SysHardener: Harden Windows Settings

We have released SysHardener v2.5.0:
https://www.syshardener.com/download/

Here is the changelog:

You can install it "over-the-top" of the installed version, reboot is not needed.

 

Thanks for the update, Andreas.

 

According to a blog post on the OSArmor website "not just OneNote, also Microsoft Publisher Maldocs can deliver malware".
Source: https://blog.osarmor.com/327/not-ju...soft-publisher-documents-can-deliver-malware/
It would therefore be a good idea if it were possible to unassociate .ONE and .PUB file extensions in SysHardener. I would also like to be able to unassociate old MS Office file extensions such as .DOC and .XLS, which also frequently deliver malware.

As for the "Vulnerable Software Tweaks", could you add the Acrobat Reader options for PDF XChange Editor?

 

Do you need SysHardener if you have OSA? Do you need OSA if you have SysHardener?

 

Yes, I have read this post:

#4

 

I am thinking SysHardener will not show a window indicating something has been blocked. Correct?

 

@Rainwalker

Yes correct, it doesn't show alerts when something is blocked or similar.

It "only" applies the selected policies to the system (they should be re-applied after a major Windows OS upgrade and on new user accounts).

If needed, you can restore one policy by right-click over it and select "Restore This" or select (check) only the policies you want to restore and click the "Restore Selected" button - they will be restore to the original (factory-default) values.

From our tests and user feedbacks, with the "Home User" profile it should create no issues at all.

A few possible suggestions:

1) If you have devices that connect to your computer you may want to uncheck "Block Inbound Connections" (from v2.5 it is unchecked by default)

2) If you use Microsoft Office with a Microsoft account to sync data to/from the cloud you may want to uncheck the options to block outbound connections for Word, Excel and PowerPoint (winword.exe, excel.exe, powerpnt.exe)

3) If you have applications that use the Windows Geolocation service you may want to uncheck "Disable Geolocation Service"

4) If you frequently work with .ISO files (rare) you may want to uncheck "Unassociate .ISO File Extension" or you can use 7-zip to extract/manage .ISO files

5) If you frequently use .CPL commands (e.g to open the "Modify Date/Time) you may want to uncheck "Unassociate .CPL File Extension"

6) If you frequently use .BAT scripts you may want to uncheck "Unassociate .BAT File Extension" and maybe "Unassociate .CMD File Extension"

7) If you frequently use .REG scripts (rare) you may want to uncheck "Unassociate .REG File Extension"

8] If you have applications that use PowerShell to download files (very rare) you may want to uncheck "Block Outbound Connections for Powershell.exe" (but I would not recommend this)

9) Other users reported annoyances with these two options, so in case you can uncheck or restore them (they are unchecked by default):
"Disable Autoplay for Any Drive"
"Show Hidden and System Files"

If for example, in one occasion you need to run a .REG script you can open SysHardener -> right-click on "Unassociate .REG File Extension" -> click on "Restore This", then run the .REG script, and then go back to SysHardener and click over the same policy as before and click on "Apply This" to re-apply the policy, that's all.

So apart from these above suggestions to be taken into consideration, there should be really no issues and the improved security that SysHardener policies can provide is huge.

 

Thank you for your answer and time. I have a couple of your products. Very happy with them.

 

Feature request: In the Uninstall section, 'Uninstall Outlook for Windows'.

 

We have released SysHardener v2.6.0:
https://www.syshardener.com/download/

Here is the changelog:

You can install it "over-the-top" of the installed version, reboot is not needed.

@Krusty

Added

 

Thanks for the new version. Maybe v2.7 will make it possible to unassociate .ONE and .PUB file extensions as well as old MS Office file extensions such as .DOC and .XLS, which frequently deliver malware. Well, Andreas, la speranza è l'ultima a morire. Anyway, I'm glad SH is still frequently updated.

 

@Buddel

Sure will take a look at that in the next days.

Will need to test with different MS Office versions to make sure there are no issues/differences and can be restored correctly in case.

 

Thank you very much.

 

Nice update, Andreas.

 

Just a quick update:

We have released SysHardener v2.7.0:
https://www.syshardener.com/download/

Here is the changelog:

You can install it "over-the-top" of the installed version, reboot is not needed.

 

Got it. Thank you.

Later edit: Could you also add "Vulnerable Software Tweaks" for PDF XChange Editor?

 

Apart from the "Vulnerable Software Tweaks" for PDF-XChange Editor and the unassociation of certain Office file types mentioned above, it may also be worth adding some more "Windows Privacy Tweaks". Maybe O&O ShutUp10++ can be used as a source of inspiration.

 

If it is too much of a hassle to unassociate Office file types, it may be better to forget my suggestion about unassociating such files types. However, adding tweaks for PDF-XChange Editor and perhaps some more privacy-related tweaks to SH would definitely be welcome here.

 

@Buddel

Will check PDF XChange for possible optimizations to see if I can add them to SysHardener.

Will update here on the next week approximately.

 

This is good news. Thank you so much.

 

We have released SysHardener v2.8.0:
https://www.syshardener.com/download/

Here is the changelog:

You can install it "over-the-top" of the installed version, reboot is not needed.

Some information:

This option was added because IE is deprecated but can still be abused by malware in some W10 builds:
Block Outbound Connections for Iexplore.exe

If you use a third-party browser like Firefox or Chrome, we added this option that can be useful for some:
Block Outbound Connections for Msedge.exe

This option is applied to all Firefox profiles (make sure to first close Firefox):
Mozilla Firefox - Disable JavaScript on PDF Reader

We've added options to block outbound connections of some Windows Apps like WindowsCamera.exe, Microsoft.Photos.exe, etc.

Most of these new options are disabled in both Home and Business profiles.

 

Thanks a lot for the new version.

Quick question:
+ Added PDF-XChange - Disable Opening of Attachments
+ Added PDF-XChange - Disable Opening of Files
Am I right in thinking that I should disable these rules if I want PDF-XChange to be able to open pdf files, either as a PDF on my desktop or as an attachment in an email?

 

@Buddel

That 2 options are unchecked by default (only the option to disable Javascript is enabled by default in both profiles).

According to the program docs, I think they are related to PDF files that will not be allowed to open files or attachments/embedded files.

So the program should still be able to open PDF files on your desktop or as attachments in an email.

Please confirm in case (they can be easily restored to default values with right-click on the option -> "Restore This" and then just close and re-open PDF XChange).

 

OK, I will give it a try. Thanks.

 

I guess maybe they can be renamed to like:

"PDF-XChange - Disable Opening of Attachments from PDF"
"PDF-XChange - Disable Opening of Files from PDF"