https://github.com/securitywithoutborders/hardentools

"Here is the list of features that Hardentools disables when you press that button: Disables Windows Scripting Host. Disables AutoRun and AutoPlay. Disables powershell.exe, powershell_ise.exe, and cmd.exe execution via Windows Explorer. Disables Microsoft Office Macros. Disables Microsoft Office OLE object execution. Disables Microsoft Office ActiveX. Disables JavaScript in PDF documents in Acrobat Reader. Disables the execution of objects embedded in PDF documents."

https://www.ghacks.net/2017/02/24/hardentools-make-windows-more-secure-by-disabling-features/

They said that the author is Claudio Guarnieri (Cuckoo Sandbox): https://www.security.nl/posting/505...ws?channel=rss (Thu, 23 Feb 2017 14:17:00 0100)
I wonder how it disables cmd.exe. If it is via DisableCMD, good luck installing Windows Updates and other stuff; that basically cripples Windows.
Not via DisableCMD, but via "DisallowRun".

Code:
Windows Registry Editor Version 5.00

; Disables PowerShell and cmd.exe (launches via Windows Explorer)
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"DisallowRun"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"1"="powershell_ise.exe"
"2"="powershell.exe"
"3"="cmd.exe"
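An added read-only audit script (not from Hardentools or from anyone in this thread) that reports whether the DisallowRun policy described above is active for the current user and which image names it lists; the key paths are the ones from the post, the function name is my own.

```powershell
# Audits the per-user Explorer "DisallowRun" policy. Read-only: it changes nothing.
# Caveat (as the Hardentools README itself says): this policy only affects launches
# made through Windows Explorer, so it is a speed bump, not an execution control.

$policyKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$listKey   = Join-Path $policyKey 'DisallowRun'

function Get-DisallowRunPolicy {
    $enabled = $false
    if (Test-Path $policyKey) {
        $v = Get-ItemProperty -Path $policyKey -Name 'DisallowRun' -ErrorAction SilentlyContinue
        if ($null -ne $v) { $enabled = ($v.DisallowRun -eq 1) }
    }

    $blocked = @()
    if (Test-Path $listKey) {
        $item = Get-Item -Path $listKey
        foreach ($name in $item.GetValueNames()) {
            # Entries are numbered string values ("1", "2", ...) whose data is an image name.
            $blocked += [pscustomobject]@{ Index = $name; Executable = $item.GetValue($name) }
        }
    }

    [pscustomobject]@{ Enabled = $enabled; Blocked = $blocked }
}

$result = Get-DisallowRunPolicy
if ($result.Enabled) { 'DisallowRun policy: ENABLED (Explorer-launched processes only)' }
else                 { 'DisallowRun policy: not enabled' }
$result.Blocked | Sort-Object Index | Format-Table -AutoSize

# Check specifically for the three binaries Hardentools adds, per the post above.
foreach ($exe in 'powershell_ise.exe', 'powershell.exe', 'cmd.exe') {
    $hit = $result.Blocked | Where-Object { $_.Executable -ieq $exe }
    '{0,-20} {1}' -f $exe, $(if ($hit) { 'blocked from Explorer' } else { 'NOT listed' })
}
```

Note that a value of 1 in the parent key with an empty DisallowRun subkey blocks nothing, so both halves must be present for the policy to have any effect.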
It is a threshold to reduce shoot-in-the-foot errors. Together with disabling JavaScript, macros, ActiveX and OLE-object execution, it should stop most ransomware delivered through poisoned documents. In combination with CryptoPrevent-like measures, such as a partial SRP that denies execution of double file extensions, it is not watertight, but it reduces an open door to the size of a letterbox. Pity he did not add an ACL deny-execute for Everyone in, for example, the download directory. All are examples of partial solutions that do not add up to 100% protection, but still a lot better than without these hardening tweaks.
This is really quite interesting. At the very least, it makes it easy to enable/disable in a simple way compared to modifying each of these manually by registry, etc. Something to keep an eye on, for sure.