Hard_Configurator - Windows Hardening Configurator

Discussion in 'System Utilities' started by Andy Ful, Dec 10, 2016.

  1. Andy Ful

    Andy Ful Level 22

    Dec 23, 2014
    1,115
    4,800
    business
    Poland
    Windows 10
    Microsoft
    Official Website:
    https://github.com/AndyFul/Hard_Configurator
    Release Notes:
    https://github.com/AndyFul/Hard_Configurator
    Build version:
    Hard_Configurator was created after discussion on the below threads:

    Secure Windows - Software restriction Policies to Windows Home
    Windows Pro owner? Use Software Restriction Policies!
    Poll - Do you use security reg tweaks?
    Run by Smartscreen utility

    I had an idea to make a GUI for managing Software Restriction Policies, Registry hardening tweaks, and forced SmartScreen check. Hard_Configurator was compiled in AutoIt and can be downloaded from GitHub:
    GitHub - AndyFul/Hard_Configurator: GUI to Manage Software Restriction Policies and harden Windows Home OS

    What can it do?

    Hard_Configurator makes changes in Windows Registry to accomplish tasks enumerated below:

    1. Enabling/Disabling Software Restriction Policies (as anti-exe) in Windows Home.
    2. Changing SRP Security Levels, Enforcement options, and protected extensions.
    3. Whitelisting files by hash in SRP.
    4. Enabling/Disabling Windows Defender PUA protection (Windows 8+).
    5. Disabling/Enabling Untrusted Fonts (Windows 10).
    6. Disabling/Enabling file execution from removable disks (Windows 7+).
    7. Disabling/Enabling PowerShell script execution (Windows 7+).
    8. Restricting shortcut execution to some folders only.
    9. Disabling/Enabling Windows Script Host.
    10. Hiding/Unhiding "Run As Administrator" option in Explorer context menu (Windows Vista+).
    11. Forcing SmartScreen check for files without 'Mark Of The Web' (Windows 8+).
    12. Disabling/Enabling Remote Assistance (Windows Vista+).
    13. Turning ON/OFF all above restrictions.
    14. Saving the chosen restrictions as defaults.
    15. Loading defaults.
    16. Choosing GUI skin.

    All the above tasks (except forcing the SmartScreen check) can be done by hand using Windows regedit. Anyway, with Hard_Configurator, it can be done more quickly and safely.
    This program was created for advanced users to secure inexperienced users. :)
     
  2. Andy Ful
    #2 Andy Ful, Dec 10, 2016
    Last edited: Dec 10, 2016
    Here are some screenshots.
     


  3. Av Gurus

    Av Gurus Level 28
    Trusted AV Tester

    Sep 22, 2014
    1,724
    10,668
    Testing security programs
    Earth
    Windows 10
    #3 Av Gurus, Dec 10, 2016
    Last edited: Dec 10, 2016
    Beautiful...thank you...:)

    UPDATE:
    Win. Defender doesn't like it...
    wd.jpg

    Will try with Exclude Options...
    wd2.jpg
     
  4. Andy Ful
    #4 Andy Ful, Dec 11, 2016
    Last edited: Dec 11, 2016
    Thanks. I had the same problem with RunBySmartscreen_1.0.3. After testing some malware samples, Windows Defender Heuristics flagged it as a trojan. Thankfully, after submitting it as a false positive, Microsoft qualified RunBySmartscreen_1.0.3 as clean.
    Submission History Details
    Yet, the new version RunBySmartscreen_2.0.1 is now flagged as a trojan.
    Today, I will submit Hard_Configurator_1.0.0 and RunBySmartscreen_2.0.1 as false positives.
    I hope that Microsoft will be generous and accept that Hard_Configurator can activate some Windows Pro capabilities in Windows Home. :)
     
  5. Andy Ful
    Files submitted. Now, we will wait.
     
  6. Av Gurus
    Can a whole folder be added to exceptions, or can you add that?
     
  7. Andy Ful
    #7 Andy Ful, Dec 11, 2016
    Last edited: Dec 11, 2016
    If someone installed Hard_Configurator on a real system, please add the quarantined files: RunBySmartscreen_2.0.1.zip, Hard_Configurator(x64).exe and RunAsSmartScreen(x64).exe (or, on a 32Bit system, Hard_Configurator(x86).exe and RunAsSmartScreen(x86).exe) to Windows Defender exclusions.
    If the detection happened after installing Hard_Configurator, it is also recommended to install it again to have control over the applied restrictions.
    Sorry for the inconvenience. :(

    Edited.
    I think that there is a simpler method. If the executables are recovered from quarantine, then Windows Defender will ignore them.
     
  8. Andy Ful
    What do you mean?
     
  9. Andy Ful
    The simplest method is to recover quarantined executables. Windows Defender will ignore them.
     
  10. Av Gurus
    I mean in Hard_Configurator.
    There is only Whitelist by Hash.
    Hard_Configurator_1.png
    I have a folder with 20 portable apps and would like to add that folder to Whitelist, not one by one.
     
  11. Andy Ful
    #11 Andy Ful, Dec 11, 2016
    Last edited: Dec 11, 2016
    I understand. Now, there's no such option. It can be added in the next version (whitelist by path). Aren't you afraid to whitelist a folder in the User Space and make a loophole in the security?
    Whitelisting by hash will take you about 5 minutes.
     
  12. Andy Ful
    But on the other hand, there is such an option in Windows Pro SRP, so I think it can be useful for advanced users?
     
  13. Av Gurus
    I have like that in my SRP settings.
    Clipboard01.jpg
     
  14. Andy Ful
    You have three folders whitelisted by path in SRP (the paths: C:\Users\... and D:\...). The first path, I think, is for Google Chrome and the others are for portable applications. All those folders are vulnerable to drive-by attacks - you can run any program from those folders and bypass SRP. You are an advanced user, so you know what you are doing. For inexperienced users, whitelisting by hash is much safer.
    By the way, I did not see a malware file in the wild, that could exploit the above loopholes.
     
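An added example, not part of the original posts and not Hard_Configurator's code: a check for the path-rule loophole discussed in posts 10 to 14. It reads a `reg export` of the SRP policy key and flags Unrestricted path rules that point outside the protected system folders. The sample export, GUIDs, folder names and the `PROTECTED` list are constructed assumptions, and only rules whose `ItemData` is exported as a plain quoted string are handled.

```python
import re
from pathlib import PureWindowsPath
# Constructed `reg export` sample (plain-string ItemData); GUIDs and folders are made up.
BASE = r"[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    BASE + r"\262144\Paths\{11111111-1111-1111-1111-111111111111}]",
    r'"ItemData"="C:\\Program Files"',
    BASE + r"\262144\Paths\{22222222-2222-2222-2222-222222222222}]",
    r'"ItemData"="C:\\Users\\Test\\AppData\\Local\\Google\\Chrome"',
    BASE + r"\262144\Paths\{33333333-3333-3333-3333-333333333333}]",
    r'"ItemData"="D:\\PortableApps"',
    BASE + r"\262144\Paths\{44444444-4444-4444-4444-444444444444}]",
    r'"ItemData"="%USERPROFILE%\\Tools"',
    BASE + r"\0\Paths\{55555555-5555-5555-5555-555555555555}]",
    r'"ItemData"="C:\\Users\\Test\\Downloads"',
])
# Assumption: only these roots count as not writable by standard users.
PROTECTED = [PureWindowsPath(p) for p in
             (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")]
KEY_RE = re.compile(r"^\[.*\\Safer\\CodeIdentifiers\\(\d+)\\Paths\\\{[0-9A-Fa-f-]+\}\]$")
VAL_RE = re.compile(r'^"ItemData"="(.*)"$')

def audit_path_rules(reg_text):
    """Return (path, verdict) for each Unrestricted (level 262144) path rule."""
    findings, level = [], None
    for line in (l.strip() for l in reg_text.splitlines()):
        key = KEY_RE.match(line)
        if key:
            level = int(key.group(1))
        elif line.startswith("["):
            level = None                      # unrelated key: stop collecting
        val = VAL_RE.match(line)
        if not val or level != 262144:        # skip Disallowed (0) rules too
            continue
        raw = val.group(1).replace("\\\\", "\\")   # undo .reg escaping
        path = PureWindowsPath(raw)
        if "%" in raw or not path.drive:
            verdict = "review"        # variable or registry-path rule: resolve by hand
        elif any(path == p or p in path.parents for p in PROTECTED):
            verdict = "ok"
        else:
            verdict = "user-writable" # files placed here are not blocked by SRP
        findings.append((raw, verdict))
    return findings

if __name__ == "__main__":
    for rule in audit_path_rules(SAMPLE_REG):
        print(rule)
```

On a live system the input would come from `reg export` of the `Safer` policy key; that file is UTF-16 encoded, so decode it before passing the text to `audit_path_rules`.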
  15. Andy Ful
    Hard_Configurator is suited to advanced users who want to configure computers of inexperienced users. Inexperienced users first try to open/run/install files by mouse click or pressing the ENTER key. This is protected by Software Restriction Policies and script blocking. So, media files, documents, photos, and already installed applications can be opened without any problem, but scripts and executables are blocked (in the User Space). Next, they try to use 'Run As Administrator' from the Explorer context menu to bypass SRP blocking. This is protected by script blocking, and by replacing 'Run As Administrator' with 'Run As SmartScreen'.
    'Run As SmartScreen' performs a SmartScreen check and, if the file is considered safe, allows it to be executed. For inexperienced users, SRP without 'Run As SmartScreen' is in many cases vulnerable to 0-day malware attacks, if run with Administrative Rights. This can be more destructive than running files without SRP, because execution by mouse click (or pressing ENTER) does not automatically elevate the integrity level. There is no such danger to experienced users, if they know why some files cannot be flagged with "Mark of the Web", and then must be ignored by SmartScreen App on the Run.
    Yet, such security is not good for children, because they mostly do not respect SmartScreen alerts.

    Hard_Configurator can be a good solution for inexperienced users if they:
    * can respect the SmartScreen check (always) and can get help from an experienced user (from time to time);
    * do not install many programs/games/utilities, especially when the installed software is not popular;
    * accept replacing a program that has a problem with Hard_Configurator restrictions (rarely);

    If so, the Hard_Configurator restrictions do not cause problems with the always-changing Windows OS, and provide very good security. This is especially important with Windows 10, where many antimalware programs can still have serious issues after system updates.
     
  16. Av Gurus
    Tried to run on Win 7 x64 in a VM, but got this pop-up:
    Clipboard01.jpg
     
  17. askmark

    askmark Level 11

    Aug 31, 2016
    512
    4,202
    united kingdom
    Windows 10
    Default-Deny
    @Andy Ful Thanks for sharing your program. I like your idea of protecting the computers of inexperienced users by utilising system tweaks. My parent's laptop is currently protected by KIS 2016. Would the changes made by your program be compatible with KIS?
     
  18. Andy Ful
    I think so. But, with KIS they do not need additional protection.
     
  19. Andy Ful
    Thanks. Confirmed on Windows 7 64Bit. I will work on this. It seems to be connected with not supporting 'SmartScreen on the Run' by Windows 7.
     
  20. Andy Ful
    #20 Andy Ful, Dec 12, 2016
    Last edited: Dec 12, 2016
    But anyway, script blocking or Untrusted Fonts protection may not be a bad idea. I do not know how effective KIS is with malicious scripts.
     