
Hardentools


Hardentools is designed to disable a number of "features" exposed by Microsoft Windows 10 and 11 and some widely used applications (Microsoft Office, LibreOffice and Adobe PDF Reader, for now). These features are mostly intended for enterprise customers, are generally useless to regular users, and rather pose a danger, as they are very commonly abused by attackers to execute malicious code on a victim's computer. The intent of this tool is simply to reduce the attack surface by disabling the low-hanging fruit. Hardentools is intended for individuals at risk who might want an extra level of security at the price of some usability. It is not intended for corporate environments.

WARNING: This tool disables a number of features, including some of Microsoft Office, Adobe Reader, and Windows, which might cause malfunctions in certain applications. You can find a complete list of changes here. Use this at your own risk.

Bear in mind that after running Hardentools you won't be able, for example, to do complex calculations with Microsoft Office Excel or use the command-line terminal, but those are pretty much the only considerable "downsides" of having a slightly safer Windows environment. Before deciding to use it, make sure you read this document thoroughly and understand that yes, something might break. In case you experience malfunctions as a result of the modifications implemented by this tool, please do let us know.

When you're ready, you can find the latest download here.

What Hardentools IS NOT

  • Hardentools is NOT an Antivirus. It does not protect your computer. It doesn't identify, block, or remove any malware.
  • It does NOT prevent software from being exploited.
  • It does NOT prevent the abuse of every available risky feature.
  • It does NOT prevent the changes it implements from being reverted. If malicious code runs on the system and it is able to restore them, the premise of the tool is defeated.

How to use it

Once you double-click the 'hardentools.exe' icon, depending on your Windows privileges, you are asked whether you want to run Hardentools with administrative privileges. If you select "No", only a subset of the hardening features is available, but this lets you use Hardentools to harden your user account even if you only have restricted privileges. If you select "Yes", depending on your Windows security settings, you should be prompted with a User Account Control (UAC) dialog asking you to confirm that Hardentools may run. Click "Yes".


Then, you will see the main Hardentools window. It's very simple, you just click on the "Harden" button, and the tool will make the changes to your Windows configuration to disable a set of features that are risky. Once completed, you will be asked to restart your computer for all the changes to have full effect.

You can get some technical information about the configuration changes that Hardentools will make by clicking the help button in the main window.

Note: You can select the expert settings checkbox to be able to select or deselect specific harden measures. Please only use this if you know what you are doing.


In case you wish to restore the original settings and revert the changes Hardentools made (for example, if you need to use cmd.exe), you can simply re-run the tool: instead of a "Harden" button you will be presented with a "Harden again (all default settings)" button and a "Restore..." button. Selecting "Restore" starts reverting the modifications. "Harden again" first restores the original settings and then hardens again using the default settings. This comes in handy if you have started a newer version of Hardentools and want to make sure the most current features are applied to your user.


Please note: the modifications made by Hardentools apply only to the Windows user account the tool is run from. If you want Hardentools to change settings for other Windows users as well, you will have to run it while logged in as each of them.

Known Issues

Hardentools not working in a Virtual Machine, if used remotely (e.g. with RDP) or without OpenGL graphics drivers

Hardentools might not start when used in a virtual machine, when used remotely (e.g. with RDP), or on a machine with only very basic graphics drivers (no OpenGL 2.0). If started from the command line, an error similar to the following appears in these cases:

2020/09/06 02:24:47 Fyne error:  window creation error
2020/09/06 02:24:47   Cause: APIUnavailable: WGL: The driver does not appear to support OpenGL
2020/09/06 02:24:47   At: /home/travis/gopath/pkg/mod/fyne.io/[email protected]/internal/driver/glfw/window.go:1133

This is due to a bug in the UI framework used (fyne-io/fyne#410). You can check whether your VM supports an OpenGL 2.0 graphics driver and install one to get it working. Alternatively you can use the command-line version (hardentools-cli.exe) to harden the system with the default settings:

.\hardentools-cli.exe -harden

and restore with:

.\hardentools-cli.exe -restore

Error "Windows ASR rules failed with error"

Windows ASR rules hardening might fail if you have not enabled Windows Defender Antivirus and/or you use a third-party antivirus solution. In that case either uninstall the third-party solution and activate Windows Defender, or disable the "Windows ASR rules" hardening item in the Hardentools expert settings dialog.
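A check that helps diagnose this error before hardening, added here as an example (it is not part of Hardentools): it reports whether Microsoft Defender Antivirus is the active engine and which ASR rules are already configured and in what mode. The cmdlets are from the Defender module that ships with Windows 10/11; run it in an elevated PowerShell. The function names are this example's own.

```powershell
# Added example, not Hardentools code: confirm that Microsoft Defender Antivirus is
# the active engine before the "Windows ASR rules" hardening step, and list the ASR
# rules already configured. Requires Windows 10/11 with the Defender PowerShell module.

function Test-DefenderAsrReady {
    # Get-MpComputerStatus fails outright when Defender is not installed or not running.
    $status = Get-MpComputerStatus -ErrorAction Stop
    # With a third-party AV registered, Defender drops into passive mode and
    # AntivirusEnabled / RealTimeProtectionEnabled become $false; ASR rules are
    # then not enforced, which is the failure the README describes.
    [pscustomobject]@{
        AntivirusEnabled          = $status.AntivirusEnabled
        RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
        RunningMode               = $status.AMRunningMode
        AsrCanBeApplied           = [bool]($status.AntivirusEnabled -and $status.RealTimeProtectionEnabled)
    }
}

function Get-AsrRuleState {
    # ASR rules are stored as two parallel arrays: rule GUIDs and their action codes.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $mode = switch ([int]$actions[$i]) {
            0 { 'Disabled' } 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' } default { "Unknown($_)" }
        }
        [pscustomobject]@{ RuleId = $ids[$i]; Mode = $mode }
    }
}

Test-DefenderAsrReady | Format-List
Get-AsrRuleState | Format-Table -AutoSize
```

If `AsrCanBeApplied` is `False`, the ASR step of Hardentools will fail for the reason given above, and the output of `Get-AsrRuleState` stays empty until Defender is active again.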

Credits

This tool is developed by Claudio Guarnieri, Mariano Graziano and Florian Probst. You can find here a full list of contributors.

Hammer icon by Travis Avery from the Noun Project.

Contributors

botherder, dyras, lissy93, obsti8383, petertonoli, thechampagne


Issues

Directory Structure/Naming Convention

I've added PRs for some network related fixes and some Explorer tweaks...

As we start to grow... we should start to separate windows into subservices and applications into companies and versions... I know JAVA, flash and reader have different paths per major release.

command line options?

Hi, good project, but I can't find command-line options?

For me it is essential that I can deploy this package as a script.
If this isn't possible it would be a major disadvantage. I recommend leaving normal cmd as executable and just denying PowerShell and all the other settings.

DLL Planting opportunities

Hey, just a quick note

thanks for the tool

for the sake of security and (I was doing something else at the time)


I don't know if it's enough of a risk, but I guess that depends on how hostile you think a user's downloads folder is; those highlighted are the ones that triggered Didier Stevens' cmd.dll (renamed)

Command-line terminal disabled altogether?

The README says that "after running Hardentools you won't be able, for example, to [...] use the Command-line terminal". But it also states that hardentools "[d]isables powershell.exe, powershell_ise.exe and cmd.exe execution via Windows Explorer." So is the Command-line terminal disabled altogether or only when launched by Windows Explorer?

Generate Debug Log

Hardentools should generate a debug log (perhaps optional using a Command line Parameter?) so we are able to assist users if they experience problems.

Cannot launch system restore or safe mode

When I hardened some of the settings, using this software, the following happened to me.
[1] Cannot initialize system restore any longer. I tried but it is disabled. Is there a fix for this?
[2] Cannot use recovery settings any longer. That specifically means I cannot see the advanced startup settings in order to troubleshoot my system. System Fix is not working either if I want to revert some of these settings to the original.
[3] Cannot boot up from safe mode any longer even if I wished to. The screen flickers and then it doesn't go anywhere. It just goes back to booting the system normally.
[4] Cannot run windows scripts any longer. I needed it in order to install a update for a driver. It is refusing to install without windows scripts.
[5] Couldn't install a update from Windows Update & Security. I can still install updates though Windows Update Assistant, however, is it safe to do so? I was going to do that tomorrow in hope that some of these problems that I am having would be reverted.
Overall the software is great, but I seem to have run into these issues on every user account as of now.

Request for user related "design" label to be added to issue tracker

As a follow-up to issue #28, I'd like to request a user related label to be added. I don't think I can add it.

This helps UX people identify user related requests to start working on.

If there's lots, we can add others, but as a beginning the label "design" would be a good start.

What do you think?

Adobe Reader Enhancements

Adobe PDF module could need some enhancements to cover all the most important security settings:

  • Switch on the Protected Mode setting under "Security (Enhanced)" (enabled by default in current versions) (HKEY_LOCAL_USER\Software\Adobe\Acrobat Reader<version>\Privileged -> DWORD "bProtectedMode" = 1)
  • Switch on Protected View for all files from untrusted sources (HKEY_CURRENT_USER\SOFTWARE\Adobe\Acrobat Reader\DC\TrustManager -> iProtectedView = 1)
  • Switch on Enhanced Security setting under "Security (Enhanced)" (enabled by default in current versions) (HKEY_CURRENT_USER\SOFTWARE\Adobe\Acrobat Reader\DC\TrustManager -> bEnhancedSecurityInBrowser = 1 & bEnhancedSecurityStandalone = 1)

wsh.go issue on 64Bit systems

There is an issue with wsh.go on my 64Bit Windows 10 (most probably other 64Bit versions are also affected, see http://windowsir.blogspot.de/2013/03/wow6432node-registry-redirection.html).

Issue is that when creating "Enabled" at
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings
the real Key is created in
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Script Host\Settings

Windows Scripting Host is then not disabled.

The existing code replaced with
// raw string so the backslashes need no escaping; WOW64_64KEY selects the native 64-bit view
key, _, _ := registry.CreateKey(registry.LOCAL_MACHINE, `SOFTWARE\Microsoft\Windows Script Host\Settings`, registry.WRITE|registry.WOW64_64KEY)
works. At least when executed with local admin rights.

Without local admin rights this still doesn't work. We have two options:

  • write to HKCU only
  • verify if HKLM entry create has been successful. If not inform the user that local admin rights are needed (or request local admin rights from windows)

Which way should we go.

If you give my account access to the repository I can implement that in an experimental branch.

Florian

More Information: https://msdn.microsoft.com/en-us/library/windows/desktop/ms724878.aspx

Rewrite Hardentools in a more suitable language?

As pointed out in #31, there are limitations due to the use of Golang. It might be worth considering rewriting Hardentools with a more suitable language. Some suggested PowerShell (although, that would be a sad irony).

Let's discuss here what we all think is the best way forward.

Add checksums for files

It would be a good idea to provide at least sha256 for each file in the releases section.

Add ability to harden standard accounts

Greetings! First of all, great program. However, it was come to my attention that if I run the program from a standard account it asks me for admin privileges. Great, so I enter my admin password and I run the tool. All seems well.

However, on my standard account I can still open CMD. This to me makes it seem as if hardening standard accounts is impossible with this program. Considering Microsoft recommends using a standard account for day-to-day business, that seems odd.

So tl;dr I wish I could harden standard accounts as well. I'm mostly interested in the Office hardening though.

Unable to create window

2020/09/06 02:24:47 Fyne error:  window creation error
2020/09/06 02:24:47   Cause: APIUnavailable: WGL: The driver does not appear to support OpenGL
2020/09/06 02:24:47   At: /home/travis/gopath/pkg/mod/fyne.io/[email protected]/internal/driver/glfw/window.go:1133

Check versions of installed software

Hi All,
Hi @botherder,

what do you think about integrating https://github.com/obsti8383/UpdateChecker (which i programmed over the last weeks) somehow into hardentools (perhaps using a different UI and also changing other things)?

What's not so good about that is that it requires a connection to a online service to get information about current software versions).

Alternative could be to provide this as a separate tool.

Any kind of feedback greatly appreciated.

Cheers
Florian

P.S.: You can try the compiled alpha release if you like. Otherwise just do a "go build" and execute the binary from within the source directory (it needs the main.html and static/ directory).

Small Word DDE Hardening improvement

Microsoft disabled DDE in Word with Office Update ADV170021 update. We should make sure that it is in default (disabled) state:

This update adds a new Windows registry key that controls the DDE feature's status for the Word app. The default value disables DDE. Here are registry key's values:

  1. In the Registry Editor navigate to \HKEY_CURRENT_USER\Software\Microsoft\Office\version\Word\Security AllowDDE(DWORD)
  2. Set the DWORD value based on your requirements as follows:

AllowDDE(DWORD) = 0: To disable DDE. This is the default setting after you install the update.
AllowDDE(DWORD) = 1: To allow DDE requests to an already running program, but prevent DDE requests that require another executable program to be launched.
AllowDDE(DWORD) = 2: To fully allow DDE requests.
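The three issues above (Adobe Reader settings, the wsh.go WOW6432Node problem, and Word's AllowDDE) all come down to reading a DWORD from a specific hive, key and registry view. The following audit script is an added example, not code from Hardentools or from any of the issue authors; it reports whether each of those values is in the hardened state without changing anything, so it needs no admin rights. It assumes the Adobe Reader DC paths quoted in the issue (the `Privileged` key under `DC` is an assumption, since the issue only gives `<version>`), and the Office version numbers 16.0/15.0/14.0 are likewise assumed. The `.NET` `RegistryView` parameter plays the role of the `WOW64_64KEY` flag from the Go fix.

```powershell
# Added example, not Hardentools code. Reads the registry values discussed in the
# Adobe Reader, wsh.go/WOW6432Node and Word DDE issues and reports whether each is
# in the hardened state. Read-only, no admin rights needed. Office version numbers,
# the Adobe "DC" paths and the expected values are assumptions taken from the issues.

function Get-RegDword {
    param(
        [Microsoft.Win32.RegistryHive]$Hive,
        [string]$SubKey,
        [string]$Name,
        [Microsoft.Win32.RegistryView]$View = 'Default'
    )
    # OpenBaseKey with an explicit view is the .NET counterpart of the WOW64_64KEY
    # flag from the wsh.go issue: Registry64 always addresses the native 64-bit
    # hive and Registry32 always the WOW6432Node copy, regardless of whether this
    # PowerShell process is itself 32- or 64-bit.
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey($Hive, $View)
    try {
        $key = $base.OpenSubKey($SubKey)
        if ($null -eq $key) { return $null }
        try { return $key.GetValue($Name) } finally { $key.Close() }
    } finally { $base.Close() }
}

function Test-HardeningState {
    $wshKey = 'SOFTWARE\Microsoft\Windows Script Host\Settings'
    $adobe  = 'SOFTWARE\Adobe\Acrobat Reader\DC'   # assumed Reader DC layout
    $checks = @(
        # WSH: Enabled=0 disables it; a missing value means WSH is enabled.
        @{ Name='WSH disabled (HKLM, native 64-bit view)'; Hive='LocalMachine'; SubKey=$wshKey; Value='Enabled'; View='Registry64'; Want=0 }
        @{ Name='WSH disabled (HKLM, WOW6432Node view)';   Hive='LocalMachine'; SubKey=$wshKey; Value='Enabled'; View='Registry32'; Want=0 }
        @{ Name='WSH disabled (HKCU)';                     Hive='CurrentUser';  SubKey=$wshKey; Value='Enabled'; View='Default';    Want=0 }
        @{ Name='Adobe Reader DC Protected Mode';    Hive='CurrentUser'; SubKey="$adobe\Privileged";   Value='bProtectedMode';              View='Default'; Want=1 }
        @{ Name='Adobe Reader DC Protected View';    Hive='CurrentUser'; SubKey="$adobe\TrustManager"; Value='iProtectedView';              View='Default'; Want=1 }
        @{ Name='Adobe Reader DC Enhanced Security'; Hive='CurrentUser'; SubKey="$adobe\TrustManager"; Value='bEnhancedSecurityStandalone'; View='Default'; Want=1 }
    )
    # Word DDE: after ADV170021 a missing AllowDDE means "disabled by default", but an
    # explicit 0 is the unambiguous state the issue asks to ensure, so that is what we want.
    foreach ($ver in '16.0', '15.0', '14.0') {
        $checks += @{ Name="Word $ver DDE disabled (AllowDDE=0)"; Hive='CurrentUser'; SubKey="Software\Microsoft\Office\$ver\Word\Security"; Value='AllowDDE'; View='Default'; Want=0 }
    }
    foreach ($c in $checks) {
        $actual  = Get-RegDword -Hive $c.Hive -SubKey $c.SubKey -Name $c.Value -View $c.View
        $display = if ($null -eq $actual) { '(not set)' } else { $actual }
        [pscustomobject]@{
            Check    = $c.Name
            Actual   = $display
            Hardened = ($null -ne $actual -and [int]$actual -eq $c.Want)
        }
    }
}

Test-HardeningState | Format-Table -AutoSize
```

Run it before and after hardening: the two HKLM rows for WSH show directly whether a write landed in the native view or was redirected to WOW6432Node, which is exactly the symptom the wsh.go issue describes.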

Please document all changes

Please document all registry and policy changes being done by the tool to allow for automation OR enable command-line hardening, where each option is a command line switch which can be turned off or on.

Change of name

"Hardentools" is a terrible name.
Any suggestions for a better one?

disable "bash on ubuntu on windows"

can you please also add an option to disable the new "bash on ubuntu on windows" feature under windows 10? i am able to call powershell or cmd over it.

Usability review of Hardentools

After a Twitter request for usability input into Hardentools, I've been speaking with @botherder on Mattermost.

From our discussion he's concerned with:

  1. the GUI "being ugly"
  2. the progress bar is pretty much fake. The progress is too quick: you click on the button (which is awkwardly large and thin) and boom, it's done
  3. the need for GUI to allow to enable/disable single features

As a beginning, I suggested the best thing would be for me to run it and do what's called a usability (expert) review, where the reviewer "pretends" to be a user, tries to think how they think, and does what they do.

When doing a usability review we use well established usability heuristics to keep focused on what the user would do.

These include important heuristics like: visibility of what the system is doing, preventing the user from making mistakes, helping the user to recover from errors - system or user, consistency.

This would deal with 1 and 2 above.

Once this is done, I'd post the results here and we can discuss how to deal with them.

What do you think about that?

Remove commonly abused default file associations

HardenTools already disables wscript, but also removing the default file associations for what it runs and other commonly abused file types may help a bit in the case of a user re-enabling it manually or if something malicious enables it automatically prior to executing another stage involving these file types.

I see all of these used very frequently as initial delivery mechanisms, droppers, etc.

File Types

  • .vbs, .vba, .vbe, .vb
  • .wsh, .wsf, .wsc, .ws
  • .js, .jse
  • .hta (mshta.exe)

Personally I haven't yet looked to see how this would be automated. Also, this is a pretty short/quick list, many more could be added that rarely require direct execution but I figured for a first pass to get feedback, it'll do.

I can look into it a bit and make a PR if this makes sense to everyone.
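The following is an added example of how such a first pass could look; it is not the project's code or the issue author's. It resolves the current default "open" handler for each extension in the list (HKCR\<ext> -> ProgID -> shell\open\command) and, optionally, repoints that ProgID for the current user only at Notepad, so a double-click shows the script source instead of executing it. The `$ScriptExtensions` list is the one from the issue; the function names are this example's own.

```powershell
# Added example, not Hardentools code. Audits the default open handler of each
# script extension from the issue and optionally overrides it per user with Notepad.
# The per-user override needs no admin rights and lives under HKCU\Software\Classes.

$ScriptExtensions = '.vbs', '.vba', '.vbe', '.vb', '.wsh', '.wsf', '.wsc', '.ws', '.js', '.jse', '.hta'

function Get-ScriptExtensionHandler {
    param([string[]]$Extensions = $ScriptExtensions)
    foreach ($ext in $Extensions) {
        # HKCR is the merged view of HKLM\Software\Classes and HKCU\Software\Classes,
        # with the per-user entries taking precedence.
        $progId  = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$ext" -Name '(default)' -ErrorAction SilentlyContinue).'(default)'
        $command = $null
        if ($progId) {
            $command = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" -Name '(default)' -ErrorAction SilentlyContinue).'(default)'
        }
        [pscustomobject]@{
            Extension   = $ext
            ProgId      = $progId
            OpenCommand = $command
            # True when a double-click would hand the file to a script host.
            RunsScript  = [bool]($command -match 'wscript|cscript|mshta')
        }
    }
}

function Set-ScriptExtensionToNotepad {
    param([string[]]$Extensions = $ScriptExtensions)
    foreach ($h in Get-ScriptExtensionHandler -Extensions $Extensions) {
        if (-not $h.ProgId -or -not $h.RunsScript) { continue }
        # Per-user override; deleting this key later restores the system default.
        $path = "HKCU:\Software\Classes\$($h.ProgId)\shell\open\command"
        New-Item -Path $path -Force | Out-Null
        Set-ItemProperty -Path $path -Name '(default)' -Value 'notepad.exe "%1"'
    }
    Get-ScriptExtensionHandler -Extensions $Extensions
}

Get-ScriptExtensionHandler | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind: the override only changes what ShellExecute does (double-click, Start/Run), so an explicit `wscript.exe file.vbs` or `mshta.exe file.hta` still runs the script, which is why this complements disabling WSH rather than replacing it; and because the override lives in HKCU, anything running as the same user can undo it, the same limitation the README states for Hardentools itself.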

Disable WPAD

WPAD is totally useless and exposes your client to unnecessary MITM situations and potatos stealing your hashes.

Suggested steps:

  1. Disable the service “WinHTTP Web Proxy Auto-Discovery Service”
    (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WinHttpAutoProxySvc\Start -> 4)
  2. echo "255.255.255.255 wpad." >> c:\windows\system32\drivers\etc\hosts
  3. "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadOverride" -> 0
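An added example (not Hardentools code, not the issue author's) that audits and applies the three steps above in one place. The service and hosts-file changes need an elevated prompt; the `WpadOverride` value is per user. The registry paths are the ones quoted in the issue; the function names are this example's own.

```powershell
# Added example, not Hardentools code: audit and apply the WPAD hardening steps
# from the issue. Run Disable-Wpad from an elevated PowerShell.

$HostsPath   = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$WpadSvcKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc'
$WpadUserKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad'
$HostsLine   = '255.255.255.255 wpad.'

function Get-WpadState {
    $start    = (Get-ItemProperty -Path $WpadSvcKey -Name Start -ErrorAction SilentlyContinue).Start
    $hosts    = Get-Content -Path $HostsPath -ErrorAction SilentlyContinue
    $pinned   = [bool]($hosts | Where-Object { $_ -match '^\s*255\.255\.255\.255\s+wpad\.?\s*$' })
    $override = (Get-ItemProperty -Path $WpadUserKey -Name WpadOverride -ErrorAction SilentlyContinue).WpadOverride
    [pscustomobject]@{
        ServiceStart = $start        # 4 = disabled, 3 = manual (default)
        HostsPinned  = $pinned
        WpadOverride = $override     # 0 = do not auto-detect proxy settings
        Hardened     = ($start -eq 4 -and $pinned -and $override -eq 0)
    }
}

function Disable-Wpad {
    # 1. Service start type. On some Windows 10/11 builds the service key's ACL
    #    refuses this write even to administrators; let that error surface.
    Set-ItemProperty -Path $WpadSvcKey -Name Start -Value 4 -Type DWord
    # 2. Pin "wpad." in the hosts file so the name can never resolve to a real host (idempotent).
    if (-not (Get-WpadState).HostsPinned) {
        Add-Content -Path $HostsPath -Value $HostsLine -Encoding Ascii
    }
    # 3. Per-user override that turns off automatic proxy detection.
    New-Item -Path $WpadUserKey -Force | Out-Null
    New-ItemProperty -Path $WpadUserKey -Name WpadOverride -Value 0 -PropertyType DWord -Force | Out-Null
    Get-WpadState
}

Get-WpadState
```

`Get-WpadState` is safe to run unprivileged and is the check to rerun after a Windows feature update, since updates have been known to reset service start types.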

Ask users logged in as admin for their password in UAC prompts

Greetings! I think you should consider making it so that admins need to enter their passwords during UAC prompts instead of the standard yes/no.

How to enable this feature using a simple reg file is described here:
https://www.eightforums.com/tutorials/41136-uac-change-prompt-behavior-administrators-windows.html

Arguments for adding this:

  • It will make people think longer before accepting/denying something that might potentially be malware
  • Could make it more difficult for malware to bypass UAC in the case of an exploit

Arguments against adding this:

  • Typing in your password could be annoying

That's all I can think of really.
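The setting behind the linked tutorial is the `ConsentPromptBehaviorAdmin` policy value. The script below is an added example (not Hardentools code, not the issue author's) that shows the current UAC prompt mode for administrators and switches it to "prompt for credentials on the secure desktop", which is the password prompt the issue asks for. It requires an elevated prompt; the value meanings are Microsoft's documented ones, and the function names are this example's own.

```powershell
# Added example, not Hardentools code: inspect and set the UAC prompt behaviour
# for administrators. Run from an elevated PowerShell.

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Documented meanings of ConsentPromptBehaviorAdmin.
$ConsentMeaning = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (default)'
}

function Get-UacAdminPrompt {
    $p = Get-ItemProperty -Path $UacKey
    # A missing value means the Windows default (5).
    $behaviour = if ($null -eq $p.ConsentPromptBehaviorAdmin) { 5 } else { [int]$p.ConsentPromptBehaviorAdmin }
    [pscustomobject]@{
        ConsentPromptBehaviorAdmin = $behaviour
        Meaning                    = $ConsentMeaning[$behaviour]
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
        EnableLUA                  = $p.EnableLUA
        RequiresPassword           = ($behaviour -in 1, 3)
    }
}

function Set-UacAdminPasswordPrompt {
    # Value 1 (credentials on the secure desktop) is the stronger of the two
    # password modes, because other processes cannot draw over the secure desktop.
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value 1 -Type DWord
    Set-ItemProperty -Path $UacKey -Name PromptOnSecureDesktop -Value 1 -Type DWord
    Get-UacAdminPrompt
}

Get-UacAdminPrompt | Format-List
```

Note that `EnableLUA` must be 1 for any of this to matter; with UAC switched off entirely, the prompt behaviour value is ignored.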

harden/restore instead of enable/disable?

I have some of the settings applied manually already. If I were to try out the program and (for whatever reason) didn't like what I just did, and disabled the changes, I would fall back to a worse state than I started. Mainly because most settings are reset to (I guess?) factory defaults.

I'd like to propose a long-term change where the program keeps track of the previous state when overwriting it. So that I can roll back to that instead of completely disabling to factory default.

This would also make tinkering with it easier once #17 is a thing.

Granular hardening

I think hardentools would be more useful if there were some settings there (might be hidden behind a 'settings' button or something like that if you want to preserve its easy to use nature) to allow e.g. disabling VBscript but not cmd/powershell. I get that power users and sysadmins are not the primary target of this because they generally know how to modify the registry but this could be a good way to automate it.

block Internet access for some applications

I recommend that hardentools block internet access for some Windows tools which can be abused to download malicious code

example:
netsh advfirewall firewall add rule name="Block certutil.exe netconns" program="%systemroot%\system32\certutil.exe" protocol=tcp dir=out enable=yes action=block profile=any
source
windows_hardening.cmd on github
https://gist.github.com/ricardojba/ecdfe30dadbdab6c514a530bc5d51ef6

CertUtil.exe Could Allow Attackers To Download Malware While Bypassing AV
https://www.bleepingcomputer.com/news/security/certutilexe-could-allow-attackers-to-download-malware-while-bypassing-av/

Make Office startup location read-only

The use of office startup folders as persistence mechanism is quite popular currently.
The malware just puts a DLL file with the file extension .wll into %appdata%\Roaming\Microsoft\Word\Startup\ and with the next start of word the DLL gets loaded by word.

This could be blocked by explicitly denying file writes for the 'power user'. (icacls .. )
I do not expect a lot of collateral damage since this feature is rarely used IMHO.

more info:
https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/
https://attack.mitre.org/wiki/Technique/T1137
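An added example of the icacls approach described above (not Hardentools code, not the issue author's): it lists add-ins already present in the per-user startup folder, reports whether a write-deny ACE exists, and adds or removes one for the current user. It goes one step beyond the issue by also covering Excel's `XLSTART` folder, which Excel loads in the same way. Paths follow `%APPDATA%`; the function names are this example's own.

```powershell
# Added example, not Hardentools code. Inventories the per-user Word and Excel
# startup folders and manages a write-deny ACE on them with icacls, as proposed
# in the issue. No admin rights needed: the folders belong to the current user.

$StartupFolders = @(
    (Join-Path $env:APPDATA 'Microsoft\Word\STARTUP'),
    (Join-Path $env:APPDATA 'Microsoft\Excel\XLSTART')
)

function Get-OfficeStartupAddIns {
    # Anything here is loaded on every Office start: .wll/.xll are native DLL
    # add-ins, .dotm/.dot/.xlam/.xla are macro-enabled templates.
    foreach ($dir in $StartupFolders) {
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem -Path $dir -File -Recurse -Include *.wll, *.dotm, *.dot, *.xll, *.xlam, *.xla |
            Select-Object FullName, Length, LastWriteTime
    }
}

function Get-StartupWriteDeny {
    foreach ($dir in $StartupFolders) {
        if (-not (Test-Path $dir)) { continue }
        $deny = (Get-Acl -Path $dir).Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and $_.FileSystemRights -match 'Write'
        }
        [pscustomobject]@{
            Folder      = $dir
            WriteDenied = [bool]$deny
            Trustees    = ($deny.IdentityReference -join ', ')
        }
    }
}

function Set-StartupWriteDeny {
    param([switch]$Remove)
    $user = "$env:USERDOMAIN\$env:USERNAME"
    foreach ($dir in $StartupFolders) {
        New-Item -ItemType Directory -Path $dir -Force | Out-Null
        if ($Remove) {
            & icacls.exe $dir /remove:d $user | Out-Null
        } else {
            # (OI)(CI) = inherit to files and subfolders, W = write
            & icacls.exe $dir /deny "${user}:(OI)(CI)W" | Out-Null
        }
    }
    Get-StartupWriteDeny
}

Get-OfficeStartupAddIns
Get-StartupWriteDeny
```

The limitation is the same one the issue hints at with "power user": the current user owns these folders, so any process running as that user can remove the deny ACE again (`Set-StartupWriteDeny -Remove` does exactly that). The ACE stops the lazy drop-a-.wll case and makes the persistence attempt visible in an ACL audit, but it is not a security boundary. `Get-OfficeStartupAddIns` is the check worth running on its own: an unexpected `.wll` in `STARTUP` is the indicator for this technique.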

Disable SMB?

In the light of WannaCry, I've been wondering if it would make sense to add an option to disable SMBv1.
Thoughts?
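An added example (not Hardentools code, not the issue author's) of what such an option would have to touch: SMBv1 exists as an optional Windows feature, as a server-side switch, and as the `mrxsmb10` client driver, and all three are worth checking. The cmdlets and the `sc.exe` sequence for the client driver are the ones Microsoft documents for disabling SMBv1; both functions need an elevated prompt, and the function names are this example's own.

```powershell
# Added example, not Hardentools code: report and disable SMBv1 on Windows 10/11.
# Run from an elevated PowerShell; Disable-Smb1 takes effect fully after a reboot.

function Get-Smb1State {
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $server  = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    # mrxsmb10 is the SMBv1 client driver; Start=4 means disabled.
    $client  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' -Name Start -ErrorAction SilentlyContinue
    $featureState = if ($feature) { [string]$feature.State } else { '(not present)' }
    $clientStart  = if ($client)  { $client.Start }          else { '(not present)' }
    [pscustomobject]@{
        OptionalFeature   = $featureState
        ServerSmb1        = $server.EnableSMB1Protocol
        ClientDriverStart = $clientStart
        Hardened          = ($featureState -ne 'Enabled' -and -not $server.EnableSMB1Protocol)
    }
}

function Disable-Smb1 {
    # Server side: stop accepting SMBv1 connections.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Client side: drop mrxsmb10 from the workstation service's dependencies,
    # then disable the driver (Microsoft's documented sequence).
    & sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    & sc.exe config mrxsmb10 start= disabled | Out-Null
    # Finally remove the optional feature so the binaries are not loaded at all.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    Get-Smb1State
}

Get-Smb1State
```

On current Windows 10/11 installs `OptionalFeature` is usually already `Disabled` or `(not present)`; the value to watch on older or upgraded systems is `ServerSmb1`, because the server side is what WannaCry-style worms reach.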

Making upgrades more reliable

I am wondering if it would be good to establish a process for people willing to run newer versions of the tool. At the moment, because of the way we developed, a user would be required to use the original version of the tool that was used to make the modifications to the system, revert those changes, download the new version and reapply the changes.

If the user deleted the copy of the original version of Hardentools, then they would need to figure out which had they actually used and download that. This seems quite impractical.

It would be good to identify a way that would allow us to keep a record on the system on the changes that have been and now to restore them. That could be just as simple .reg file stored in a persistent directory, to be invoked right before the execution of a new version of Hardentools.

Thoughts?
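Both this issue and the earlier "harden/restore instead of enable/disable?" one ask for the same thing: a record of the pre-hardening state that a later version can restore. The script below is an added example (not Hardentools code, not either issue author's) of the "simple .reg file in a persistent directory" idea, with one detail that matters: `reg.exe export` writes nothing for a key that does not exist yet, so the manifest records that absence and a restore then deletes the key instead of importing a file. The backup location and function names are this example's own.

```powershell
# Added example, not Hardentools code: snapshot registry keys to .reg files plus a
# JSON manifest before hardening, and restore from that manifest later, including
# keys that did not exist before and must therefore be deleted, not imported.

function Backup-RegistryKeys {
    param(
        [Parameter(Mandatory)][string[]]$Keys,
        [string]$Destination = (Join-Path $env:LOCALAPPDATA 'Hardentools\backup')
    )
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $manifest = foreach ($k in $Keys) {
        $file = Join-Path $Destination ("$stamp-" + ($k -replace '[\\:\s]', '_') + '.reg')
        & reg.exe export $k $file /y *> $null
        # reg.exe exits non-zero and writes no file when the key does not exist yet.
        [pscustomobject]@{ Key = $k; File = $file; ExistedBefore = (Test-Path $file) }
    }
    $manifestPath = Join-Path $Destination "$stamp-manifest.json"
    $manifest | ConvertTo-Json | Set-Content -Path $manifestPath -Encoding UTF8
    $manifestPath
}

function Restore-RegistryKeys {
    param([Parameter(Mandatory)][string]$ManifestPath)
    foreach ($entry in (Get-Content -Path $ManifestPath -Raw | ConvertFrom-Json)) {
        if ($entry.ExistedBefore) {
            & reg.exe import $entry.File *> $null
        } else {
            & reg.exe delete $entry.Key /f *> $null
        }
        [pscustomobject]@{ Key = $entry.Key; Restored = ($LASTEXITCODE -eq 0) }
    }
}

# Usage: snapshot the per-user keys that the WSH and Word DDE issues touch, then
# Restore-RegistryKeys -ManifestPath $manifest brings them back to this state.
$manifest = Backup-RegistryKeys -Keys @(
    'HKCU\Software\Microsoft\Windows Script Host\Settings',
    'HKCU\Software\Microsoft\Office\16.0\Word\Security'
)
$manifest
```

One limitation to document if this is adopted: importing a .reg file restores the values it contains but does not remove values added to the key after the snapshot, so a restore of a key that existed before is "at least the old state", not "exactly the old state". Keys under HKLM need an elevated prompt for both export and import.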

Firewall policies

Are there firewall policies that can help against common threats without breaking thing. E.g. Velocet suggested:
"The Explorer leaks NTLM hashes (not in every case) and your IP (every case) via simply display a folder that does contain a specially crafted "desktop.ini": Create a new firewall rule that prevents the explorer.exe from accessing the internet..."

Another idea:
I assume setting the default rule for outgoing connections to "not allow" will break lots of things (via "netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound")?

Any experience out there?
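An added example (not Hardentools code, not either issue author's) that covers the two per-program rules suggested in the issues (`certutil.exe` from the "block Internet access for some applications" issue and `explorer.exe` from this one) and shows how to read, rather than change, the default outbound policy the question above is about. It uses the built-in `NetSecurity` cmdlets instead of `netsh`; rule display names and function names are this example's own, and it needs an elevated prompt.

```powershell
# Added example, not Hardentools code: per-program outbound block rules and a
# read-out of the per-profile default actions. Run from an elevated PowerShell.

function Get-OutboundDefaultPolicy {
    # DefaultOutboundAction = Block is what the netsh line in the issue would set.
    Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
}

function Add-OutboundBlockRule {
    param(
        [Parameter(Mandatory)][string]$Program,
        [string]$DisplayName = "Hardening: block outbound $(Split-Path $Program -Leaf)"
    )
    # Idempotent: reuse an existing rule with the same display name.
    $existing = Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue
    if ($existing) { return $existing }
    New-NetFirewallRule -DisplayName $DisplayName -Direction Outbound -Action Block `
        -Program $Program -Profile Any -Enabled True
}

# The two programs named in the issues. certutil.exe lives in System32;
# explorer.exe lives directly in the Windows directory.
$targets = @(
    (Join-Path $env:SystemRoot 'System32\certutil.exe'),
    (Join-Path $env:SystemRoot 'explorer.exe')
)
$rules = foreach ($exe in $targets) { Add-OutboundBlockRule -Program $exe }

$rules | Select-Object DisplayName, Direction, Action, Enabled
Get-OutboundDefaultPolicy
```

Two things worth knowing before relying on this. A per-program rule only covers sockets that process opens itself: the SMB and WebDAV traffic behind the desktop.ini NTLM leak is sent by the kernel redirector and system services, not by explorer.exe, so the explorer rule narrows the exposure (HTTP connections made by Explorer) but does not close that path. And switching `DefaultOutboundAction` to `Block` does break most things unless explicit allow rules exist for browsers, Windows Update and the rest, which is why the example reads that setting instead of changing it.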

Optional ON-OFF

Disables powershell.exe, powershell_ise.exe and cmd.exe execution via Windows Explorer. You will not be able to use the terminal and it should prevent the use of PowerShell by malicious code trying to infect the system.


I need CMD, how do I turn it on? It would be better if the user could choose what is on and off.
