HotCakeX / Harden-Windows-Security

Harden Windows Safely, Securely using Official Supported Microsoft methods and proper explanation | Always up-to-date and works with the latest build of Windows | Provides tools and Guides for Personal, Enterprise, Government and Military security levels | Read The Rationale https://github.com/HotCakeX/Harden-Windows-Security/blob/main/Rationale.md
https://hotcakex.github.io
MIT License

[Bug]: Dropping the "Untrusted Font Blocking" setting #89

Closed agpt8 closed 1 year ago

agpt8 commented 1 year ago

Tools category

Harden Windows Security Script

Does your system meet the requirements?

Please explain the bug

According to the linked article under Miscellaneous Configuration in the README.md, it suggests blocking untrusted fonts and excluding certain apps if it causes any issues.

In the same article, under the Related Content section, another techcommunity article is linked which states the following:

With GDI font parsing performed in a restrictive AppContainer, the risk of handling untrusted fonts in GDI is now acceptably low enough that we feel confident that the costs of font-blocking exceed its benefits. Therefore, we are removing our previous recommendation to enable untrusted font blocking.

I believe this setting should be dropped, as current OS versions have other mitigations in place.

HotCakeX commented 1 year ago

Hi, this hardening measure is one of those that requires additional confirmation before being applied, and a link to the official document is provided as well. It's not applied by default when the Miscellaneous category is run.

The document shows the potential reduced functionality

https://learn.microsoft.com/en-us/windows/security/threat-protection/block-untrusted-fonts-in-enterprise#potential-reductions-in-functionality

Basically any font outside %windir%/Fonts won't be allowed to run.

That blog post states that the risk is acceptably low but still not zero, and this security measure is offered optionally to anyone who wishes to use it, so I don't see the need to remove it; it's still a valid and supported policy in Windows.

I've been using it myself for a long time and haven't experienced any issues beyond the ones Microsoft mentioned. Do you experience any issues that aren't already mentioned?

The reason the tech community post says the cost of untrusted font blocking exceeds its benefits is most likely that Microsoft security baselines are used by a wide range of companies, so they have to maintain a balance between security and usability, and since this policy can directly affect Office products it's perfectly understandable for them not to include it in the baseline. However, this repository uses the Microsoft security baseline as its starting point and builds upon it by adding additional security measures that impose further restrictions or increase the security level of the policies.

You can read about privileged access workstations as an example where policies like this are suitable, but productivity apps are not: https://learn.microsoft.com/en-us/security/privileged-access-workstations/privileged-access-devices
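The setting the two comments argue about is a single kernel MitigationOptions value, so here is an added PowerShell example (written for this edit; it is not code from the Harden-Windows-Security repository or from either commenter) that applies it in the cautious order the thread implies: audit first, read the Win32k log to see which fonts would have been blocked, exclude an application that breaks, then switch to block mode. The registry paths, the three QWORD values, the per-executable Image File Execution Options opt-out and the Win32k/Operational log are taken from the Microsoft document linked above; the function names, the WINWORD.EXE exclusion (hypothetical, just to mirror the Office concern in the thread) and the assumption that the two font-blocking bits can be masked without disturbing other MitigationOptions bits are mine.

```powershell
# Added example, not code from the Harden-Windows-Security repository or from
# either commenter. Registry paths, the three QWORD values and the event log
# come from the Microsoft document linked in the thread; masking only the two
# font-blocking bits so other MitigationOptions bits survive is my assumption.
#Requires -RunAsAdministrator

$KernelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel'
$IfeoKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Documented values: 1 = block, 2 = off, 3 = audit, all living in the same two bits.
$FontBlockBits = [long]0x3000000000000
$Modes = @{
    Block = [long]0x1000000000000
    Off   = [long]0x2000000000000
    Audit = [long]0x3000000000000
}

function Get-MitigationOptions {
    param([string]$Path)
    $item = Get-ItemProperty -Path $Path -Name MitigationOptions -ErrorAction SilentlyContinue
    if ($null -eq $item) { return [long]0 }
    return [long]$item.MitigationOptions
}

function Get-UntrustedFontBlocking {
    # Reports which of the documented modes is currently set system-wide.
    $field = (Get-MitigationOptions -Path $KernelKey) -band $FontBlockBits
    foreach ($name in $Modes.Keys) {
        if ($Modes[$name] -eq $field) { return $name }
    }
    return 'NotConfigured'
}

function Set-UntrustedFontBlocking {
    param([Parameter(Mandatory)][ValidateSet('Block', 'Off', 'Audit')][string]$Mode)
    $current = Get-MitigationOptions -Path $KernelKey
    # Clear only the font-blocking field, keep every other bit, then set the new value.
    $new = ($current - ($current -band $FontBlockBits)) + $Modes[$Mode]
    if (-not (Test-Path $KernelKey)) { New-Item -Path $KernelKey -Force | Out-Null }
    Set-ItemProperty -Path $KernelKey -Name MitigationOptions -Value $new -Type QWord
    Write-Host "Untrusted Font Blocking set to $Mode; reboot for the kernel to pick it up."
}

function Get-BlockedFontEvents {
    # The Microsoft document points at Microsoft-Windows-Win32k/Operational for
    # fonts that were blocked (block mode) or would have been blocked (audit mode).
    # The event ID below is the one given there; confirm it against the current
    # version of the document before relying on this filter.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Win32k/Operational'; Id = 260 } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

function Add-UntrustedFontBlockingExclusion {
    # Per-process opt-out described in the document: the same value, set to Off,
    # under the executable's Image File Execution Options key.
    param([Parameter(Mandatory)][string]$ExeName)
    $key = Join-Path $IfeoKey $ExeName
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name MitigationOptions -Value $Modes.Off -Type QWord
}

# Cautious rollout: audit, reboot, run normally for a while, inspect, exclude, enforce.
Get-UntrustedFontBlocking                      # e.g. NotConfigured on a fresh machine
Set-UntrustedFontBlocking -Mode Audit
# ... reboot and use the machine for a few days, then review what would have been blocked:
Get-BlockedFontEvents | Format-Table -AutoSize
# Add-UntrustedFontBlockingExclusion -ExeName 'WINWORD.EXE'   # hypothetical exclusion
# Set-UntrustedFontBlocking -Mode Block                         # enforce once the log is clean
```

Audit mode is the check a practitioner wants before flipping this on: it logs every font that lives outside %windir%\Fonts and would be refused, without breaking anything yet, so the exclusions that the linked Microsoft document describes can be added deliberately rather than after a productivity app fails.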