- Apr 16, 2017
- 2,607
yeah, ok, you talked me out of it. I have some other VM where probably a better fit. thanks!!!
Testing Windows Hybrid Hardening (new hardening application).
- Thread starter Andy Ful
- Start date
- Mar 17, 2023
- 505
FBI wishes they had the budget of the CIA.
@Andy Ful Thanks for taking your time to create some new nice software for us. I just read through your instruction pictures from your first post.
2. Windows OS components, Microsoft signed applications, and MS Strore apps (whitelisted by EKU)
5. Location in UserSpace on the SYSTEM-drive, but unblocked in WDAC by modifying the ACL permissions
Could you consider writing the full name for it (at least once) please? I can't be the only person that would otherwise have to DDG it's meaning (atleast that's what I hope). If I have missed it in the huge amount of text I'm sorry. My first results were like EKU=Eastern Kentucky University
It's just easier if you have the correct search term if you want to find later more information about what e.g. EKU is.
2. Windows OS components, Microsoft signed applications, and MS Strore apps (whitelisted by EKU)
5. Location in UserSpace on the SYSTEM-drive, but unblocked in WDAC by modifying the ACL permissions
Could you consider writing the full name for it (at least once) please? I can't be the only person that would otherwise have to DDG it's meaning (atleast that's what I hope). If I have missed it in the huge amount of text I'm sorry. My first results were like EKU=Eastern Kentucky University
It's just easier if you have the correct search term if you want to find later more information about what e.g. EKU is.
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,510
EKU = Extended Key Usage or Enhanced Key Usage@Andy Ful Thanks for taking your time to create some new nice software for us. I just read through your instruction pictures from your first post.
2. Windows OS components, Microsoft signed applications, and MS Strore apps (whitelisted by EKU)
5. Location in UserSpace on the SYSTEM-drive, but unblocked in WDAC by modifying the ACL permissions
Could you consider writing the full name for it (at least once) please? I can't be the only person that would otherwise have to DDG it's meaning (atleast that's what I hope). If I have missed it in the huge amount of text I'm sorry. My first results were like EKU=Eastern Kentucky University
It's just easier if you have the correct search term if you want to find later more information about what e.g. EKU is.
ACL = Access Control List
Implementing Windows Defender Application Control (WDAC)–Part 3
This post is part of a series focused on Windows Defender Application Control (WDAC). The previous article can be found here:Understanding Policy RulesIn this article I’ll continue looking at the X…
blog.ciaops.com
Access Control overview
Learn about access control in Windows, which is the process of authorizing users, groups, and computers to access objects on the network or computer.
learn.microsoft.com
How Permissions Work
learn.microsoft.com
- Mar 29, 2018
- 7,613
I agree. I won't be trying or using this because it looks like a lot more under the hood, more like H_C than SWH.
When you use SAC better only use the old SWH part of it.
@Andy Ful
Last time I beg you, please run WDAC with (in smart mode)
1. Allow Microsoft + ISG (ISG is sort of similar to SAC)
2. Explicit allow rules for
a) Program Files
b Program files (x86)
c) Users\Admin\Apdata
d) Users\Admin\Local\temp
3. Microsoft advised block Rules for User space and kernel
4. SWH (SRP blocking risky file extensions and allowing exe, msi. tmp)
5. fall back to Audit mode when a driver fails to load
6. Exclude dynamic code and scripts (I told you so )
This is really a huge improvement for most home users in terms of security, while it allows for most programs updates.
Your version is as strong as the UAC protection of 2 C and 2 D, so allowing ISG (which is similar to SAC) does not weaken it substantionally, only increasing useability. You provided us with excellent freebies (H_C, CD, SWH), I really have no idea why you would provide such a complex hybride hardening. I don't understand the logic behind it (when you allow UAC holes, you might as well add ISG). Normally I can follow you and applaude your tweaks, but you got me lost here.
Don't be offended, but I would propose three levels of protection
a) Basic (only old SWH)
b) Smart (as I outlined above)
c) Deny all (block all in user folders)
With option B and C the user additionally has an option to exclude user folders
Last time I beg you, please run WDAC with (in smart mode)
1. Allow Microsoft + ISG (ISG is sort of similar to SAC)
2. Explicit allow rules for
a) Program Files
b Program files (x86)
c) Users\Admin\Apdata
d) Users\Admin\Local\temp
3. Microsoft advised block Rules for User space and kernel
4. SWH (SRP blocking risky file extensions and allowing exe, msi. tmp)
5. fall back to Audit mode when a driver fails to load
6. Exclude dynamic code and scripts (I told you so
)This is really a huge improvement for most home users in terms of security, while it allows for most programs updates.
Your version is as strong as the UAC protection of 2 C and 2 D, so allowing ISG (which is similar to SAC) does not weaken it substantionally, only increasing useability. You provided us with excellent freebies (H_C, CD, SWH), I really have no idea why you would provide such a complex hybride hardening. I don't understand the logic behind it (when you allow UAC holes, you might as well add ISG). Normally I can follow you and applaude your tweaks, but you got me lost here.
Don't be offended, but I would propose three levels of protection
a) Basic (only old SWH)
b) Smart (as I outlined above)
c) Deny all (block all in user folders)
With option B and C the user additionally has an option to exclude user folders
Last edited by a moderator:
- Mar 29, 2018
- 7,613
This was the point I was trying to make above, of course with no offense to @Andy Ful.
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,510
You have no choice when using WHH. It turns off the WDAC part automatically.When you use SAC better only use the old SWH part of it.
Great, but ...
I find it hard to critigue a man who has offered us with great programs and I value highly.
I recognize your genius, but why did you felt the need to combine stuff?
What is wrong with keeping the old style SWH for windows 11 (used alongside SAC or WDAC) as a seperate program?
Offer a new Hybrid hardening (as replacement for H_C) with two modes (for people not haviing SAC enabled)
Hybrid hardening offers a smart mode and a super safe mode
Smart mode
1. Allow Microsoft + ISG (ISG is sort of similar to SAC)
2. Explicit allow rules for
a) Program Files
b Program files (x86)
c) Users\Admin\Apdata
d) Users\Admin\Local\temp
3. Microsoft advised block Rules for User space and kernel
4. Exclude dynamic code and scripts (I told you so
)Super safe mode
1. Allow Microsoft
2. Explicit allow rules for
a) Program Files
b Program files (x86)
3. Microsoft advised block Rules for User space and kernel
Both of these have an option to whitelist user folders
Last edited by a moderator:
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,510
@Max90,
I think that most of your concerns could disappear if you simply tested WHHLight for a week.
The ISG makes sense only when blocking Desktop, Downloads, USB drives, removable drives (disk images), etc.
Such a setup is more complicated. We already talked about it. The right place for ISG is probably WHH (full version) and not the WHH Light.
I do not think so. WHH Light (SWH + default WDAC settings) will prevent almost all attacks before the UAC can be triggered.
ISG can help only when something is exploited. But, we have other tools that can prevent or mitigate such rare events (DocumentsAntiExploit, FirewallHardening, ConfigureDefender).
Using ISG cannot increase usability without adding nasty vulnerabilities. These vulnerabilities can be avoided when blocking Desktop, Downloads, removable drives, etc. but then WHHLight is more usable (with Run By SmartScreen).
a) Prevent fileless attacks which are poorly covered by many AVs. Use other tools from the SWHLight package (RunBySmartScreen, DocumentsAntiExploit, FirewallHardening, ConfigureDefender) to support your AV.
b) Extend the protection in a smart way for PE (EXE, DLL, etc.) and MSI files. Do this only if you think that it is necessary or if you use a semi-static setup.
c) Prepare a super-safe setup with a limited set of applications. You can use it in a vulnerable environment.
I think that most of your concerns could disappear if you simply tested WHHLight for a week.
The ISG makes sense only when blocking Desktop, Downloads, USB drives, removable drives (disk images), etc.
Such a setup is more complicated. We already talked about it. The right place for ISG is probably WHH (full version) and not the WHH Light.
I do not think so. WHH Light (SWH + default WDAC settings) will prevent almost all attacks before the UAC can be triggered.
ISG can help only when something is exploited. But, we have other tools that can prevent or mitigate such rare events (DocumentsAntiExploit, FirewallHardening, ConfigureDefender).
Using ISG cannot increase usability without adding nasty vulnerabilities. These vulnerabilities can be avoided when blocking Desktop, Downloads, removable drives, etc. but then WHHLight is more usable (with Run By SmartScreen).
Is it complex? You have only 3 possible settings. It is probably the simplest application made by me.
The logic is simple.
a) Prevent fileless attacks which are poorly covered by many AVs. Use other tools from the SWHLight package (RunBySmartScreen, DocumentsAntiExploit, FirewallHardening, ConfigureDefender) to support your AV.
b) Extend the protection in a smart way for PE (EXE, DLL, etc.) and MSI files. Do this only if you think that it is necessary or if you use a semi-static setup.
c) Prepare a super-safe setup with a limited set of applications. You can use it in a vulnerable environment.
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,510
The hybrid SRP + WDAC is natural in the home environment.
In SRP, it is hard to separately whitelist/blacklist scripts and PE files. At home, the scripts can be blocked almost everywhere. This is not possible for PE and MSI files. So, you need different whitelists for them. This can be done in a simple way by using SRP + WDAC.
You can do it with one click in WHHLight. I am only a human, and cannot handle too many applications. So, SWH will probably survive as a part of WHH.
That is my plan (except for ISG and kernel drivers).Offer a new Hybrid hardening (as replacement for H_C) with two modes (for people not haviing SAC enabled)
Hybrid hardening offers a smart mode and a super safe mode
Smart mode
1. Allow Microsoft + ISG (ISG is sort of similar to SAC)
2. Explicit allow rules for
a) Program Files
b Program files (x86)
c) Users\Admin\Apdata
d) Users\Admin\Local\temp
3. Microsoft advised block Rules for User space and kernel
4. Exclude dynamic code and scripts (I told you so
You can get it in a simple way by removing 3 entries from the WDAC Whitelist.
I will not add the policy for kernel drivers. WHHLight is for home administrators. Blocking kernel drivers would require some additional features like scanning for drivers, auditing, etc. Furthermore, Windows 10/11 has some driver protection that is probably sufficient at home.
Last edited:
- Jan 27, 2018
- 1,410
I'll admit it is a tad confusing if we are going to have SWH, WHH Light and WHH, ( is this correct or not, too lazy to go back and re-read the thread) throw in HC and its getting "crowded". If you are going to keep all 3 applications I would rename them so that each one is totally different from the others, they all sound basically the same now and thus are harder to differentiate. Of course what do I know?
I run WDAC since 2019. I adviced to disable dynamic code protection. I also posted that WDAC is easier to use with reduncdant allows for UAC protected folders. When you loosen up the protection by allowing dynamic code and punching an admin/temp hole in the default deny, it makes more sence to use ISG for useability as well. But I realize you can't win them all. so I thank for you implementing two out three.@Max90,
I think that most of your concerns could disappear if you simply tested WHHLight for a week.
Last edited by a moderator:
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,510
When you loosen up the protection by allowing dynamic code and punching an admin/temp hole in the default deny, it makes more sence to use ISG for useability as well. But I realize you can't win them all. so I thank for you implementing two out three.
Yes. It is not possible to safely implement ISG in WHHLight. The safe way would require a more complex application probably something like this:
The above settings restrict Desktop & Downloads folders and all non-System drives. The user cannot run anything from these locations without using "Run By Smartscreen". Other locations can be protected by ISG (WDAC). Such a setup can be probably used without whitelisting %ProgramData% and user AppData folders, but then, some applications can be blocked after the installation/update (they can still run in the WHH Light setup).
The advantage of using ISG in a safe way is a slightly more robust setup at the post-exploitation stage at the cost of increasing false positives. One could probably skip other tools (DocumentsAntiExploit, FirewallHardening, ConfigureDefender).
If you skip other tools, then for some users WHH alone can be as usable as WHHLight + tools.
Attachments
Last edited:
Andy, you are making it complex to make your point. Also your Polish WDAC version must behave completelely different from the US version I am using, because I can't relate this to my experience with the WDAC wizzard.
1. Downside you mention that ISG might generate some false positives. That is true but compared to a default deny it does not make sense, a default deny blocks way more.
2. To overcome the default deny restrictions you leave large holes in the setup to facilitate installs/updates. With ISG you don't need those holes so it is more secure.
3. Because ISG is less secure (true) against possible advanced staged DLL attacks you are adding extra restrictions. Which is strange because you already said you would not include dynamic code (like dotNet) restrictiions in your setup which by itself creates a DLL attack hole, so I am completely lost (to me your making a buzz about a small hole and ignoring a large hole on the same topic)
4. ISG might be safer in post-intrusion according to you, but in my setup (to prevent partly succeeded updates and blocking issues) I allow UAC protected folders (which you also do in the default deny), when you add UAC protected folders to the allow list, there is no post intrusion advantage, again I can't follow you
Let's agree to disagree.
Let me again express my gratitude for making available (for free) great sofware like CD, SWH an H_C. To me you are the champion in making available complex business options of the OS for average PC users.
You are a hero and I will stop criticising you on WHH 
Last edited by a moderator:
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,510
It is normal that you cannot relate the WDAC used in WHHLight to your experience. Simply, WHHLight uses WDAC in a different way.
Your setup is based on ISG and WHHLight avoids ISG for some reasons.
It does not, because WHHLight is not a default deny, but a smart-default deny similar to ISG. You will see it when using WHHLight. Almost all applications are installed/updated in folders whitelisted by default in WHHLight. Many of them will be blocked by ISG (especially software updates).
It is not true. The holes would be important while only using the WDAC restrictions. The WHHLight settings + tools included in the package make these holes negligible at home. Allowing ISG introduces larger holes via DLL hijacking.
The attacks via DLL hijacking are pretty common nowadays and very simple, the extra restrictions are necessary. You clearly underestimate this attack vector.
It is simple. I can skip dynamic code trust verification because in WHH it is only a theoretical problem limited to Microsoft-signed .NET applications. So far, no one found any such vulnerable application. On the contrary, the ISG vulnerability is large and commonly abused in the wild (DLL hijacking). Furthermore, ISG is much more vulnerable to abusing dynamic code, because it will allow all reputable applications (not only Microsoft-signed).
The post-intrusion attacks are performed mostly via user AppData or %ProgramData% folders. WHHLight protects these locations for scripts, also when the script is executed with high privileges. But the EXE, DLL, and MSI files are allowed (user AppData and %ProgramData% are on the WDAC Whitelist). The ISG setup can help to block them.
If you will test WHHLight then there will not be any disagreement. I understand that is not easy to grasp all details without using the application.
Thank you. Your critique and my answers can help others understand how WHHLight (and WHH full version) works.
Let's only remember to avoid repeating the same questions & answers.
- Mar 29, 2018
- 7,613
There will be no stand-alone SWH, rather SWH-like settings are included in WHH if I understand correctly.
- Jan 27, 2018
- 1,410
Yes, I reread this thread and I think I have a better understanding of what's going on now. SWH will be part of WHH I believe.
Similar threads
-
- Sticky
