Hard_Configurator - Windows Hardening Configurator

[Andy Ful]

...
When using "Install by SmartScreen" the application is checked in the cloud service, and depending on the reputation, is the installation allowed or denied?

Yes, If the SmartScreen is not disabled.

What is the difference from "Run as SmartScreen"?

1. InstallBySmartscreen forces SmartScreen check (for files without MOTW - like files from a flash drive).
2. InstallBySmartscreen (in the H_C Recommended Settings) does not use Admin privileges if the application installer does not need them.

 

[Andy Ful]

Guys, with all due respect to you, except for the stream of smart thoughts, nevertheless, someone will answer my question Or don't you know either?

They tried to explain that your question does not make sense with disabled SmartScreen.
Please note, that most answers to your questions are already included in the help files.
Is there anything wrong with the information included there? Even more information is included in the H_C manual available via <General Help> button.

 

[aldist]

ErzCrz, Andy Ful
Thank you, this is already something, I will try to rethink and understand your information.

Please note, that most answers to your questions are already included in the help files:

Of course, I read Manual, but not always everything is clear from the first or second time.

 

[Andy Ful]

@aldist,

1. InstallBySmartscreen forces SmartScreen check (for files without MOTW - like files from a flash drive).
2. InstallBySmartscreen (in the H_C Recommended Settings) does not use Admin privileges if the application installer does not need them.

My answer was about the difference between "Install By Smartscreen" (H_C related feature) and "Run As Administrator" (standard Windows feature) entries in the right-click Explorer context menu. The "Run As SmartScreen" feature is not included in the latest H_C version. If you would be interested then "Run As SmartScreen" worked similar to "Install By SmartScreen" but always forced Admin privileges.

 

[aldist]

@Andy Ful
Thank! Then the quintessence turns out like this.
"Install By Smartscreen" enables SmartScreen checking and uses administrator rights only if the app installer needs them.
"Run As SmartScreen" works similarly to "Install By Smartscreen", but always requires administrator rights (like "Run As Admin").

 

[Andy Ful]

@Andy Ful
...
"Install By Smartscreen" enables SmartScreen checking ...

Not exactly. It forces SmartScreen check, under the assumption that SmartScreen is enabled in Windows. Forcing the SmartScreen check means that SmartScreen will check the files also if these files have no MOTW. You can read the PROGRAM DESCRIPTION info about when files are not checked by Windows SmartScreen, but they are checked by Forced SmartScreen:
https://github.com/AndyFul/Hard_Configurator

You can look at the @askalan tests to see how this work in practice, for example:

https://malwaretips.com/threads/28-01-2019-22.90052/post-794944

The tests were continued for a few months (until May 2019) without any AV protection (only H_C + SmartScreen).

 

[HarborFront]

@aldist,
Blocking the telemetry in Windows 10 is an illusion - it can be only reduced.
SmartScreen Application Reputation is the best-known file reputation service for application installers. It is also the best protection against the 0-day malware (EXE, MSI, ...) executed by the user after downloading the file from the Internet (via web browser and some online services like OneDrive). The SmartScreen telemetry includes the information from MOTW (Mark Of The Web) and information about the file.

How do you recognize that the application installer downloaded from the Internet is safe? VirusTotal will give you too many false positives. The installed AV or on-demand AV scanners are not especially useful for 0-day malware. Online sandbox analyses will give you many false positives and can take much time. Furthermore, they require some special knowledge.

SmartScreen Application Reputation will solve the problem in one second for about 75% of installers. So, you have a big advantage, because your problem is four times smaller. Do you believe that adding default-deny firewall rules can save you?

I may be wrong on the below. Correct me if I'm wrong

Windows Enterprise version can disable all telemetry. In fact, the latest news seems that it allows the IT to specify the telemtery requirements.

The chinese version of Windows sure to have no telemtery to MS

 

[South Park]

I may be wrong on the below. Correct me if I'm wrong

Windows Enterprise version can disable all telemetry. In fact, the latest news seems that it allows the IT to specify the telemtery requirements.

The chinese version of Windows sure to have no telemtery to MS

IIRC, the Enterprise version allows telemetry to be limited to "Security," which collects even less information than "Basic." "Security" obtains just enough information to run Windows Update, while "Basic" includes some data about app crashes and the like.

 

[ForgottenSeer 85179]

IIRC, the Enterprise version allows telemetry to be limited to "Security," which collects even less information than "Basic." "Security" obtains just enough information to run Windows Update, while "Basic" includes some data about app crashes and the like.

Correct and not even basic include any private data so it's ridiculous that user's or paranoid groups try to fix problems which aren't exist.

Of course such statements aren't welcomed in such groups as "anti-telemetry" is the new "tuning"-tool category.

 

[Andy Ful]

...
The chinese version of Windows sure to have no telemtery to MS

I do not know it, but I am not sure if it would be possible without breaking some Windows features. Anyway, it is not so important because any application which can connect to the Internet sends some telemetry. Usually, this is not related to personal information.
When one uses Forced SmartScreen in H_C, the telemetry is smaller because the real MOTW (which has information about the download) is replaced by a fake MOTW.

 

[SeriousHoax]

I think most people use this list for blocking telemetry. I've used this in the past but not using it at the moment.
crazy-max/WindowsSpyBlocker
It doesn't contain anything that makes Windows Defender to not collect required data so that's good.

 

[ForgottenSeer 85179]

I think most people use this list for blocking telemetry. I've used this in the past but not using it at the moment.
crazy-max/WindowsSpyBlocker

This project fall into the category about i wrote.

It doesn't contain anything that makes Windows Defender to not collect required data so that's good.

It still break other Windows features and users then blame Microsoft for broken Windows.

 

[SeriousHoax]

This project fall into the category about i wrote.


It still break other Windows features and users then blame Microsoft for broken Windows.

Right. Telemetry is very useful for fixing various bugs. Quite a few times I've read that Microsoft was able to troubleshoot issues thanks to their telemetry. This is true for all software. As long as personal information isn't collected for tracking and other similar purposes, everything is good.

 

[Jan Willy]

Right. Telemetry is very useful for fixing various bugs. Quite a few times I've read that Microsoft was able to troubleshoot issues thanks to their telemetry. This is true for all software. As long as personal information isn't collected for tracking and other similar purposes, everything is good.

I agree, but the question is how can we be sure that no personal information is collected? By the way, are we going to far of topic?

 

[ForgottenSeer 85179]

I agree, but the question is how can we be sure that no personal information is collected? By the way, are we going to far of topic?

Reading privacy police is the first step.
Yeah we should stop this off topic

 

[Marana]

Tried LTSC ver. 1809.
SRP did not work, both via GPO or H_C. The LTSC is not a complete Windows Enterprise edition.
SRP works well on Windows Home, Pro, Enterprise.

Well, this is interesting...

Namely, I have used 1607 LTSB since 2017 along with SPR (using SSRP at that time) without any problems whatsoever.

In late 2019 I migrated over to LTSC 1809 and continued with SPR (now using H_C) and again without any problems whatsoever. At the moment my strategy is to continue using LTSC 1809 in the foreseeable future. Everything just works, no forced feature updates etc...

I have been using Windows since 3.1 and I have to say that using Windows is nowadays a pretty smooth and enjoyable experience.

 

[aldist]

Tried LTSC ver. 1809.
SRP did not work, both via GPO or H_C.

No no no! LTSC v1809 SRP work well, both via GPO or H_C, or another instruments. LTSC is a full-fledged Enterprice Edition, its full name is Windows 10 Enterprise LTSC (Long Therm...). But this is not a reason for a "holy war"

 

[Andy Ful]

...
Namely, I have used 1607 LTSB since 2017 along with SPR (using SSRP at that time) without any problems whatsoever.
...

LTSC v1809 SRP work well, both via GPO or H_C, or another instruments.

Thanks, guys. This probably means that normally SRP indeed works on Windows LTSC, except some specific custom configurations.

LTSC (LTSB) is not a complete (including new features/updates) enterprise edition (like E3 or E5).
" We designed the LTSC with these types of use cases in mind, offering the promise that we will support each LTSC release for 10 years--and that features, and functionality will not change over the course of that 10-year lifecycle. "
"We create a new LTSC release approximately every three years, and each release contains all the new capabilities and support included in the Windows 10 features updates that have been released since the previous LTSC release. "

LTSC: What is it, and when should it be used?

Explore use cases for the Long-Term Servicing Channel (LTSC) and how it compares to other servicing options.

techcommunity.microsoft.com

Furthermore, some features are not installed at all in LTSC (can be probably installed manually). Anyway, this should not prevent SRP from working, because SRP did not change much over several years. But as we can see, on some LTSC versions / configs the SRP does not work for some reason.

Edit.
In my case, this could follow from many experiments that I made on Windows LTSC. The problem is that I do not remember in detail what I did over the last year. One thing that I noticed on all tested Windows versions is SRP incompatibility with Microsoft Child account. It turns off many SRP features permanently, even after removing that account.

 

[aldist]

Just a note. SRPPrevent is the simplest SRP management tool I know of, including for LTSC.

 

[Andy Ful]

Just a note. SRPPrevent is the simplest SRP management tool I know of, including for LTSC.

It is not the simplest. You can make many similar simple configurators by exporting the registry key of any H_C SRP setup:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers
You can make a simple BAT command and run it with Admin rights to delete this key and remove the restrictions.

The particular setup used in SRPPrevent is default allow, so it can only block specific files in specific locations and globally some files with double extensions (like *.mp4.exe). It is a kind of minimal hardening. Generally, such a setup does not prevent most malware from infecting the computer. The author did not probably make it stronger because the program does not allow whitelisting.