New Update Testing Windows Hybrid Hardening (new hardening application).

[Victor M]

dangerous LOLBins are those that could bypass WDAC

Which exe's are those ?

 

[Digmor Crusher]

Andy, so I am going to try WHH, got the folder on the desktop, what would happen if I dragged the WHH application from the folder to the desktop and then deleted the WHH folder? Will WHH still work? Basically I'm trying to get away from having the folder on my desktop and only having the app icon there.Thanks.

 

[ForgottenSeer 97327]

@Andy Ful

With the extra options (extra because they look more like H_C than SWH) of SRP, how would you rate a ONE account setup with the following configuration in strenght?

Use WHH as admin (SAC in ISG mode, SRP in allow admin) with allow folders in userspace removed with SRP blocking EXE, MSI and TMP also (still right click run by smartscreen when nessecary)

I know the two accounts set is by far the strongest, just asking for lazy admins

Thanks

 

[Freki123]

Cyberlock still complains,I suppose because its not signed?

Cyberlock doesn't like unsigned exe (at least from what I experienced with it)

 

[ForgottenSeer 97327]

Which exe's are those ?

Applications that can bypass App Control and how to block them

View a list of recommended block rules, based on knowledge shared between Microsoft and the wider security community.

learn.microsoft.com

Andy has included that in WDAC, so as always (with Andy's freebies) it has been taken care of and is well tested

 

[Andy Ful]

Andy, so I am going to try WHH, got the folder on the desktop, what would happen if I dragged the WHH application from the folder to the desktop and then deleted the WHH folder? Will WHH still work? Basically I'm trying to get away from having the folder on my desktop and only having the app icon there.Thanks.

There is no WHH folder on the Desktop (and never been). The posts made by NormanF in this thread and on Wilders Security thread are incorrect.
The "icon" on the Desktop is a shortcut. If you click on it then the real folder "C:\ProgramData\WindowsHybridHardening_Tools" is opened in Explorer. If you remove the "icon", only the shortcut will be deleted, and not the real folder in %ProgramData%.

I am not sure why you would want to keep the WHH Light executable on the Desktop instead of a shortcut.
Anyway, If you drag the WHH application from the default folder to the desktop, then the file will be moved from the WHH folder to the Desktop, and allowed by WDAC.
But, do not copy the file. Microsoft made ISG in a way that the copy does not inherit the positive reputation (only moving the file does).

 

[ForgottenSeer 97327]

@Mods (at the moment mod on duty @upnorth )

Is it possible to copy post #196 and #192 (in that order) to a new Sticky thread called "Introducing Hybrid Windows Hardening"?

With all the responses the video tutorial (post 196) and the two user ID's setup explanation (post 192) will sink away (and will be hard to find for people interested)

Thanks

 

[upnorth]

@Mods (at the moment mod on duty @upnorth )

Is it possible to copy post #196 and #192 (in that order) to a new Sticky thread called "Introducing Hybrid Windows Hardening"?

With all the responses the video tutorial (post 196) and the two user ID's setup explanation (post 192) will sink away (and will be hard to find for people interested)

Thanks

Please send a report request on this as I have to prioritise what I'm doing at the moment and also can never be sure how long I will be online. But a basic hint/tip, it's normally the threads OP that should request in first hand what you suggest. Send @Andy Ful a PM and ask him first if you haven't already, would be my best advice right here and now.

 

[Andy Ful]

Which exe's are those ?

Applications that can bypass App Control and how to block them

View a list of recommended block rules, based on knowledge shared between Microsoft and the wider security community.

learn.microsoft.com

 

[Andy Ful]

@Andy Ful

With the extra options (extra because they look more like H_C than SWH) of SRP, how would you rate a ONE account setup with the following configuration in strenght?

Use WHH as admin (SAC in ISG mode, SRP in allow admin) with allow folders in userspace removed with SRP blocking EXE, MSI and TMP also (still right click run by smartscreen when nessecary)

I know the two accounts set is by far the strongest, just asking for lazy admins

Thanks

Looks very strong.

 

[Andy Ful]

@Mods (at the moment mod on duty @upnorth )

Is it possible to copy post #196 and #192 (in that order) to a new Sticky thread called "Introducing Hybrid Windows Hardening"?

With all the responses the video tutorial (post 196) and the two user ID's setup explanation (post 192) will sink away (and will be hard to find for people interested)

Thanks

In a few months, I will open a similar thread. I did not do it for now, because the beta phase is not finished.
I also updated the content of the opening post in this thread (with links to those videos).

 

[ForgottenSeer 97327]

In a few months, I will open a similar thread. I did not do it for now, because the beta phase is not finished.
I also updated the content of the opening post in this thread (with links to those videos).

When it will take a few months, would it be possible to sign the WHH-light already? (works great on my wife's laptop, but I like to block unsigned elevation also)

 

[Andy Ful]

When it will take a few months, would it be possible to sign the WHH-light already? (works great on my wife's laptop, but I like to block unsigned elevation also)

Yes, probably in March 2024.

 

[Andy Ful]

Non-problematic use of WHHLight:

1. Use default-Admin account.
2. Keep default folders on the Whitelist.
3. Use "Run By SmartScreen" if the standalone installer is blocked by ISG (usually when the file is on the flash drive, and sometimes for MSI installers).
4. Do not ignore SmartScreen alerts. On the computers of children, use < SmartScreen Block > = ON.
5. Keep the WHH_Tools shortcut on the Desktop or remember that WHHLight can be run from "C:\ProgramData\WindowsHybridHardening_Tools".
   WHHLight can be executed from any location (also from the flash drive) via "Run By SmartScreen".

Edit.
In case the user deletes the WHHLight executable, the WHHLight_package can be downloaded from the Internet via the web browser - it can be executed in any WHHLight settings (even the Super_Safe setup on SUA). Simply, ISG will get a reputation from SmartScreen, and the package has a good SmartScreen reputation.

 

[Back3]

I've been using SWH and Firewall Hardening with F-Secure Safe (19.1) for the last two years. No issues. Disabled SWH and trying non-problematic use of WHHlight. So far, so good.

 

[wat0114]

@Andy Ful

thank you for providing this Windows hardening tool. I've set it up on Windows 11, version: 21H2 with all options "On" in WHHL and Firewall hardening LolBins, MS Office and Recommended H_C rules applied. So far no issues, seems to be working fine.

For fun I tried launching two different, digitally signed and confirmed safe executables from my Downloads folder from my Standard account. Both were blocked as expected, although in different ways:




Application Control and Device Guard. Both of these blocked events were logged in the WDAC-> EXE/DLL logs

Because I also use NVT OSArmor, in the process of installing it and setting it up, I created the following Exclusions so nothing will be blocked:

[%PROCESS%: C:\ProgramData\WindowsHybridHardening_Tools\WindowsHybridHardeningLight*.exe] [%PROCESSCMDLINE%: "C:\ProgramData\WindowsHybridHardening_Tools\WindowsHybridHardeningLight*.exe"] [%SIGNER%: <NULL>] [%PARENTPROCESS%: C:\Windows\explorer.exe] [%PARENTSIGNER%: Microsoft Windows] [%PROCESSINTEGRITY%: High] [%PARENTINTEGRITY%: Medium]

[%PROCESS%: C:\Windows\Hard_ConfiguratorTemp\WHHLight*.exe] [%PROCESSCMDLINE%: "C:\WINDOWS\Hard_ConfiguratorTemp\WHHLight*.exe"] [%SIGNER%: <NULL>] [%PARENTPROCESS%: C:\ProgramData\WindowsHybridHardening_Tools\WindowsHybridHardeningLight*.exe] [%PARENTSIGNER%: <NULL>] [%PROCESSINTEGRITY%: High] [%PARENTINTEGRITY%: High]

[%PROCESS%: C:\Users\*\AppData\Local\Temp\*.tmp\*.exe] [%PROCESSCMDLINE%: "C:\Users\*\AppData\Local\Temp\*.tmp\*=C:\WINDOWS\Hard_ConfiguratorTemp\] [%SIGNER%: <NULL>] [%PARENTPROCESS%: C:\Windows\Hard_ConfiguratorTemp\WHHLight*.exe] [%PARENTSIGNER%: <NULL>] [%PROCESSINTEGRITY%: High] [%PARENTINTEGRITY%: High]

[%PROCESS%: C:\Windows\Hard_ConfiguratorTemp\WDAC\WindowsHybridHardeningLight*.exe] [%PROCESSCMDLINE%: "C:\WINDOWS\Hard_ConfiguratorTemp\WDAC\WindowsHybridHardeningLight*.exe"] [%SIGNER%: <NULL>] [%PARENTPROCESS%: C:\ProgramData\WindowsHybridHardening_Tools\WindowsHybridHardeningLight*.exe] [%PARENTSIGNER%: <NULL>] [%PROCESSINTEGRITY%: High] [%PARENTINTEGRITY%: High]

[%PROCESS%: C:\Windows\System32\taskkill.exe] [%PROCESSCMDLINE%: C:\WINDOWS\system32\taskkill.exe /f /im WindowsHybridHardening*.exe] [%SIGNER%: <NULL>] [%PARENTPROCESS%: C:\Windows\Hard_ConfiguratorTemp\WDAC\WindowsHybridHardeningLight*.exe] [%PARENTSIGNER%: <NULL>] [%PROCESSINTEGRITY%: High] [%PARENTINTEGRITY%: *]

[%PROCESS%: C:\ProgramData\WindowsHybridHardening_Tools\FirewallHardening*.exe] [%PROCESSCMDLINE%: "C:\ProgramData\WindowsHybridHardening_Tools\FirewallHardening*.exe"] [%SIGNER%: Open Source Developer, Andrzej Pluta] [%PARENTPROCESS%: C:\Windows\explorer.exe] [%PARENTSIGNER%: Microsoft Windows] [%PROCESSINTEGRITY%: High] [%PARENTINTEGRITY%: Medium]

[%PROCESS%: C:\Windows\Hard_ConfiguratorTemp\WHHLight*.exe] [%PROCESSCMDLINE%: "C:\WINDOWS\Hard_ConfiguratorTemp\WHHLight*.exe"] [%SIGNER%: <NULL>] [%PARENTPROCESS%: C:\ProgramData\WindowsHybridHardening_Tools\WindowsHybridHardeningLight*.exe] [%PARENTSIGNER%: <NULL>] [%PROCESSINTEGRITY%: High] [%PARENTINTEGRITY%: Unknown]

[%PROCESS%: C:\Users\*\AppData\Local\Temp\*.tmp\*_*.exe] [%PROCESSCMDLINE%: "C:\Users\*\AppData\Local\Temp\*.tmp\*.exe"  *C:\WINDOWS\Hard_ConfiguratorTemp\] [%SIGNER%: <NULL>] [%PARENTPROCESS%: C:\Windows\Hard_ConfiguratorTemp\WHHLightUnins*.exe] [%PARENTSIGNER%: <NULL>] [%PROCESSINTEGRITY%: High] [%PARENTINTEGRITY%: Unknown]

These rules should work for anyone else who uses OSArmor, because I've incorporated some wildcard usage in the rules.

 

[silversurfer]

Just playing around with the new WHHLight ver. 1.0.0.4
WDAC enabled ON. I see no longer blocks for some legit applications what are blocked with the previous version WWH_Light 1.00.4 (Whitelisted folders are the same)
@Andy Ful My question what is the difference compared to when WDAC off ? Guess it's misunderstanding from me

 

[ForgottenSeer 97327]

@Watt

When you run WHH-light with all on. Why are you running OS-Armor also?

Just curious, not judging (security is an emotion, so everyone has his own preference)

Regards Max

 

[wat0114]

@Watt

When you run WHH-light with all on. Why are you running OS-Armor also?

Just curious, not judging (security is an emotion, so everyone has his own preference)

Regards Max

Yes, I realize I don't need to run OSA with WHHL with all or even partially On. I wanted to create the necessary OSA rules for those who might want to run OSA paired with WHHL. I've hardly used Windows at all in the last 6 months, using primarily Linux, so of course if I ever do go back to Windows I would reassess my security setup. Because I view Windows security mostly as a kind of hobby and for fun, I'm apt to try all kinds of security setups, even if they are overkill. Andy's latest tool, WHHL, is one I've been keen on trying for some time now.

 

[wat0114]

Hi @Andy Ful

or anyone who might know, is it possible, or will it be possible in the future, to use wildcards for Paths under WDAC-> Whitelist option? I wasn't able to add a Path rule with wildcards.