Hard_Configurator - Windows Hardening Configurator

simmerskool

Level 36
Verified
Top Poster
Well-known
Apr 16, 2017
2,599
Took the plunge last night and installed H_C 5.0.0.0 to run with WD. I removed a long favorite app to avoid any potential conflict. So far so good. This approach to security is making sense to me as I read thru the FAQ and I'll start tweaking from default if needed, but guessing default is sufficient. I'll try the beta when I understand the app better. Thanks Andy!!
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,510
Took the plunge last night and installed H_C 5.0.0.0 to run with WD. I removed a long favorite app to avoid any potential conflict. So far so good. This approach to security is making sense to me as I read thru the FAQ and I'll start tweaking from default if needed, but guessing default is sufficient. I'll try the beta when I understand the app better. Thanks Andy!!
You are welcome.:)
The Recommended Settings in the newest beta version are more convenient (much less whitelisting required).(y)
 

Gandalf_The_Grey

Level 83
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,249
You are welcome.:)
The Recommended Settings in the newest beta version are more convenient (much less whitelisting required).(y)
Even whitelisting is easier. No need to logout. When I whitelisted 2 exes by path and applied settings the SRP rules were refreshed and that's it.
Worked immediately after that (y)
So, the new beta 5.1.1.1 is highly recommended.

EDIT: Wanted to add that Andy did a fantastic job on the manual.
IMO a must read for anyone using his software.
 

Back3

Level 14
Verified
Top Poster
Apr 14, 2019
668
EDIT: Wanted to add that Andy did a fantastic job on the manual.
IMO a must read for anyone using his software.

True. When I was looking to install H_C, I read the manuals. I also looked on YouTube to find videos about it. I found none in English but a good one in French. I watched it twice and it helped me a lot to understand how to set up H_C. I hope someone will post a good tutorial in English....
 

Andy Ful

...
When I was looking to install H_C, I read the manuals. I also looked on YouTube to find videos about it. I found none in English but a good one in French. I watched it twice and it helped me a lot to understand how to set up H_C. I hope someone will post a good tutorial in English....
The simplest method of installing H_C.
1. Run the installer and press <Enter> for any new window.
2. Run H_C and press <Enter> to start Restore Point (wait a while as asked), next press <Enter> a few times for each MessageBox, until Log Off.:)

Anyway, the video would be more appealing. (y)
 

Andy Ful

I would like to mention the difference in using CMD or PowerShell as Administrator on Windows 8+ with H_C beta 5.1.1.1 as compared to the stable ver. 5.0.0.0. If the user wants to run something as Administrator (force Administrator privileges), then he/she has to choose "Keep 'Run as administrator'" when applying the Recommended Settings or set <Hide 'Run As Administrator'> = OFF.

This follows from the fact that in the new H_C beta, the "Install By SmartScreen" entry in the right-click Explorer context menu can install/run applications with standard rights, so it will also run CMD or PowerShell with standard rights. Such a situation is present in Recommended Settings. It is related to the setting <More SRP ...><Update Mode> = ON.

In short (in beta 5.1.1.1):
  1. Recommended Settings ---> "Install By SmartScreen" cannot force Admin rights, because <More SRP ...><Update Mode> = ON
  2. Strict Recommended Settings ---> "Install By SmartScreen" forces Admin rights, because <More SRP ...><Update Mode> = OFF
  3. Basic Recommended Settings ---> "Run By SmartScreen" entry is used, which never forces Admin rights independently of other settings.
 

simmerskool

Even whitelisting is easier. No need to logout. When I whitelisted 2 exes by path and applied settings the SRP rules were refreshed and that's it.
Worked immediately after that (y)
So, the new beta 5.1.1.1 is highly recommended.

EDIT: Wanted to add that Andy did a fantastic job on the manual.
IMO a must read for anyone using his software.

I've read many of the posts on the 133 pages of this thread and in some other threads (downloaded FAQ and read them), but over time I forgot some finer points, as I was not using H_C daily. Will 5.1.1.1 install over 5.0.0.0 or do I need to uninstall 5.0 first, reboot, etc... before installing 5.1?
I had previously installed and run ConfigureDefender as standalone. Did installing H_C 5.0 change the CD settings, and if so, I assume that's fine as Recommended settings are most likely aok for this win10_vm.
PS I saw Total Commander mentioned in FAQ, is that suggested? I've been more or less keeping this win10_vm system "pristine." I've used xplorer2 and some other file managers but not on this setup, yet.

EDIT: installed 5.1.1.1 over 5.0.0.0. Read just enough to know that I could do an uninstall and a fresh install, but sensed I could drop 5.1 on top of 5.0. Not sure that was the best or better way to run 5.1 beta, but nothing seems broken, yet. I opened H_C and clicked the Recommended Settings | Apply | Logoff | Logon, and I think I'm ok, so far. I also read enough to know best NOT to start tweaking too much stuff. Keeping it simple and Recommended, as and until I learn the nuances. Will say, just how the H_C 5.1 ran during the update, a pleasure to work with, very polished!
 

South Park

Level 9
Verified
Well-known
Jun 23, 2018
441
Is it normal for the firewall rules to be duplicated (appearing up to 4 times)? I have only the recommended FW rules enabled.

Edit: I found the answer by examining closely the list of rules within the H-C interface. Each rule blocks a different path of the same executable (e.g., different .NET versions).


Gandalf_The_Grey

I've read many of the posts on the 133 pages of this thread and in some other threads (downloaded FAQ and read them), but over time I forgot some finer points, as I was not using H_C daily. Will 5.1.1.1 install over 5.0.0.0 or do I need to uninstall 5.0 first, reboot, etc... before installing 5.1?
I had previously installed and run ConfigureDefender as standalone. Did installing H_C 5.0 change the CD settings, and if so, I assume that's fine as Recommended settings are most likely aok for this win10_vm.
PS I saw Total Commander mentioned in FAQ, is that suggested? I've been more or less keeping this win10_vm system "pristine." I've used xplorer2 and some other file managers but not on this setup, yet.

EDIT: installed 5.1.1.1 over 5.0.0.0. Read just enough to know that I could do an uninstall and a fresh install, but sensed I could drop 5.1 on top of 5.0. Not sure that was the best or better way to run 5.1 beta, but nothing seems broken, yet. I opened H_C and clicked the Recommended Settings | Apply | Logoff | Logon, and I think I'm ok, so far. I also read enough to know best NOT to start tweaking too much stuff. Keeping it simple and Recommended, as and until I learn the nuances. Will say, just how the H_C 5.1 ran during the update, a pleasure to work with, very polished!
From the manual:
Updating from previous versions.
Because of several important changes in version 5.0.1.0, it is recommended (just after update) to load one of the predefined setting profiles or simply apply first the Recommended Settings and next adjust the restrictions. This will properly activate the new features. The whitelisted entries will not be changed, except adjusting the Unrestricted and Disallowed rules for EXE (TMP) and MSI files.
If the user wants to globally allow EXE (TMP) and MSI files, then the profile "Windows_*_Basic_Recommended_Settings.hdc" can be applied (* denotes the Windows version). This setting profile requires an antivirus with strong proactive protection for EXE and MSI files.
If the user wants to block also EXE (TMP) and MSI files in UserSpace, then the profile "Windows_*_Strict_Recommended_Settings.hdc" can be applied.
So, you did it the right way.

If you also use ConfigureDefender there is a new version 3.0.0.0 not (yet) included in H_C:
I would use that standalone instead of the older version included in the latest H_C beta.

Total Commander is indeed mentioned in the manual:
Elevated Shell
Normally, the user on AA or SUA may initiate applications only with standard rights. However, this can be changed by accessing an elevated shell: PowerShell (Administrator), Command Prompt (Administrator), etc. An alternative solution is to run Total Commander via "Run as administrator". The user who wants to access the elevated shell must first accept the UAC prompt. As long as the applications are initiated from the elevated shell, SRP (configured by H_C) and UAC will ignore them (i.e., no UAC alerts or SRP restrictions).
This can be useful when doing administrative tasks on the computer.
I see no use for that personally, maybe @Andy Ful can give us more details?
 

Andy Ful

...
PS I saw Total Commander mentioned in FAQ, is that suggested? I've been more or less keeping this win10_vm system "pristine." I've used xplorer2 and some other file managers but not on this setup, yet.
...
Total Commander is indeed mentioned in the manual:

I see no use for that personally, maybe @Andy Ful can give us more details?

You can run Total Commander (via 'Run as Administrator') as an elevated shell when you have to do many administrative tasks. This saves you many UAC prompts. Normally, on Windows 10, Explorer cannot be run as an elevated shell via 'Run as administrator', but I did not test it for other file explorers.

EDIT: installed 5.1.1.1 over 5.0.0.0. Read just enough to know that I could do an uninstall and a fresh install, but sensed I could drop 5.1 on top of 5.0. Not sure that was the best or better way to run 5.1 beta, but nothing seems broken, yet. I opened H_C and clicked the Recommended Settings | Apply | Logoff | Logon, and I think I'm ok, so far. I also read enough to know best NOT to start tweaking too much stuff. Keeping it simple and Recommended, as and until I learn the nuances. Will say, just how the H_C 5.1 ran during the update, a pleasure to work with, very polished!
You did it well. You probably read the information displayed after finishing the H_C installation:

QUICK CONFIGURATION (after the fresh installation).

  1. Run Hard_Configurator and follow the instructions which are displayed on the first run.
  2. It is recommended to allow Hard_Configurator making the System Restore Point, whitelisting the autoruns, and applying Recommended Settings. The restore point can be skipped when the kind of rollback software was installed.
  3. After those actions, Windows restart will be required.
  4. If Windows Defender is primary real-time protection, then <ConfigureDefender> option in Hard_Configurator (left violet button) can be used to activate advanced Windows Defender settings. It is recommended to apply <HIGH> Protection Level. The Windows restart is required to apply the new settings.
  5. The firewall hardening is also possible by using <FirewallHardening> option (right violet button). It is recommended to apply 'Recommended H_C' rules and turn ON 'Start logging events'. The Windows restart is required to apply the new settings.
  6. If you want to use Command Prompt or PowerShell with Administrator rights, then the option <Hide 'Run As Administrator'> should be set to OFF.
  7. Please update your archiver application and email client. In the Recommended Settings the below applications are supported:
    Archivers: Windows built-in Zip archiver, 7-Zip, ALZip, Bandizip, B1 Free Archiver, Explzh, ExpressZip, IArc, PeaZip, PKZip, PowerArchiver, WinRar, WinZip.
    EmailClients: Mail for Windows 10 (Windows app), Outlook, Claws-mail, eM Client, Foxmail, Hiri, Mailspring, PostBox, Spike, Thunderbird, and any online email client.
  8. Please read the help files to get info about Hard_Configurator options.
    Full information about the program and SRP can be accessed by using <Documentation> button, available after pressing <General Help> button.
    It is recommended to visit hard-configurator.com website for detailed information.
Updating from previous versions.
Because of several important changes in version 5.0.1.1, it is recommended (just after update) to load one of the predefined setting profiles or simply apply first the Recommended Settings and next adjust the restrictions. This will properly activate the new features. The whitelisted entries will not be changed, except adjusting the Unrestricted and Disallowed rules for EXE (TMP) and MSI files.
...
 

simmerskool

From the manual:

So, you did it the right way.

If you also use ConfigureDefender there is a new version 3.0.0.0 not (yet) included in H_C:
I would use that standalone instead of the older version included in the latest H_C beta.

Total Commander is indeed mentioned in the manual:

I see no use for that personally, maybe @Andy Ful can give us more details?

I gave myself a gold star for intuiting (or vaguely recalling) the right way to do it. :rolleyes:
I did put TC on this win10_vm. Not sure I like it? -- probably because I don't know how to take advantage of its features... yet.
For now I re-used CD in H_C 5.1.1.1 and put it on High (not max)
I also muddled around with Firewall, that's the config I'm least confident in using. I think I just added what was offered, assuming LOLBins were ok by selecting the green add button, and Recommended H_C from firewall selection.
win10_vm seems to be running AOK, in fact, I get the sense that webpages are loading faster in vm than in the host.
The MORE I use and learn about H_C the more I LIKE it.
 

simmerskool

I was talking with IT at work today, and he opined that WD does not have ransomware protection. I recall seeing on WD dashboard "Ransomware Protection" no action needed. But when I click manage ransomware protection it shows controlled folder access OFF (& I'm not using Onedrive). Dashboard is correct in that I did not specifically turn ON controlled folder access. H_C+CD is set to HIGH. What's the status of this win10_vm ransomware protection?
IT at work runs both WD and Avast Enterprise because he can monitor Avast on 80 pc from his desk, and says Avast has the ransomware protection.
Not intending to start a thread about Avast, just what is the ransomware protection using WD @ CD_high? My goal is not to add 3rd-party app protection unless really needed.
PS I just modified the H_C firewall by removing the LOLBin rules (for now), but do have Recommended H_C firewall settings enabled with the log On.
 

ForgottenSeer 85179

I was talking with IT at work today, and he opined that WD does not have ransomware protection. I recall seeing on WD dashboard "Ransomware Protection" no action needed. But when I click manage ransomware protection it shows controlled folder access OFF (& I'm not using Onedrive). Dashboard is correct in that I did not specifically turn ON controlled folder access. H_C+CD is set to HIGH. What's the status of this win10_vm ransomware protection?
IT at work runs both WD and Avast Enterprise because he can monitor Avast on 80 pc from his desk, and says Avast has the ransomware protection.
Not intending to start a thread about Avast, just what is the ransomware protection using WD @ CD_high? My goal is not to add 3rd-party app protection unless really needed.
PS I just modified the H_C firewall by removing the LOLBin rules (for now), but do have Recommended H_C firewall settings enabled with the log On.
Sounds like your IT disabled Windows ransomware protection because of Avast.

But he is wrong. Windows has the protection and it's nice, and native protections are always the best solution.
 

Gandalf_The_Grey

I was talking with IT at work today, and he opined that WD does not have ransomware protection. I recall seeing on WD dashboard "Ransomware Protection" no action needed. But when I click manage ransomware protection it shows controlled folder access OFF (& I'm not using Onedrive). Dashboard is correct in that I did not specifically turn ON controlled folder access. H_C+CD is set to HIGH. What's the status of this win10_vm ransomware protection?
IT at work runs both WD and Avast Enterprise because he can monitor Avast on 80 pc from his desk, and says Avast has the ransomware protection.
Not intending to start a thread about Avast, just what is the ransomware protection using WD @ CD_high? My goal is not to add 3rd-party app protection unless really needed.
PS I just modified the H_C firewall by removing the LOLBin rules (for now), but do have Recommended H_C firewall settings enabled with the log On.
As @SeriousHoax posted, with CFA MS has one of the best ransomware protections, but for a reason it's off by default:
In my experience CFA blocks everything, trusted or not. It blocks mspaint, snipping tools like system apps too. They follow a default deny approach here. You may have seen F-Secure's test done by MacDefender where F-Secure failed even though protected folders was enabled because it trusts 7zip.exe. So tbh, Microsoft's approach is safer and less prone to failure. Also, they don't enable it by default, so Microsoft expects those who enable it to whitelist their required programs.
IMO if using WD a user should enable Controlled Folder Access, but you must think about it before whitelisting some programs when prompted.
 

Andy Ful

I was talking with IT at work today, and he opined that WD does not have ransomware protection. I recall seeing on WD dashboard "Ransomware Protection" no action needed. But when I click manage ransomware protection it shows controlled folder access OFF (& I'm not using Onedrive). Dashboard is correct in that I did not specifically turn ON controlled folder access. H_C+CD is set to HIGH. What's the status of this win10_vm ransomware protection?
IT at work runs both WD and Avast Enterprise because he can monitor Avast on 80 pc from his desk, and says Avast has the ransomware protection.
Not intending to start a thread about Avast, just what is the ransomware protection using WD @ CD_high? My goal is not to add 3rd-party app protection unless really needed.
PS I just modified the H_C firewall by removing the LOLBin rules (for now), but do have Recommended H_C firewall settings enabled with the log On.
There is no protection against ransomware in WD default settings. To get it you have to activate:
  1. ASR rules, WD Network Protection and FirewallHardening rules that can prevent many ransomware attacks,
  2. Controlled Folder Access, which is strictly anti-ransomware protection. It has to be properly configured, because only the folders added to CFA will be protected.
If you use WD + H_C Recommended Settings on Windows 10 + ConfigureDefender HIGH Protection level + FirewallHardening (Recommended H_C rules), then 0-day malware (including ransomware) and most exploits are prevented from running, so you do not need additional anti-ransomware protection (except backups).

Please note that the Hard_Configurator design is intended to protect computers in the home environment. If the computer is connected to an enterprise network, the H_C settings for SRP can be bypassed by highly privileged worms from the local network. In such attacks, the only protection will come from WD ASR rules, WD Network Protection, and FirewallHardening rules (if Windows Firewall is not turned off by a 3rd-party firewall).
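
The layers named in the post above (Controlled Folder Access, Network Protection, ASR rules, Windows Firewall block rules) can be checked from an elevated PowerShell prompt. This is an added example, not part of the original post and not Hard_Configurator code; it only reads settings through the built-in Defender and NetSecurity cmdlets, and the event IDs used (1121 ASR block, 1123 CFA block, 1126 Network Protection block) are the documented Defender operational-log IDs.

```powershell
# Added example: read-only check of the Defender layers discussed in the thread.
# Changes nothing; uses only built-in Defender / NetSecurity cmdlets.
$pref = Get-MpPreference

# Documented meanings of EnableControlledFolderAccess / EnableNetworkProtection.
$modes = @{ 0 = 'Disabled'; 1 = 'Enabled (block)'; 2 = 'Audit only' }
function Get-ModeName([int]$Value) {
    if ($modes.ContainsKey($Value)) { $modes[$Value] } else { "Other ($Value)" }
}

# Folders and applications the user has added to CFA (empty entries filtered out).
$cfaFolders = @($pref.ControlledFolderAccessProtectedFolders | Where-Object { $_ })
$cfaApps    = @($pref.ControlledFolderAccessAllowedApplications | Where-Object { $_ })

[pscustomobject]@{
    ControlledFolderAccess = Get-ModeName $pref.EnableControlledFolderAccess
    NetworkProtection      = Get-ModeName $pref.EnableNetworkProtection
    CfaUserAddedFolders    = $cfaFolders.Count
    CfaAllowedApps         = $cfaApps.Count
} | Format-List | Out-Host

# ASR rules are stored as two parallel arrays: rule GUIDs and their actions.
$asrActions = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
$ruleIds     = @($pref.AttackSurfaceReductionRules_Ids     | Where-Object { $null -ne $_ })
$ruleActions = @($pref.AttackSurfaceReductionRules_Actions | Where-Object { $null -ne $_ })

if ($ruleIds.Count -eq 0) {
    'No ASR rules are configured.' | Out-Host
} else {
    $rows = for ($i = 0; $i -lt $ruleIds.Count; $i++) {
        $code = [int]$ruleActions[$i]
        $name = if ($asrActions.ContainsKey($code)) { $asrActions[$code] } else { "Other ($code)" }
        [pscustomobject]@{ RuleId = $ruleIds[$i]; Action = $name }
    }
    $rows | Format-Table -AutoSize | Out-Host
}

# Firewall block rules only matter while the Windows Firewall profiles are on
# (a 3rd-party firewall may have turned them off).
Get-NetFirewallProfile | Select-Object Name, Enabled | Format-Table -AutoSize | Out-Host
$blockRules = @(Get-NetFirewallRule -Action Block -Enabled True -ErrorAction SilentlyContinue)
"Enabled firewall block rules: $($blockRules.Count)" | Out-Host

# Recent blocks recorded by Defender: 1121 = ASR, 1123 = CFA, 1126 = Network Protection.
$filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1123, 1126 }
Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap | Out-Host
```

An empty event table means no blocks were logged for these IDs, or the log could not be read without elevation.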
 

Gandalf_The_Grey

There is no protection against ransomware in WD default settings. To get it you have to activate:
  1. ASR rules, WD Network Protection and FirewallHardening rules that can prevent many ransomware attacks,
  2. Controlled Folder Access, which is strictly anti-ransomware protection. It has to be properly configured, because only the folders added to CFA will be protected.
If you use WD + H_C Recommended Settings on Windows 10 + ConfigureDefender HIGH Protection level + FirewallHardening (Recommended H_C rules), then 0-day malware (including ransomware) and most exploits are prevented from running, so you do not need additional anti-ransomware protection (except backups).

Please note that the Hard_Configurator design is intended to protect computers in the home environment. If the computer is connected to an enterprise network, the H_C settings for SRP can be bypassed by highly privileged worms from the local network. In such attacks, the only protection will come from WD ASR rules, WD Network Protection, and FirewallHardening rules (if Windows Firewall is not turned off by a 3rd-party firewall).
What is your opinion on Controlled Folder Access?
 

Andy Ful

What is your opinion on Controlled Folder Access?
It is OK. It requires maintenance and it can be inconvenient like all anti-ransomware modules.
If the user needs only a few applications to access the protected folders and does not change these applications, then CFA can be a useful protection layer.
 

oldschool

Level 85
Verified
Top Poster
Well-known
Mar 29, 2018
7,606
It is OK. It requires maintenance and it can be inconvenient like all anti-ransomware modules.
If the user needs only a few applications to access the protected folders and does not change these applications, then CFA can be a useful protection layer.
Coincidentally I got an alert that CFA blocked cleanmgr.exe after installing Windows updates but cleanmgr still executed successfully without whitelisting. My view is that CFA alerts are not always accurate and can sometimes be ignored.
 

Gandalf_The_Grey

Coincidentally I got an alert that CFA blocked cleanmgr.exe after installing Windows updates but cleanmgr still executed successfully without whitelisting. My view is that CFA alerts are not always accurate and can sometimes be ignored.
That makes it even worse....
 
