to make it as usable as before and cover the growing danger of Excel files. It is possible that I will remove the * Documents Anti-Exploit * option and publish SWH together with the DocumentsAntiExploit tool.

 

[Gandalf_The_Grey]

It seems that the new settings for Excel are too restrictive. I have to think for a while about how to redesign the SWH to make it as usable as before and cover the growing danger of Excel files. It is possible that I will remove the * Documents Anti-Exploit * option and publish SWH together with the DocumentsAntiExploit tool.

And then there is no need for blocking Excel through Protected SRP Extensions anymore?

EDIT: It could be a good idea to use two tools.
1 to harden Windows
1 to harden Microsoft Office and Adobe Reader.

 

[JasonUK]

Same issue as others ~ excel files blocked ~ not a huge issue as I tend to save all my personal files to a specific directory which I could whitelist by path. Blocking by default isn't a terrible idea though as it encourages you to at least virus check any shared / received office document before opening it and placing it in a whitelisted location.

 

[Andy Ful]

And then there is no need for blocking Excel through Protected SRP Extensions anymore?

EDIT: It could be a good idea to use two tools.
1 to harden Windows
1 to harden Microsoft Office and Adobe Reader.

Yes, that is my plan. The SWH version 2.0.0.0 will be published this week so I have removed the ver. 1.1.1.1 from GitHub.

 

[Gandalf_The_Grey]

Yes, that is my plan. The SWH version 2.0.0.0 will be published this week so I have removed the ver. 1.1.1.1 from GitHub.

Thanks @Andy Ful looking forward to test version 2.0.0.0

 

[Digmor Crusher]

Yup, thanks.

 

[South Park]

The XLSX documents cannot contain macros but have got other dangerous features (like DDE, etc.). If you use Defender with ASR rules then the XLSX extension can be safely removed via <Settings><Protected SRP Extensions>.
If you use the DocumentsAntiExploit tool, then the XLSX extension can be safely removed when using any AV.

The problem can arise if one uses custom settings to harden MS Office manually. Home users are focused on Word hardening and often forget to properly harden Excel. It is not easy to make Excel hardening because it has got many dangerous features.
The Excel files are rarely used at home and commonly used in attacks, so they are blocked in SWH ver. 1.1.1.1 by default. I am not sure if this is an optimal solution. What do you think guys?

A few mutual funds still use XLSX files to list their holdings, so I had to unblock that extension so I could open them with GNUmeric.

 

[Andy Ful]

SWH vs. CHM attack vector
https://malwaretips.com/threads/ukr...-targeted-with-powershell-rat-malware.113839/

Compromising the security layers via ".chm" files is a well known and still very efficient method. I saw several such attacks in the past, for example:
Cryptowall: Cryptowall Makes a Comeback Via Malicious Help Files (CHM)
Silence banking trojan: Silence – a new Trojan attacking financial organizations
LovxCrypt Ransomware: Threat Spotlight: LovxCrypt Ransomware
RURansom Wiper: https://blog.cyble.com/2022/03/11/ongoing-russia-ukraine-warfare-significant-cyber-incidents/
APT41 espionage: https://www.mandiant.com/resources/apt41-dual-espionage-and-cyber-crime-operation

The common infection chain:
Email attachment -----> user downloads an attachment -----> user opens the .chm file -----> payload is dropped/downloaded and executed

SWH blocks opening .chm files by default via SRP restrictions.
The .chm file is opened by the hh.exe LOLBin (HTML Help), which is also a JavaScript interpreter. So, the attacker can embed the JavaScript malicious code into the .chm file.
In the past, the .chm files were often used to download and execute PE payloads, but they can be easily used also in fileless attacks like in the example of recent attacks on German users.

 

[Andy Ful]

SWH ver. 2.0.0.0

https://github.com/AndyFul/Hard_Configurator/raw/master/Simple%20Windows%20Hardening/SimpleWindowsHardening_2000.zip

SWH ver. 2.0.0.0
1. Removed * Documents Anti-Exploit * option.
2. Added DocumentAntiExploit tool.
3. Removed some Excel extensions: XLS, XLSX, XLSB, XLSM, XLT, XLTM, XSL

SWH is now shipped in the ZIP archive together with the DocumentsAntiExploit tool and manuals.

 

[Digmor Crusher]

Thank you sir, I can open Excel files again.

 

[Gandalf_The_Grey]

For casual users, the best Adobe Acrobat Reader settings are probably the default ones (Protected View = OFF) and additionally:

1. Disable JavaScript.
2. Disable opening of non-PDF file attachments with external applications.
3. Block PDF files to all web sites.
4. Enable Defender's ASR rule for Adobe.

Even if the user will enable JavaScript for the document, it will run in AppContainer. Acrobat Reader cannot use opening non-PDF attachments in external applications or URLs embedded in the documents, and cannot run other applications/LOLBins.

When one uses Protected View and the Defender's ASR rule, then after using "Enable All Features", the protection is also OK. But URLs will be opened in the web browser.

The Protected View, especially without the Defender ASR rule, is not good for casual users.

Coming back to this for the new DocumentsAntiExploit tool 2.0.0.1:
Wouldn't it be better to use ON for Adobe Acrobat Reader?

With CD on High, SWH on default this are now my settings:



If I correctly understand what's written in the manual, the settings for the current user are not needed.
Adobe Acrobat Reader only when you want a different setting for the current user then for all (other) users.
MS Office only when you are not using ConfigureDefender and/or Office apps not installed in Program Files or Program Files (x86).

 

[Andy Ful]

Coming back to this for the new DocumentsAntiExploit tool 2.0.0.1:
Wouldn't it be better to use ON for Adobe Acrobat Reader?

With CD on High, SWH on default this are now my settings:

View attachment 266784

If I correctly understand what's written in the manual, the settings for the current user are not needed.
Adobe Acrobat Reader only when you want a different setting for the current user then for all (other) users.
MS Office only when you are not using ConfigureDefender and/or Office apps not installed in Program Files or Program Files (x86).

 

[czesetfan]

Let me get this right. That is, if I want to use desktop Office, do I need to set the Current user restriction of MS Office to ON2, or ON1? Will it be possible to open .xls, .xlsx files with this setting?