Hard_Configurator - Windows Hardening Configurator

  • Like
Reactions: [correlate], Protomartyr, AlanOstaszewski and 2 others
@Andy Ful I have a question regarding this snippet:

"... Summing up. SRP (block as standard user) + some Windows hardening can be more preventive (larger blocking area) but other programs (block also as admin) can have larger mitigation area.
The first is (in my opinion) better suited for home users, and the second is better in Enterprises (or maybe for advanced users). Here is a simple example:
When the user is going to open the downloaded CHM file it will be immediately blocked by SRP (the first scenario). In the second scenario, Windows will try to execute the sponsor hh.exe and this can be allowed/mitigated/blocked by the security program (Excubits drivers, AppGuard). ..."

What does "some Windows hardening" refer to specifically? I haven't found a clear list in any of the relevant threads. Thanks in advance, as always. :)(y)
 
  • Like
Reactions: SeriousHoax, Protomartyr, ErzCrz and 1 other person
oldschool said:
What does "some Windows hardening" refer to specifically?
Click to expand...
Blocking sponsors & scripts, Defender ASR, SmartScreen, ...
All that hardening stuff is good for normal/ admin account while in a restricted (with SRP) it's not so important as the execution is always blocked.
In normal account the restrictions aren't so high and windows try to open more files like in the chm example you quoted. Hope that helps and I hope I wrote that fine @andy :D
 
  • Like
  • Thanks
Reactions: Protomartyr, Andy Ful, ErzCrz and 2 others
oldschool said:
@Andy Ful I have a question regarding this snippet:
"...
When the user is going to open the downloaded CHM file it will be immediately blocked by SRP (the first scenario). In the second scenario, Windows will try to execute the sponsor hh.exe and this can be allowed/mitigated/blocked by the security program (Excubits drivers, AppGuard). ..."
Click to expand...
Not exactly. The H_C can block in the home environment also the second scenario via blocking the .chm Sponsor hh.exe. The difference between SRP settings in H_C and for example Excubits driver (Bouncer) is that the second can block also processes started with Admin rights. In the enterprise environment, malware can exploit unpatched vulnerabilities (privilege escalation) or attack the computer from the local network with high privileges.
I could implement SRP also for Admin processes, but this would be probably risky in the home environment with default-deny settings and much less useful than in the enterprise environment. For this reason, Bouncer driver has also the option to block only standard processes.
In enterprises, Administrators can delay updates for a long time so they can use the security which can block Admin processes. If they plan to update something, then they simply can turn off the security. That is not possible in the home environment on Windows 10 (especially on the computers of inexperienced users, when these computers are maintained occasionally by an advanced user).

oldschool said:
I have a question regarding this snippet:
What does "some Windows hardening" refer to specifically? I haven't found a clear list in any of the relevant threads. Thanks in advance, as always. :)(y)
Click to expand...
Look at the H_C right panel options + FirewallHardening (also WD advanced options if WD real-time protections is ON + DocumentsAntiExploit tool if required).:)
 
Last edited:
  • Like
  • +Reputation
  • Thanks
Reactions: simmerskool, Protomartyr, oldschool and 3 others
HarborFront said:
Any ETA for v6.x?
Click to expand...
Today, I am going to push the stable version 5.1.1.1. It is functionally the same as beta 5.1.1.1 but with updated ConfigureDefender, FirewallHardening, and DocumentAntiExploit (these updated versions have only minor GUI changes). Furthermore, all executables are signed with the new certificate valid until June 2021.(y)
The beta version 6.0.0.0 will be pushed soon, but for now, it contains only some GUI improvements.
 
  • Like
  • Thanks
  • Applause
Reactions: simmerskool, Protomartyr, oldschool and 8 others
Hard_Configurator ver. 5.1.1.1 (stable version)
github.com

AndyFul/Hard_Configurator

GUI to Manage Software Restriction Policies and harden Windows Home OS - AndyFul/Hard_Configurator
github.com github.com

The update can be done without uninstalling the older version. After the update, it is required to press <Recommended Settings> or load any predefined setting profile - this will update the Registry entries (not required if the update is from beta 5.1.1.1).

On H_C ver. 5.0.0.0 (and prior) the new version can be updated via the <Update> button.
For other versions (beta versions 5.0.0.1, 5.0.1.1, and 5.1.1.1) the new installer has to be downloaded and executed.
 
  • Like
  • Thanks
  • +Reputation
Reactions: simmerskool, plat, Azure and 13 others
Andy Ful said:
Hard_Configurator ver. 5.1.1.1 (stable version)
github.com

AndyFul/Hard_Configurator

GUI to Manage Software Restriction Policies and harden Windows Home OS - AndyFul/Hard_Configurator
github.com github.com

The update can be done without uninstalling the older version. After the update, it is required to press <Recommended Settings> or load any predefined setting profile - this will update the Registry entries (not required if the update is from beta 5.1.1.1).

On H_C ver. 5.0.0.0 (and prior) the new version can be updated via the <Update> button.
For other versions (beta versions 5.0.0.1, 5.0.1.1, and 5.1.1.1) the new installer has to be downloaded and executed.
Click to expand...
Thanks! Really appreciate the hard work, Andy.
 
  • Like
  • Applause
Reactions: plat, silversurfer, South Park and 6 others
@Andy Ful
Just updated to 5.1.1.1 from 5.0.0.0 using the <Update> button. After installation, I loaded <Recommended Settings>, restarted the system, then loaded my custom profile.

When loading my custom profile I did get a few messages that read:
Wrong parameter. The <Update Mode> option will be set to 'OFF'.
Wrong parameter. The <Harden Archivers> option will be set to 'OFF'.
Wrong parameter. The <Harden Email Clients> option will be set to 'OFF'.
Wrong parameter. 'Allow MSI' will be set to 'OFF'.

I found where the first 3 mentioned options are in H_C but I can't find where 'Allow MSI' is.

My questions:
  • Where is the 'Allow MSI' setting located in H_C?
  • How can I tell what values I had regarding the mentioned options above in my previous setup? I have uploaded my profile (which was saved before updating to 5.1.1.1) to this post as a .txt since .hdc isn't an allowed extension to be uploaded to the forum.
Thank you for your hardwork! I absolutely enjoy using H_C.
 

Attachments

  • Like
Reactions: plat, Gandalf_The_Grey, silversurfer and 4 others
Andy Ful said:
Hard_Configurator ver. 5.1.1.1 (stable version)
github.com

AndyFul/Hard_Configurator

GUI to Manage Software Restriction Policies and harden Windows Home OS - AndyFul/Hard_Configurator
github.com github.com

The update can be done without uninstalling the older version. After the update, it is required to press <Recommended Settings> or load any predefined setting profile - this will update the Registry entries (not required if the update is from beta 5.1.1.1).

On H_C ver. 5.0.0.0 (and prior) the new version can be updated via the <Update> button.
For other versions (beta versions 5.0.0.1, 5.0.1.1, and 5.1.1.1) the new installer has to be downloaded and executed.
Click to expand...

Thanks, doing a fresh install of it after I finish doing the Windows 10 vs 2004 update :)
 
  • Like
Reactions: plat, silversurfer, oldschool and 2 others
Protomartyr said:
...
When loading my custom profile I did get a few messages that read:
Wrong parameter. The <Update Mode> option will be set to 'OFF'.
Wrong parameter. The <Harden Archivers> option will be set to 'OFF'.
Wrong parameter. The <Harden Email Clients> option will be set to 'OFF'.
Wrong parameter. 'Allow MSI' will be set to 'OFF'.

I found where the first 3 mentioned options are in H_C but I can't find where 'Allow MSI' is.
Click to expand...
These options are new (absent in ver. 5.0.0.0). When you have tried to download the old custom setting profile, the H_C could not find the right settings for these options. So, the OFF settings were applied and H_C does not use these new settings just like in ver. 5.0.0.0.
If you want to use your custom setup in ver. 5.1.1.1 without activating these settings, then simply save the profile (the OFF settings for the new options will be added to the profile).
[/QUOTE]

My questions:
  • Where is the 'Allow MSI' setting located in H_C?
[/QUOTE]
Use <Whitelist By Path>

EXEMSI.png
 
  • Like
  • +Reputation
  • Thanks
Reactions: simmerskool, plat, Gandalf_The_Grey and 5 others
Back3 said:
You also can download it from majorgeeks
www.majorgeeks.com

Download Hard_Configurator - MajorGeeks

Hard_Configurator is a graphical user interface for advanced users only to manage Software Restriction Policies (SRP) and harden Windows Home editions from Vista up.
www.majorgeeks.com
Click to expand...
Prefer directly from GitHub .
But nice to see it included there!
 
  • Like
Reactions: plat, Andy Ful, Back3 and 1 other person
Ok, just downloaded the v5.1.1.1. Didn't touch any settings except enabling 'HIGH' in WD

I noticed there are 2 icons on my tablet. One is the H_C and the other is the Switch Default Deny.

What is the latter button for? If I press it what will happen? Press once means switch to Default Deny? Press again will revert its action?

Thanks
 
Last edited:
  • Like
Reactions: Protomartyr and Andy Ful
Just installed on a fresh installation of Win10 2004 and everything is working like a charm.
I was waiting for the Basic Recommended settings profile ;).
Kudos for the excellent work Andy.

p.s. I still insist on the 'donate' option, good work has to be rewarded in ways other than a simple thank you too.
 
  • Like
Reactions: simmerskool, Protomartyr, plat and 4 others

You may also like...