New Update Testing Windows Hybrid Hardening (new hardening application).

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,098
Windows Hybrid Hardening. (updated in October 2023)

https://github.com/AndyFul/Hard_Con...dowsHybridHardening/WHHLight_Package_1004.exe

The link to the WHHLight website:
https://github.com/AndyFul/Hard_Configurator/tree/master/WindowsHybridHardening



1691776792138.png


WindowsHybridHardening Light (WHHLight) works on Windows 10/11 (Home and Pro editions). It is a successor of SimpleWindowsHardening.
WHHLight is a simplified configurator of Windows built-in application control features: SmartScreen, Software Restriction Policies (SRP), and Windows Defender Application Control (WDAC). After initial configuration, it can be closed, and all protection comes from the Windows built-in features.
WHHLight can work with any antivirus - Microsoft Defender is not required but can be recommended with the ConfigureDefender tool.

WHHLight is adjusted to the home environment. SRP is still the best Windows built-in solution at home to prevent fileless attack vectors via scripts, shortcuts, and other non-PE files with active content. WDAC is the best prevention against malicious PE files (EXE, DLL, etc.) and MSI packages.

The hybrid of SRP and WDAC simplifies proper whitelisting. The folder whitelisted in WDAC allows only EXE, DLL, and MSI files but not scripts and other file types.

Some important post-exploitation mitigations of vulnerable applications (MS Office, Adobe Acrobat Reader, etc.) can be configured via DocumentsAntiExploit, FirewallHardening, and ConfigureDefender (tools included in the WHHLight installation package). The ConfigureDefender tool can be used only when Microsoft Defender real-time protection is enabled.









 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,098
Please post comments, especially when the help files require corrections. After possible corrections, I will publish the application on the GitHUB. It can take a few days because it requires whitelisting by AV vendors. (y) :)

As can be seen from the OP, this application uses SRP for scripts and unsafe files (like SimpleWindowsHardening).
For PE files (EXE, DLL, etc.) it uses WDAC. The user can whitelist folders if it is necessary.
Adding support for WDAC on Windows Home can make AVs nervous. Microsoft Defender triggered 3 different detections for that, but after submission as a false positive, the application was whitelisted. Also, Avast added the application to the whitelist.
I am waiting for Norton (Symantec) and Bitdefender.

When < SWH > and < WDAC > switches are ON, the restrictions are similar to the H_C Windows_10_Recommended_Enhanced settings, but additionally, the DLLs are blocked.
When the %ProgramData%, %LocalAppData, and user AppData folders are removed from the WDAC Whitelist, the restrictions are similar to the H_C Windows_10_Strict_Recommended_Enhanced settings, but additionally, the DLLs are blocked.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,098
You say WHH is a simplified version of SWH, in what ways, simpler to use, less protection etc? To me it looks more complicated.

WHH is a simplified version of the new version of SWH (will be published in a few months):

1691787192123.png


Is there a way to turn Smart Screen Block off if you don't want to use it anymore?

Yes, simply use the switch on the right.

1691787429153.png
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,098
Hi Andy! Is this supposed to replace H_C eventually? Or is Windows Hybrid Hardening meant to be another option to harden Windows? As I'm running H_C now, I see no need to use something else at the moment unless it is in some way superior.
Hard_Configurator is far more flexible with many possible settings. WindowsHybridHardening (WHH) has got 1% of configuration possibilities, but those supported are the most useful.
People who use H_C (and are not overwhelmed by its complexity) can still use it.
There is only one setup in WHH that is stronger than any H_C settings:

1691787968298.png


But, this setup is recommendable only in specific (vulnerable) environments.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,098
@Andy Ful 👏👏👏👏👏👏👏👏👏👏👏👏👏👏👏👏👏👏👏👏👏👏👏👏👏👏👏👏👏👏👏👏👏👏👏👏👏👏👏👏👏👏👏👏👏👏👏👏

Does this WDAC uses Intelligent Security Graph or plain deny? If the latter, please add an option to add ISG.
The ISG has got a serious vulnerability. Currently, it can be bypassed by popular DLL hijacking methods (ISO + DLL, archive + DLL, etc.).
Other problems are broken installations/updates and situations when the application is successfully updated, and then blocked by ISG.
I must first somehow solve these problems, before applying ISG.

Where is the download link?
I can post a link to a fully functional version (whitelisted by Defender and Avast), but it has got unfinished help files.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,098
So at the end of the day once the new version of SWH is released, which one of your fine utilities offers the strongest security for either Windows 10 or 11:

1. WHH
2. SWH (new version to be released)
3. H_C

Thanks! :)

If you skip the super-safe setup in SWH and WHH, then in practice (at home) the differences in the strength are probably not important. There are important differences in complexity and number of possible configurations.
WHH and the new version of SWH are integrated with RunBySmartscreen and will be published as a package containing other tools (DocumentsAntiExploit, FirewallHardening, ConfigureDefender).
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,098
I am to eager :)

@Andy Ful I would suggest to prevent people removing the whitelists for Windows and Program filesWindows

%WindowsDir% and almost all locations of %ProgramFiles% ( and %ProgramFiles(x86)% ) are allowed by the WDAC in WHH even if the Whitelist is empty. The base WDAC policy allows all locations on the SYSTEM-drive that are non-writable with standard rights.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,098
The ISG has got a serious vulnerability. Currently, it can be bypassed by popular DLL hijacking methods (ISO + DLL, archive + DLL, etc.).
Other problems are broken installations/updates and situations when the application is successfully updated, and then blocked by ISG.
I must first somehow solve these problems, before applying ISG.
The problem with DLL hijacking could be partially solved in SWH which has got two new features
  1. Block Desktop and Downloads folders.
  2. Block selected drives.
But, there are no good solutions for problems with broken installations and updates. :confused:

Edit.
Using ISG would be an alternative when used with SWH (with points 1 and 2) as a super-safe setup. So, the user switches OFF the protection when installing/updating applications. (y)
 
Last edited:
F

ForgottenSeer 97327

The problem with DLL hijacking could be partially solved in SWH which has got two new features
  1. Block Desktop and Downloads folders.
  2. Block selected drives.
But, there are no good solutions for problems with broken installations and updates. :confused:
Well, I have used WDAC and SRP since 2019. You have often inspired me (e,g, H_C with AVAST profile). To be honest I have put WDAC + SRP on a few PC's in the following setup (mostly for elderly relatives). I always set an explicit allow on UAC protected folders when I enable ISG to prevent ISG from blocking stuff, I ran into situations where ISG blocked old unsupported versions of a signed program.

WDAC
1. Enable ISG
2. Exclude scripts and dynamic code (so no DLL's)
3. Add explicit ALLOW FOLDER for Windows + Programfiles x64 and x32 and ProgramData
4. Add explicit DENY FOLDER for Shared Folder, Download Folder and Desktop
5. Block Microsoft advised executables (msHTA.exe etc)

SRP (that is basiccally a simplified version of SWH)

This WDAC runs fine with all sorts of setups (Microsoft Office and OpenOffice). I only combined this with F-Secure (because the largest ISP in the Netherlands offers free licenses for a rebranded F-Secure). Running fine in this context means = unttended set and forget with no calls that something broke or borked up.
 
Last edited by a moderator:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,098
Using your suggestion, would make the new hybrid a SWH on steroids (only WDAC enabled) and H_C on steroids (LOCK enabled) great idea (y)(y)(y)

View attachment 277782

I tested ISG a few months ago. Unfortunately, it blocked about half of applications (old and new). :confused:
Furthermore, a few applications that could be run on one computer, were consistently blocked on another???
Some installations were broken.

ISG still blocks far more applications compared to SAC. It will be OK only for users who install popular applications, especially those used in businesses.
 
F

ForgottenSeer 97327

I tested ISG a few months ago. Unfortunately, it blocked about half of applications (old and new). :confused:
Furthermore, a few applications that could be run on one computer, were consistently blocked on another???
Some installations were broken.

ISG still blocks far more applications compared to SAC. It will be OK only for users who install popular applications, especially those used in businesses.

I noticed that explicitly whitelisting Windows + Program Files and disabling Dynamic Security Code makes a huge difference to prevent broken installs when using ISG
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,098
I noticed that explicitly whitelisting Windows + Program Files and disabling Dynamic Security Code makes a huge difference to prevent broken installs when using ISG
My test was done without SmartScreen. Most manual installations will be done with SmartScreen because the files will have MOTW after downloading via the web browser. Most such installations will be allowed by ISG, except when the installation will download additional resources. So, files with MOTW + whitelisted %ProgramFiles% and %ProgramFiles(x86) will work well with ISG.
There are still some problems:
  1. Files in the Downloads folder are blocked (to avoid DLL hijacking).
  2. Files on Disk images (ISO, IMG, etc. ) are blocked (to avoid DLL hijacking).
  3. Application auto-updates are done without MOTW (can be broken).
Points 1 and 2 could be solved when using RunBySmartscreen (already included in WHH and the new version of SWH).
Disabling Dynamic Security Code will skip checking DLLs made dynamically when running .NET applications.
We still have a problem with auto-updates.

I agree, that this could be an alternative for a super-safe setup.:)
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top