Hard_Configurator - Windows Hardening Configurator

[calliope]

Hi, how to make it so qihoo360 autostarts
only one module starts on restart after hard configurator has been installed
how to whitelist an AV like Qihoo360

 

[Andy Ful]

Hi, how to make it so qihoo360 autostarts
only one module starts on restart after hard configurator has been installed
how to whitelist an AV like Qihoo360

Did you look into the H_C log (<Tools><Blocked Events / Security Logs>)?
Could you post here the screenshot of the H_C window with applied settings?

Edit.
Qihoo360 allows running H_C but prevents the registry changes required to apply the H_C settings. So, all H_C executables have to be added to the Trusted group. I installed a free version of Qihoo 360 Total Security (Essential) and the H_C Recommended Settings did not block anything related to it.

 

[calliope]

I downloaded settings from the Internet , from malweretips forums, pre-made hardened rules
I try another AV maybe, don't know yet
ie my goal is to keep hardened rules by somebody else and perhaps find an AV that works out of the bat with it

 

[shmu26]

I downloaded settings from the Internet , from malweretips forums, pre-made hardened rules
I try another AV maybe, don't know yet
ie my goal is to keep hardened rules by somebody else and perhaps find an AV that works out of the bat with it

First try recommended settings. See if that works. If it does, then go on to more advanced settings.
Are you on Windows 10? Other?

 

[Andy Ful]

I downloaded settings from the Internet , from malweretips forums, pre-made hardened rules
I try another AV maybe, don't know yet
ie my goal is to keep hardened rules by somebody else and perhaps find an AV that works out of the bat with it

Can you post here the screenshot of the main H_C window? You should use Recommended Settings or Basic_Recommended_Settings which do not require much whitelisting. You should not use the custom settings, except when you understand well what they do.
Do you have a problem with using <Blocked Events / Security Logs> to identify what has been blocked?

 

[mkoundo]

Hi Andy, I want to run VS Code and ran into an issue with H_C (H_C 5.1.1.2 with recommended settings).
VS Code installed fine via "install by smartscreen". When i try to run python code, vs code gives the following error:

The terminal process failed to launch: a native exception occurred during launch (cannot launch conpty)

Inspection of H_C tools> Blocked events shows:

Access to \\?\C:\Windows\system32\conhost.exe has been restricted by your Administrator by the default software restriction policy level.

I whitelisted conhost.exe but it's still being blocked. Please advise.
thanks

 

[Andy Ful]

Hi @mkoundo,
The VS Code uses EXE or TPM files in an unusual way when running Python, so it will probably work with Avast profile (Windows_10_Avast_Hardened_Mode_Aggressive) which globally whitelists EXE and TMP files.
Anyway, you can also use the Recommended Settings and run VS Code with elevation (via the "Run as administrator" entry on the right-click Explorer context menu). You can force the VS Code shortcut to automatically elevate by using shortcut Properties >> Advanced to tick the Run as administrator option.

 

[mkoundo]

thanks Andy, running as admin via the program shortcut did the trick.

 

[Andy Ful]

thanks Andy, running as admin via the program shortcut did the trick.

This will work on Admin account. When VS Code is run from SUA, then both VS Code and Python have to be installed for all users (not in c:\Users but rather in c:\ProgramData folder). If not then the application running with admin privileges will seek some application files in the wrong User Profile.

 

[mkoundo]

This will work on Admin account. When VS Code is run from SUA, then both VS Code and Python have to be installed for all users (not in c:\Users but rather in c:\ProgramData folder). If not then the application running with admin privileges will seek some application files in the wrong User Profile.

Yes, running from sua is definitely the preferred option. With vscode you need to download a different installer to create a system wide installation. I've done that and it is OK now. Thanks again.

 

[Andy Ful]

Yes, running from sua is definitely the preferred option. With vscode you need to download a different installer to create a system wide installation. I've done that and it is OK now. Thanks again.

Using SUA is always safer, but with H_C Recommended settings the difference is not important in the home environment on Windows 10. Generally, the SUA can be used without problems with applications that do not require elevation to run properly (may require elevation to install/update). If the applications require elevation to run properly, then the user on SUA has to remember about some things:

1. All these applications should be installed for all users in the "Program Files ...." or "ProgramData" folder (in our case both VS Code and Python).
2. If the user has two or more accounts (for example Admin --> Alice and SUA --> Bob, etc.) then running application with standard privileges from the Bob account will put the user-dependent files in the Bob user profile (that is OK).
   When starting the application from the Bob account via "Run as administrator" then the user-dependent files will be put in the Alice user profile (requires attention).
3. The Bob user profile folder is usually c:\Users\Bob, and the Alice user profile folder is usually c:\Users\Alice.
4. When using Explorer or any application from the Bob account the files on the Alice user profile cannot be accessed with standard rights - accessing the files on another user profile requires admin privileges.

So, one can use H_C Recommended Settings + VS Code + Python from SUA, but when running VS Code + Python with Admin privileges, many files will be put on Admin account, anyway. This requires attention from the user.
The less troublesome way is using Admin account for applications that require elevation. Still, installing them in the "Program Files ..." folder is the preferred way, except if several users share the same computer.
The Python can be installed for all users, in "Program Files (x86)" folder, by choosing "Customize installation" and ticking "Install for all users" in the second option window (Advanced options).

 

[mkoundo]

Very much appreciate your detailed response Andy.
thank you

 

[jetman]

For 99% of the time I use a standard user account. I also have an Admin account which I rarely log into.

Just to be clear, if I run Hard Configurator in my standard user account will everything be OK ?

Also, I'm not an advanced Windows user. I like the idea of better security but don't want to break anything or stop software from working properly. Many of the questions asked in this thread are beyond my understanding. Would people recommend that I use Hard Configurator ?

 

[Andy Ful]

For 99% of the time I use a standard user account. I also have an Admin account which I rarely log into.

Just to be clear, if I run Hard Configurator in my standard user account will everything be OK ?

Also, I'm not an advanced Windows user. I like the idea of better security but don't want to break anything or stop software from working properly. Many of the questions asked in this thread are beyond my understanding. Would people recommend that I use Hard Configurator ?

Running H_C on SUA is OK. You should not use H_C - the H_C requires occasional help from the advanced user ("family administrator"). You can try Simple Windows Hardening to support your AV.

New Update - Simple Windows Hardening

Post updated in September 2024. SWH works with Windows 10 and 11 (all versions including 24H2) SWH ver. 2.1.1.1 - July 2023 (added support for Windows 11 ver. 22H2) https://github.com/AndyFul/Hard_Configurator/raw/master/Simple%20Windows%20Hardening/SimpleWindowsHardening_2111.zip SWH ver...

malwaretips.com

 

[jetman]

Thanks. The simplified version seems like the way to go for me

 

[pxxb1]

Running H_C on SUA is OK. You should not use H_C - the H_C requires occasional help from the advanced user ("family administrator"). You can try Simple Windows Hardening to support your AV.

New Update - Simple Windows Hardening

Post updated in September 2024. SWH works with Windows 10 and 11 (all versions including 24H2) SWH ver. 2.1.1.1 - July 2023 (added support for Windows 11 ver. 22H2) https://github.com/AndyFul/Hard_Configurator/raw/master/Simple%20Windows%20Hardening/SimpleWindowsHardening_2111.zip SWH ver...

malwaretips.com

How do i donate to your work?

 

[Andy Ful]

How do i donate to your work?

Thanks.
For now, the development of the H_C code does not cost me too much, so donations are not required. But, it would be great if you could help to develop the H_C website created and maintained by @askalan with the help of some MT members.

Hard_Configurator – GUI to manage Software Restriction Policy (SRP) and harden Windows

hard-configurator.com

You can PM @askalan, he is also MT member.

 

[pxxb1]

Thanks.
For now, the development of the H_C code does not cost me too much, so donations are not required. But, it would be great if you could help to develop the H_C website created and maintained by @askalan with the help of some MT members.

Hard_Configurator – GUI to manage Software Restriction Policy (SRP) and harden Windows

hard-configurator.com

You can PM @askalan, he is also MT member.

I will do that, but i did not mean just that site i meant your work in general. So, how do i donate to YOU?

 

[Andy Ful]

I will do that, but i did not mean just that site i meant your work in general. So, how do i donate to YOU?

You are donating well enough by testing H_C which will help to improve H_C. Please, post if you will encounter incompatibilities, bugs, or serious problems.

 

[shmu26]

Question about installing user-space programs: usually when I install a program, I right-click and choose the forced smartscreen option. This runs the installer with admin privileges. But what if it is meant to install in user space with standard privileges, such as Zoom? Is there a way to know, before trying to install? If I install such a program with forced smartscreen, it goes into the admin account.