Hard_Configurator - Windows Hardening Configurator

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,617
In the new H_C ver. 5.0.1.0, I added an additional setting profile named Windows_10_Basic_hardening.
It is equal to the Recommended Settings, except that in Recommended Settings the EXE and MSI files are allowed only in user AppData and ProgramData folders. In the Windows_10_Basic_hardening settings, the EXE and MSI files are allowed globally.
I added the profile description:

"Harden Windows 10 while maintaining maximum functionality and compatibility.

Please note: this profile allows the user to install/execute/update applications via EXE and MSI files. The only exceptions are EXE and MSI files executed directly from an archive or email client.
The scripts, shortcuts and other files with unsafe extensions are blocked by default in UserSpace.
The "Run By SmartScreen" entry in the Explorer context menu can be used to check the standalone application installers by SmartScreen Application Reputation service.

It is recommended to use this profile with ConfigureDefender HIGH Protection Level (if WD is the main antivirus) and "Recommended H_C" firewall outbound block rules (see <FirewallHardening> option). The profile can be used also with another antivirus with strong proactive detection."
That would be a great profile for me to try (y)
 

Gandalf_The_Grey

@Gandalf_The_Grey

I don't want to teach you anything, but if I may say so, I think that with the combination of F-Secure and H_C you wouldn't need VS.
I know... but I really like VS and its creator @danb
It's not on the laptop of my children, only on mine.
And yes, it's overkill.
 

Lenny_Fox

Level 22
Verified
Top Poster
Well-known
Oct 1, 2019
1,120
In the new H_C ver. 5.0.1.0, I added an additional setting profile named Windows_10_Basic_hardening.
It is equal to the Recommended Settings, except that in Recommended Settings the EXE and MSI files are allowed only in user AppData and ProgramData folders. In the Windows_10_Basic_hardening settings, the EXE and MSI files are allowed globally.

That is great, but it looks like you intended to say in the last sentence "Windows_10_MT_Windows_Security_hardening profile"; now you mentioned Windows_10_Basic_hardening twice.

When you don't mind, could you set up some structure in the name giving? May I suggest?

Windows_10_Basic_hardening >> Windows_10_enhanced_hardening
Because the new profile limits execution of EXE and TMP to 'only' ProgramData and AppData folders, I would rather call that profile Windows_10_secure_hardening.

Windows_10_MT_Windows_Security_hardening >> Windows_10_basic_hardening
The reason to rename it to basic is that it allows EXE, MSI, MSP, MSU and MRU system-wide (so less tightened than your above profile). I would also disable the UAC validate admin setting in this profile and replace run SmartScreen as Admin with Run as Admin to prevent users running into "Referral was returned from server" because an unsigned program tried to elevate.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,168
I am not a fan of using too many 3rd party security solutions on Windows 10. But, when we forget about it, then H_C with Windows_10_Basic_hardening overlaps with VS, mainly for scripts. H_C is more restrictive for scripts so it will block them before VS could check them.
On the contrary, most file executions will be via EXE and MSI files that are ignored by H_C and protected by AV + VS or checked "Run By SmartScreen".
So, this H_C setting profile can be used with VS, especially when the user does not like using on-demand "Run By SmartScreen" for EXE and MSI files.
 

Andy Ful

That is great, but it looks like you intended to say in the last sentence "Windows_10_MT_Windows_Security_hardening profile"; now you mentioned Windows_10_Basic_hardening twice.

When you don't mind, could you set up some structure in the name giving? May I suggest?

Windows_10_Basic_hardening >> Windows_10_enhanced_hardening
Because the new profile limits execution of EXE and TMP to 'only' ProgramData and AppData folders, I would rather call that profile Windows_10_secure_hardening.

Windows_10_MT_Windows_Security_hardening >> Windows_10_basic_hardening
The reason to rename it to basic is that it allows EXE, MSI, MSP, MSU and MRU system-wide (so less tightened than your above profile). I would also disable the UAC validate admin setting in this profile and replace run SmartScreen as Admin with Run as Admin to prevent users running into "Referral was returned from server" because an unsigned program tried to elevate.
The profile Windows_10_Basic_hardening is a logical variation of Recommended Settings.
Basic ---> extend allowing EXE and MSI files to all UserSpace.

The profile Windows_10_Recommended_Enhanced, is also a logical variation of Recommended Settings.
Enhanced --> block some popular Sponsors and block scripts for high privileged processes.

So, you could create the profile Windows_10_Basic_Enhanced to allow globally EXE and MSI files + block some popular Sponsors + block scripts for high privileged processes.

The profile Windows_10_MT_Windows_Security_hardening is a logical variation of Windows_10_basic_hardening, by enabling PowerShell scripts, disabling EXE and MSI restrictions for execution from archives and email clients, adding three blocked sponsors, and applying <Validate Admin C.S.>.
 

Andy Ful

Are you referring here specifically to script files?
And how does this new config compare to "Avast hardened aggressive" config?
This new config is not in the beta version, correct?
The profile Windows_10_Avast_Hardened_Mode_Aggressive differs from the Recommended Settings only by allowing EXE files globally. The MSI files are allowed only in user AppData + ProgramData folders (like in the Recommended Settings).
This profile protects EXE files via the Avast reputation service in the cloud. The MSI files are protected by Forced SmartScreen.
 

Lenny_Fox

The profile Windows_10_Basic_hardening is a logical variation of

The profile Windows_10_Recommended_Enhanced, is also a logical variation of

The profile Windows_10_MT_Windows_Security_hardening is a logical variation
Who else sees the logic of it in relation to these easy to grasp self explaining profiles 🤣🤣🤣
 

Protomartyr

Level 7
Sep 23, 2019
314
I'll admit the naming convention is a little confusing to me. It's hard to determine what the profile does or how it relates to the other profiles without reading the descriptions of what they allow/restrict. Then again, that's what the help section is for. I don't mind the reading because I actually enjoy learning about all this. But for a person new to security, it may seem daunting at first.
 

Andy Ful

Who else sees the logic of it in relation to these easy to grasp self explaining profiles 🤣🤣🤣
The profile Windows_10_Basic_hardening is a logical variation of

The profile Windows_10_Recommended_Enhanced, is also a logical variation of

The profile Windows_10_MT_Windows_Security_hardening is a logical variation
The last profile was created by @Windows_Security (MT member), so it has no logic in the naming (but functionally it can be derived from the Basic profile). The others are easy to understand (as I noted in the previous post) as variations of the Recommended Settings (RS) on Windows 10:
RS allows EXE and MSI files only in user AppData and ProgramData folders.
Basic ---> RS + allow EXE and MSI files in all UserSpace.
Strict --> RS + block EXE and MSI files in all UserSpace.
Enhanced --> RS + block some popular Sponsors (LOLBins) and block Windows Script Host scripts for high privileged processes.

So the variations are related to different restrictions for EXE, MSI files, LOLBins and scripts.

Strict >> RS >> Basic

and
Strict + Enhanced >> RS + Enhanced >> Basic + Enhanced.

The logic is easy to see. But, of course there are some other possible logical categorizations. (y)
 

Andy Ful

Are you referring here specifically to script files?
And how does this new config compare to "Avast hardened aggressive" config?
This new config is not in the beta version, correct?
I use the term "scripts" for files and "command-lines with script interpreters" for fileless scripting. Windows Script Host always uses scripting with files, even when a command-line is used.
For example:
Code:
wscript c:\MyScripts\script.vbs
PowerShell can use fileless command-lines:
Code:
PowerShell -NonInteractive -WindowStyle hidden -command Set-MpPreference -EnableNetworkProtection Enabled; Set-MpPreference -EnableControlledFolderAccess Disabled; Set-MpPreference -DisableRealtimeMonitoring 0; Set-MpPreference -DisableBehaviorMonitoring 0; Set-MpPreference -DisableBlockAtFirstSeen 0; Set-MpPreference -MAPSReporting 2; Set-MpPreference -SubmitSamplesConsent 1; Set-MpPreference -DisableIOAVProtection 0; Set-MpPreference -DisableScriptScanning 0; Set-MpPreference -PUAProtection Enabled; Set-MpPreference -ScanAvgCPULoadFactor 50;
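
The distinction drawn in the post above, applied to process command lines: this added Python example (not from the thread or from Hard_Configurator) labels a command line as file-based scripting or as a fileless interpreter command line. The names `classify`, `is_param` and `SAMPLES`, the parameter list and the sample command lines are assumptions made for illustration, and PowerShell's parameter abbreviation is modelled as simple prefix matching.

```python
import re
import shlex
from pathlib import PureWindowsPath

WSH_HOSTS = {"wscript", "cscript"}
PS_HOSTS = {"powershell", "pwsh"}
# powershell.exe parameters that consume the next token as their value.
PS_VALUE_PARAMS = ("WindowStyle", "ExecutionPolicy", "Version", "InputFormat",
                   "OutputFormat", "ConfigurationName", "PSConsoleFile")

def is_param(token, name):
    """True if token is -Name or /Name, or an abbreviation (prefix) of it."""
    m = re.fullmatch(r"[-/]([A-Za-z]+)", token)
    return bool(m) and name.lower().startswith(m.group(1).lower())

def classify(cmdline):
    """Return (kind, detail); kind is 'script-file', 'fileless' or 'other'."""
    # posix=False keeps the backslashes of Windows paths; quotes are stripped.
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)] or [""]
    host, args = PureWindowsPath(tokens[0]).stem.lower(), tokens[1:]
    if host in WSH_HOSTS:  # host options start with //, the rest is the file
        files = [a for a in args if not a.startswith("//")]
        return ("script-file", files[0]) if files else ("other", None)
    if host not in PS_HOSTS:
        return ("other", None)
    it = iter(args)
    for tok in it:
        if tok.lower() == "-ec" or is_param(tok, "EncodedCommand"):
            return ("fileless", "encoded command")
        if is_param(tok, "Command"):
            return ("fileless", " ".join(it))
        if is_param(tok, "File"):
            return ("script-file", next(it, None))
        if any(is_param(tok, p) for p in PS_VALUE_PARAMS):
            next(it, None)  # skip the value that belongs to this parameter
        elif not tok.startswith("-"):  # first positional argument
            kind = "script-file" if tok.lower().endswith(".ps1") else "fileless"
            return (kind, tok)
    return ("other", None)  # interpreter started with nothing to run

# Constructed samples; the first two follow the examples in the post.
SAMPLES = [
    r"wscript c:\MyScripts\script.vbs",
    "PowerShell -NonInteractive -WindowStyle hidden -command Set-MpPreference -PUAProtection Enabled;",
    r'powershell.exe -nop -ex bypass -f "C:\Tools\audit.ps1"',
]
if __name__ == "__main__":
    for s in SAMPLES:
        print(classify(s)[0], "<-", s)
```
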
 