Hard_Configurator - Windows Hardening Configurator

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
I use the term "scripts" for files and "command-lines with script Interpreters" for fileless scripting.
Thanks. I was asking due to the comparison with VoodooShield, in the context of which you mentioned that H_C will probably stop the scripts before VS gets a chance to handle them. That makes perfect sense to me as regards script files. But it puzzles me as regards fileless scripting, because the recommended settings of H_C don't block script interpreters per se.
@Gandalf_The_Grey,
The discussion about H_C is probably off-topic. If you want we can move some posts to the H_C thread.
Maybe we can ask a mod to move the posts? There are a lot of them, containing valuable discussion about H_C, and I think the H_C thread is where it belongs.

By the way, the names for the configs make sense to me. But they do require some previous knowledge.
Idea: give them a strictness rating. The most lenient config is 1, and the strictest is 10.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,488
@Andy Ful

So you have 3 basic configurations, each with an enhancement, making it 6 variations for each OS (Windows 7, Windows 8 & Windows 10). I would keep it clean and drop all other versions.
There are some special configs for Avast and for SUA lockdown. The H_C setting profiles for Avast require some knowledge about SRP, CyberCapture and Hardened Aggressive Mode, so I made the predefined configs.

The setups for Windows Vista are the same as for Windows 7, and the setups for Windows 8.1 are the same as for Windows 8. That is why the names of setups start with Windows_7..., Windows_8..., Windows_10....

The name Recommended Settings means that these settings can apply similar protection on different Windows versions. It means that Recommended Settings on Windows 7 will have more restrictive SRP settings as compared to Windows 10. Simply SRP has to cover more on Windows 7, because Windows 7 has fewer security features as compared to Windows 10.
 

Andy Ful

Thanks. I was asking due to the comparison with VoodooShield, in the context of which you mentioned that H_C will probably stop the scripts before VS gets a chance to handle them. That makes perfect sense to me as regards script files. But it puzzles me as regards fileless scripting, because the recommended settings of H_C don't block script interpreters per se.
The fileless anti-scripting protection is applied in H_C by SRP (PowerShell works in Constrained Language Mode), <Block Sponsors>, <Protect Shortcuts>, <FirewallHardening>, <ConfigureDefender>.
By the way, the names for the configs make sense to me. But they do require some previous knowledge.
Idea: give them a strictness rating. The most lenient config is 1, and the strictest is 10.
You forgot that other H_C settings, ConfigureDefender and FirewallHardening can add to the strictness.
If you will define the strictness as chances to block something that the user would not want to block, then on Windows 10 (RS is always the base of calculations):
RS = 2, Basic = -1, Strict = +2, Enhanced = +1, CD HIGH = +1, CD MAX = +4, FirewallHardening (FH) = +1 or +2, other H_C hardening +1 or +2.

For example:
Basic_Recommended = -1 + 2 = 1
Basic_Recommended_Enhanced = -1 + 2 + 1 = 2
Recommended = 2
Basic_Recommended + CD HIGH + FH (H_C recommended) = -1 + 2 + 1 + 1 = 3
Recommended + CD HIGH + FH (H_C recommended) = 2 + 1 + 1 = 4
Strict_Recommended_Enhanced = 2 + 2 + 1 = 5
Basic_Recommended + CD MAX = -1 + 2 + 4 = 5
etc.
 

Lenny_Fox

Level 22
Verified
Top Poster
Well-known
Oct 1, 2019
1,120
Because I studied web design/digital marketing, I am always called (in our family) when somebody messes up his/her PC or wants a cheap Microsoft Office version installed (digital Office license). I hope an all-Microsoft setup (now including Edge-chromium) reduces the chance of being called for help.

Since 2019, for every family member who has problems or comes to ask me to set up a new laptop/PC, I use the configuration below.

1. Hard_configurator setting:
- default deny for basic user (allow admin) except dll, exe, msi, msp, msu and tmp (in all user folders).
- designated (protected) file types the default plus powershell minus above file extensions
- enhanced blocked sponsors set (25 in total).
- protect windows folders and shortcuts
- enabled shell extension security and anti-exploit set to block Adobe + VBA
- disabled remote access, 16 bits and SMB1
- powershell script block and windows script host block both off
- validate Admin Code Signature, Run as Admin, Run as Smartscreen all off

2. ConfigureDefender set to MAX and Protected Folders OFF

3. Firewall Hardening blocking Office programs only

At least 7 PCs are set up this way and I have never been called for problems. So even with a risk value of 5, most average PC users (using programs instead of installing and trialing programs) are probably good to go. (y)(y)(y) (thanks to @Andy Ful)

Note: I have the same H_C and FH config on my girlfriend's laptop with Kaspersky Free and I never heard her complain about anything either.
 

shmu26

The fileless anti-scripting protection is applied in H_C by SRP (PowerShell works in Constrained Language Mode), <Block Sponsors>, <Protect Shortcuts>, <FirewallHardening>, <ConfigureDefender>.

You forgot that other H_C settings, ConfigureDefender and FirewallHardening can add to the strictness.
If you will define the strictness as chances to block something that the user would not want to block, then on Windows 10 (RS is always the base of calculations):
RS = 2, Basic = -1, Strict = +2, Enhanced = +1, CD HIGH = +1, CD MAX = +4, FirewallHardening (FH) = +1 or +2, other H_C hardening +1 or +2.

For example:
Basic_Recommended = -1 + 2 = 1
Basic_Recommended_Enhanced = -1 + 2 + 1 = 2
Recommended = 2
Basic_Recommended + CD HIGH + FH (H_C recommended) = -1 + 2 + 1 + 1 = 3
Recommended + CD HIGH + FH (H_C recommended) = 2 + 1 + 1 = 4
Strict_Recommended_Enhanced = 2 + 2 + 1 = 5
Basic_Recommended + CD MAX = -1 + 2 + 4 = 5
etc.
Can't argue with arithmetic! :)
Really what I was suggesting was a way for someone who clicks on the "load profile" button to easily evaluate what he is seeing. If the options presented there would have some kind of color code or number code, the user could just choose a config on that basis.
Alternatively, they could be assigned a paranoia rating: ultra lenient, very lenient, slightly lenient, standard, slightly paranoid, very paranoid, ultra paranoid.
 

Andy Ful

Can't argue with arithmetic! :)
Really what I was suggesting was a way for someone who clicks on the "load profile" button to easily evaluate what he is seeing. If the options presented there would have some kind of color code or number code, the user could just choose a config on that basis.
Alternatively, they could be assigned a paranoia rating: ultra lenient, very lenient, slightly lenient, standard, slightly paranoid, very paranoid, ultra paranoid.
I think that Basic_Recommended, Recommended, and Strict_Recommended just do a similar thing as lenient, standard, and slightly paranoid. Use all restrictions for ultra paranoid and use only the restrictions from the right H_C panel for ultra lenient. :)
 

shmu26

The fileless anti-scripting protection is applied in H_C by SRP (PowerShell works in Constrained Language Mode), <Block Sponsors>, <Protect Shortcuts>, <FirewallHardening>, <ConfigureDefender>.
True, but my experience shows that VoodooShield will still block some scripts that H_C ignores. I see this when I try to print something with my HP printer. I think it is rundll32 that VS is detecting.
I think that Basic_Recommended, Recommended, and Strict_Recommended just do a similar thing as lenient, standard, and slightly paranoid. Use all restrictions for ultra paranoid and use only the restrictions from the right H_C panel for ultra lenient. :)
True.
 

Andy Ful

True, but my experience shows that VoodooShield will still block some scripts that H_C ignores. I see this when I try to print something with my HP printer. I think it is rundll32 that VS is detecting.

True.
It cannot do it, if by scripts you mean files with script extensions, except if the script is whitelisted in H_C. Is your HP software in the whitelisted folders?
 

shmu26

It cannot do it, if by scripts you mean files with script extensions, except if the script is whitelisted in H_C. Is your HP software in the whitelisted folders?
Here is from VS whitelist:
Annotation 2020-03-31 182937.png
 

Andy Ful

Here is from VS whitelist:
View attachment 235926
These command-lines come from scripts located in whitelisted folders or from Registry keys added by HP software. There is no reason to block them.
The executable rundll32.exe can also be used by exploits, but first, the exploit has to download/extract/drop the malicious DLL payload. The H_C settings (including FirewallHardening) can prevent this in most cases.
 

shmu26

These command-lines come from scripts located in whitelisted folders or from Registry keys added by HP software. There is no reason to block them.
The executable rundll32.exe can also be used by exploits, but first, the exploit has to download/extract/drop the malicious DLL payload. The H_C settings (including FirewallHardening) can prevent this in most cases.
Thanks, Andy. Not sure how practical this is, but VoodooShield should be using you as a consultant. I think they would have fewer FPs and frustrated users.
 

Gandalf_The_Grey

Level 83
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,233
Andy, I am using the basic profile, every time I open the GUI and close it the box pops up asking me to log off even though I have not touched any settings. Is this normal? Thanks.
It's a known issue with the latest beta:
 

Andy Ful

Thanks, Andy. Not sure how practical this is, but VoodooShield should be using you as a consultant. I think they would have fewer FPs and frustrated users.
I think that VS took a different security approach. It would be hard to change the FP rate without diminishing the protection.
 

Andy Ful

Andy, I am using the basic profile, every time I open the GUI and close it the box pops up asking me to log off even though I have not touched any settings. Is this normal? Thanks.
Yes. That is a known minor bug in the newest H_C beta version. H_C shows an unnecessary alert, even when nothing was changed. Please, look at this post:
https://malwaretips.com/threads/hard_configurator-windows-hardening-configurator.66416/post-869220

Edit
It seems that @Gandalf_The_Grey posted the above just before me. :)
 

Lenny_Fox

Question @Andy Ful

The ConfigureDefender MAX sets the Windows Defender Antivirus Cloud delivered protection to BLOCK all unknown executables. How does this differ from Smartscreen's cloud based protection? My guess is that WD cloud checks all executables while Smartscreen only checks executables with Mark Of The Web. Is that correct? Do you have links to info sources on scope of WD Cloud where this is explained?

As far as I understand this is not explicitly mentioned in the info below.


Other question. Does ConfigureDefender also set the ad-hoc updates based on cloud protection data?
 

Andy Ful

Question @Andy Ful

The ConfigureDefender MAX sets the Windows Defender Antivirus Cloud delivered protection to BLOCK all unknown executables. How does this differ from Smartscreen's cloud based protection? My guess is that WD cloud checks all executables while Smartscreen only checks executables with Mark Of The Web. Is that correct? Do you have links to info sources on scope of WD Cloud where this is explained?
...
This setting is poorly documented. I think that it can work similarly to Intelligent Security Graph (ISG) integrated with WD Application Control. But, I never tested this. ISG allows application installers if they were checked by SmartScreen. But, in many cases the same application installers will be blocked if SmartScreen was not triggered. ISG uses SmartScreen when a file has MOTW, and uses advanced heuristics in the cloud for other files.
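
The Mark of the Web (MOTW) referred to in the posts above is stored on NTFS as a Zone.Identifier alternate data stream. As an added example (not part of the thread and not Hard_Configurator code), the PowerShell function below reports which files in a folder carry it; the function name Get-MotwStatus and the default extension list are assumptions made for illustration.

```powershell
# Added example: report Mark of the Web (MOTW) status for files in a folder.
# Get-MotwStatus and the default extension list are hypothetical names/values.
function Get-MotwStatus {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [string[]] $Extensions = @('.exe', '.msi', '.dll')
    )

    Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $Extensions -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $zoneId  = $null
            $hostUrl = $null

            # The stream is absent on files that never received MOTW (or that
            # live on a non-NTFS volume); the read then returns nothing.
            $ads = Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier `
                               -ErrorAction SilentlyContinue

            # Stream content is INI-like: [ZoneTransfer], ZoneId=N, HostUrl=...
            foreach ($line in $ads) {
                if     ($line -match '^ZoneId=(\d+)') { $zoneId  = [int]$Matches[1] }
                elseif ($line -match '^HostUrl=(.+)$') { $hostUrl = $Matches[1] }
            }

            [pscustomobject]@{
                File         = $_.FullName
                HasMotw      = $null -ne $zoneId
                ZoneId       = $zoneId              # 3 = Internet, 4 = Restricted sites
                FromInternet = ($null -ne $zoneId -and $zoneId -ge 3)
                HostUrl      = $hostUrl             # not always recorded
            }
        }
}

# Usage: files without MOTW are the ones a MOTW-triggered check never sees.
Get-MotwStatus -Path "$env:USERPROFILE\Downloads" |
    Sort-Object HasMotw |
    Format-Table File, HasMotw, ZoneId, HostUrl -AutoSize
```

Files extracted from archives or copied from FAT/exFAT media often show HasMotw = False, because the stream is lost or never written.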
 
