Package github.com/securitywithoutborders/hardentools
Version: 0.0.0-20240401184259-6a2731eaae67
Repository: https://github.com/securitywithoutborders/hardentools.git
Documentation: pkg.go.dev

# README

Hardentools

Hardentools is designed to disable a number of "features" exposed by Microsoft Windows 10 and 11 and by some widely used applications (Microsoft Office, LibreOffice and Adobe PDF Reader, for now). These features, commonly intended for enterprise customers, are generally useless to regular users and instead pose a danger, as they are very commonly abused by attackers to execute malicious code on a victim's computer. The intent of this tool is simply to reduce the attack surface by disabling the low-hanging fruit. Hardentools is intended for individuals at risk who might want an extra level of security at the price of some usability. It is not intended for corporate environments.

WARNING: This tool disables a number of features of Windows, Microsoft Office and Adobe Reader, which might cause malfunctions in certain applications. You can find a complete list of changes here. Use it at your own risk.

Bear in mind that after running Hardentools you won't be able, for example, to do complex calculations with Microsoft Excel or to use the command-line terminal (cmd.exe), but those are pretty much the only considerable "downsides" of having a slightly safer Windows environment. Before deciding to use it, make sure you read this document thoroughly and understand that yes, something might break. If you experience malfunctions as a result of the modifications made by this tool, please let us know.

When you're ready, you can find the latest download here.

What Hardentools IS NOT

  • Hardentools is NOT an Antivirus. It does not protect your computer. It doesn't identify, block, or remove any malware.
  • It does NOT prevent software from being exploited.
  • It does NOT prevent the abuse of every available risky feature.
  • It does NOT prevent the changes it implements from being reverted. If malicious code runs on the system and it is able to restore them, the premise of the tool is defeated.

How to use it

When you double-click 'hardentools.exe', depending on your Windows privileges you are asked whether you want to run Hardentools with administrative privileges. If you select "No", only a subset of the hardening measures is available, but you can still use Hardentools from a restricted account to harden your own user profile. If you select "Yes", depending on your Windows security settings you should be prompted with a User Account Control (UAC) dialog asking you to allow Hardentools to run. Click "Yes".

AdminPrivilegesDialogScreenshot

Then, you will see the main Hardentools window. It's very simple, you just click on the "Harden" button, and the tool will make the changes to your Windows configuration to disable a set of features that are risky. Once completed, you will be asked to restart your computer for all the changes to have full effect.

You can get technical information about the configuration changes Hardentools will make by clicking the help button:

MainWindowScreenshot

Note: You can select the expert settings checkbox to select or deselect specific hardening measures. Please only use this if you know what you are doing.

MainWindowExpertScreenshot

If you wish to restore the original settings and revert the changes Hardentools made (for example, if you need to use cmd.exe), simply re-run the tool: instead of a "Harden" button you will see a "Harden again (all default settings)" button and a "Restore..." button. Selecting "Restore" reverts the modifications. "Harden again" first restores the original settings and then hardens again using the default settings. This comes in handy when you have started a newer version of Hardentools and want to make sure the most current measures are applied to your user.

MainWindowsHardenedScreenshot

Please note: the modifications made by Hardentools apply only to the Windows user account the tool was run from. If you want Hardentools to change settings for other Windows users as well, you have to log in as each of them and run it again.

Known Issues

Hardentools not working in a Virtual Machine, when used remotely (e.g. via RDP) or without OpenGL graphics drivers

Hardentools might not start on a Virtual Machine, when used remotely (e.g. via RDP), or on a machine with only very basic graphics drivers (no OpenGL 2.0). If started from the command line, an error similar to the following appears in these cases:

2020/09/06 02:24:47 Fyne error:  window creation error
2020/09/06 02:24:47   Cause: APIUnavailable: WGL: The driver does not appear to support OpenGL
2020/09/06 02:24:47   At: /home/travis/gopath/pkg/mod/fyne.io/[email protected]/internal/driver/glfw/window.go:1133

This is due to a bug in the UI framework used (https://github.com/fyne-io/fyne/issues/410). Check whether your VM supports an OpenGL 2.0 graphics driver and install one to get it working. Alternatively, use the command-line version (hardentools-cli.exe) to harden the system with the default settings:

.\hardentools-cli.exe -harden

and restore with:

.\hardentools-cli.exe -restore

Error "Windows ASR rules failed with error"

Windows ASR rules hardening might fail if Microsoft Defender Antivirus is not enabled, for example because you use a third-party antivirus solution (ASR rules are enforced by Defender, so they cannot be set while another product is the active antivirus). In that case either uninstall the third-party solution and activate Windows Defender, or disable the "Windows ASR rules" item in the Hardentools expert settings dialog.

Credits

This tool is developed by Claudio Guarnieri, Mariano Graziano and Florian Probst. A full list of contributors can be found here.

Hammer icon by Travis Avery from the Noun Project.

# Functions

AddMPPreference sets an ASR rule using Add-MpPreference.
SaferDLLLoading sets DLL load path to be safer.
ShowFailure sets GUI status of name field to failureText.
ShowIsHardened sets GUI result for name to is hardened.
ShowNotHardened sets GUI result for name to not hardened.
ShowSuccess sets GUI status of name field to success.

# Variables

AdobePDFEnhancedSecurity switches on Enhanced Security setting under "Security (Enhanced)".
AdobePDFJS hardens Acrobat JavaScript.
AdobePDFObjects hardens Adobe Reader Embedded Objects.
AdobePDFProtectedMode switches on the Protected Mode setting under "Security (Enhanced)" (enabled by default in current versions).
AdobePDFProtectedView switches on Protected View for all files from untrusted sources.
Autorun is a Multi Value Registry struct for autorun registry keys.
Cmd is the struct for hardentools interface that combines registry keys and CmdDisallowRunMembers.
FileAssociations contains all extensions to be removed.
IconBase64 is the base 64 encoded hardentools window.
set this logger to get standard logging output.
LibreOfficeBlockUntrustedRefererLinks sets BlockUntrustedRefererLinks: defines whether linked images from external sources may be retrieved.
LibreOfficeDisableUpdateLink (Calc & Writer) defines whether values from linked documents should be loaded automatically when the file is opened.
LibreOfficeHyperlinksWithCtrlClick sets HyperlinksWithCtrlClick: if this option is enabled, one mouse click is not enough to follow a hyperlink.
LibreOfficeMacroSecurityLevel sets MacroSecurityLevel and SecureURL for handling macros.
LibreOfficeUpdateCheck sets two settings to enforce checking for updates and the corresponding notifications to users; AutoCheckEnabled specifies whether to automatically check for available updates.
LSA contains the registry keys to be hardened.
OfficeActiveX contains ActiveX registry keys.
OfficeDDE contains the registry keys for DDE hardening; see also https://docs.microsoft.com/en-us/security-updates/securityadvisories/2017/4053440.
OfficeMacros contains Macro registry keys.
OfficeOLE hardens Office Packager Objects.
OneNoteBlockExtensions blocks certain types of files in OneNote client.
PowerShell is the struct for hardentools interface that combines registry keys and PowerShellDisallowRunMembers.
PUA contains the registry keys to be hardened.
ShowFileExt contains the Unhide Explorer File Extensions registry keys.
set this logger to get trace level verbosity logging output.
UAC is a Multi Value Registry struct for UAC registry keys.
WindowsASR contains Names for Windows ASR implementation of hardenInterface.
WSH contains registry keys for Windows Script Host Settings.

# Structs

AdobeRegistryRegExSingleDWORD is the data type for a RegEx Path and Single Value DWORD combination.
CmdDisallowRunMembers is the struct for the HardenInterface implementation.
ExplorerAssociations is the struct for HardenInterface implementation.
Extension is a helper struct.
HardentoolsWindowIconStruct is a struct that implements the fyne Resource interface.
MultiHardenInterfaces is a type for an array of HardenInterfaces.
OfficeRegistryRegExSingleDWORD is the data type for a RegEx Path / Single Value DWORD combination.
PowerShellDisallowRunMembers is the struct for the HardenInterface implementation.
RegistryMultiValue is a data type for multiple SingleValueDWORDs; use it when a single hardening measure needs several RegistrySingleValueDWORD values to be modified.
RegistrySingleValueDWORD is a data type for a single registry DWORD value that suffices for hardening a distinct setting or as part of a RegistryMultiValue.
RegistrySingleValueSZ is a data type for a single registry string (SZ) value that suffices for hardening a distinct setting or as part of a RegistryMultiValue.
WindowsASRStruct is the struct for HardenInterface implementation.

# Interfaces

HardenInterface is the general interface which should be used for every harden subject.
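The Restore / "Harden again" cycle described in the README above and the HardenInterface, RegistrySingleValueDWORD and MultiHardenInterfaces entries listed here share one pattern: every measure must be able to apply itself, report whether it is applied, and undo itself exactly. The Go program below is an added example written for this page, not code from the Hardentools project. It models that pattern with a constructed in-memory registry (MemRegistry), a reduced Hardener interface whose method set is this example's own and not assumed to match the project's HardenInterface, a hypothetical backup key under HKCU, and illustrative hardened values for the WSH Enabled and UAC ConsentPromptBehaviorAdmin settings. It goes beyond the page in one respect: it also handles a value that did not exist before hardening, which a naive "save the old value" approach cannot restore correctly.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// MemRegistry is a constructed in-memory stand-in for the Windows registry so the
// harden/restore logic runs on any platform; Hardentools itself writes to the real registry.
type MemRegistry struct{ Values map[string]uint32 }

func NewMemRegistry() *MemRegistry { return &MemRegistry{Values: map[string]uint32{}} }
func regKey(hive, path, name string) string { return hive + `\` + path + `\` + name }
func (m *MemRegistry) GetDWORD(hive, path, name string) (uint32, bool) {
	v, ok := m.Values[regKey(hive, path, name)]
	return v, ok
}
func (m *MemRegistry) SetDWORD(hive, path, name string, v uint32) { m.Values[regKey(hive, path, name)] = v }
func (m *MemRegistry) DeleteValue(hive, path, name string)       { delete(m.Values, regKey(hive, path, name)) }

// Hardener is this example's reduced harden/restore contract; the exact method set of
// the project's HardenInterface is not assumed here.
type Hardener interface {
	Name() string
	Harden(harden bool) error // true applies the measure, false restores the original
	IsHardened() bool
}

var ErrNotHardened = errors.New("not hardened, nothing to restore")

// Hypothetical per-user location for saved originals (not the project's real key).
const backupHive, backupPath = "HKCU", `SOFTWARE\HardentoolsExample\Backup`

// RegistryDWORD hardens one DWORD value and can undo that change exactly.
type RegistryDWORD struct {
	Reg       *MemRegistry
	Hive      string // "HKCU" for per-user keys, "HKLM" for machine-wide keys
	Path      string
	ValueName string
	Hardened  uint32 // value written when hardening (illustrative, not the tool's choice)
}

func (r *RegistryDWORD) Name() string { return r.Hive + `\` + r.Path + `\` + r.ValueName }

// The backup name carries the whole path so measures sharing a value name cannot collide.
func (r *RegistryDWORD) backupName() string { return strings.ReplaceAll(r.Name(), `\`, "_") }

func (r *RegistryDWORD) IsHardened() bool {
	v, ok := r.Reg.GetDWORD(r.Hive, r.Path, r.ValueName)
	return ok && v == r.Hardened
}

// Harden(true) records the original state (the value, or the fact that it was absent) before
// writing the hardened value; an existing backup is never overwritten, so hardening twice still
// restores the true original. Harden(false) puts the original back (deleting the value if it
// never existed) and drops the backup.
func (r *RegistryDWORD) Harden(harden bool) error {
	b, absent := r.backupName(), r.backupName()+"_absent"
	_, haveValue := r.Reg.GetDWORD(backupHive, backupPath, b)
	_, haveAbsent := r.Reg.GetDWORD(backupHive, backupPath, absent)
	switch {
	case harden:
		if orig, ok := r.Reg.GetDWORD(r.Hive, r.Path, r.ValueName); !haveValue && !haveAbsent && ok {
			r.Reg.SetDWORD(backupHive, backupPath, b, orig) // first run: save the original value
		} else if !haveValue && !haveAbsent {
			r.Reg.SetDWORD(backupHive, backupPath, absent, 1) // first run: record that it was absent
		}
		r.Reg.SetDWORD(r.Hive, r.Path, r.ValueName, r.Hardened)
	case haveValue:
		orig, _ := r.Reg.GetDWORD(backupHive, backupPath, b)
		r.Reg.SetDWORD(r.Hive, r.Path, r.ValueName, orig)
		r.Reg.DeleteValue(backupHive, backupPath, b)
	case haveAbsent:
		r.Reg.DeleteValue(r.Hive, r.Path, r.ValueName)
		r.Reg.DeleteValue(backupHive, backupPath, absent)
	default:
		return ErrNotHardened
	}
	return nil
}

// HardenAgain is the "Harden again" button: restore every measure that has a backup, then
// apply the current set, so newly added measures take effect and no backup is ever taken
// of an already-hardened state.
func HardenAgain(measures []Hardener) error {
	for _, m := range measures {
		if err := m.Harden(false); err != nil && !errors.Is(err, ErrNotHardened) {
			return fmt.Errorf("restore %s: %w", m.Name(), err)
		}
	}
	for _, m := range measures {
		if err := m.Harden(true); err != nil {
			return fmt.Errorf("harden %s: %w", m.Name(), err)
		}
	}
	return nil
}

func main() {
	reg := NewMemRegistry()
	wshPath := `SOFTWARE\Microsoft\Windows Script Host\Settings`
	reg.SetDWORD("HKCU", wshPath, "Enabled", 1) // constructed start state: WSH explicitly enabled
	wsh := &RegistryDWORD{Reg: reg, Hive: "HKCU", Path: wshPath, ValueName: "Enabled", Hardened: 0}
	uac := &RegistryDWORD{Reg: reg, Hive: "HKLM", Path: `SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`,
		ValueName: "ConsentPromptBehaviorAdmin", Hardened: 2} // constructed start state: value absent
	fmt.Println("harden again:", HardenAgain([]Hardener{wsh, uac}), wsh.IsHardened(), uac.IsHardened())
	fmt.Println("restore:", wsh.Harden(false), uac.Harden(false), reg.Values) // only WSH Enabled=1 remains
}
```

Run it with go run; after HardenAgain both measures report hardened, and restoring both leaves only the constructed WSH value in the store because the UAC value is deleted rather than set to some default. To use the pattern against a real system, replace MemRegistry with the Windows registry API; the backup must live in a per-user location, which matches the README's note that a restore has to be run from the same account that hardened.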