New Update Testing Windows Hybrid Hardening (new hardening application).

[Andy Ful]

Windows Hybrid Hardening. (updated in October 2023)

https://github.com/AndyFul/Hard_Con...dowsHybridHardening/WHHLight_Package_1004.exe

The link to the WHHLight website:
https://github.com/AndyFul/Hard_Configurator/tree/master/WindowsHybridHardening

WindowsHybridHardening Light (WHHLight) works on Windows 10/11 (Home and Pro editions). It is a successor of SimpleWindowsHardening.
WHHLight is a simplified configurator of Windows built-in application control features: SmartScreen, Software Restriction Policies (SRP), and Windows Defender Application Control (WDAC). After initial configuration, it can be closed, and all protection comes from the Windows built-in features.
WHHLight can work with any antivirus - Microsoft Defender is not required but can be recommended with the ConfigureDefender tool.

WHHLight is adjusted to the home environment. SRP is still the best Windows built-in solution at home to prevent fileless attack vectors via scripts, shortcuts, and other non-PE files with active content. WDAC is the best prevention against malicious PE files (EXE, DLL, etc.) and MSI packages.

The hybrid of SRP and WDAC simplifies proper whitelisting. The folder whitelisted in WDAC allows only EXE, DLL, and MSI files but not scripts and other file types.

Some important post-exploitation mitigations of vulnerable applications (MS Office, Adobe Acrobat Reader, etc.) can be configured via DocumentsAntiExploit, FirewallHardening, and ConfigureDefender (tools included in the WHHLight installation package). The ConfigureDefender tool can be used only when Microsoft Defender real-time protection is enabled.

Spoiler: Videos

---

 

[Andy Ful]

Please post comments, especially when the help files require corrections. After possible corrections, I will publish the application on the GitHUB. It can take a few days because it requires whitelisting by AV vendors.

As can be seen from the OP, this application uses SRP for scripts and unsafe files (like SimpleWindowsHardening).
For PE files (EXE, DLL, etc.) it uses WDAC. The user can whitelist folders if it is necessary.
Adding support for WDAC on Windows Home can make AVs nervous. Microsoft Defender triggered 3 different detections for that, but after submission as a false positive, the application was whitelisted. Also, Avast added the application to the whitelist.
I am waiting for Norton (Symantec) and Bitdefender.

When < SWH > and < WDAC > switches are ON, the restrictions are similar to the H_C Windows_10_Recommended_Enhanced settings, but additionally, the DLLs are blocked.
When the %ProgramData%, %LocalAppData, and user AppData folders are removed from the WDAC Whitelist, the restrictions are similar to the H_C Windows_10_Strict_Recommended_Enhanced settings, but additionally, the DLLs are blocked.

 

[Digmor Crusher]

You say WHH is a simplified version of SWH, in what ways, simpler to use, less protection etc? To me it looks more complicated.

Is there a way to turn Smart Screen Block off if you don't want to use it anymore?

 

[plat]

Hi Andy! Is this supposed to replace H_C eventually? Or is Windows Hybrid Hardening meant to be another option to harden Windows? As I'm running H_C now, I see no need to use something else at the moment unless it is in some way superior.

 

[ForgottenSeer 97327]

@Andy Ful

Does this WDAC uses Intelligent Security Graph or plain deny? If the latter, please add an option to add ISG.

Where is the download link?

 

[wat0114]

Where is the download link?

After possible corrections, I will publish the application on the GitHUB. It can take a few days because it requires whitelisting by AV vendors.

 

[ForgottenSeer 97327]

I am to eager

@Andy Ful I would suggest to prevent people removing the whitelists for Windows and Program files

 

[Andy Ful]

You say WHH is a simplified version of SWH, in what ways, simpler to use, less protection etc? To me it looks more complicated.

WHH is a simplified version of the new version of SWH (will be published in a few months):

Is there a way to turn Smart Screen Block off if you don't want to use it anymore?

Yes, simply use the switch on the right.

 

[wat0114]

WHH is a simplified version of the new version of SWH (will be published in a few months):

So at the end of the day once the new version of SWH is released, which one of your fine utilities offers the strongest security for either Windows 10 or 11:

1. WHH
2. SWH (new version to be released)
3. H_C

Thanks!

 

[Andy Ful]

Hi Andy! Is this supposed to replace H_C eventually? Or is Windows Hybrid Hardening meant to be another option to harden Windows? As I'm running H_C now, I see no need to use something else at the moment unless it is in some way superior.

Hard_Configurator is far more flexible with many possible settings. WindowsHybridHardening (WHH) has got 1% of configuration possibilities, but those supported are the most useful.
People who use H_C (and are not overwhelmed by its complexity) can still use it.
There is only one setup in WHH that is stronger than any H_C settings:

But, this setup is recommendable only in specific (vulnerable) environments.

 

[Digmor Crusher]

Thanks, I guess I just misunderstood this:

 

[Andy Ful]

@Andy Ful

Does this WDAC uses Intelligent Security Graph or plain deny? If the latter, please add an option to add ISG.

The ISG has got a serious vulnerability. Currently, it can be bypassed by popular DLL hijacking methods (ISO + DLL, archive + DLL, etc.).
Other problems are broken installations/updates and situations when the application is successfully updated, and then blocked by ISG.
I must first somehow solve these problems, before applying ISG.

Where is the download link?

I can post a link to a fully functional version (whitelisted by Defender and Avast), but it has got unfinished help files.

 

[Andy Ful]

So at the end of the day once the new version of SWH is released, which one of your fine utilities offers the strongest security for either Windows 10 or 11:

1. WHH
2. SWH (new version to be released)
3. H_C

Thanks!

If you skip the super-safe setup in SWH and WHH, then in practice (at home) the differences in the strength are probably not important. There are important differences in complexity and number of possible configurations.
WHH and the new version of SWH are integrated with RunBySmartscreen and will be published as a package containing other tools (DocumentsAntiExploit, FirewallHardening, ConfigureDefender).

 

[Andy Ful]

I am to eager

@Andy Ful I would suggest to prevent people removing the whitelists for Windows and Program filesWindows

%WindowsDir% and almost all locations of %ProgramFiles% ( and %ProgramFiles(x86)% ) are allowed by the WDAC in WHH even if the Whitelist is empty. The base WDAC policy allows all locations on the SYSTEM-drive that are non-writable with standard rights.

 

[Andy Ful]

The ISG has got a serious vulnerability. Currently, it can be bypassed by popular DLL hijacking methods (ISO + DLL, archive + DLL, etc.).
Other problems are broken installations/updates and situations when the application is successfully updated, and then blocked by ISG.
I must first somehow solve these problems, before applying ISG.

The problem with DLL hijacking could be partially solved in SWH which has got two new features

1. Block Desktop and Downloads folders.
2. Block selected drives.

But, there are no good solutions for problems with broken installations and updates.

Edit.
Using ISG would be an alternative when used with SWH (with points 1 and 2) as a super-safe setup. So, the user switches OFF the protection when installing/updating applications.

 

[ForgottenSeer 97327]

The problem with DLL hijacking could be partially solved in SWH which has got two new features

1. Block Desktop and Downloads folders.
2. Block selected drives.

But, there are no good solutions for problems with broken installations and updates.

Well, I have used WDAC and SRP since 2019. You have often inspired me (e,g, H_C with AVAST profile). To be honest I have put WDAC + SRP on a few PC's in the following setup (mostly for elderly relatives). I always set an explicit allow on UAC protected folders when I enable ISG to prevent ISG from blocking stuff, I ran into situations where ISG blocked old unsupported versions of a signed program.

WDAC
1. Enable ISG
2. Exclude scripts and dynamic code (so no DLL's)
3. Add explicit ALLOW FOLDER for Windows + Programfiles x64 and x32 and ProgramData
4. Add explicit DENY FOLDER for Shared Folder, Download Folder and Desktop
5. Block Microsoft advised executables (msHTA.exe etc)

SRP (that is basiccally a simplified version of SWH)

This WDAC runs fine with all sorts of setups (Microsoft Office and OpenOffice). I only combined this with F-Secure (because the largest ISP in the Netherlands offers free licenses for a rebranded F-Secure). Running fine in this context means = unttended set and forget with no calls that something broke or borked up.

 

[ForgottenSeer 97327]

Using ISG would be an alternative when used with SWH (with points 1 and 2) as a super-safe setup. So, the user switches OFF the protection when installing/updating applications.

Using your suggestion, would make the new hybrid a SWH on steroids (only WDAC enabled) and H_C on steroids (LOCK enabled) great idea

 

[Andy Ful]

Using your suggestion, would make the new hybrid a SWH on steroids (only WDAC enabled) and H_C on steroids (LOCK enabled) great idea

View attachment 277782

I tested ISG a few months ago. Unfortunately, it blocked about half of applications (old and new).
Furthermore, a few applications that could be run on one computer, were consistently blocked on another???
Some installations were broken.

ISG still blocks far more applications compared to SAC. It will be OK only for users who install popular applications, especially those used in businesses.

 

[ForgottenSeer 97327]

I tested ISG a few months ago. Unfortunately, it blocked about half of applications (old and new).
Furthermore, a few applications that could be run on one computer, were consistently blocked on another???
Some installations were broken.

ISG still blocks far more applications compared to SAC. It will be OK only for users who install popular applications, especially those used in businesses.

I noticed that explicitly whitelisting Windows + Program Files and disabling Dynamic Security Code makes a huge difference to prevent broken installs when using ISG

 

[Andy Ful]

I noticed that explicitly whitelisting Windows + Program Files and disabling Dynamic Security Code makes a huge difference to prevent broken installs when using ISG

My test was done without SmartScreen. Most manual installations will be done with SmartScreen because the files will have MOTW after downloading via the web browser. Most such installations will be allowed by ISG, except when the installation will download additional resources. So, files with MOTW + whitelisted %ProgramFiles% and %ProgramFiles(x86) will work well with ISG.
There are still some problems:

1. Files in the Downloads folder are blocked (to avoid DLL hijacking).
2. Files on Disk images (ISO, IMG, etc. ) are blocked (to avoid DLL hijacking).
3. Application auto-updates are done without MOTW (can be broken).

Points 1 and 2 could be solved when using RunBySmartscreen (already included in WHH and the new version of SWH).
Disabling Dynamic Security Code will skip checking DLLs made dynamically when running .NET applications.
We still have a problem with auto-updates.

I agree, that this could be an alternative for a super-safe setup.