Hardentools: make Windows more secure by disabling features
Hardentools is a free open source program for the Microsoft Windows operating system that will harden the system by disabling features.
The Windows operating system ships with a broad range of features. Some of these features are enabled for compatibility reasons on all editions of Windows.
While these features have their uses in certain environments, Enterprise for instance, they may not be used by the majority of home users.
The main idea behind Hardentools is to turn off these features to make Windows more secure in the process.
Note: You need to make sure that you don't require the features that Hardentools disables on Windows, as you won't be able to use them afterwards anymore. Read on to find out which features get disabled when you run the tool.
Hardentools review
Hardentools is a simple program. While it does ship with a graphical user interface, it does not provide users with many options however. In fact, the interface has only one button -- harden -- that users can click on to initiate the process. A restart is required to finalize the changes made to the operating system.
Note: The program features a restore option. You get it after you have applied the changes to the operating system, restarted the PC, and ran the tool again. This enables you to restore the features that the first run of the tool disabled.
It needs to be noted that the tool is not meant for public distribution yet according to the developers.
The developers plan to add a selection menu to the program in the future. For now, that one button is all you get.
Here is the list of features that Hardentools disables when you press that button:
- Disables Windows Scripting Host.
- Disables AutoRun and AutoPlay.
- Disables powershell.exe, powershell_ise,exe, and cmd.exe execution via Windows Explorer.
- Disables Microsoft Office Macros.
- Disables Microsoft Office OLE object execution.
- Disables Microsoft Office ActiveX.
- Disables JavaScript in PDF documents in Acrobat Reader.
- Disables the execution of objects embedded in PDF documents.
As you can see, the changes can have wide reaching consequences. Especially the disabling of PowerShell and Cmd need to be mentioned in the context.
This is obviously not a big issue for users who never run PowerShell or Cmd. All users who do however cannot use Hardentools right now because of the missing selection options.
Hardentools main feature currently is that it is dead easy to use. Users who want more control over the process can make individual changes manually instead.
While this requires a bit of research, it is usually not that hard, and it gives you more flexibility when it comes to hardening the operating system.
The biggest issue right now for home users is to determine whether a feature is needed or not. While you can simply go ahead and apply the changes, and see where that takes you after the restart, it is usually better to know beforehand.
Closing Words
Hardentools is an interesting project that may already be useful in certain situations and environments. Most users may want to hold off for now though because of the program's all or nothing approach to things right now.
This will change over time according to the developers, and that will certainly increase the application's reach significantly.
Now You: Have you hardened your operating system?
Hello how can i reverse cmd and powershell “disable”?
Disables Windows Scripting Host : done with a simple Registry setting;
Disables AutoRun and AutoPlay.: done since always;
Disables powershell.exe, powershell_ise,exe, and cmd.exe execution via Windows Explorer : I need cmd.exe and disabling PowerShell isn’t a priority;
Disables Microsoft Office Macros : no Office here;
Disables Microsoft Office OLE object executions : no Office here;
Disables Microsoft Office ActiveXs : no Office here;
Disables JavaScript in PDF documents in Acrobat Readers : no Acrobat Reader here;
Disables the execution of objects embedded in PDF documents : seems interesting, I wouldn’t know how to do that with a Windows setting.
“The developers plan to add a selection menu to the program in the future.” : seems required.
‘SBGuard Antiransomware’ discussed on these pages is the best small utility to block all things nasty. When installing & updating certain programs you might have to temporarily disable it. Thats just a slight inconvenience though.
I use this tool to harden my systems….
“Our Simple Software Restriction Policy utility overcomes that. As the name suggests, it turns a complex piece of group policy editing into a simple matter of installing the utility and selecting a few options. What’s more, if you need to suspend the policy, that is only a few clicks away and it takes effect immediately, no reboot needed.
A SRP has other advantages besides hardening the computer against malware. For example, it allows you to control the launching of programs from USB key or DVD, other routes by which unwanted software may find its way onto your computer.
Perhaps one of the best features of SSRP is that during normal use of the computer you hardly know it’s there. No screen dimming, no continual nags. About the only time you need to interact with it, is if installing or removing software. In which case you can allow yourself 30 minutes to do the work, after which the policy will reinstate itself.
SSRP also offers a means of launching specified programs with limited rights. On legacy systems where the standard user is an Admin, this can very usefully restrict the damage that a compromised Web browser or email client can do to the system. (This feature is turned off by default since later Windows versions have their own means of achieving this, UAE. )”
http://iwrconsultancy.co.uk/softwarepolicy
Hardentools has no .exe file. How do I open it?
Dwight, you need to click on releases on GitHub. Or, open this page directly: https://github.com/securitywithoutborders/hardentools/releases
Thanks. I didn’t see that link.
More comprehensive, bigger, longer, harder!
https://github.com/AndyFul/Hard_Configurator
Hardened.