Harden Windows Safely, Securely using Official Supported Microsoft methods and proper explanation | Always up-to-date and works with the latest build of Windows | Provides tools and Guides for Personal, Enterprise, Government and Military security levels | Read The Rationale https://github.com/HotCakeX/Harden-Windows-Security/blob/main/Rationale.md
## New Process Mitigations / Exploit Protections

Following empirical and logical evaluations, mitigations for Rundll32.exe and several Protected Process Light (PPL) processes have been implemented. These are Defense in Depth measures that augment the security of the PPL processes, which already require Administrator privileges plus a zero-day vulnerability to be compromised.

These mitigations are auditable and generate an event log entry when they prevent an intrusion. You can conveniently view the logs by running the Miscellaneous category in the Harden Windows Security module, which creates custom views in the Event Viewer. One of the custom views is Exploit Protection Events, which contains the logs for the exploit protection measures.
- `rundll32.exe`: Prevent loading of DLLs from network locations such as SMB, WebDAV, etc.
- `rundll32.exe`: Prevent loading of untrusted files, typically files that were downloaded from the Internet by a sandboxed browser. Some malware uses `rundll32.exe` to load a malicious file that was just downloaded from the Internet.
- `SMSS.exe` (Session Manager Subsystem): Prevent loading of DLLs from network locations such as SMB, WebDAV, etc.
- `Wininit.exe` (Windows Initialization, the process responsible for starting and terminating system services and processes during startup and shutdown): Prevent loading of DLLs from network locations such as SMB, WebDAV, etc.
- `NisSrv.exe` (Network Inspection Service, a component of Microsoft Defender): Prevent loading non-Microsoft-signed code into the process.
> [!NOTE]\
> `MsMpEng.exe` (Microsoft Malware Protection Engine, a component of Microsoft Defender) can also have the mitigation that prevents loading non-Microsoft-signed code into the process, but because of tamper protection it cannot be configured programmatically, not even with SYSTEM privileges. The user needs to add that mitigation manually through the Windows Security GUI.

> [!NOTE]\
> Other PPLs already enforce Microsoft-signed code (Signature Code Integrity) by default, which is why the mitigation was not added to them.

> [!NOTE]\
> `rundll32.exe` cannot have Microsoft-signed code enforced on it because third-party software such as Nvidia ShadowPlay (part of the GeForce Experience program) injects non-Microsoft-signed code into that process.

> [!NOTE]\
> A previous release note mentioned an unsigned file that was causing problems with a policy that adds mitigations for `Svchost.exe`. That issue has been resolved, as Microsoft has digitally signed the file.
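The following PowerShell is an added example, not code from the Harden Windows Security module. It audits the mitigations listed above from the defender's side: it reads the configured exploit-protection policy for each image with the built-in `Get-ProcessMitigation` cmdlet (the `ImageLoad.*` and `SignedBinaries.*` property paths are assumed from that cmdlet's output object), reports whether each expected setting is `ON`, and then pulls recent entries from the Security-Mitigations event channels that exploit protection writes to when a mitigation blocks or audits an image load. `MsMpEng.exe` is included read-only, since the note above explains it can only be configured through the Windows Security GUI. Run it in an elevated session.

```powershell
# Added example (not the Harden-Windows-Security module's own code).
# Assumes the ProcessMitigations module shipped with Windows 10/11
# (Get-ProcessMitigation) and Get-WinEvent; run elevated.

# Expected mitigations, mirroring the release notes. Property paths follow the
# object returned by Get-ProcessMitigation -Name <image> (assumed layout).
$Expected = @{
    'rundll32.exe' = @('ImageLoad.BlockRemoteImageLoads', 'ImageLoad.BlockLowLabelImageLoads')
    'smss.exe'     = @('ImageLoad.BlockRemoteImageLoads')
    'wininit.exe'  = @('ImageLoad.BlockRemoteImageLoads')
    'NisSrv.exe'   = @('SignedBinaries.MicrosoftSignedOnly')
    # Checked but never set here: tamper protection blocks programmatic changes.
    'MsMpEng.exe'  = @('SignedBinaries.MicrosoftSignedOnly')
}

function Test-ExpectedMitigation {
    # Emits one row per (image, mitigation) with the configured state.
    foreach ($Image in $Expected.Keys) {
        $Policy = Get-ProcessMitigation -Name $Image -ErrorAction SilentlyContinue
        foreach ($Path in $Expected[$Image]) {
            $Section, $Setting = $Path.Split('.')
            # Values are ON / OFF / NOTSET; MISSING means no policy object came back.
            $State = if ($null -ne $Policy) { "$($Policy.$Section.$Setting)" } else { 'MISSING' }
            [PSCustomObject]@{
                Image      = $Image
                Mitigation = $Path
                State      = $State
                Compliant  = ($State -eq 'ON')
            }
        }
    }
}

function Get-MitigationEvent {
    # Exploit protection logs blocked/audited loads to these two channels.
    param([int]$Hours = 24)
    $Logs = 'Microsoft-Windows-Security-Mitigations/KernelMode',
            'Microsoft-Windows-Security-Mitigations/UserMode'
    Get-WinEvent -FilterHashtable @{ LogName = $Logs; StartTime = (Get-Date).AddHours(-$Hours) } `
                 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, LogName, Id,
            @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

Test-ExpectedMitigation | Format-Table -AutoSize
Get-MitigationEvent -Hours 24 | Format-Table -AutoSize
```

A row with `Compliant = False` for `rundll32.exe`, `smss.exe`, `wininit.exe` or `NisSrv.exe` means the module's policy has not been applied (or was reverted); a `False` for `MsMpEng.exe` is expected until the setting is added by hand in the Windows Security GUI. The event query returns nothing on a machine where no mitigation has fired yet, which is the normal quiet state.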
## Other Improvements

- Improved verbosity when the `-Verbose` parameter is used with the `Confirm-SystemCompliance` and `Protect-WindowsSecurity` cmdlets.
- `Confirm-SystemCompliance` now also verifies the applied process mitigations and includes their results in the final security score, under the Microsoft Defender category.
- `Confirm-SystemCompliance` now verifies the status of Smart App Control and includes it in the final security score. Smart App Control is a great automated AI-based security feature.
- Improved the rendering of nested data in the CSV file output when using `Confirm-SystemCompliance -ExportToCSV`.