Hard_Configurator - Windows Hardening Configurator

ErzCrz · Aug 19, 2020

shmu26 said:
Question about installing user-space programs: usually when I install a program, I right-click and choose the forced smartscreen option. This runs the installer with admin privileges. But what if it is meant to install in user space with standard privileges, such as Zoom? Is there a way to know, before trying to install? If I install such a program with forced smartscreen, it goes into the admin account.

Most programs don't install in user-space but I always check "Advanced options" when installing anything new. You can swap over to the Recommended_Strict configuration profile which won't allow user-space executable to run and therefore you'll need manually whitelist them. I had to do that with Discord in versions prior to 5.x when the change was made to allow those by default. Anyway, I would always check where things are being installed via the installer or switch to the strict profile.

From the manual:
" Updating from previous versions. Because of several important changes in version 5.0.1.0, it is recommended (just after update) to load one of the predefined setting profiles or simply apply first the Recommended Settings and next adjust the restrictions. This will properly activate the new features. The whitelisted entries will not be changed, except adjusting the Unrestricted and Disallowed rules for EXE (TMP) and MSI files.

If the user wants to globally allow EXE (TMP) and MSI files, then the profile "Windows_*_Basic_Recommended_Settings.hdc" can be applied (* denotes the Windows version). This setting profile requires an antivirus with strong proactive protection for EXE and MSI files.

If the user wants to block also EXE (TMP) and MSI files in UserSpace, then the profile "Windows_*_Strict_Recommended_Settings.hdc" can be applied. "

Gangelo · Aug 19, 2020

Basic Recommended settings is your friend. Just set Configure Defender to HIGH and you are good to go.

mkoundo · Aug 19, 2020

shmu26 said:
Question about installing user-space programs: usually when I install a program, I right-click and choose the forced smartscreen option. This runs the installer with admin privileges. But what if it is meant to install in user space with standard privileges, such as Zoom? Is there a way to know, before trying to install? If I install such a program with forced smartscreen, it goes into the admin account.

found in the FAQs:

How to install applications on SUA.
1. Run the application installer by using "Run As SmartScreen" option from the Explorer
right-click context menu.
2. Check the default installation folder.
3. If it is in the Administrator profile, then cancel the installation and continue with Steps
#4-7. If not, then continue with the installation and skip Steps #4-7.
4. Use “Switch Default-Deny“ to turn OFF the protection temporarily.
5. Install the application normally (by left mouse-click or pressing the Enter key).
6. Whitelist the application in the UserSpace.
7. Use “Switch Default-Deny“ to turn ON the protection.

ForgottenSeer 85179 · Aug 19, 2020

shmu26 said:
Question about installing user-space programs: usually when I install a program, I right-click and choose the forced smartscreen option. This runs the installer with admin privileges. But what if it is meant to install in user space with standard privileges, such as Zoom? Is there a way to know, before trying to install? If I install such a program with forced smartscreen, it goes into the admin account.

Best install path for programs is in official programs folder which is protected by UAC.

So if a program doesn't need admin rights, it install in a insecure path like appdata, temp, documents, .. which should be avoided which is done by H_C.

shmu26 · Aug 19, 2020

Either you guys didn't understand my question, or I didn't understand your answers.
My problem is like this: I download app ZOMBIE. I have no clue where ZOMBIE wants to install, or with what privelages, or whatever. So how to proceed? Trial and error?

Andy Ful · Aug 19, 2020

shmu26 said:
Question about installing user-space programs: usually when I install a program, I right-click and choose the forced smartscreen option. This runs the installer with admin privileges.

That was changed in the ver. 5.1.1.2. In the Recommended Settings the Forced Smartscreen (""Install by Smartscreen" right-click entry) works with standard privileges. You can still use Forced Smartscreen with Admin privileges when applying the Strict_Recommended_Settings profile. Please, read the help about <More SRP ...><Update Mode> for more details.

shmu26 said:
But what if it is meant to install in user space with standard privileges, such as Zoom? Is there a way to know, before trying to install? If I install such a program with forced smartscreen, it goes into the admin account.

Solved with <Update Mode> feature introduced in the actual version.

shmu26 · Aug 19, 2020

Andy Ful said:
That was changed in the ver. 5.1.1.2. In the Recommended Settings the Forced Smartscreen (""Install by Smartscreen" right-click entry) works with standard privileges. You can still use Forced Smartscreen with Admin privileges when applying the Strict_Recommended_Settings profile. Please, read the help about <More SRP ...><Update Mode> for more details.

Solved with <Update Mode> feature introduced in the actual version.

Thanks, Andy!

Andy Ful · Aug 19, 2020

mkoundo said:
found in the FAQs:

How to install applications on SUA.
1. Run the application installer by using "Run As SmartScreen" option from the Explorer
right-click context menu.
2. Check the default installation folder.
3. If it is in the Administrator profile, then cancel the installation and continue with Steps
#4-7. If not, then continue with the installation and skip Steps #4-7.
4. Use “Switch Default-Deny“ to turn OFF the protection temporarily.
5. Install the application normally (by left mouse-click or pressing the Enter key).
6. Whitelist the application in the UserSpace.
7. Use “Switch Default-Deny“ to turn ON the protection.

This fragment is not from the actual manual, but from the older version.

In the actual version we have:

How to install applications on Windows 8+ with the H_C Recommended
Settings.
Forced SmartScreen feature is available only on Windows 8+.
In the Recommended Settings, the Forced SmartScreen feature is integrated
with <Update Mode> = ON. So, the "Install By SmartScreen" entry in the
right-click Explorer context menu can be used to install applications. This
works well for EXE and MSI standalone installers. When <Update Mode> is
set to ON, the installation process does not force high privileges and the application
always installs in the right user profile.
The "Install By SmartScreen" entry will not work for non-standalone installers,
for example when the installation must be done from CD/DVD drives,
CD/DVD images, archives containing the installation files copied from
CD/DVD, etc. In such cases, the user must disable default-deny protection
temporarily with SwitchDefaultDeny tool, and install the application normally
without using "Install By SmartScreen".

How to install applications on Windows 7 (Vista) with the H_C Recommended
Settings.
1.Use the SwitchDefaultDeny tool to turn OFF the protection temporarily
(SRP rules are automatically refreshed).
2. Install the application normally (by using left mouse-click or pressing the
Enter key).
3.Whitelist the application if it was installed in UserSpace.
4.Use the SwitchDefaultDeny tool again to turn ON the protection (SRP rules
are automatically refreshed).

How to update applications with the H_C Recommended Settings.
On Windows 8+ the applications usually can auto-update without problems.
The manual updates with standalone EXE or MSI installers can be done via
"Install By SmartScreen" entry in the right-click Explorer context menu.
If the Recommended Settings are applied on Windows 7 (Vista), then the
H_C protection should be temporarily turned off to allow software updates.
The user should be very cautious to run only safe executables.

How to update applications with H_C's custom default-deny settings.
1. Use the SwitchDefaultDeny tool to switch OFF the Default Deny Protection
temporarily (SRP rules are automatically refreshed).
2. Install the application normally.
3. Switch ON the Default Deny Protection (SRP rules are automatically refreshed).

mazskolnieces · Aug 19, 2020

@Andy Ful

Hard_Configurator needs a notification when the policy is disabled, but the user forgets to re-enable it after X minutes. Maybe even and auto-time out where policy is auto-renabled.

aldist · Aug 20, 2020

mazskolnieces said:
Hard_Configurator needs a notification when the policy is disabled, but the user forgets to re-enable it after X minutes.

It's too much. If there is no memory at all, then upon reboot, the SwitchDefaultDeny window will automatically open and show that protection is disabled. It's enough.

shmu26 · Aug 20, 2020

mazskolnieces said:
@Andy Ful

Hard_Configurator needs a notification when the policy is disabled, but the user forgets to re-enable it after X minutes. Maybe even and auto-time out where policy is auto-renabled.

H_C has no running processes so that kind of feature is hard to implement. It's a tweaking tool, not an active app.

Andy Ful · Aug 20, 2020

mazskolnieces said:
@Andy Ful

Hard_Configurator needs a notification when the policy is disabled, but the user forgets to re-enable it after X minutes. Maybe even and auto-time out where policy is auto-renabled.

This would require a scheduled task. I was thinking about it but finally decided to implement something similar in SwitchDefaultDeny via the autorun registry key.
As @aldist mentioned, when the protection is switched OFF by SwitchDefaultDeny, then SwitchDefaultDeny starts automatically after reboot (more precisely after each sign in).

Gangelo · Aug 20, 2020

I am having serious trouble updating Adguard for Windows and I cannot find a solution..

I have set up Hard Configurator to 'Basic Recommended Settings'.
Today, I saw Adguard notifying that there is a new update. I initiated the update but ASR blocked it as follows:

Mind you, this was an update from within the software, I did not download any installer myself.
Next step was to uninstall Adguard, download the installer, Switched Off SRP's, Switched Off Restrictions, Applied settings, Loged Off and On.
I run the installer 2 times. One by Smartscreen and one as Administrator, both times with no success (same block as above picture)...

What am I doing wrong here???

Andy Ful · Aug 21, 2020

Gangelo said:
I am having serious trouble updating Adguard for Windows and I cannot find a solution..

I have set up Hard Configurator to 'Basic Recommended Settings'.
Today, I saw Adguard notifying that there is a new update. I initiated the update but ASR blocked it as follows:

View attachment 245403

Mind you, this was an update from within the software, I did not download any installer myself.
Next step was to uninstall Adguard, download the installer, Switched Off SRP's, Switched Off Restrictions, Applied settings, Loged Off and On.
I run the installer 2 times. One by Smartscreen and one as Administrator, both times with no success (same block as above picture)...

What am I doing wrong here???

As you can see from the alert, the file is blocked by one of WD ASR rules - it is not blocked by the settings visible directly in the H_C window. The WD configuration depends on ConfigureDefender settings. So, simply open ConfigureDefender and disable this rule temporarily (reboot needed).

This update is blocked because it uses a method that is also used by some ransomware.
No worry, WD has probably got an update for ASR rules. Simply, wait one day (just in case) and follow the above. It is very probable that the false positive will be removed by Microsoft in the future because AdGuard is popular.

Gangelo · Aug 21, 2020

Andy Ful said:
As you can see from the alert, the file is blocked by one of WD ASR rules - it is not blocked by the settings visible directly in the H_C window. The WD configuration depends on ConfigureDefender settings. So, simply open ConfigureDefender and disable this rule temporarily (reboot needed).

This update is blocked because it uses a method that is also used by some ransomware.
No worry, WD has probably got an update for ASR rules. Simply, wait one day (just in case) and follow the above. It is very probable that the false positive will be removed by Microsoft in the future because AdGuard is popular.

Andy, many thanks for the reply, I suspected that it was irrelevant to the H_C visible settings but wanted to confirm in case I missed something.
I will try again as you instructed.

Cheers!

Gangelo · Aug 22, 2020

Update on the above:

Yesterday when I tried to update / install adguard on all my systems, everything went smooth as butter.
The latest defender definitions have probably sorted this out.

paulderdash · Sep 3, 2020

Another LOLbin for H_C to need to guard against?

Microsoft Defender can ironically be used to download malware

A recent update to Windows 10's Microsoft Defender antivirus solution ironically allows it to download malware and other files to a Windows computer.

www.bleepingcomputer.com

Gandalf_The_Grey · Sep 3, 2020

paulderdash said:
Another LOLbin for H_C to need to guard against?

Microsoft Defender can ironically be used to download malware

A recent update to Windows 10's Microsoft Defender antivirus solution ironically allows it to download malware and other files to a Windows computer.

www.bleepingcomputer.com

Seems not necessary:

No problem for H_C, VS, and SWH due to anti-script (command-line) protection.

Microsoft Defender can ironically be used to download malware

WD is probably the most targeted AV. Keep in mind, WD uses a KMD too. https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-can-ironically-be-used-to-download-malware/

malwaretips.com

Andy Ful · Sep 3, 2020

paulderdash said:
Another LOLbin for H_C to need to guard against?

Microsoft Defender can ironically be used to download malware

A recent update to Windows 10's Microsoft Defender antivirus solution ironically allows it to download malware and other files to a Windows computer.

www.bleepingcomputer.com

Normally it is not required to block LOLBins, because H_C blocks scrips. Blocking LOLBins is required when using not patched system/software or when applying the H_C custom settings (scripts allowed). If Microsoft does not secure the MpCmdRun.exe, then I can add it to blocked sponsors. But, it is easy for MS to secure this LOLBin by simply checking if the downloaded file is really the WD update.

grimreaper1014 · Sep 3, 2020

I am looking into using hard_configurator. I would like to use it on my gaming computer I just built as well as a laptop my mother is using. She is basically just knows how to browse the web and check her email. Therefore, I do not want to overwhelm her. Is there a user friendly way I can enable it on her computer? On my gaming pc I used the Windows 10 basic config file, HC firewall hardening, and Defender on high.

*Edit - Ahhh nevermind I will just use simple hardening for her. I do not think it will interfere with anything she is doing. She pretty much just browses, email, and uses her nursing software.

Hard_Configurator - Windows Hardening Configurator

Level 22

Level 6

Level 8

ForgottenSeer 85179

Level 85

From Hard_Configurator Tools

Level 85

From Hard_Configurator Tools

Level 3

Level 2

Level 85

From Hard_Configurator Tools

Level 6

From Hard_Configurator Tools

Level 6

Level 6

Level 6

Level 83

From Hard_Configurator Tools

Level 3

Similar threads