You can use SWH and FirewallHardening ("Recommended H_C" block rules).
Thanks for your reply. I really appreciate it as I am new to using this. I just have a few questions. For my moms computer when I download hard_configuartor there is a separate folder called simple Simple Windows Hardening. That is where I enabled it. Then I saved the SWH folder under my doc incase in the future there is a conflict. Now to use the firewall settings I have to install hard config right? Once installed just click firewall hardening and add recommended HC. Then I can click close and apply at the main screen and she's done right?You can use SWH and FirewallHardening ("Recommended H_C" block rules).
This should work well with many AVs. I would also recommend for her the Edge Chromium web browser with enabled SmartScreen and PUA.
You do not need to install H_C. There is a standalone portable version of FirewallHardening available:
github.com
I would recommend you to stop the hardening for a while and use the current setup (SWH + FirewallHardening). This reduces the attack surface significantly without losing usability. If there will not be the issues, then after a month or two you can go further (this will require some learning).
Thanks a lot for breaking it down for me. I am pretty computer savvy. However, I am new to hardening. The setup you recommended sounds exactly like what I am after. Something to help out that does not get too crazy lol. I was not aware of the standalone firewallhardening. Thanks again and keep up the good work.You do not need to install H_C. There is a standalone portable version of FirewallHardening available:
You can download it and keep it together with SWH. Next, the "C:\Windows|Hard_Configurator" folder can be deleted to remove the H_C files. The SWH and H_C are not fully compatible, so run SWH again to see if everything is OK.
ConfigureDefender/H_C_HardeningTools.zip at master · AndyFul/ConfigureDefender
Utility for configuring Windows 10 built-in Defender antivirus settings. - ConfigureDefender/H_C_HardeningTools.zip at master · AndyFul/ConfigureDefender
I would recommend you to stop the hardening for a while and use the current setup (SWH + FirewallHardening). This reduces the attack surface significantly without losing usability. If there will not be the issues, then after a month or two you can go further (this will require some learning).
Please remember, that custom hardening will require looking at the SWH and FirewallHardening Logs (from time to time) to see for the possible block events.
You can use in SWH the option <Elevation of unsigned executables> = Restricted, if you mostly use digitally signed applications. If not then some unsigned applications will be blocked by this setting.
Windows firewall has the concept of "what is not explicitly allowed is forbidden", or "if there is no explicit permission rule, then Internet access is prohibited", therefore the use of firewallhardening from H_C is optional and has more psychological effect than practical. But you can use firewallhardening to at least see how many rules it will create in Windows Firewall, or save the rules to a file.
You are wrong. Any predefined FirewallHardening rule blocks something that is allowed by default in Windows Firewall. Of course, one can block all outbound connections, but this would require much work to allow all needed processes and applications.
Correct firewall configuration starts with removing all pre-installed Windows firewall rules, outgoing and incoming. After that, the minimum required rules are created. After that, the FirewallHardening rules, if used, will be redundant, since there is no need to prohibit what is not allowed.
I am curious, why Microsoft insist to do it "incorrectly"? Are they stupid or mean? Who decided that your "correct" way is the correct one?
Of course. They are only useful when one uses the "incorrect" rules applied by Microsoft by default ( = most users in the world).
Desire to be able to control your computer, receive maximum telemetry as well.
Experience.
Realy? This isn't Reddit here.
How allowing LOLBins can be related to the above? They are not used by MS to control the computer and receive telemetry. Furthermore, MS guys could easily do it with disabled outbound connections in Windows Firewall (if they want).
Windows is also available for people who do not have your Experience.
Agree!
This looks great. I will try it on my kids computer to protect them from themselves.Developer website:
GitHub - AndyFul/Hard_Configurator: GUI to Manage Software Restriction Policies and harden Windows Home OS
GUI to Manage Software Restriction Policies and harden Windows Home OS - AndyFul/Hard_Configurator
The dedicated website (thanks to @askalan):
Hard Configurator
Hard_Configurator was created after a discussion on the below treads:
Secure Windows - Software restriction Policies to Windows Home
Windows Pro owner? Use Software Restriction Policies!
Poll - Do you use security reg tweaks?
Run by Smartscreen utility
What it can do?
This program can configure Windows built-in security to harden the system. When you close Hard_Configurator it closes all its processes. The real-time protection comes from the reconfigured Windows settings. Hard_Configurator can be seen as a Medium Integrity Level smart default-deny setup, which is based on SRP + Application Reputation Service (forced SmartScreen) + Windows hardening settings (restricting vulnerable features).
Hard_Configurator makes changes in Windows Registry to accomplish the tasks enumerated below:
- Enabling Software Restriction Policies (SRP) in Windows Home editions.
- Changing SRP Security Levels, Enforcement options, and Designated File Types.
- Whitelisting files in SRP by path (also with wildcards) and by hash.
- Blocking the vulnerable system executables via SRP.
- Protecting (deny execution) writable subfolders in "C:\Windows" folder (via SRP).
- Restricting shortcut execution to some folders only (via SRP).
- Enabling Windows Defender advanced settings, like PUA protection, ASR rules, Network Protection etc.
- Blocking outbound connections of many LOLBins and user applications.
- Filtering Windows Event Log for blocked outbound connections.
- Protecting against weaponized documents, when MS Office and Adobe Acrobat Reader XI/DC are used to open them.
- Disabling PowerShell script execution (Windows 7+).
- Securing PowerShell by Constrained Language mode (SRP, PowerShell 5.0+)
- Disabling execution of scripts managed by Windows Script Host.
- Removing "Run as administrator" option from the Explorer right-click context menu.
- Forcing SmartScreen check for files without 'Mark Of The Web' (Windows 8+).
- Disabling Remote Desktop, Remote Assistance, Remote Shell, and Remote Registry.
- Disabling execution of 16-bit applications.
- Securing Shell Extensions.
- Disabling SMB protocols.
- Disabling program elevation on Standard User Account.
- Disabling Cached Logons.
- Filtering Windows Event Log for blocked file execution events (Nirsoft FullEventLogView).
- Filtering autoruns from the User Space, and script autoruns from anywhere (Sysinternals Autorunsc).
- Turning ON/OFF all the above restrictions.
- Restoring Windows Defaults.
- Making System Restore Point.
- Using predefined setting profiles for Windows 7, Windows 8, and Windows 10.
- Saving the chosen restrictions as a profile, and restoring when needed.
- Backup management for Profile Base (whitelist profiles and setting profiles).
- Changing GUI skin.
- Updating application.
- Uninstalling application (Windows defaults restored).
Many of the above tasks can be made by using Windows RegEdit. Anyway, with Hard_Configurator, it can be done more quickly and safely.
This program was created for advanced users to secure inexperienced users.
If your kids use Windows 10 and like games then start first from the Windows_10_Basic_Recommended_Settings (use <Load Profile> button).
Hard_Configurator has been made to simplify the security config. You will not simplify anything by adding H_C to this setup. I would recommend you to master the ReHIPS for more protection and maybe add ConfigureDefender (HIGH Protection Level).
That is OK. Just check if the GPO settings are set to "Not configured".
