Hard_Configurator - Windows Hardening Configurator

[Andy Ful]

The Desktop protected by OneDrive:

It shows the files from the "user Desktop" (files on the left) and files from the "Public Desktop" (files on the right).
The files on the left (two installer executables and two shortcuts) are located both in the protected "user Desktop folder" and backed up online (have green ticked circles in the left down corner). The protected "user Desktop folder" is located in the OneDrive folder (%UserProfile%\OneDrive\Desktop).
The files on the right, stored in the "Public Desktop folder" (default location of H_C shortcuts) are not protected by OneDrive. Currently, the OneDrive can only protect the "user Desktop folder" + Documents and Pictures folders.

 

[ErzCrz]

Quick question: A friend has Windows Server 2019 at home is Hard_configurator compatible? @Andy Ful

 

[Andy Ful]

Quick question: A friend has Windows Server 2019 at home is Hard_configurator compatible? @Andy Ful

It will probably work, but honestly, I did not test H_C on Windows Server. Furthermore, If the user has applied SRP via GPO, then SRP should be first removed, before installing H_C. Both H_C and GPO use the same registry keys to apply SRP and Windows Policies, but GPO will overwrite the colliding H_C settings via the refresh feature.

 

[ErzCrz]

It will probably work, but honestly, I did not test H_C on Windows Server. Furthermore, If the user has applied SRP via GPO, then SRP should be first removed, before installing H_C. Both H_C and GPO use the same registry keys to apply SRP and Windows Policies, but GPO will overwrite the colliding H_C settings via the refresh feature.

Thanks @Andy Ful I didn't thing it would be but I'll advise him of your response.

Cheers,

Erz

 

[Andy Ful]

There will be some important changes in the new Hard_Configurator (ver. 5.0.0.1) due to adopting the <Update Mode> feature. It will be included by default in the Recommended Settings on Windows 8+, and also in some setting profiles like Avast profiles and Windows_10_MT_Windows_Security_hardening profile.
The <Update Mode> = ON setting will allow running EXE (TMP) and MSI files from ProgramData and the user AppData folders.

I prepared a special section in the Hard_Configurator manual to describe the Recommended Settings with this new feature. Please let me know if something is unclear or should be corrected.

******************************************************************************************************************

RECOMMENDED SETTINGS

Hard_Configurator is currently a flexible and quite complex piece of software. It can apply many security configurations. Some of them can highly restrict Windows and lock down the system. Others can only restrict concrete Windows features or Administrative tools.

The Hard_Configurator Recommended Settings are prepared to keep the balance between usability and security in the home environment. This can be properly done on Windows 8+ where SmartScreen is integrated with Explorer. SmartScreen can check several file types, including EXE and MSI, but the files must have MOTW attached.

If we have such protection then Hard_Configurator SRP restrictions can be lowered for some executables (EXE, TMP, MSI files) in the folders that are commonly used while installing/updating applications, e.g. in ProgramData and user Appdata. These folders are hidden, so users do not run directly anything form there.

How does it work?
Such smart default-deny protection works as follows:

1. The user can run the already installed applications in SystemSpace.
2. Any new files directly run by users (executables, scripts, shortcuts, files with unsafe extensions) are blocked in UserSpace. This also works when the file is run from the archive without unpacking the archive.
3. As an exception to point 1, the shortcuts (LNK files) can be run by users from Desktop, Start Menu, Power Menu, Task Bar, and Quick Launch.
4. As an exception to point 1, the standalone application installers (EXE or MSI files) can be run by users on-demand, with a forced SmartScreen check. Hard_Configurator adds the right-click Explorer context menu entry `Install by SmartScreen` which works well both on Administrator account and SUA. It can add MOTW to file and force the SmartScreen check.
5. Already running processes can run EXE (TMP) and MSI files in ProgramData or user Appdata folders.
6. The applications/processes running with standard rights cannot run other unsafe files (executables, scripts, files with unsafe extensions) in UserSpace, except some events when the command line can be accessed.

Can it be usable?
Yes, it can.

• The already installed applications can auto-update without turning off the protection (point 5).
• Users can install most applications without turning off the protection (point 4) and do not need to whitelist the new-installed applications (points 1, 3 and 5).
• The common non-executable files like media, photos, documents, etc. can be opened without problems. For example, when clicking on the media file, Windows triggers the already installed application in `Program Files` (point 1) or in the user AppData folder (point 5), and the file is opened by that application.

Is it safe?
Yes, it is much safer than antivirus protection alone. For example:

• If the user tries to run something new (executable, script, shortcut, file with unsafe extension) by a mouse-click or pressing the Enter key, then it will be blocked (point 1).
• When the user wants to install the application, the `Install by SmartScreen` entry in the Explorer context menu has to be applied. But then, the file is checked by SmartScreen and blocked if not recognized as safe (point 4).
• If the user opens the weaponized document in MS Office, then macros and anything that needs VBA Interpreter will be blocked. If he/she clicks on the embedded malicious OLE object, then it will be blocked, too (point 6). The user can also harden MS Office applications by using DocumentsAntiExploit tool to block other active components. Many MS Office exploits can be prevented by configuring other Hard_Configurator features (FirewallHardening, Block Sponsors, ConfigureDefender, etc.).
• If the user gets the exploit that tries to download/execute the payload (from disk or memory), then it will be prevented in most cases by SRP, Windows Firewall policies or PowerShell restrictions. This protection can be independently configured by several Hard_Configurator features (FirewallHardening, Block Sponsors, ConfigureDefender, etc.).
• If the user gets the exploit which tries to abuse Windows remote features, then this will fail, because remote features are disabled by Hard_Configurator.

Can such protection be bypassed?
Yes, but this would require exploiting the Windows system or one of the installed applications. Even then, in most cases the attack will be neutralized - this is true also for fileless attacks and many exploits with privilege escalation (due to blocking PowerShell scripts, disabling remote features, FirewallHardening, and ConfigureDefender).


Can the user feel the difference as compared to the setup without Hard_Configurator?
In daily work, it will be hardly visible, except when installing applications from CD/DVD drives, CD/DVD images, and similar non-standalone installation packages. In such cases using `Install By SmartScreen` will fail.
The installation has to be performed after turning off the Hard_Configurator default-deny protection via SwitchDefaultDeny tool.

 

[oldschool]

This looks good on my first reading. You have been hard at work, my friend!

 

[plat]

Updated to Insider build version 19541.1000. This build became available for installation just a few hours ago on the Fast Ring. Will you test your new build on this latest Windows, Andy Ful? I refreshed the Firewall Hardening Tool just to make sure.

 

[Andy Ful]

Updated to Insider build version 19541.1000. This build became available for installation just a few hours ago on the Fast Ring. Will you test your new build on this latest Windows, Andy Ful? I refreshed the Firewall Hardening Tool just to make sure.

I plan the next test in April.

 

[Gandalf_The_Grey]

There will be some important changes in the new Hard_Configurator (ver. 5.0.0.1) due to adopting the <Update Mode> feature. It will be included by default in the Recommended Settings on Windows 8+, and also in some setting profiles like Avast profiles and Windows_10_MT_Windows_Security_hardening profile.
The <Update Mode> = ON setting will allow running EXE (TMP) and MSI files from ProgramData and the user AppData folders.

I prepared a special section in the Hard_Configurator manual to describe the Recommended Settings with this new feature. Please let me know if something is unclear or should be corrected.

******************************************************************************************************************

RECOMMENDED SETTINGS

Hard_Configurator is currently a flexible and quite complex piece of software. It can apply many security configurations. Some of them can highly restrict Windows and lock down the system. Others can only restrict concrete Windows features or Administrative tools.

The Hard_Configurator Recommended Settings are prepared to keep the balance between usability and security in the home environment. This can be properly done on Windows 8+ where SmartScreen is integrated with Explorer. SmartScreen can check several file types, including EXE and MSI, but the files must have MOTW attached.

If we have such protection then Hard_Configurator SRP restrictions can be lowered for some executables (EXE, TMP, MSI files) in the folders that are commonly used while installing/updating applications, e.g. in ProgramData and user Appdata. These folders are hidden, so users do not run directly anything form there.

How does it work?
Such smart default-deny protection works as follows:

1. The user can run the already installed applications in SystemSpace.
2. Any new files directly run by users (executables, scripts, shortcuts, files with unsafe extensions) are blocked in UserSpace. This also works when the file is run from the archive without unpacking the archive.
3. As an exception to point 1, the shortcuts (LNK files) can be run by users from Desktop, Start Menu, Power Menu, Task Bar, and Quick Launch.
4. As an exception to point 1, the standalone application installers (EXE or MSI files) can be run by users on-demand, with a forced SmartScreen check. Hard_Configurator adds the right-click Explorer context menu entry `Install by SmartScreen` which works well both on Administrator account and SUA. It can add MOTW to file and force the SmartScreen check.
5. Already running processes can run EXE (TMP) and MSI files in ProgramData or user Appdata folders.
6. The applications/processes running with standard rights cannot run other unsafe files (executables, scripts, files with unsafe extensions) in UserSpace, except some events when the command line can be accessed.

Can it be usable?
Yes, it can.

• The already installed applications can auto-update without turning off the protection (point 5).
• Users can install most applications without turning off the protection (point 4) and do not need to whitelist the new-installed applications (points 1, 3 and 5).
• The common non-executable files like media, photos, documents, etc. can be opened without problems. For example, when clicking on the media file, Windows triggers the already installed application in `Program Files` (point 1) or in the user AppData folder (point 5), and the file is opened by that application.

Is it safe?
Yes, it is much safer than antivirus protection alone. For example:

• If the user tries to run something new (executable, script, shortcut, file with unsafe extension) by a mouse-click or pressing the Enter key, then it will be blocked (point 1).
• When the user wants to install the application, the `Install by SmartScreen` entry in the Explorer context menu has to be applied. But then, the file is checked by SmartScreen and blocked if not recognized as safe (point 4).
• If the user opens the weaponized document in MS Office, then macros and anything that needs VBA Interpreter will be blocked. If he/she clicks on the embedded malicious OLE object, then it will be blocked, too (point 6). The user can also harden MS Office applications by using DocumentsAntiExploit tool to block other active components. Many MS Office exploits can be prevented by configuring other Hard_Configurator features (FirewallHardening, Block Sponsors, ConfigureDefender, etc.).
• If the user gets the exploit that tries to download/execute the payload (from disk or memory), then it will be prevented in most cases by SRP, Windows Firewall policies or PowerShell restrictions. This protection can be independently configured by several Hard_Configurator features (FirewallHardening, Block Sponsors, ConfigureDefender, etc.).
• If the user gets the exploit which tries to abuse Windows remote features, then this will fail, because remote features are disabled by Hard_Configurator.

Can such protection be bypassed?
Yes, but this would require exploiting the Windows system or one of the installed applications. Even then, in most cases the attack will be neutralized - this is true also for fileless attacks and many exploits with privilege escalation (due to blocking PowerShell scripts, disabling remote features, FirewallHardening, and ConfigureDefender).


Can the user feel the difference as compared to the setup without Hard_Configurator?
In daily work, it will be hardly visible, except when installing applications from CD/DVD drives, CD/DVD images, and similar non-standalone installation packages. In such cases using `Install By SmartScreen` will fail.
The installation has to be performed after turning off the Hard_Configurator default-deny protection via SwitchDefaultDeny tool.

Looks great, much hard work went into it and there is much valuable info.
The only thing I'm thinking about is, that there are a lot of individual components; Hard_Configurator, ConfigureDefender, DocumentsAntiExploit and FirewallHardening. Will there be a recommended setup or info about what to do for all those individual components?
For example I used all components but have never done anything with the DocumentsAntiExploit tool.
Am I missing then some form of default or recommended protection?

 

[Andy Ful]

Looks great, much hard work went into it and there is much valuable info.
The only thing I'm thinking about is, that there are a lot of individual components; Hard_Configurator, ConfigureDefender, DocumentsAntiExploit and FirewallHardening. Will there be a recommended setup or info about what to do for all those individual components?
For example I used all components but have never done anything with the DocumentsAntiExploit tool.
Am I missing then some form of default or recommended protection?

If you use WD as the main AV with ConfigureDefender High Protection Level and FirewallHardening ("Recommended H_C" rules + "MS Office" rules), then you do not need to apply DocumentsAntiExploit.

For example, ConfigureDefender activates several ASR rules which are prepared to protect MS Office applications.
Yet, you can use DocumentsAntiExploit if some of the above restrictions must be released because they block something in MS Office that is important to you. Furthermore, the DocumentsAntiExploit tool can be useful if you use MS Office on several accounts and you want to apply different MS Office restrictions on them.

 

[Lenny_Fox]

@Andy Ful

Also for someone (me) who does not speak English as a first language the explanation is understandable.



BUT THESE IMPROVEMENTS . . . ARE ASKING FOR SIMPLER (AND LESS INSTRUCTION REQUIRING) PRESETS (or you could combine the first three switch-on/off presets into a seperate program with a simple switch on-of and four preset choices option)

*** option 1
*** For people thinking Windows default is not good enough, but who lack the knowledge to tweak security
***
DANGEROUS FILES RESTRICTIONS FOR WINDOWS DEFENDER (SWITCH ON _ OFF)
- Hard_Configurator with Windows_10_MT_Windows_Security_hardening profile
- Configure Defender on HIGH

*** option 2
*** Most free AV users know they miss some paid features, so some might feel the need to add something extra to their FREE antivirus
***
DANGEROUS FILES RESTRICTIONS FOR FOR THIRD-PARTY (FREE) ANTIVIRUS (SWITCH ON - OFF)
- Hard_Configurator with AVAST profile
- Firewall Hardening (Office files)
- DocumentsAntiExploit

*** option 3
*** For the security aware PC user prefering Microsoft products for maximum compatibility
***
SOFTWARE RESTRICTIONS FOR WINDOWS DEFENDER - runs with Windows Defender (SWITCH ON - OFF)
- H_C recommended settings plus instruction to use INSTALL BY SMARTSCREEN
- Firewall Hardening (Recommended + Office files)
- Configure Defender on HIGH

*** option 4
*** For the security aware PC user combining / layering (often free and of the shelve) products to a secure PC setup
***
SOFTWARE RESTRICTIONS FOR THIRD-PARTY (FREE) ANTIVIRUS - runs with any antivirus (SWITCH ON - OFF)
- H_C recommended settings plus instruction to use INSTALL BY SMARTSCREEN
- Firewall Hardening (Recommended + Office files)
- DocumentsAntiExploit

***
*** For the DIY security enthousiast wanting to tweak the security to his/her own needs
***
HARD_CONFIGURATOR (for the users who want to tweak settings themselves) as it is now

 

[Andy Ful]

Lenny_Linux,
Thanks for your ideas. I think that maybe I will work in the future on something like 3+4 on Windows 8+,
like in my previous posts:
https://malwaretips.com/threads/hard_configurator-windows-hardening-configurator.66416/page-102
https://malwaretips.com/threads/har...gurator.66416/page-20#lg=thread-66416&slide=0

I think that Windows security based on restrictions is like a diet program. There does not exist one simple diet for everyone. It must be adjusted to the patient's abilities, habits, environment, and activities. You need a dietician (family Administrator ) and some diagnostics to do it safely. That is why I will stop on the level of security-aware PC users.
Of course in many cases, the dietician will not have much work (like in my family) but there will be always some patients who will require more attention and some who will require another treatment (not diet).

 

[shmu26]

When do you expect to put out ver. 5.0.0.1?

 

[oldschool]

Please do not over-complicate proposed options because I occasionally read about the GUI being hard to understand, navigate, etc. I believe a simple UI is the best.

 

[Gandalf_The_Grey]

If you use WD as the main AV with ConfigureDefender High Protection Level and FirewallHardening ("Recommended H_C" rules + "MS Office" rules), then you do not need to apply DocumentsAntiExploit.

View attachment 231812

For example, ConfigureDefender activates several ASR rules which are prepared to protect MS Office applications.
Yet, you can use DocumentsAntiExploit if some of the above restrictions must be released because they block something in MS Office that is important to you. Furthermore, the DocumentsAntiExploit tool can be useful if you use MS Office on several accounts and you want to apply different MS Office restrictions on them.

Maybe because I installed MS Office from the Microsoft Store (other paths?) add the "MS Office" rules in FirewallHardening does nothing.
Can I still apply restrictions through the DocumentsAntiExploit? Do I need to select ON1 or ON2 ?
Now showing partial probably because I used ConfigureDefender on high settings.

 

[Andy Ful]

When do you expect to put out ver. 5.0.0.1?

I will probably push the beta version after a month or two.

 

[Andy Ful]

Please do not over-complicate proposed options because I occasionally read about the GUI being hard to understand, navigate, etc. I believe a simple UI is the best.

The current GUI is for advanced users as a configuration and diagnostic tool. It is like a panel of an airplane.

So, it will always look somewhat messy, until you will learn how to use it.

 

[oldschool]

The current GUI is for advanced users as a configuration and diagnostic tool. It is like a desktop of an airplane.

View attachment 231841

So, it will always look somewhat messy, until you will learn how to use it.

Ha-ha! Precisely what I told someone on another forum.! It's actually much easier than a cockpit control panel.

 

[Andy Ful]

Maybe because I installed MS Office from the Microsoft Store (other paths?) add the "MS Office" rules in FirewallHardening does nothing.
Can I still apply restrictions through the DocumentsAntiExploit? Do I need to select ON1 or ON2 ?
Now showing partial probably because I used ConfigureDefender on high settings.

You have probably installed MS Office 365 which requires the Internet connection. FirewallHardening tool does not block it.
You do not need DocumentsAntiExploit tool when using the current settings. But, if you want to test it, then simply click the green <MS Office> button to get help about ON1 and ON2. If you select ON1, then you will be allowed to change some security settings via MS Office applications, but also malware will do it with standard rights. If you will select ON2, then this will be forbidden (good solution on the computers of children) - the changes will require Administrator rights.

 

[Gandalf_The_Grey]

You have probably installed MS Office 365 which requires the Internet connection. FirewallHardening tool does not block it.

Yes, I have Office 365 Home.
So with Office 365, I should use DocumentsAntiExploit?
Can you explain the difference between ON1 and ON2 and what should I use?
It's not clear to me after viewing the help.