Hard_Configurator - Windows Hardening Configurator

Andy Ful said:
In the new H_C ver. 5.0.1.0, I added additional setting profile named Windows_10_Basic_hardening
It is equal to the Recommended Settings, except that in Recommended Settings the EXE and MSI files are allowed only in user AppData and ProgramData folders. In the Windows_10_Basic_hardening settings, the EXE and MSI files are allowed globally.
I added the profile description:

"Harden Windows 10 while maintaining maximum functionality and compatibility.

Please note: this profile allows the user to install/execute/update applications via EXE and MSI files. The only exceptions are EXE and MSI files executed directly from an archive or email client.
The scripts, shortcuts and other files with unsafe extensions are blocked by default in UserSpace.
The "Run By SmartScreen" entry in the Explorer context menu can be used to check the standalone application installers by SmartScreen Application Reputation service.

It is recommended to use this profile with ConfigureDefender HIGH Protection Level (if WD is the main antivirus) and "Recommended H_C" firewall outbound block rules (see <FirewallHardening> option). The profile can be used also with another antivirus with strong proactive detection."
Click to expand...
That would be a great profile for me to try (y)
 
  • Like
Reactions: Protomartyr, stefanos, toto_10 and 2 others
oldschool said:
You have a lot of layers which makes for more debugging work.

And now @Andy Ful has made a new profile for you! ;)
Click to expand...
Ha, ha.
Some other users talked about something similar for a long time. I might name it Recommended Settings for MT readers.:)
 
  • Like
  • HaHa
Reactions: South Park, Nevi, SeriousHoax and 7 others
Outpost said:
@Gandalf_The_Grey

I don't want to teach you anything, but if I may say so, I think that with the combination of F-Secure and H_C you wouldn't need VS.
Click to expand...
I know... but I really like VS and it's creator @danb
It's not on the laptop of my children only on mine.
And yes, it's overkill.
 
  • Like
  • HaHa
Reactions: SeriousHoax, Dave Russo, Protomartyr and 5 others
Andy Ful said:
In the new H_C ver. 5.0.1.0, I added additional setting profile named Windows_10_Basic_hardening
It is equal to the Recommended Settings, except that in Recommended Settings the EXE and MSI files are allowed only in user AppData and ProgramData folders. In the Windows_10_Basic_hardening settings, the EXE and MSI files are allowed globally.
Click to expand...

That is great, but it looks like you intended to say in the last sentence "WIndows_10_MT_Windows_Security_hardening profile", now you mentioned Windows_10_Basic_hardening twice

When you don't mind, could you setup some structure in the name giving. May I suggest?

Windows_10_Basic_hardening >> Windows_10_enhanced_hardening
Because the new profile limits execution of EXE and TMP to 'only' ProgramData and AppData folders, I would rather call that profile to Windows_10_secure_hardening

Windows_10_MT_Windows_Security_hardening >> Windows_10_basic_hardening
Reason to rename it to basic is because it allows EXE, MSI, MSP, MSU and MRU system wide (so less tightened than your above profile). I would also disable UAC validat eadmin setting in this profile and replace run Smartscreen as Admin with Run as Admin to prrevent users running into "Referal was returned from server" because an unsigned program tried to elevate.
 
  • Like
  • +Reputation
Reactions: Nevi, toto_10, Dave Russo and 4 others
I am not a fan of using too many 3rd party security solutions on Windows 10. But, when we forget about it, then H_C with Windows_10_Basic_hardening overlaps with VS, mainly for scripts. H_C is more restrictive for scripts so it will block them before VS could check them.
On the contrary, most file executions will be via EXE and MSI files that are ignored by H_C and protected by AV + VS or checked "Run By SmartScreen".
So, this H_C setting profile can be used with VS, especially when the user does not like using on-demand "Run By SmartScreen" for EXE and MSI files.
 
  • Like
  • +Reputation
Reactions: Nevi, toto_10, plat and 6 others
Lenny_Linux said:
That is great, but it looks like you intended to say in the last sentence "WIndows_10_MT_Windows_Security_hardening profile", now you mentioned Windows_10_Basic_hardening twice

When you don't mind, could you setup some structure in the name giving. May I suggest?

Windows_10_Basic_hardening >> Windows_10_enhanced_hardening
Because the new profile limits execution of EXE and TMP to 'only' ProgramData and AppData folders, I would rather call that profile to Windows_10_secure_hardening

Windows_10_MT_Windows_Security_hardening >> Windows_10_basic_hardening
Reason to rename it to basic is because it allows EXE, MSI, MSP, MSU and MRU system wide (so less tightened than your above profile). I would also disable UAC validat eadmin setting in this profile and replace run Smartscreen as Admin with Run as Admin to prrevent users running into "Referal was returned from server" because an unsigned program tried to elevate.
Click to expand...
The profile Windows_10_Basic_hardening is a logical variation of Recommended Settings.
Basic ---> extend allowing EXE and MSI files to all UserSpace.

The profile Windows_10_Recommended_Enhanced, is also a logical variation of Recommended Settings.
Enhanced --> block some popular Sponsors and block scripts for high privileged processes.

So, you could create the profile Windows_10_Basic_Enhanced to allow globally EXE and MSI files + block some popular Sponsors + block scripts for high privileged processes.

The profile Windows_10_MT_Windows_Security_hardening is a logical variation of Windows_10_basic_hardening, by enabling PowerShell scripts, disabling EXE and MSI restrictions for execution from archives and email clients, adding three blocked sponsors, and applying <Validate Admin C.S.>.
 
Last edited:
  • Like
  • +Reputation
Reactions: Nevi, toto_10, Dave Russo and 7 others
shmu26 said:
Are you referring here specifically to script files?
And how does this new config compare to "Avast hardened aggressive" config?
This new config is not in the beta version, correct?
Click to expand...
The profile Windows_10_Avast_Hardened_Mode_Aggressive differs from the Recommended Settings only by allowing EXE files globally. The MSI files are allowed only in user AppData + ProgramData folders (like in the Recommended Settings).
This profile protects EXE file via the Avast reputation service in the cloud. The MSI files are protected by Forced SmartScreen.
 
  • Like
  • +Reputation
Reactions: toto_10, Dave Russo, Gandalf_The_Grey and 4 others
Andy Ful said:
The profile Windows_10_Basic_hardening is a logical variation of

The profile Windows_10_Recommended_Enhanced, is also a logical variation of

The profile Windows_10_MT_Windows_Security_hardening is a logical variation
Click to expand...
Who else sees the logic of it in relation to these easy to grasp self explaining profiles 🤣🤣🤣
 
Last edited:
  • Like
Reactions: toto_10, Dave Russo, Gandalf_The_Grey and 1 other person
I'll admit the naming convention is a little confusing to me. It's hard to determine what the profile does or how it relates to the other profiles without reading the descriptions of what they allow/restrict. Then again, that's what the help section is for. I don't mind the reading because I actually enjoy learning about all this. But for a person new to security, it may seem daunting at first.
 
  • Like
  • +Reputation
  • Thanks
Reactions: Nevi, Gandalf_The_Grey, toto_10 and 6 others
Lenny_Linux said:
Who else sees the logic of it in relation to these easy to grasp self explaining profiles 🤣🤣🤣
The profile Windows_10_Basic_hardening is a logical variation of

The profile Windows_10_Recommended_Enhanced, is also a logical variation of

The profile Windows_10_MT_Windows_Security_hardening is a logical variation
Click to expand...
The last profile was created by @Windows_Security (MT member) so it has no logic in the naming (but functionally can be derived from Basic profile). Others are easy to understand (as I noted in previous post) as variations of the Recommended Settings (RS) on Windows 10:
RS allows EXE and MSI files only in user AppData and ProgramData folders.
Basic ---> RS + allow EXE and MSI files in all UserSpace.
Strict --> RS + block EXE and MSI files in all UserSpace.
Enhanced --> RS + block some popular Sponsors (LOLBins) and block Windows Script Host scripts for high privileged processes.

So the variations are related to different restrictions for EXE, MSI files, LOLBins and scripts.

Strict >> RS >> Basic
and
Strict + Enhanced >> RS + Enhanced >> Basic + Enhanced.

The logic is easy to see. But, of course there are some other possible logical categorizations. (y)
 
Last edited:
  • Like
  • +Reputation
Reactions: Gandalf_The_Grey, harlan4096, ForgottenSeer 85179 and 6 others
shmu26 said:
Are you referring here specifically to script files?
And how does this new config compare to "Avast hardened aggressive" config?
This new config is not in the beta version, correct?
Click to expand...
I use the term "scripts" for files and "command-lines with script Interpreters" for fileless scripting. Windows Script Host always uses scripting with files, even when command-line is used.
For example:
Code: 
wscript c:\MyScripts\script.vbs
PowerShell can use fileless command-lines:
Code: 
PowerShell -NonInteractive -WindowStyle hidden -command Set-MpPreference -EnableNetworkProtection Enabled; Set-MpPreference -EnableControlledFolderAccess Disabled; Set-MpPreference -DisableRealtimeMonitoring 0; Set-MpPreference -DisableBehaviorMonitoring 0; Set-MpPreference -DisableBlockAtFirstSeen 0; Set-MpPreference -MAPSReporting 2; Set-MpPreference -SubmitSamplesConsent 1; Set-MpPreference -DisableIOAVProtection 0; Set-MpPreference -DisableScriptScanning 0; Set-MpPreference -PUAProtection Enabled; Set-MpPreference -ScanAvgCPULoadFactor 50;
 
Last edited:
  • Like
  • +Reputation
Reactions: Nevi, Gandalf_The_Grey, harlan4096 and 5 others

You may also like...