Hard_Configurator - Windows Hardening Configurator

[aldist]

But, it is probably only a choice based on taste.

Yes, it is possible, but usually the color of anxiety is red, and it is associated with the fact that something needs to be done. Whichever color you set, any will do, it's better than no indication at all.

The Registry protection you think of will require a 3rd party, real-time driver.

Optionally, you can make "work as a service", GUI may be closed. I will not ask any more questions about this.

 

[ForgottenSeer 85179]

Optionally, you can make "work as a service",

Which only add more code / attack surface

 

[aldist]

Which only add more code / attack surface

More code - yes, моre attack surface - no. On the contrary, it will be another layer of protection. Even if the H_C service is killed, the protection that has been implemented to date will continue to work. But I don't insist

 

[Andy Ful]

More code - yes, моre attack surface - no. On the contrary, it will be another layer of protection. Even if the H_C service is killed, the protection that has been implemented to date will continue to work. But I don't insist

Do not insist, please. The idea of H_C is not using 3rd party drivers, not using 3rd party real-time protection, and disappear from the system after initial configuration. Introducing any 3rd party driver will make the H_C another type of application. It will become not a configurator but real-time security related application. If I have to use 3rd party driver then it should do much more than protecting SRP Registry keys, that are already protected by Windows integrity levels.

I wrote this a year or two ago. Worrying about changing SRP Registry keys by malware (with H_C settings) would be like worrying that the coffin will be too small for you, after your death. The H_C is made to keep you alive, and is useless as an after life feature.

Edit.
Protecting the SRP settings would be more justified in Enterprises, where SRP is often configured to block also elevated processes. Such additional protection is welcome due to much bigger attack surface area (not patched systems and applications). Microsoft solved this by introducing Applocker (and later WD Application Control) which uses kernel driver.

 

[aldist]

Do not insist, please.

But I don't insist

It's just an exchange of views.
I respect your work, and simplicity and ease of function are always worthy of respect

 

[Andy Ful]

It's just an exchange of views.
I respect your work, and simplicity and ease of function are always worthy of respect

Thanks.

 

[aldist]

The profile was exported via TOOLS ...
TOOLS -> Manage Profiles BACKUP -> Import Profiles -> Whitelist by path cannot be restored. I get a message ...

Separately saved Whitelist by path is restored normally via the Save Load button.

 

[Andy Ful]

The profile was exported via TOOLS ...
TOOLS -> Manage Profiles BACKUP -> Import Profiles -> Whitelist by path cannot be restored. I get a message ...
View attachment 244728
Separately saved Whitelist by path is restored normally via the Save Load button.

This message says that everything was successfully imported. So, the setting profile files were imported to the folder .\Hard_Configurator\Configuration and Whitelist Profiles (if were previously saved and exported) were imported to the Windows Registry (can be seen/load via <Save Load> button). Please look here how to save/load Whitelist Profile :



Normally, the Whitelist Profile base is empty. So one has to first save Whitelist Profile (one or more) into the base before exporting Setting & Whitelist Profiles.

 

[aldist]

Yavol, Thank!

 

[aldist]

Folk are looking forward to v6

 

[aldist]

@ Andy Ful
Please explain for inexperienced users.
I'm not using Windows Defender, and the SmartScreen process is being killed by the .bat file in startup.
When using "Install by SmartScreen" the application is checked in the cloud service, and depending on the reputation, is the installation allowed or denied?
What is the difference from "Run as SmartScreen"?

 

[ForgottenSeer 85179]

I'm not using Windows Defender, and the SmartScreen process is being killed by the .bat file in startup.

Why did you want then harden your PC if you already decrease the security a lot ?
Doesn't make sense

 

[aldist]

Why did you want then harden your PC if you already decrease the security a lot ?

Is SmartScreen disabled? So it doesn't affect SRP in any way. And why should I stream telemetry via SS?
Oh yeah, I'm not entirely dumb, so I use Eset AntiVirus and Windows Firewall Control.

 

[ForgottenSeer 85179]

Is SmartScreen disabled?

What? You said that you're disable it. Don't understand what you mean.

So it doesn't affect SRP in any way. And why should I stream telemetry via SS?
Oh yeah, I'm not entirely dumb, so I use Eset AntiVirus and Windows Firewall Control.

I will never understand that logic.
You only move the telemetry - which doesn't include personal info, from Microsoft to Eset. So you only increase the attack surface (external AV + more code) and reduce your privacy as you share your data with more companies instead of just one.
So if you doesn't trust Microsoft, why then use Windows?

 

[aldist]

Yes, SS is disabled.

So if you doesn't trust Microsoft, why then use Windows?

Because I disabled or blocked all telemetry. The question is drawn to the subject of "holy war", so there is no point in developing it in this topic

 

[SeriousHoax]

@ Andy Ful
Please explain for inexperienced users.
I'm not using Windows Defender, and the SmartScreen process is being killed by the .bat file in startup.
When using "Install by SmartScreen" the application is checked in the cloud service, and depending on the reputation, is the installation allowed or denied?
What is the difference from "Run as SmartScreen"?

Why even bother about "Run as SmartScreen" if you're turning off smartscreen at startup? It's the same smartscreen. This one just let you force smartscreen on every exe files. Set "Run as SmartScreen" to off in HC if that's how you wanna use your PC.

 

[Andy Ful]

@aldist,
Blocking the telemetry in Windows 10 is an illusion - it can be only reduced.
SmartScreen Application Reputation is the best-known file reputation service for application installers. It is also the best protection against the 0-day malware (EXE, MSI, ...) executed by the user after downloading the file from the Internet (via web browser and some online services like OneDrive). The SmartScreen telemetry includes the information from MOTW (Mark Of The Web) and information about the file.

How do you recognize that the application installer downloaded from the Internet is safe? VirusTotal will give you too many false positives. The installed AV or on-demand AV scanners are not especially useful for 0-day malware. Online sandbox analyses will give you many false positives and can take much time. Furthermore, they require some special knowledge.

SmartScreen Application Reputation will solve the problem in one second for about 75% of installers. So, you have a big advantage, because your problem is four times smaller. Do you believe that adding default-deny firewall rules can save you?

 

[aldist]

Guys, with all due respect to you, except for the stream of smart thoughts, nevertheless, someone will answer my question

When using "Install by SmartScreen" the application is checked in the cloud service, and depending on the reputation, is the installation allowed or denied?
What is the difference from "Run as SmartScreen"?

Or don't you know either?

 

[aldist]

Andy Full
Thanks, that's something. I am guided by the presence of a digital signature, a legal source, my antivirus, virustotal. But what's the difference between "Install by SmartScreen" and "Run as SmartScreen"?

 

[ErzCrz]

Andy Full
Thanks, that's something. I am guided by the presence of a digital signature, a legal source, my antivirus, virustotal. But what's the difference between "Install by SmartScreen" and "Run as SmartScreen"?

From the manual

" Recommended Settings on Windows 8+ How do they work? 1. Users can run the already installed applications in SystemSpace. 2. Any new file directly run by the user (executable, script, shortcut, file with unsafe extension) is blocked in UserSpace. This also works when the file is run from the archiver application or email client. 3. As an exception to point 2, the shortcuts (LNK files) can be run by users from Desktop, Start Menu, Power Menu, Task Bar, and Quick Launch. 4. As an exception to point 2, the standalone application installers (EXE or MSI files) can be run by users on-demand - Hard_Configurator adds the right-click Explorer context menu entry "Install by SmartScreen". It allows the user to safely install applications with forced SmartScreen check. This works well both on Administrator account and SUA. 5. Already running processes can run EXE (TMP) and MSI files in ProgramData or user AppData folders. An inexperienced user cannot run files directly from there, because these folders are hidden by default in Explorer. 6. The applications/processes running with standard rights cannot run other unsafe files (executables, scripts, files with unsafe extensions) in UserSpace, except some events when the command line can be accessed (some command lines with Sponsors). "

" The "Run By SmartScreen" entry in the Explorer context menu can be used to check the standalone application installers (EXE and MSI) by SmartScreen Application Reputation service. This entry should be also used for unsafe executables listed below: 1. Files downloaded from the Internet, especially email attachments and executables from the archives (7-zip, Zip, Arj, Rar, etc.). 2. Executables shared with other people via USB drives, Memory cards, etc. "