Hard_Configurator - Windows Hardening Configurator

Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top poster
Developer
Well-known
Dec 23, 2014
7,176
Post updated in August 2022.
The current build of Windows 11 Insider ver. 22H2 is incompatible with Hard_Configurator.

Developer website:
github.com

GitHub - AndyFul/Hard_Configurator: GUI to Manage Software Restriction Policies and harden Windows Home OS

GUI to Manage Software Restriction Policies and harden Windows Home OS - GitHub - AndyFul/Hard_Configurator: GUI to Manage Software Restriction Policies and harden Windows Home OS
github.com github.com

The dedicated website (thanks to @askalan):
Warning - the website is temporarily unavailable!
Hard Configurator

Hard_Configurator was created after a discussion on the below treads:
https://www.wilderssecurity.com/thr...ith-lua-and-srp-even-without-ultimate.232857/
Secure Windows - Software restriction Policies to Windows Home
Windows Pro owner? Use Software Restriction Policies!
Poll - Do you use security reg tweaks?
Run by Smartscreen utility

Microsoft documentation for Software Restriction Policies (July 2021):
https://docs.microsoft.com/en-us/wi...iction-policies/software-restriction-policies
This documentation was made for Windows Server (2012, 2016, 2019, and 2022), but SRP works the same on Windows 7, 8, 8.1, 10, and 11.

What it can do?

This program can configure Windows built-in security to harden the system. When you close Hard_Configurator it closes all its processes. The real-time protection comes from the reconfigured Windows settings. Hard_Configurator can be seen as a Medium Integrity Level smart default-deny setup, which is based on SRP + Application Reputation Service (forced SmartScreen) + Windows hardening settings (restricting vulnerable features).
Hard_Configurator makes changes in Windows Registry to accomplish the tasks enumerated below:
  1. Enabling Software Restriction Policies (SRP) in Windows Home editions.
  2. Changing SRP Security Levels, Enforcement options, and Designated File Types.
  3. Whitelisting files in SRP by path (also with wildcards) and by hash.
  4. Blocking the vulnerable system executables via SRP.
  5. Protecting (deny execution) writable subfolders in "C:\Windows" folder (via SRP).
  6. Restricting shortcut execution to some folders only (via SRP).
  7. Enabling Windows Defender advanced settings, like PUA protection, ASR rules, Network Protection etc.
  8. Blocking outbound connections of many LOLBins and user applications.
  9. Filtering Windows Event Log for blocked outbound connections.
  10. Protecting against weaponized documents, when MS Office and Adobe Acrobat Reader XI/DC are used to open them.
  11. Disabling PowerShell script execution (Windows 7+).
  12. Securing PowerShell by Constrained Language mode (SRP, PowerShell 5.0+)
  13. Disabling execution of scripts managed by Windows Script Host.
  14. Removing "Run as administrator" option from the Explorer right-click context menu.
  15. Forcing SmartScreen check for files without 'Mark Of The Web' (Windows 8+).
  16. Disabling Remote Desktop, Remote Assistance, Remote Shell, and Remote Registry.
  17. Disabling execution of 16-bit applications.
  18. Securing Shell Extensions.
  19. Disabling SMB protocols.
  20. Disabling program elevation on Standard User Account.
  21. Disabling Cached Logons.
  22. Filtering Windows Event Log for blocked file execution events (Nirsoft FullEventLogView).
  23. Filtering autoruns from the User Space, and script autoruns from anywhere (Sysinternals Autorunsc).
  24. Turning ON/OFF all the above restrictions.
  25. Restoring Windows Defaults.
  26. Making System Restore Point.
  27. Using predefined setting profiles for Windows 7, Windows 8, and Windows 10.
  28. Saving the chosen restrictions as a profile, and restoring when needed.
  29. Backup management for Profile Base (whitelist profiles and setting profiles).
  30. Changing GUI skin.
  31. Updating application.
  32. Uninstalling application (Windows defaults restored).
(...) and some more ...

Many of the above tasks can be made by using Windows RegEdit. Anyway, with Hard_Configurator, it can be done more quickly and safely.
This program was created for advanced users to secure inexperienced users. :)
 
Last edited:
  • Like
  • Applause
  • Thanks
Reactions: Malleable, jerzy601, sypqys and 70 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top poster
Developer
Well-known
Dec 23, 2014
7,176
Here are some screenshots.
 

Attachments

  • Hard_Configurator_1.png
    Hard_Configurator_1.png
    18.5 KB · Views: 3,518
  • Hard_Configurator_2.png
    Hard_Configurator_2.png
    82.4 KB · Views: 3,492
  • Hard_Configurator_3.png
    Hard_Configurator_3.png
    54.3 KB · Views: 3,248
  • Hard_Configurator_4.png
    Hard_Configurator_4.png
    86.2 KB · Views: 3,138
  • Hard_Configurator_5.png
    Hard_Configurator_5.png
    86.6 KB · Views: 3,359
Last edited:
  • Like
  • Thanks
Reactions: sypqys, Vitali Ortzi, Devilboss94 and 25 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top poster
Developer
Well-known
Dec 23, 2014
7,176
Av Gurus said:
Beautiful...thank you...:)

UPDATE:
Win. Defender don't like it...
View attachment 126364

Will try with Exclude Options...
View attachment 126365
Click to expand...

Thanks. I had the same problem with RunBySmartscreen_1.0.3. After testing some malware samples, Windows Defender Heuristics flagged it as a trojan. Thankfully, after submitting it as a false positive, Microsoft qualified RunBySmartscreen_1.0.3 as clean.
Submission History Details
Yet, the new version RunBySmartscreen_2.0.1 is now flagged as a trojan.
Today, I will submit Hard_Configurator_1.0.0 and RunBySmartscreen_2.0.1 as false positives.
I hope, that Microsoft will be generous, and accept that Hard_Configurator can activate some Windows Pro capabilities in Windows Home.:)
 
Last edited:
  • Like
  • Thanks
Reactions: Nevi, Correlate, spaceoctopus and 11 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top poster
Developer
Well-known
Dec 23, 2014
7,176
If someone installed Hard_Configurator in the real system, please add the quarantined files: RunBySmartscreen_2.0.1.zip, Hard_Configurator(x64).exe and RunAsSmartScreen(x64).exe (or in 32Bit system Hard_Configurator(x86).exe and RunAsSmartScreen(x86).exe ) to Windows Defender exclusions .
If the detection happened after installing Hard_Configurator, it is recommended also to install it again to have control over applied restrictions.
Sorry for the inconvenience.:(

Edited.
I think that there is a simpler method. If the executables are recovered from quarantine, then Windows Defender will ignore them.
 
Last edited:
  • Like
Reactions: Nevi, spaceoctopus, XhenEd and 4 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top poster
Developer
Well-known
Dec 23, 2014
7,176
I understand. Now, there's no such option. It can be added in the next version (whitelist by path). Do not you afraid to whitelist the folder in the User Space, and make the loophole in the security?
Whitelisting by hash will take you about 5 minutes.
 
Last edited:
  • Like
Reactions: Nevi, spaceoctopus, XhenEd and 5 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top poster
Developer
Well-known
Dec 23, 2014
7,176
You have three folders whitelisted by path in SRP (the paths: C:\Users\... and D:\...). The first path I think, is for Google Chrome and others for portable applications. All those folders are vulnerable to drive by attacks - you can run any program from those folders and bypass SRP. You are advanced user, so you know what you are doing. For inexperienced users, whitelisting by hash is much safer.
By the way, I did not see a malware file in the wild, that could exploit the above loopholes.
 
  • Like
Reactions: Tiny, AtlBo, DardiM and 2 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top poster
Developer
Well-known
Dec 23, 2014
7,176
Hard_Configurator is suited to advanced users who want to configure computers of inexperienced users. Inexperienced users first try to open/run/install files by mouse click or pressing ENTER key. This is protected by Software Restriction Policies and script blocking. So, media files, documents, photos, and already installed applications can be opened without any problem, but scripts and executables are blocked (in the User Space). Next, they try to use 'Run As Administrator' from Explorer context menu to bypass SRP blocking. This is protected by script blocking, and replacing 'Run As Administrator' by 'Run As SmartScreen'.
'Run As SmartScreen' performs SmartScreen check, and if the file is considered as safe, then allows to execute it. For inexperienced users SRP without 'Run As Smartscreen' is in many cases vulnerable to the 0-day malware attacks, if run with Administrative Rights. This can be more destructive than running files without SRP, because execution by mouse click (or pressing ENTER) does not automatically elevate integrity level. There is no such danger to experienced users, if they know why some files cannot be flagged with "Mark of the Web", and then must be ignored by SmartScreen App on the Run.
Yet, such security is not good for children, because they mostly do not respect SmartScreen alerts.

Hard_Configurator can be a good solution for inexperienced users if they:
* can respect SmartScreen check (always) and can get help from experienced user (from time to time);
* do not install many programs/games/utilities, especially when installed software is not popular;
* accept replacing the program that has problem with Hard_Configurator restrictions (rarely);

If so, the Hard_Configurator restrictions do not cause problems with always changing Windows OS, and provide very good security. This is especially important with Windows 10, where many antimalware programs can still have serious issues after system updates.
 
  • Like
Reactions: Nevi, DDE_Server, caba and 6 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top poster
Developer
Well-known
Dec 23, 2014
7,176
askmark said:
@Andy Ful Thanks for sharing your program. I like your idea of protecting the computers of inexperienced users by utilising system tweaks. My parent's laptop is currently protected by KIS 2016. Would the changes made by your program be compatible with KIS?
Click to expand...

I think so. But, with KIS they do not need additional protection.
 
  • Like
Reactions: Nevi, Sunshine-boy, AtlBo and 1 other person
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top poster
Developer
Well-known
Dec 23, 2014
7,176
askmark said:
@Andy Ful Thanks for sharing your program. I like your idea of protecting the computers of inexperienced users by utilising system tweaks. My parent's laptop is currently protected by KIS 2016. Would the changes made by your program be compatible with KIS?
Click to expand...

But anyway, script blocking or Untrusted Fonts protection may not be the bad idea. I do not know how effective is KIS with malicious scripts.
 
Last edited:
  • Like
Reactions: Nevi, Sunshine-boy and AtlBo

Similar threads

Andy Ful
    • Like
    • +Reputation
    • Thanks
FirewallHardening tool
Replies
28
Views
4,343
Hard_Configurator Tools
zvaigzne
zvaigzne
Trooper
    • Like
    • +Reputation
NSA shares tips on securing Windows devices with PowerShell
Replies
0
Views
533
News Archive
Trooper
Trooper
TutorailBoy
    • Like
How to Fix MSDT Vulnerability using SCCM and Intune | CVE-2022-30190
Replies
1
Views
779
Online Privacy & Security Guides
Trooper
Trooper
Top Bottom