Update Hard_Configurator - Windows Hardening Configurator

Andy Ful

Level 67
Verified
Trusted
Content Creator
Dec 23, 2014
5,607
maybe this is interesting for you, @andy:
Yes, it is still very interesting to me. I inspected LOLBins when creating FirewallHardening to see which LOLBins can be used to download/execute something from the Internet.

I noticed the LOLBAS on GitHub about two years ago:
This website was next transferred to the new website:
LOLBAS-Project/LOLBAS
and to the new web portal:
LOLBAS
 

Andy Ful

Is Mac and Linux affected by LOLBins, LOLLibs, LOLScripts etc?
Unix:

LOLBins were used in the wild also on Linux and Mac:

Lazarus APT campaign targeted both macOS and Windows users via Word documents:
 

Andy Ful

Sorry if it's answered in the thread (I searched but may not have used the right terms), but is there a way to donate to @Andy Ful to help a little with the costs of maintaining H_C?
He has said that he does not want any donations. Too bad, I was going to donate $100,000. ;)
Ha, ha - there are so many people involved in this project that it would be hard to split the money. :)
But seriously, there is no need to donate to H_C. I can manage the current costs related to buying the digital certificate. Furthermore, there is nothing new in Windows (for a long time) which would make me do important changes in the code.

Anyway, there is another project made by @askalan (MT member) who created the website dedicated to H_C.
Homepage - Hard_Configurator (hard-configurator.com)
Some MT members supported this project by translating the texts or donating. It would be great to support his project (just PM to the author for details).:)(y)
 

Andy Ful

How do you exclude programs from default deny?
As @oldschool has already mentioned:

Hard_Configurator002.png


1. Checking the Log ---> use <Tools> <Blocked Events / Security Logs>

Hard_Configurator10.png


2. Use <Whitelist By Path> to exclude/whitelist Folders or Files by path or <Whitelist By Hash> to exclude/whitelist files by hash.

Hard_Configurator04.png
 

SecurityNightmares

Level 31
Verified
Jan 9, 2020
2,083
With my new PC I found a bug with "Block PowerShell Scripts":
If it's disabled, the PowerShell policy is still "Restricted", like it is with protection on.

This means script execution is never possible. It's not a bug in H_C I guess, but a feature of Windows which sets the policy to Restricted by default.
Anyway, H_C should change the policy to "Bypass" if protection is disabled.

I tested this with the PowerShell command
Get-ExecutionPolicy
 

Andy Ful

I noticed that saving a profile doesn't include the firewall rules. Is there another way to export and import those rules in H_C?
The FirewallHardening and ConfigureDefender are external applications integrated into the H_C GUI. For now, they do not support exporting/importing the settings. Anyway, the configuration is usually quick and simple.
 

Andy Ful

With my new PC I found a bug with "Block PowerShell Scripts":
If it's disabled, the PowerShell policy is still "Restricted", like it is with protection on.

This means script execution is never possible. It's not a bug in H_C I guess, but a feature of Windows which sets the policy to Restricted by default.
Yes, it is not a bug. Microsoft chose "Restricted" as the default setting - it is not an Administrator Policy. This setting can be bypassed with standard rights to run scripts from a command line without user interaction. So, any malware can run PowerShell scripts without a problem, and PowerShell scripts can be accidentally run by the user via BAT, CMD, Windows Script Host, shortcuts, etc.
Anyway, H_C should change the policy to "Bypass" if protection is disabled.

I tested this with the PowerShell command
Get-ExecutionPolicy
Let's suppose that you use the Windows standard settings + the H_C setting <Block PowerShell Scripts> = ON. When you run the command get-executionpolicy -list in the PowerShell console, you will see the full list of PowerShell restrictions, like the one below:

        Scope ExecutionPolicy
        ----- ---------------
MachinePolicy      Restricted   <--- This comes from the H_C setting
   UserPolicy       Undefined
      Process       Undefined
  CurrentUser       Undefined
 LocalMachine      Restricted   <--- This is the default Windows setting

As can be seen, the H_C setting does not overwrite the default Windows setting, but only overrides it.
When you set <Block PowerShell Scripts> = OFF in H_C, the settings will look like this (the PowerShell console has to be closed and started again):

        Scope ExecutionPolicy
        ----- ---------------
MachinePolicy       Undefined   <--- This comes from the H_C setting
   UserPolicy       Undefined
      Process       Undefined
  CurrentUser       Undefined
 LocalMachine      Restricted   <--- This is the default Windows setting
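As an added example (not code from the thread or from H_C), the script below resolves the effective execution policy from the scope list the way PowerShell does and prints the two registry locations behind the two Restricted lines in the listing above. The registry paths, and the assumption that the H_C override lives in the policy key, are mine, not something the post states.

```powershell
# Added example (not from the thread or from H_C): resolve the effective PowerShell
# execution policy as the engine does (first scope in precedence order whose value is
# not Undefined) and show where the override and the default are stored.
# Assumption: the registry paths below are the standard Group Policy (MachinePolicy)
# and LocalMachine locations, and H_C's override is assumed to sit in the former.
function Get-EffectiveExecutionPolicy {
    param(
        # Default is the live listing; a constructed listing can be passed instead.
        [array]$Scopes = (Get-ExecutionPolicy -List)
    )
    $order = 'MachinePolicy', 'UserPolicy', 'Process', 'CurrentUser', 'LocalMachine'
    foreach ($name in $order) {
        $entry = $Scopes | Where-Object { "$($_.Scope)" -eq $name }
        if ($entry -and "$($entry.ExecutionPolicy)" -ne 'Undefined') {
            return [pscustomobject]@{ Scope = $name; Policy = "$($entry.ExecutionPolicy)" }
        }
    }
    # Nothing set in any scope: the engine falls back to Restricted.
    return [pscustomobject]@{ Scope = 'Default'; Policy = 'Restricted' }
}
function Show-ExecutionPolicySources {
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $localKey  = 'HKLM:\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell'
    # MachinePolicy scope: only present while a policy (GPO or H_C) is applied.
    $machine = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    if ($machine -and $null -ne $machine.EnableScripts) {
        "MachinePolicy: EnableScripts=$($machine.EnableScripts) ExecutionPolicy=$($machine.ExecutionPolicy)"
    } else {
        'MachinePolicy: not set (no GPO/H_C override)'
    }
    # LocalMachine scope: what Set-ExecutionPolicy writes; the override leaves it untouched.
    $local = Get-ItemProperty -Path $localKey -ErrorAction SilentlyContinue
    $localPolicy = if ($local.ExecutionPolicy) { $local.ExecutionPolicy } else { 'Undefined' }
    "LocalMachine:  ExecutionPolicy=$localPolicy"
    $eff = Get-EffectiveExecutionPolicy
    "Effective:     $($eff.Policy) (decided by scope $($eff.Scope))"
}
# Constructed listing: the <Block PowerShell Scripts> = ON case, with the LocalMachine
# value deliberately changed to show that it is hidden by the override, not overwritten.
$sample = @(
    [pscustomobject]@{ Scope = 'MachinePolicy'; ExecutionPolicy = 'Restricted' }
    [pscustomobject]@{ Scope = 'UserPolicy';    ExecutionPolicy = 'Undefined' }
    [pscustomobject]@{ Scope = 'Process';       ExecutionPolicy = 'Undefined' }
    [pscustomobject]@{ Scope = 'CurrentUser';   ExecutionPolicy = 'Undefined' }
    [pscustomobject]@{ Scope = 'LocalMachine';  ExecutionPolicy = 'RemoteSigned' }
)
Get-EffectiveExecutionPolicy -Scopes $sample
Show-ExecutionPolicySources
```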
 

nadis

New Member
Apr 21, 2020
9
The FirewallHardening and ConfigureDefender are external applications integrated into the H_C GUI. For now, they do not support exporting/importing the settings. Anyway, the configuration is usually quick and simple.
I see. I have lots of custom entries, so that would be nice to have. Also nice would be the ability to select multiple files at once (with Ctrl) or even folders for the firewall list.


BTW, there's a bug/annoyance: if SmartScreen is disabled in Windows before H_C is installed/run, the "Install by SmartScreen" entry stays in the context menu and can't be removed without enabling SmartScreen in Windows first. It also stays there after uninstalling H_C.
 

Andy Ful

I see. I have lots of custom entries, so that would be nice to have. Also nice would be the ability to select multiple files at once (with Ctrl) or even folders for the firewall list.


BTW, there's a bug/annoyance: if SmartScreen is disabled in Windows before H_C is installed/run, the "Install by SmartScreen" entry stays in the context menu and can't be removed without enabling SmartScreen in Windows first. It also stays there after uninstalling H_C.
I have a problem reproducing your issue. I disabled SmartScreen for Explorer from Windows Security Center. Next, I installed H_C ver. 5.1.1.2 and applied the Recommended Settings. The alert was shown and SmartScreen was automatically enabled. Next, I uninstalled H_C. No "Install By SmartScreen" in the context menu.

Edit.1
I noticed that the option <Forced SmartScreen> is grayed out (it should not be), but this issue disappears after running H_C again.

Edit.
When H_C is installed with disabled SmartScreen without choosing the "Recommended Settings", the option <Forced SmartScreen> is grayed and it cannot be changed manually or by loading a predefined setting profile. In this case, the "Install By SmartScreen" entry is not added to the Explorer context menu.
 

Andy Ful

@nadis,

Finally, I figured out how this issue can occur. If one disables SmartScreen not from Windows Security Center but via GPO or another way that changes the SmartScreen Policy, then H_C thinks initially that the SmartScreen is enabled. So, the "Install By SmartScreen" entry is added. After running H_C again, it recognizes that SmartScreen is disabled, but does not remove the "Install By SmartScreen" entry from the registry. I will think about what to do with it. I can force the H_C to remove the Policy or show the alert that SmartScreen is disabled by the Administrator.
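An added check (not from the thread or from H_C) for the situation described above: it reports whether Explorer SmartScreen is off because of an Administrator policy or because of the Windows Security Center toggle, which is the distinction the post says H_C initially gets wrong. The two registry locations are my assumption about where those settings live, not something the post states.

```powershell
# Added example (not from the thread or from H_C): tell "disabled by Administrator
# policy" apart from "disabled in Windows Security Center" for Explorer SmartScreen.
# Assumption: the policy lives under HKLM\...\Policies\...\System (EnableSmartScreen)
# and the Security Center toggle under HKLM\...\Explorer (SmartScreenEnabled).
function Get-SmartScreenState {
    param(
        # Defaults read the live registry; values can be injected for a dry run.
        $PolicyValue = (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' -ErrorAction SilentlyContinue).EnableSmartScreen,
        $ExplorerValue = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' -ErrorAction SilentlyContinue).SmartScreenEnabled
    )
    # A policy value, when present, wins over the Security Center setting, so it is
    # checked first; this is the case a check of the Explorer value alone would miss.
    if ($null -ne $PolicyValue) {
        if ([int]$PolicyValue -eq 0) { return 'Disabled by Administrator policy (GPO)' }
        return 'Enabled by Administrator policy (GPO)'
    }
    switch ("$ExplorerValue") {
        'Off'   { return 'Disabled in Windows Security Center' }
        ''      { return 'Not configured (Windows default applies)' }
        default { return "Enabled in Windows Security Center ($ExplorerValue)" }
    }
}
# Dry runs with constructed values, then the live machine.
Get-SmartScreenState -PolicyValue 0 -ExplorerValue 'Warn'
Get-SmartScreenState -PolicyValue $null -ExplorerValue 'Off'
Get-SmartScreenState
```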
 

nadis

Yeah, sorry, I should have made it clear that it was disabled via GP. I don't think disabling it via "Windows Security" is permanent, at least not on the latest version of Windows.

Regarding the "Install by SmartScreen" functionality in general: It's a significant change of the UI, so I would only add/enable it with explicit user consent. Whatever you decide, as long as the user gets an option it's good enough I think.
 

Andy Ful

Regarding the "Install by SmartScreen" functionality in general: It's a significant change of the UI, ...
This is the most innocent change that H_C makes in the Registry and Windows functionality. Furthermore, "Install By SmartScreen" is the heart of most H_C setting profiles and applying any setting profile already requires user consent.
Anyway, the fact that "Install By SmartScreen" is not fully removed when uninstalling H_C is a bug. I simply did not take into account that someone could first disable SmartScreen by Admin Policies and next would want to use H_C which is based mostly on SmartScreen. Thanks for pointing it out - I will fix it in the next version of H_C. (y) :)
Unfortunately, the H_C settings are not compatible with GPO restrictions due to the GPO refresh feature (this is noted in the H_C help and manual). So, GPO restrictions can spoil some functions of H_C.

By the way, you can simply use the Windows Security Center to disable SmartScreen. It will remain disabled (not a part of WD Tamper Protection).
 

Nagisa

Level 6
Verified
Jul 19, 2018
286
Hey @Andy Ful

It seems like I'm not able to whitelist only specific file types that are present in subfolders, but not the main folder. Like the below:

Code:
C:\EEK\*\*.exe

C:\EEK\executable.exe --> should be blocked
C:\EEK\folder\executable.exe --> should not be blocked
C:\EEK\folder\folder2\executable.exe --> should be blocked
C:\EEK\folder\executable.msi --> should be blocked

Is this a bug or something H_C lacks?
 

Andy Ful

Hey @Andy Ful

It seems like I'm not able to whitelist only specific file types that are present in subfolders, but not the main folder. Like the below:

Code:
C:\EEK\*\*.exe

C:\EEK\executable.exe --> should be blocked
C:\EEK\folder\executable.exe --> should not be blocked
C:\EEK\folder\folder2\executable.exe --> should be blocked
C:\EEK\folder\executable.msi --> should be blocked

Is this a bug or something H_C lacks?
I am not sure what you want to do. If you applied the rule which whitelists:
C:\EEK\*\*.exe
then all *.exe files will be allowed in C:\EEK\folder\, but not in C:\EEK\, C:\EEK\folder\folder2\, or the deeper subfolders. When whitelisting a specific file type in a particular folder, Windows built-in SRP forbids replacing the asterisk with a string that includes a backslash.
For whitelisting details, please look at the examples in the article "Part 3 - How do Software Restriction Policies work.pdf" included in the Hard_Configurator folder.

If you want to whitelist only a specific file type in a particular folder and its nested subfolders, then you have to use several rules:
C:\EEK\*\*.exe
C:\EEK\*\*\*.exe
C:\EEK\*\*\*\*.exe
etc. (y)
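The wildcard behaviour described above, as an added example that is not part of the thread or of H_C: a small model of SRP path-rule matching run over the four paths from the question, then over the per-depth rules from the reply. That '*' never matches a backslash is taken as an assumption from the reply, not verified against SRP itself.

```powershell
# Added example (not from the thread or from H_C): a model of the SRP path-rule
# wildcard, used to check the four paths from the question against a rule set.
# Assumption: '*' matches any run of characters inside one path component and never
# a backslash, which is the SRP behaviour described in the reply above.
function ConvertTo-SrpRegex {
    param([string]$Rule)
    # Escape the rule, then turn each escaped '*' into "anything except a backslash".
    $escaped = [regex]::Escape($Rule) -replace '\\\*', '[^\\]*'
    return '^' + $escaped + '$'
}
function Test-SrpWhitelisted {
    param([string]$Path, [string[]]$Rules)
    # -match is case-insensitive by default, which fits Windows path semantics.
    foreach ($rule in $Rules) {
        if ($Path -match (ConvertTo-SrpRegex $rule)) { return $true }
    }
    return $false
}
# Constructed test paths taken from the question, with the outcome the asker wanted.
$cases = @(
    @{ Path = 'C:\EEK\executable.exe';                Wanted = $false }
    @{ Path = 'C:\EEK\folder\executable.exe';         Wanted = $true  }
    @{ Path = 'C:\EEK\folder\folder2\executable.exe'; Wanted = $false }
    @{ Path = 'C:\EEK\folder\executable.msi';         Wanted = $false }
)
# The single rule from the question: exactly one subfolder level is matched.
$single = @('C:\EEK\*\*.exe')
foreach ($c in $cases) {
    $allowed = Test-SrpWhitelisted -Path $c.Path -Rules $single
    '{0,-40} allowed={1,-5} wanted={2}' -f $c.Path, $allowed, $c.Wanted
}
# The workaround from the reply: one rule per nesting depth, generated here for 1..3.
$nested = 1..3 | ForEach-Object { 'C:\EEK\' + ('*\' * $_) + '*.exe' }
$nested
Test-SrpWhitelisted -Path 'C:\EEK\folder\folder2\executable.exe' -Rules $nested
```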
 