Andy Ful

Level 63
Verified
Trusted
Content Creator
...
*Edit - Ahhh, never mind, I will just use simple hardening for her. I do not think it will interfere with anything she is doing. She pretty much just browses, emails, and uses her nursing software.
You can use SWH and FirewallHardening ("Recommended H_C" block rules). (y)
This should work well with many AVs. I would also recommend for her the Edge Chromium web browser with enabled SmartScreen and PUA.
 
You can use SWH and FirewallHardening ("Recommended H_C" block rules). (y)
This should work well with many AVs. I would also recommend for her the Edge Chromium web browser with enabled SmartScreen and PUA.
Thanks for your reply. I really appreciate it as I am new to using this. I just have a few questions. For my mom's computer, when I download Hard_Configurator there is a separate folder called Simple Windows Hardening. That is where I enabled it. Then I saved the SWH folder under my docs in case in the future there is a conflict. Now to use the firewall settings I have to install hard config right? Once installed just click firewall hardening and add recommended HC. Then I can click close and apply at the main screen and she's done, right?

On my gaming PC should I use LOL Bins for Windows Firewall too? On SwitchDefaultDeny do I want Validate Admin Code Sigs?
 
Last edited:

Andy Ful

Level 63
Verified
Trusted
Content Creator
...
Now to use the firewall settings I have to install hard config right? Once installed just click firewall hardening and add recommended HC. Then I can click close and apply at the main screen and she's done right?
...
You do not need to install H_C. There is a standalone portable version of FirewallHardening available:
You can download it and keep it together with SWH. Next, the "C:\Windows\Hard_Configurator" folder can be deleted to remove the H_C files. SWH and H_C are not fully compatible, so run SWH again to see if everything is OK.

On my gaming PC should I use LOL Bins for Windows Firewall too? On SwitchDefaultDeny do I want Validate Admin Code Sigs?
I would recommend that you stop hardening for a while and use the current setup (SWH + FirewallHardening). This reduces the attack surface significantly without losing usability. If there are no issues, then after a month or two you can go further (this will require some learning).
Please remember that custom hardening will require looking at the SWH and FirewallHardening logs (from time to time) to check for possible block events.
In SWH you can use the option <Elevation of unsigned executables> = Restricted if you mostly use digitally signed applications. If not, some unsigned applications will be blocked by this setting.
 
Last edited:
You do not need to install H_C. There is a standalone portable version of FirewallHardening available:
You can download it and keep it together with SWH. Next, the "C:\Windows\Hard_Configurator" folder can be deleted to remove the H_C files. SWH and H_C are not fully compatible, so run SWH again to see if everything is OK.


I would recommend that you stop hardening for a while and use the current setup (SWH + FirewallHardening). This reduces the attack surface significantly without losing usability. If there are no issues, then after a month or two you can go further (this will require some learning).
Please remember that custom hardening will require looking at the SWH and FirewallHardening logs (from time to time) to check for possible block events.
In SWH you can use the option <Elevation of unsigned executables> = Restricted if you mostly use digitally signed applications. If not, some unsigned applications will be blocked by this setting.
Thanks a lot for breaking it down for me. I am pretty computer savvy. However, I am new to hardening. The setup you recommended sounds exactly like what I am after. Something to help out that does not get too crazy lol. I was not aware of the standalone FirewallHardening. Thanks again and keep up the good work.
 

aldist

Level 1
I was not aware of the standalone FirewallHardening.
Windows Firewall has the concept of "what is not explicitly allowed is forbidden", or "if there is no explicit permission rule, then Internet access is prohibited"; therefore the use of FirewallHardening from H_C is optional and has more psychological effect than practical. But you can use FirewallHardening to at least see how many rules it will create in Windows Firewall, or save the rules to a file.
You should also know that the fewer rules in Windows Firewall, the faster it processes them.
 

Andy Ful

Level 63
Verified
Trusted
Content Creator
Windows Firewall has the concept of "what is not explicitly allowed is forbidden", or "if there is no explicit permission rule, then Internet access is prohibited"; therefore the use of FirewallHardening from H_C is optional and has more psychological effect than practical. ...
You are wrong. Any predefined FirewallHardening rule blocks something that is allowed by default in Windows Firewall. Of course, one can block all outbound connections, but this would require much work to allow all needed processes and applications.
 

aldist

Level 1
Any predefined FirewallHardening rule blocks something that is allowed by default in Windows Firewall.
Correct firewall configuration starts with removing all pre-installed Windows firewall rules, outgoing and incoming. After that, the minimum required rules are created. After that, the FirewallHardening rules, if used, will be redundant, since there is no need to prohibit what is not allowed.
 

Andy Ful

Level 63
Verified
Trusted
Content Creator
Correct firewall configuration starts with removing all pre-installed Windows firewall rules, outgoing and incoming.
I am curious, why does Microsoft insist on doing it "incorrectly"? Are they stupid or mean? Who decided that your "correct" way is the correct one? :unsure:

After that, the FirewallHardening rules, if used, will be redundant, since there is no need to prohibit what is not allowed.
Of course. They are only useful when one uses the "incorrect" rules applied by Microsoft by default ( = most users in the world). (y)
 
Last edited:
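As an added example (not from the thread, Hard_Configurator or FirewallHardening), this PowerShell script makes the exchange above checkable on your own machine: it reads each firewall profile's default outbound action and lists the enabled per-program outbound block rules, which is the shape of rule FirewallHardening adds. It is read-only and assumes the NetSecurity module (Windows 8 / Server 2012 and later).

```powershell
# Added example, not part of the thread or of FirewallHardening.
# Read-only audit of how Windows Firewall treats outbound traffic.

function Get-OutboundPolicySummary {
    # DefaultOutboundAction = Allow means any program without an explicit
    # block rule may connect out; that is what per-program block rules address.
    Get-NetFirewallProfile | ForEach-Object {
        [pscustomobject]@{
            Profile               = $_.Name
            Enabled               = $_.Enabled
            DefaultInboundAction  = $_.DefaultInboundAction
            DefaultOutboundAction = $_.DefaultOutboundAction
        }
    }
}

function Get-ProgramOutboundBlockRules {
    # Enabled outbound Block rules that are bound to a program path
    # (rules bound to "Any" program are service/port rules, skipped here).
    Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True |
        ForEach-Object {
            $app = $_ | Get-NetFirewallApplicationFilter
            if ($app.Program -and $app.Program -ne 'Any') {
                [pscustomobject]@{
                    Name    = $_.DisplayName
                    Profile = $_.Profile
                    Program = $app.Program
                }
            }
        }
}

Get-OutboundPolicySummary | Format-Table -AutoSize

$blocks = @(Get-ProgramOutboundBlockRules)
"Per-program outbound block rules: $($blocks.Count)"
$blocks | Sort-Object Program | Format-Table -AutoSize
```

On a default Windows install the summary shows Allow for outbound on every profile and a count of zero, which is the gap the per-program rules fill.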

ErzCrz

Level 7
Verified
Just my two pence here. Most people aren't likely to go manually removing firewall rules after a program has been uninstalled and Firewall Hardening at least blocks the LOLBins that are often exploited which you would be unlikely to see a Windows Firewall alert for. It's the default deny approach which is what I love about H_C and FH.
 

Andy Ful

Level 63
Verified
Trusted
Content Creator
Desire to be able to control your computer, receive maximum telemetry as well.
How can allowing LOLBins be related to the above? They are not used by MS to control the computer and receive telemetry. Furthermore, the MS guys could easily do it with disabled outbound connections in Windows Firewall (if they want).

Experience.
Windows is also available for people who do not have your Experience.
I do not say that your way is wrong. Simply, using default-deny both for executing files and for outbound connections is too much for most users. Furthermore, when you use default-deny for executing files, the default-deny Firewall is not so useful anymore (except maybe in the enterprises).
 

security123

Level 26
Verified
Furthermore, when you use default-deny for executing files, the default-deny Firewall is not so useful anymore (except maybe in the enterprises).
Agree!

I even moved from a default-deny firewall with Simplewall, then TinyWall, to the Windows default without any external tool.
The default-deny for execution is enough for 99% of malware. The other 1% isn't consumer-related and needs specific attacks.

This is also thanks to Microsoft, as they made many great improvements in the past, so even the default Windows security is very good (y)
 

JohnB

New Member
Developer website:

The dedicated website (thanks to @askalan):
Hard Configurator


Hard_Configurator was created after a discussion on the below threads:
Secure Windows - Software restriction Policies to Windows Home
Windows Pro owner? Use Software Restriction Policies!
Poll - Do you use security reg tweaks?
Run by Smartscreen utility


What can it do?

This program can configure Windows built-in security to harden the system. When you close Hard_Configurator it closes all its processes. The real-time protection comes from the reconfigured Windows settings. Hard_Configurator can be seen as a Medium Integrity Level smart default-deny setup, which is based on SRP + Application Reputation Service (forced SmartScreen) + Windows hardening settings (restricting vulnerable features).
Hard_Configurator makes changes in Windows Registry to accomplish the tasks enumerated below:
  1. Enabling Software Restriction Policies (SRP) in Windows Home editions.
  2. Changing SRP Security Levels, Enforcement options, and Designated File Types.
  3. Whitelisting files in SRP by path (also with wildcards) and by hash.
  4. Blocking the vulnerable system executables via SRP.
  5. Protecting (deny execution) writable subfolders in "C:\Windows" folder (via SRP).
  6. Restricting shortcut execution to some folders only (via SRP).
  7. Enabling Windows Defender advanced settings, like PUA protection, ASR rules, Network Protection etc.
  8. Blocking outbound connections of many LOLBins and user applications.
  9. Filtering Windows Event Log for blocked outbound connections.
  10. Protecting against weaponized documents, when MS Office and Adobe Acrobat Reader XI/DC are used to open them.
  11. Disabling PowerShell script execution (Windows 7+).
  12. Securing PowerShell by Constrained Language mode (SRP, PowerShell 5.0+).
  13. Disabling execution of scripts managed by Windows Script Host.
  14. Removing "Run as administrator" option from the Explorer right-click context menu.
  15. Forcing SmartScreen check for files without 'Mark Of The Web' (Windows 8+).
  16. Disabling Remote Desktop, Remote Assistance, Remote Shell, and Remote Registry.
  17. Disabling execution of 16-bit applications.
  18. Securing Shell Extensions.
  19. Disabling SMB protocols.
  20. Disabling program elevation on Standard User Account.
  21. Disabling Cached Logons.
  22. Filtering Windows Event Log for blocked file execution events (Nirsoft FullEventLogView).
  23. Filtering autoruns from the User Space, and script autoruns from anywhere (Sysinternals Autorunsc).
  24. Turning ON/OFF all the above restrictions.
  25. Restoring Windows Defaults.
  26. Making System Restore Point.
  27. Using predefined setting profiles for Windows 7, Windows 8, and Windows 10.
  28. Saving the chosen restrictions as a profile, and restoring when needed.
  29. Backup management for Profile Base (whitelist profiles and setting profiles).
  30. Changing GUI skin.
  31. Updating application.
  32. Uninstalling application (Windows defaults restored).

Many of the above tasks can be done by using Windows RegEdit. Anyway, with Hard_Configurator, it can be done more quickly and safely.
This program was created for advanced users to secure inexperienced users. :)
This looks great. I will try it on my kids computer to protect them from themselves.
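Items 9 and 22 of the quoted list, and the earlier advice to look at the block logs from time to time, both come down to reading two event sources. As an added example (not from the thread, Hard_Configurator or FirewallHardening), this PowerShell script pulls both: SRP block events from the Application log and Windows Filtering Platform block events (ID 5157) from the Security log. It assumes failure auditing is enabled for the "Filtering Platform Connection" subcategory and that the shell is elevated, since the Security log is not readable otherwise.

```powershell
# Added example, not part of the thread or of Hard_Configurator.
# SRP blocks: Application log, provider Microsoft-Windows-SoftwareRestrictionPolicies,
#             event IDs 865-868 (which ID fires depends on the matching rule type).
# Firewall blocks: Security log, event ID 5157, written only when failure auditing is on:
#             auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable

function Get-SrpBlockEvents {
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-SoftwareRestrictionPolicies'
        Id           = 865, 866, 867, 868
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Trim() } }
}

function Get-FirewallBlockEvents {
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 5157
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # EventData is a list of <Data Name="...">value</Data>; index it by name.
        $d = @{}
        foreach ($item in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        # Direction is stored as a resource reference, not as text.
        $dir = switch ($d['Direction']) { '%%14593' { 'Outbound' } '%%14592' { 'Inbound' } default { $_ } }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Application = $d['Application']   # NT device path of the blocked process
            Direction   = $dir
            Destination = '{0}:{1}' -f $d['DestAddress'], $d['DestPort']
            Protocol    = $d['Protocol']      # IANA number: 6 = TCP, 17 = UDP
        }
    }
}

# Which SRP rules fired, then which programs were stopped from connecting out, most frequent first.
Get-SrpBlockEvents | Format-Table -AutoSize -Wrap
Get-FirewallBlockEvents | Where-Object Direction -eq 'Outbound' |
    Group-Object Application | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

A program that shows up repeatedly in the second table is either something to whitelist or something to investigate; an empty table with auditing enabled simply means nothing was blocked in the period.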
 

ColonelMal

Level 2
I would like to add Hard_Configurator to my system. However, I have a couple of questions for which it was difficult to find answers in this long thread.

I already use ReHIPS and Malwarebytes Windows Firewall Control and ideally I want to continue using these programs. I don't have an antivirus program installed and I let Windows Defender take care of this.

Is there anything in particular that I should do concerning Hard_Configurator in relation to the programs that I mentioned?
 

Andy Ful

Level 63
Verified
Trusted
Content Creator
I would like to add Hard_Configurator to my system. However, I have a couple of questions for which it was difficult to find answers in this long thread.

I already use ReHIPS and Malwarebytes Windows Firewall Control and ideally I want to continue using these programs. I don't have an antivirus program installed and I let Windows Defender take care of this.

Is there anything in particular that I should do concerning Hard_Configurator in relation to the programs that I mentioned?
Hard_Configurator has been made to simplify the security config. You will not simplify anything by adding H_C to this setup. I would recommend that you master ReHIPS for more protection and maybe add ConfigureDefender (HIGH Protection Level).
Hard_Configurator can be used with your setup after some ReHIPS tweaking, but I do not think that it would be necessary for most users.
 

ColonelMal

Level 2
Thank you for the reply. At least it's comforting to learn that I don't have to do anything immediately, other than adding ConfigureDefender.
EDIT: For clarification, the ConfigureDefender information states that "If an administrator applied or changed Defender policies manually, he must first ensure that they are changed back to 'Not configured' before using the ConfigureDefender utility. Those settings can be found in Group Policy Management Console". I found all these except for any entry for Spynet.
 
Last edited:

Andy Ful

Level 63
Verified
Trusted
Content Creator
Thank you for the reply. At least it's comforting to learn that I don't have to do anything immediately, other than adding ConfigureDefender.
EDIT: For clarification, the ConfigureDefender information states that "If an administrator applied or changed Defender policies manually, he must first ensure that they are changed back to 'Not configured' before using the ConfigureDefender utility. Those settings can be found in Group Policy Management Console". I found all these except for any entry for Spynet.
That is OK. Just check if the GPO settings are set to "Not configured". (y)
 

ColonelMal

Level 2
Thank you. I used the Group Policy Editor as administrator in order to see the settings. I hope it's the same as what you say about the Group Policy Management Console. Anyway I'm the only user on my PC and in this regard I'm sure that I didn't deliberately change any default Windows Defender settings.
 