Hard_Configurator - Windows Hardening Configurator

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,131
Yes, I have Office 365 Home.
So with Office 365, I should use DocumentsAntiExploit?
Can you explain the difference between ON1 and ON2 and what should I use?
It's not clear to me after viewing the help.:giggle:
You pushed your post while I was editing mine.:)
You can use DocumentsAntiExploit with Office 365.
 

Lenny_Fox

Level 22
Verified
Top Poster
Well-known
Oct 1, 2019
1,120
@Andy Ful

I really like the simplicity of WDDS. As I have mentioned earlier, on my dual boot I have Windows 10 PRO, but it is much easier to use Hard_Configurator. With H_C, many things requiring a lot of tweaking can be set by selecting a single option, because of the knowledge you have put into it.

H_C is not only easier (than secpol), it also helps me by adjusting all related registry settings (while tweaking gpedit by hand it is easy to forget a setting somewhere). Since I joined this forum I have learned a lot, but there is still a gap between theoretical knowledge (following a minor in security) and correct implementation of that theory.

Speaking in your terms: people want to lose weight and know they have to follow a diet. But making a weekly menu with balanced breakfast, lunch and dinner meals and preparation instructions requires another level of food and nutrition (and cooking) knowledge. Providing WDDS, maybe with some preset suggestions of individual options which work well together, would help a lot of people to increase the security of their PC.
 

show-Zi

Level 36
Verified
Top Poster
Well-known
Jan 28, 2018
2,463
The current GUI is for advanced users as a configuration and diagnostic tool. It is like a panel of an airplane.

View attachment 231841

So, it will always look somewhat messy, until you learn how to use it.
For me, it is a cockpit of an advanced alien ship. It starts with the decipherment of the instrument panel text.😓😵

Are there any plans for multilingual support? I want to personalize the UI into Japanese personally.🤓
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,131
For me, it is a cockpit of an advanced alien ship. It starts with the decipherment of the instrument panel text.😓😵

Are there any plans for multilingual support? I want to personalize the UI into Japanese personally.🤓
This would be hard for H_C. I will think about it while creating a more basic version with a simpler GUI.
If I might give some advice, then it is not necessary to use all the buttons. From the main H_C window, just use the buttons around the central two panels. The central part is for advanced users:

H_C_structure.png
 

Lenny_Fox

Level 22
Verified
Top Poster
Well-known
Oct 1, 2019
1,120
@andy full, your answer makes me laugh, imagine this (while the counter is ticking away the time to explosion)...

Said the senior bomb disposal specialist to the junior specialist "If I may give you some advice? It is not necessary to cut all the wires, just use the ones around the central two panels. The central part is for advanced users".

"Well that is a relief" said the junior bomb disposal specialist, "that reduces the error margin to cut the wrong wire by a multitude, thanks mate!"
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,131
@andy full, your answer makes me laugh, imagine this (while the counter is ticking away the time to explosion)...

Said the senior bomb disposal specialist to the junior specialist "If I may give you some advice? It is not necessary to cut all the wires, just use the ones around the central two panels. The central part is for advanced users".

"Well that is a relief" said the junior bomb disposal specialist, "that reduces the error margin to cut the wrong wire by a multitude, thanks mate!"
Ha, ha. :)
Except that there was a switch available to reset the counter:

Switch.png

Anyway, the advice to reduce the error surface seems reasonable to me.:unsure:
You can spend much less time when reading the instruction on how to dismantle the bomb.

Edit.
I edited my post because it was too long and repetitive.:)
 
Last edited:

Lenny_Fox

Level 22
Verified
Top Poster
Well-known
Oct 1, 2019
1,120
On request, here is the profile for Dangereous Filetype Restrictions. It is a little different from Avast_Hardened_mode and Windows10_MT_Windows_Security. Download the file and rename it from Dangereous_Filetype_Restrictions.txt to Dangereous_Filetype_Restrictions.hdc

@Andy Ful could you check it to confirm I implemented the intended use correctly:
- block dangerous file extensions (with embedded code) from running in user folders (allow in UAC protected folders)
- block script interpreters from running as standard user (allow running as elevated administrator)
- other settings are aimed at disabling Windows features which average home users don't need

Notes:
  1. Validate Admin Code Signing is ON. Most mainstream software is signed, so this should not impact average PC users. When you have unsigned programs needing to run as Admin, disable "Validate Admin CS".
  2. Most common script interpreters are blocked from running as standard user. Regular programs installed in UAC protected folders need to update elevated. In the unusual event that they would require PowerShell/command shell to run, those programs are allowed because the Software Restriction Policies are not applied to Administrators. When you are afraid to use this hardening, fall back to using Windows10_MT_Windows_Security

As the explanation mentions: run this profile with ConfigureDefender set to MAX (so all programs unknown are blocked by the cloud protection of Windows Defender) and Firewall Hardening blocking Office programs.
 

Attachments

  • Dangereous_Filetype_Restrictions.txt
    1,017 bytes · Views: 210

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,131
...
  1. Most common script interpreters are blocked from running as standard user. Regular programs installed in UAC protected folders need to update elevated. In the unusual event that they would require PowerShell/command shell to run, those programs are allowed because the Software Restriction Policies are not applied to Administrators. When you are afraid to use this hardening, fall back to using Windows10_MT_Windows_Security
The profile is OK but requires some comment.
Unfortunately, there are many cases where 3rd party software can use cmd.exe, wscript.exe, cscript.exe or mshta.exe with standard rights. That can be seen for example from OSArmor threads on MT and Wilderssecurity forums. From personal experience, the Intel software can use BAT files to start some tools with Windows. That is why the files with BAT, CMD, VBS, JS, and HTA extensions are blocked by SRP with the possibility to whitelist the blocked events. Blocking the sponsors does not allow whitelisting, so this has to be done only after testing the system for some time and looking at the H_C Log of blocked events.

As the explanation mentions: run this profile with ConfigureDefender set to MAX (so all programs unknown are blocked by the cloud protection of Windows Defender) and Firewall Hardening blocking Office programs.
The MAX Protection level will prevent users from running most of the unknown programs by applying SmartScreen and one ASR rule related to the file prevalence. It is close to blocking unknown programs, but SmartScreen will work only for files with MOTW. The ASR rule will sometimes block application updates. The user can open/run on-demand any new file via "Run By SmartScreen", to get the full protection against unknown files.
 
Last edited:
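The profile post above and Andy's reply turn on three things that are easy to state and hard to verify after the fact: which script extensions SRP actually covers, whether the policy really exempts administrators (the reason elevated updaters keep working), and whether "Validate Admin Code Signing" is on. The PowerShell below is an added audit example, not code from Hard_Configurator or from either poster; it reads the standard SRP and UAC policy keys that Windows itself uses, and pulls recent SRP block events so they can be reviewed before anything is whitelisted. It assumes the SRP policy lives in the built-in CodeIdentifiers key and that the block events are logged under the provider and event ID shown.

```powershell
# Added example (not part of Hard_Configurator or the forum posts): audit the
# SRP settings and the UAC code-signing policy discussed in the thread, then list
# recent SRP block events for whitelisting review.
# Assumptions: standard SRP registry location; SRP block events are Event ID 866
# from provider Microsoft-Windows-SoftwareRestrictionPolicies in the Application log.

$srpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Script/embedded-code extensions the thread says should be covered by SRP
$scriptExts = 'BAT', 'CMD', 'VBS', 'JS', 'HTA'

function Get-SrpStatus {
    if (-not (Test-Path $srpKey)) {
        return [pscustomobject]@{ Configured = $false }
    }
    $p = Get-ItemProperty -Path $srpKey
    $defaultLevel = switch ($p.DefaultLevel) {
        0       { 'Disallowed' }
        0x20000 { 'Basic User' }
        0x40000 { 'Unrestricted' }
        default { "Unknown ($($p.DefaultLevel))" }
    }
    # PolicyScope 1 = "All users except local administrators". This is why an
    # elevated launch bypasses the rules while a standard-user launch is blocked.
    $adminsExempt = ($p.PolicyScope -eq 1)
    $covered = @(); $missing = @()
    foreach ($ext in $scriptExts) {
        # ExecutableTypes is the MULTI_SZ list of extensions SRP treats as executable
        if ($p.ExecutableTypes -contains $ext) { $covered += $ext } else { $missing += $ext }
    }
    [pscustomobject]@{
        Configured        = $true
        DefaultLevel      = $defaultLevel
        AdminsExempt      = $adminsExempt
        ScriptExtsCovered = ($covered -join ',')
        ScriptExtsMissing = ($missing -join ',')
    }
}

function Get-AdminCodeSigningStatus {
    $v = (Get-ItemProperty -Path $uacKey -ErrorAction SilentlyContinue).ValidateAdminCodeSignatures
    # 1 = only signed executables may elevate ("Validate Admin Code Signing" ON)
    [pscustomobject]@{ ValidateAdminCodeSignatures = [bool]$v }
}

function Get-SrpBlockEvents {
    param([int]$Hours = 24)
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-SoftwareRestrictionPolicies'
        Id           = 866
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time = $_.TimeCreated
                # The first message line names the blocked path
                Path = ($_.Message -split "`n")[0].Trim()
            }
        }
}

Get-SrpStatus | Format-List
Get-AdminCodeSigningStatus | Format-List
"SRP blocks in the last 24 h (review before whitelisting):"
Get-SrpBlockEvents | Format-Table -AutoSize
```

Run it from an elevated prompt after applying the profile. A vendor tool that starts via a BAT file with standard rights, as Andy describes for the Intel software, shows up in the block list; that is the list to consult before deciding whether to whitelist the path or to fall back to the less restrictive profile.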

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,131
I know that I am boring, but the below notes should be rethought by the H_C users:

SETUP OVERKILL
  1. The Recommended Settings are already very strong (if coupled with antivirus).
  2. The user should rather learn how to live with them, than trying to add more protection.
  3. Adding more advanced features is usually not necessary and often ends with overkill, incompatibilities, and disappointment.
  4. When using Recommended Settings, the user should not think about more advanced Hard_Configurator features, but rather about improving the protection of the web browser and router.
  5. If the system/software is not properly updated or the computer is used in the vulnerable environment, then using SUA and adding some advanced Hard_Configurator restrictions would be justified.
You have been warned! :)

Edit.
These notes are not related to the recent posts but to the H_C manual. (y)
 

Lenny_Fox

Level 22
Verified
Top Poster
Well-known
Oct 1, 2019
1,120
The profile is OK but requires some comment.
Unfortunately, there are many cases where 3rd party software can use cmd.exe, wscript.exe, cscript.exe or mshta.exe with standard rights.
That is why I added them to the blocked sponsors (in the profile posted above). Did I do something wrong?


The MAX Protection level will prevent users from running most of the unknown programs by applying SmartScreen and one ASR rule related to the file prevalence. It is close to blocking unknown programs, but SmartScreen will work only for files with MOTW. The ASR rule will block sometimes the application updates. The user can open/run on-demand any new file via "Run By SmartScreen", to get the full protection against unknown files.
My assumption was based on a discussion on reddit (where MS people had participated) and the official Microsoft documentation. Allow me to write down how I understood this so you can correct it:

Block at first sight, which applies to executables and non-portable executable files (such as JS, VBS, or macros), applies only when they have the Mark Of The Web (are downloaded from the internet by a browser which sets the MOTW).

ASR rule Block executable files from running unless they meet a prevalence, age, or trusted list criteria applies to ALL executables

Cloud delivered protection level Zero Tolerance (your block option)
Block at first sight and cloud delivered protection level are mentioned explicitly as two different mechanisms (link Microsoft)? In the documentation of Block at first sight the reference to MOTW only is explained explicitly. While this is not mentioned explicitly at Cloud Protection Level. These settings are controlled by two different settings in group policy. That is why I assumed Cloud Protection Level applies to all executables.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,131
That is why I added them to the blocked sponsors (in the profile posted above). Did I do something wrong?
Nothing wrong if your software (from vendors like Intel, HP, etc.) does not use scripts with standard rights. Unfortunately, this is not true on some computers.

Block at first sight, which applies to executables and non-portable executable files (such as JS, VBS, or macros), applies only when they have the Mark Of The Web (are downloaded from the internet by a browser which sets the MOTW).

ASR rule Block executable files from running unless they meet a prevalence, age, or trusted list criteria applies to ALL executables

Cloud delivered protection level Zero Tolerance (your block option)
Block at first sight and cloud delivered protection level are mentioned explicitly as two different mechanisms (link Microsoft)? In the documentation of Block at first sight the reference to MOTW only is explained explicitly. While this is not mentioned explicitly at Cloud Protection Level. These settings are controlled by two different settings in group policy. That is why I assumed Cloud Protection Level applies to all executables.
All of the above is true. BAFS and Cloud delivered protection Zero Tolerance level do not block unknown files, but only files that were initially recognized as sufficiently suspicious. The ASR rule "Block executable files from running unless they meet a prevalence, age, or trusted list criteria" is related to fresh files with a low prevalence - this is also a kind of suspiciousness criterion.
The above features do not block all unknown files, but only unknown & suspicious.
SmartScreen integrated with Explorer works with different criteria, and will block files unknown to the reputation cloud or known as malicious.

Post edited.
 
Last edited:
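The exchange above sorts the Defender layers by what triggers them: SmartScreen and Block at first sight look at files carrying the Mark of the Web, the prevalence ASR rule looks at any fresh executable, and the cloud protection level applies to everything scanned but only blocks what is already judged suspicious. The PowerShell below is an added example, not code from the posters, from ConfigureDefender or from Microsoft; for one file it reads the Zone.Identifier stream (where MOTW is stored), the Authenticode status, and the relevant Get-MpPreference values, and reports which of those layers can evaluate that file. It assumes the ASR rule GUID shown is the documented one for the prevalence/age/trusted-list rule and that the Defender cmdlets are present; the sample path in the usage line is a constructed placeholder.

```powershell
# Added example (not from the forum posts, H_C or ConfigureDefender): for a given
# file, report which Defender layers discussed in the thread can evaluate it.
# Assumptions: documented GUID for the "prevalence, age, or trusted list" ASR rule;
# Get-MpPreference available (Defender cmdlets).

$PrevalenceAsrRule = '01443614-cd74-433a-b99e-2ecdc07bfc25'
$PeExtensions = '.exe', '.dll', '.scr', '.com'

function Get-MotwZone {
    param([Parameter(Mandatory)][string]$Path)
    # MOTW is stored in the Zone.Identifier alternate data stream; ZoneId=3 is Internet
    $zone = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $zone) { return $null }
    $line = $zone | Where-Object { $_ -like 'ZoneId=*' } | Select-Object -First 1
    if ($line) { [int]($line -split '=')[1] } else { $null }
}

function Get-DefenderLayerStatus {
    $mp  = Get-MpPreference
    $ids = @($mp.AttackSurfaceReductionRules_Ids)
    $idx = -1
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $PrevalenceAsrRule) { $idx = $i; break }
    }
    # ASR actions: 0 = off, 1 = block, 2 = audit, 6 = warn
    $asrAction = if ($idx -ge 0) { [int]$mp.AttackSurfaceReductionRules_Actions[$idx] } else { 0 }
    $asrText = switch ($asrAction) { 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' } default { 'Off' } }
    # CloudBlockLevel: 0 default, 1 moderate, 2 high, 4 high+, 6 zero tolerance
    $cloudText = switch ([int]$mp.CloudBlockLevel) {
        0 { 'Default' } 1 { 'Moderate' } 2 { 'High' } 4 { 'High+' } 6 { 'Zero tolerance' }
        default { "Unknown ($($mp.CloudBlockLevel))" }
    }
    [pscustomobject]@{
        MapsReportingOn     = ([int]$mp.MAPSReporting -gt 0)   # cloud lookups need MAPS
        CloudBlockLevel     = $cloudText
        BlockAtFirstSeen    = (-not $mp.DisableBlockAtFirstSeen)
        PrevalenceAsrAction = $asrText
    }
}

function Get-FileLayerReport {
    param([Parameter(Mandatory)][string]$Path)
    $zone    = Get-MotwZone -Path $Path
    $hasMotw = ($null -ne $zone -and $zone -ge 3)     # Internet (3) or Restricted (4)
    $isPe    = ([IO.Path]::GetExtension($Path).ToLower() -in $PeExtensions)
    $sig     = Get-AuthenticodeSignature -LiteralPath $Path
    $d       = Get-DefenderLayerStatus
    [pscustomobject]@{
        File                  = $Path
        ZoneId                = $zone
        HasMotw               = $hasMotw
        SignatureStatus       = $sig.Status
        # SmartScreen and BAFS only consider the file when it carries MOTW
        SmartScreenEvaluates  = $hasMotw
        BafsEvaluates         = ($hasMotw -and $d.BlockAtFirstSeen -and $d.MapsReportingOn)
        # The prevalence rule applies to executables regardless of MOTW
        PrevalenceRuleApplies = ($isPe -and $d.PrevalenceAsrAction -eq 'Block')
        CloudBlockLevel       = $d.CloudBlockLevel
    }
}

# Constructed placeholder path; replace with a real downloaded file
Get-FileLayerReport -Path "$env:USERPROFILE\Downloads\setup.exe" | Format-List
```

For a file copied in over a LAN share or extracted by an archiver that does not propagate the stream, HasMotw comes back false and the report shows SmartScreen and BAFS not applying, which is exactly the gap Andy points to; "Run By SmartScreen" closes it on demand, and the prevalence rule and the cloud level still apply to the file independently of MOTW.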

Lenny_Fox

Level 22
Verified
Top Poster
Well-known
Oct 1, 2019
1,120
@Andy Ful

Pfff, a relief that my setup intentions are correctly translated to settings and confirmed by the master himself. Thanks for sharing your knowledge with me, much appreciated.

P.S. It really credits you as a person that you always take the time to answer questions, without any bias or disdain for the person's knowledge or experience. You are an asset to this forum, thanks a lot (y)(y)(y)(y)(y)
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,131
@Andy Ful

Pfff, a relief that my setup intentions are correctly translated to settings and confirmed by the master himself. Thanks for sharing your knowledge with me, much appreciated.

P.S. It really credits you as a person that you always take the time to answer questions, without any bias or disdain for the person's knowledge or experience. You are an asset to this forum, thanks a lot (y)(y)(y)(y)(y)
You are welcome. (y)
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,131
I have a question. I was one of the overkill people, using HC and Voodooshield. I removed Voodooshield yesterday. I've got 9 months left on a license for AVAST premium security. Is there any reason to install AVAST Premium and use that firewall and AV, or is that just more overkill?
What is your actual setup? Do you use popular & vulnerable software?
 

Chuck57

Level 9
Verified
Well-known
Oct 22, 2018
435
My setup is Win 10 Pro, 64 bit, Libreoffice, Macrium free backup, Aomei backupper Pro, a couple of screenwriting programs, Privazer, Revo Uninstaller, but nothing I consider vulnerable. All are either free or paid. I got AVAST premium security about 3 months ago and haven't installed it and wondered whether I should bother. I guess the one year license starts ticking when it's installed, but I see no point if it isn't needed. I can give it to one of my kids.
 

oldschool

Level 82
Verified
Top Poster
Well-known
Mar 29, 2018
7,111
My setup is Windows 10 Pro, 64 bit, Libreoffice, Macrium free backup, Aomei backupper Pro, a couple of screenwriting programs, Privazer, Revo Uninstaller, but nothing I consider vulnerable. All are either free or paid. I got AVAST premium security about 3 months ago and haven't installed it and wondered whether I should bother. I guess the one year license starts ticking when it's installed, but I see no point if it isn't needed. I can give it to one of my kids.

My 2 cts. --> Give your license away. Windows Defender + H_C or VS.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,131
My setup is Windows 10 Pro, 64 bit, Libreoffice, Macrium free backup, Aomei backupper Pro, a couple of screenwriting programs, Privazer, Revo Uninstaller, but nothing I consider vulnerable. All are either free or paid. I got AVAST premium security about 3 months ago and haven't installed it and wondered whether I should bother. I guess the one year license starts ticking when it's installed, but I see no point if it isn't needed. I can give it to one of my kids.
You can use WD + H_C Recommended settings (ConfigureDefender High Protection Level, FirewallHardening Recommended H_C). I will push soon the new version of H_C with <Update Mode>, and then you will not even see the H_C settings working.
Please bear in mind that H_C is currently for advanced users.
If you will not like WD, then you can install Avast + H_C and choose the profile for Avast.
 
