Hard_Configurator - Windows Hardening Configurator

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,480
> I use SysHardener outbound firewall rules. Are they about the same as Recommended H_C rules? Maybe I'm missing something? SysHardener added 71 rules to my firewall. SH is not on my PC anymore, but I kept its rules.
The SysHardener and FirewallHardening rules are similar. The FirewallHardening Blocklist has got some additional important rules, like blocking curl.exe. There are some advantages over SysHardener:
  1. A few additional rules.
  2. Log of all blocked outbound connections. This log shows the blocked entries from the FirewallHardening Blocklist + entries blocked by other rules made in Windows Firewall by other applications (also SysHardener).
  3. The user can add custom rules to the FirewallHardening Blocklist.(y)
 

Back3

Level 14
Verified
Top Poster
Apr 14, 2019
668
My SysHardener firewall rules are already in my firewall. If I add H_C recommended firewall rules, I can see that all the rules from both apps are in my firewall. Is there a problem if some rules are duplicated? For instance, I have H_C Cscript.exe and NVTSYSH cscript.exe. It's easy with H_C to remove the duplicates, but I won't do it if I don't have to.
 

Andy Ful

> My SysHardener firewall rules are already in my firewall. If I add H_C recommended firewall rules, I can see that all the rules from both apps are in my firewall. Is there a problem if some rules are duplicated? For instance, I have H_C Cscript.exe and NVTSYSH cscript.exe. It's easy with H_C to remove the duplicates, but I won't do it if I don't have to.
There is no problem, except when something will be blocked. In such a case you have to remove both the SysHardener and the FirewallHardening rules for the particular blocked item. Please remember that changing the FirewallHardening rules requires restarting Windows.
 

Back3

My goal was to enhance the protection I already had with Andy Ful recommended firewall hardening rules.

What I did: I installed Malwarebytes Windows Firewall Control on my PC. I counted again all the SysHardener rules that have been on my Windows firewall for the last two years. I had 67 outbound rules and no issues with them. Furthermore, I then checked those rules with the recommended list from H_C Firewall Hardening. I found 13 rules that were relevant to my PC and were not duplicates. I manually installed those rules and made a backup of all my rules with WFC. My Windows Firewall is now hardened with 80 outbound firewall rules. WFC is a good layer to work easily with Windows Firewall.
 


Andy Ful

> My goal was to enhance the protection I already had with Andy Ful recommended firewall hardening rules.
>
> What I did: I installed Malwarebytes Windows Firewall Control on my PC. I counted again all the SysHardener rules that have been on my Windows firewall for the last two years. I had 67 outbound rules and no issues with them. Furthermore, I then checked those rules with the recommended list from H_C Firewall Hardening. I found 13 rules that were relevant to my PC and were not duplicates. I manually installed those rules and made a backup of all my rules with WFC. My Windows Firewall is now hardened with 80 outbound firewall rules. WFC is a good layer to work easily with Windows Firewall.
You have to check if these rules (made in WFC) can block all available protocols.(y)
 
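Added example (not code from Hard_Configurator, SysHardener or WFC) for the two points raised above, duplicated rules and protocol coverage: it lists the outbound block rules in force, including rules applied through policy, then reports programs blocked by more than one rule and rules that do not block every protocol. Run it in an elevated PowerShell on Windows 8 / Server 2012 or later (NetSecurity module).

```powershell
# Added example, not code from Hard_Configurator, SysHardener or WFC.
# ActiveStore merges local rules with rules delivered through (local or group) policy,
# which is where FirewallHardening places its rules; PersistentStore alone would miss them.
$rules = Get-NetFirewallRule -PolicyStore ActiveStore -Direction Outbound -Action Block -Enabled True

$report = foreach ($rule in $rules) {
    $appFilter  = $rule | Get-NetFirewallApplicationFilter
    $portFilter = $rule | Get-NetFirewallPortFilter
    # Only rules bound to a specific executable are of interest here.
    if (-not $appFilter.Program -or $appFilter.Program -eq 'Any') { continue }
    [pscustomobject]@{
        Name     = $rule.DisplayName
        Store    = $rule.PolicyStoreSourceType      # Local or GroupPolicy
        Program  = [Environment]::ExpandEnvironmentVariables($appFilter.Program).ToLowerInvariant()
        Protocol = $portFilter.Protocol             # 'Any' = all protocols; otherwise TCP, UDP, a number, ...
    }
}

"== Programs blocked by more than one rule (harmless, but every one of them must be removed if the program is later allowed) =="
$report | Group-Object Program | Where-Object Count -gt 1 | ForEach-Object {
    '{0}: {1}' -f $_.Name, (($_.Group | ForEach-Object { "$($_.Name) [$($_.Store)]" }) -join '; ')
}

"== Block rules limited to one protocol (the program can still connect over the others) =="
$report | Where-Object Protocol -ne 'Any' | ForEach-Object {
    '{0} -> {1} only blocks {2}' -f $_.Name, $_.Program, $_.Protocol
}
```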

Andy Ful

> @Andy Ful
>
> Any chance block sponsors (three options only: off - block scripts - enhanced) and Protect Windows Folders will be available on Simple Windows Hardening also?

I could do it, but I am afraid that this would make SWH overcomplicated. Furthermore, LOLBins are dangerous in the home environment when the user can accidentally run command-lines via shortcuts, scripts, scriptlets, macros, or files with active content. But, such actions are already prevented by SWH. The users who have MS Office installed can use ConfigureDefender HIGH Protection Level (or DocumentsAntiExploit tool) to prevent running LOLBins via weaponized documents.

Blocking LOLBins in Windows 10 could make sense when using MS Office with allowed macros and shortcuts - that is a common case in businesses. It could also make sense to prevent targeted attacks. That is why LOLBins are often blocked via SRP, Applocker, or Defender Application Control. For similar reasons, they are blocked/blacklisted when using business-oriented applications like AppGuard or VoodooShield (shortcuts and some files with active content are allowed).
 

Andy Ful

> @Andy Ful do you know if there is any test showing the benefit of setting ConfigureDefender to high or default?
> I'd like to know how this could impact performance and detection/protection rate!
>
> ty
The detection/protection/performance is tested in AV-Test and AV-Comparatives tests for businesses.
The performance of Defender can be different on different machines. So, you have to try it by yourself.

AV-Comparatives
PUA Protection enabled, Cloud protection level set to “High”, Cloud-delivered protection set to “Advanced”. Google Chrome extension “Windows Defender Browser Protection” installed and enabled.

MRG Effitas
ASR rules enabled - other settings unknown (probably the same as for AV-Comparatives).

The cumulative statistics for AV-Comparatives:

The cumulative statistics for MRG Effitas:

Normally the Defender default setup would probably score slightly worse than Avast Business Antivirus. After adding the advanced settings, the protection is much better (especially in Exploit/Fileless tests). You can see the difference when looking at the test where Defender was tested on default settings:


 

Tiamati

Level 12
Verified
Top Poster
Well-known
Nov 8, 2016
574
@Andy Ful did you notice that the Softpedia version of H_C is different from the one offered on GitHub?

Softpedia version: [screenshot]

GitHub version: [screenshot]


Only the last one matches the info you provided on your website

Version 5.1.1.2

  • MD5: bce659dbbdd9c2da93df81ebbb728f00
  • SHA-1: 2836d6d079cb04dbdce0f7c8f895b0afbc344856
  • SHA-256: 8a2d4841345e98e2bc80d1ef02cae5a29d4db8484d9808dde19aff72dc651ea8
 


Andy Ful

It is OK. Look at the hashes included in the file Virustotal.txt on GitHub:

When you update H_C from version 5.1.1.2 (using the Update button in H_C), only the file Hard_Configurator_setup_5.1.1.2.exe will be used, both for Windows 64-bit and 32-bit. For compatibility with older versions, I also uploaded to GitHub the files Hard_Configurator_setup(x64)_5.1.1.2.exe and Hard_Configurator_setup(x86)_5.1.1.2.exe that are used when updating from H_C ver. 5.0.0.0 and prior.
 

Tiamati

> The rules are applied via Windows Policies. They cannot be removed/changed by using the Windows Firewall console. Binisoft Windows Firewall Control probably does not check firewall rules introduced via Windows Policies.

Dear @Andy Ful

About WFC not recognizing the H_C rules: do those rules still work even if WFC doesn't recognize them?
Ty!

BTW: for the 1st time I'm using all features from H_C. I guess you're tired of hearing this, but I'll say it again, excellent work man! 👏👏👏
 

Back3

Two years ago, I installed SysHardener on my PC to get the outbound firewall rules. After a few months, I uninstalled SH but kept the firewall rules. A month ago, I checked the firewall rules of H_C and manually installed with Firewall App Blocker 13 rules that were not duplicates (on my PC) of SH. I uninstalled WFC that I had on my PC then made a backup of my rules with FAB and another backup with Windows Firewall. Five days ago, I had to use Macrium. After that, it took me a few seconds with FAB to get my rules back. And WFC can display those rules.
What I want to say: the firewall rules of H_C are very good and became a permanent fixture of my firewall with no issues at all.
 

Andy Ful

> Is that true, @Andy Ful ?
> also best to enable block remote connections in H_C
> reboot
> and then apply SRP
> otherwise SRP blocks the disable script (it basically runs a powershell script to block remote access)
Not true.
  1. SRP configured by H_C does not block any H_C actions (also ConfigureDefender and FirewallHardening actions).
  2. H_C also does not use PowerShell to configure H_C settings, except for ConfigureDefender.
 

mkoundo

Level 8
Verified
Well-known
Jul 21, 2017
358
Hi Andy,

If you have a few minutes can you please look into this: I'm using H_C 5.1.1.2 with the basic recommended profile in a SUA. I am trying to install a Dell graphics application, which I downloaded directly from Dell. The first time I ran it, the installer failed and the H_C tools/log showed that PowerShell was restricted.

[screenshot: H_C tools log]

So I used SwitchDefaultDeny to turn off SRP and logged out/in again. I also turned off the block PowerShell scripts option. Like so:

[screenshot: H_C settings]

I then re-tried installing (run by smartscreen, prompted for admin elevation) but failed again. This time the log output from H_C tools showed the following and the log output from the installer is listed below:

[screenshot: H_C tools log]

[Sun May 2 09:40:01 2021] Update Package Execution Started
[Sun May 2 09:40:01 2021] Original command line: "D:\tmp\Intel-Graphics-User-Interface-Application_CK8J4_WIN64_1.100.2727.0_A05.EXE"
[Sun May 2 09:40:01 2021] DUP Framework EXE Version: 4.6.2.52
[Sun May 2 09:40:01 2021] DUP Release: CK8J4A05
[Sun May 2 09:40:01 2021] Initializing framework...
[Sun May 2 09:40:01 2021] Data in smbios table is (hex)value = a , Chasis type (hex)value = a , System type is : Client
[Sun May 2 09:40:01 2021] logo.png
[Sun May 2 09:40:21 2021] User Command: attended
[Sun May 2 09:40:21 2021] DUP Capabilities Value: 35651583 (0x21FFFFF)
[Sun May 2 09:40:21 2021] DUP Vendor Software Version: 1.100.2727.0
[Sun May 2 09:40:21 2021] Local System/Model Compatible with this Package? Yes
[Sun May 2 09:40:21 2021] Local System OS Version: 10.0.0.0
[Sun May 2 09:40:21 2021] OS Compatible with this Package? Yes
[Sun May 2 09:40:21 2021] Local System OS Language: EN
[Sun May 2 09:40:21 2021] Language Compatible with this Package? Yes
[Sun May 2 09:40:21 2021] Identified Behavior : attended
[Sun May 2 09:40:21 2021] Extraction-miniunz path: c:\PROGRA~3\dell\drivers\8C6E4C~1\miniunz.exe
[Sun May 2 09:40:21 2021] Extraction-arguments: -x D:\tmp\Intel-Graphics-User-Interface-Application_CK8J4_WIN64_1.100.2727.0_A05.EXE -o -d c:\PROGRA~3\dell\drivers\8C6E4C~1
[Sun May 2 09:40:22 2021] Extraction-GetExitCode: 0
[Sun May 2 09:40:22 2021] Temporary payload log file name: C:\ProgramData\dell\drivers\8c6e4c71-d3fa-4641-adcc-c7fb0e740fd0\DUPD9B3.tmp
[Sun May 2 09:40:22 2021] payloadExe: InstallApp.bat
[Sun May 2 09:40:22 2021] payloadArgs:
[Sun May 2 09:40:22 2021] payloadDir: C:\ProgramData\dell\drivers\8c6e4c71-d3fa-4641-adcc-c7fb0e740fd0
[Sun May 2 09:40:22 2021] MUP Spec version is less than 3 or Not a DCH Package.
[Sun May 2 09:40:22 2021] Legacy installation is selected. Calling Vendor Installer...
[Sun May 2 09:40:23 2021] Appending Vendor Software Log.
[Sun May 2 09:40:23 2021]
--- Start of Vendor Software Log ---

[Sun May 2 09:40:23 2021]
--- End of Vendor Software Log ---

[Sun May 2 09:40:23 2021] Vendor Software Return Code: 1
[Sun May 2 09:40:23 2021] logo.png
[Sun May 2 09:40:23 2021] Name of Exit Code: ERROR
[Sun May 2 09:40:23 2021] Exit Code set to: 1 (0x1)
[Sun May 2 09:40:23 2021] Result: FAILURE
[Sun May 2 09:40:25 2021] Open file: C:\ProgramData\Dell\UpdatePackage\Log\Intel-Graphics-User-Interface-Application_CK8J4_WIN64_1.100.2727.0_A05.txt

Any hint/tips what might be the issue?


thank you for your help Andy (y)
 

Andy Ful

> I then re-tried installing (run by smartscreen, prompted for admin elevation) but failed again. This time the log output from H_C tools showed the following and the log output from the installer is listed below:


There is a problem with the PowerShell cmdlet Add-AppxProvisionedPackage. It probably wants to download something from Microsoft Store. Please, check if PowerShell outbound connections are blocked by FirewallHardening - if this is the issue it should be visible in the FirewallHardening Log.
 

mkoundo

> There is a problem with the PowerShell cmdlet Add-AppxProvisionedPackage. It probably wants to download something from Microsoft Store. Please, check if PowerShell outbound connections are blocked by FirewallHardening - if this is the issue it should be visible in the FirewallHardening Log.

I've removed all the H_C firewall rules and the installation still fails. The firewall log doesn't show any events. :unsure:

[screenshot: FirewallHardening log]
 

mkoundo

Hi Andy,
an update on my last post: I rebooted the computer for the firewall rule changes to take effect and now I get a firewall log event like so:

Event[0]:
Local Time: 2021/05/02 14:48:14
ProcessId: 4016
Application: C:\windows\system32\spoolsv.exe
Direction: Outbound
SourceAddress: 192.168.1.107
SourcePort: 57732
DestAddress: 192.168.1.202
DestPort: 80
Protocol: 6
FilterRTID: 66249
LayerName: %%14611
LayerRTID: 48

**************************************
 
  • Like
Reactions: Kongo and Andy Ful
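Added example, not code from Hard_Configurator's FirewallHardening tool: the Event[0] record above carries the fields of a Windows Filtering Platform "connection blocked" audit event (Security log, Event ID 5157). This script reads those events and summarises the blocked outbound connections per program, so an expected block (curl.exe, cscript.exe, ...) can be told apart from a rule that is breaking an installer. It assumes an elevated shell and that auditing of Filtering Platform Connection failures is enabled; the Application field is left as the device path the event records.

```powershell
# Added example, not code from Hard_Configurator or FirewallHardening.
$proto = @{ 1 = 'ICMPv4'; 6 = 'TCP'; 17 = 'UDP'; 58 = 'ICMPv6' }

$blocked = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5157 } -MaxEvents 2000 |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # Direction is stored as a resource id: %%14592 = Inbound, %%14593 = Outbound
        if ($d.Direction -ne '%%14593') { return }    # skip inbound blocks
        [pscustomobject]@{
            Time        = $_.TimeCreated
            ProcessId   = [int]$d.ProcessID
            Application = $d.Application              # device path, e.g. \device\harddiskvolume3\windows\system32\spoolsv.exe
            Destination = '{0}:{1}' -f $d.DestAddress, $d.DestPort
            Protocol    = if ($proto.ContainsKey([int]$d.Protocol)) { $proto[[int]$d.Protocol] } else { $d.Protocol }
            FilterRTID  = $d.FilterRTID               # id of the WFP filter that blocked it ("netsh wfp show filters" lists them)
        }
    }

# Which programs were blocked, how often, and where they were going.
$blocked | Group-Object Application | Sort-Object Count -Descending | ForEach-Object {
    '{0,5}  {1}' -f $_.Count, $_.Name
    $_.Group | Group-Object Protocol, Destination | Sort-Object Count -Descending | Select-Object -First 5 |
        ForEach-Object { '       {0,4}  {1}' -f $_.Count, $_.Name }
}
```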
