Updates Hard_Configurator - Windows Hardening Configurator

Andy Ful

Level 71
Verified
Trusted
Content Creator
Dec 23, 2014
6,056
Hi Andy,
an update on my last post: I rebooted the computer for the firewall rule changes to take effect and now I get a firewall log event like so:
Something blocks outbound connections of spoolsv.exe (but not H_C or FirewallHardening). This executable is related to printing. This block can be made by system/privacy settings or some other application. For example, on my computer, the svchost outbound connections are commonly blocked by system/privacy settings. FirewallHardening can block only the executables present on the FirewallHardening block list. The Log shows all blocked outbound connections (made by FirewallHardening and other processes). You can also see all FirewallHardening rules by opening Windows Firewall outbound rules. All FirewallHardening rules start with "H_C rule for:"
By the way, did you finally install the Dell driver on your computer?
 
Last edited:
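As an added example (not code from Hard_Configurator or FirewallHardening), here is a PowerShell snippet that performs the check described above: it pulls the recent blocked outbound connections for one executable and tests whether that executable appears in any rule named "H_C rule for:…". It assumes the blocked-connection entries are Security-log event 5157 (Windows Filtering Platform "connection blocked"), which only exist when "Audit Filtering Platform Connection" is enabled; the process name and event count are parameters, and spoolsv.exe is just the value from the post.

```powershell
# Added example, not part of H_C or FirewallHardening. Run from an elevated PowerShell.
# Assumption: blocked outbound connections are logged as Security event 5157.

function Get-BlockedOutbound {
    param(
        [string]$ProcessName = 'spoolsv.exe',   # leaf name of the executable in the log entry
        [int]$MaxEvents      = 200
    )

    # 1. Programs covered by FirewallHardening rules (they all start with "H_C rule for:").
    $hcLeafNames = @()
    $hcRules = Get-NetFirewallRule -DisplayName 'H_C rule for:*' -Direction Outbound -ErrorAction SilentlyContinue
    foreach ($rule in $hcRules) {
        $filter = $rule | Get-NetFirewallApplicationFilter
        if ($filter.Program -and $filter.Program -ne 'Any') {
            $hcLeafNames += [IO.Path]::GetFileName($filter.Program).ToLowerInvariant()
        }
    }
    $hcLeafNames = $hcLeafNames | Sort-Object -Unique
    $onHcList = $hcLeafNames -contains $ProcessName.ToLowerInvariant()

    # 2. Recent 5157 events for that executable (Direction %%14593 = outbound, %%14592 = inbound).
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5157 } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($ev in $events) {
        $xml  = [xml]$ev.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['Direction'] -ne '%%14593') { continue }
        $app = $data['Application']   # NT path, e.g. \device\harddiskvolume2\windows\system32\spoolsv.exe
        if ([IO.Path]::GetFileName($app).ToLowerInvariant() -ne $ProcessName.ToLowerInvariant()) { continue }
        [pscustomobject]@{
            Time        = $ev.TimeCreated
            Application = $app
            DestAddress = $data['DestAddress']
            DestPort    = $data['DestPort']
            FilterRTID  = $data['FilterRTID']   # id of the WFP filter that blocked it
            OnHCList    = $onHcList             # $false means some other rule/setting blocked it
        }
    }
}

Get-BlockedOutbound -ProcessName 'spoolsv.exe' | Format-Table -AutoSize
```

If OnHCList is $false for every row, FirewallHardening did not create the block; the FilterRTID column can then be looked up in the output of `netsh wfp show filters` to see which rule or provider owns the filter that matched.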

mkoundo

Level 5
Verified
Jul 21, 2017
235
Thanks for your advice Andy! No, the installation is still failing as before. Printing?? I don't have any other privacy software installed. Microsoft shenanigans no doubt.


**update: the log entry DestAddress: 192.168.1.202 is the address of my printer. No idea why a graphics application is trying to connect to my printer.

I'll file this one under "unexplained phenomena"
 

mkoundo

Level 5
Verified
Jul 21, 2017
235
It's not really the driver but the Intel graphics application that lets you adjust the graphics driver settings. It's a UWP application that looks like:


***
update: installed it directly from the Microsoft Store - no issues
 
Last edited:

Andy Ful

Level 71
Verified
Trusted
Content Creator
Dec 23, 2014
6,056
ENFORCEMENT FOR "ALL USERS" (experimental feature) - it will be introduced in the new H_C beta version.

This enforcement can cause problems because it can have an impact on Windows administrative processes.

The enforcement for "All users" means that also users from the Administrator group (using high privileges) will be prevented from bypassing SRP restrictions.
Normally, the Hard_Configurator settings allow the users from the Administrator group to bypass SRP to avoid problems with blocking administrative tasks in UserSpace.

The enforcement for "All users" is sometimes used in Enterprises to prevent malware introduced by elevated processes. For example, this can happen via an exploit with privilege escalation or a worm spreading in the local network with high privileges.

In the Home environment, such vectors of attack are usually negligible. Furthermore, one can use the Standard User Account (SUA) to prevent privilege escalation. This is usually a more comprehensive solution as compared to enforcement for "All users".

This enforcement is not fully compatible with Strict_Recommended_Settings on Windows 8, 8.1, 10 or Recommended_Settings on Windows 7 (Vista). These setting profiles block execution in the whole UserSpace, so some actions related to software installation or Administrative tasks with high privileges can be blocked in ProgramData or User AppData folders. For example, the Windows built-in Disk Cleanup tool (cleanmgr.exe) will not work properly to clean system files - it uses dismhost.exe, which will be blocked in the AppData\Local\Temp folder. Similar problems can sometimes happen for other Administrative tasks, depending on the user's settings and installed software.

In the Home environment on Admin account, the expert users can apply the enforcement for "All users" (including Administrators) in some situations:
1. Extreme hardening (computer LockDown).
2. Support for older Windows versions.
3. Support for the H_C default-allow setup with some blocked Sponsors (LOLBins).

When using SUA, the enforcement for "All users" is not necessary (even for points 1, 2, and 3).


How to apply the enforcement for "All users".

It can be applied by running Hard_Configurator (SwitchDefaultDeny) with the -p switch, for example:
Hard_Configurator(x64).exe -p
When using Hard_Configurator with the -p switch it is necessary to also run SwitchDefaultDeny with this switch. The most convenient way is to edit the commands in the shortcuts by adding the -p switch.
When executing Hard_Configurator (SwitchDefaultDeny) without this switch, the default enforcement "All users except local Administrators" will be configured (a Windows restart is required).

The enforcement for "All users" can be used with the SRP default-allow setup or with some default-deny setting profiles, like:
Basic_Recommended_Settings,
Recommended_Settings (on Windows 8, 8.1, 10),
MT_Windows_Security_hardening,
Avast_Hardened_Mode_Aggressive.

When applying these setting profiles, the "Install By SmartScreen" ("Run By SmartScreen") can be used in most cases to install applications without switching OFF the SRP protection.
It is not recommended to apply enforcement for "All users" when using other setting profiles or custom settings. The common issue will be related to the "Install By SmartScreen" feature, which cannot work properly with a default-deny setup when <Update Mode> = OFF. Furthermore, due to blocking processes with high privileges, SRP restrictions cannot be bypassed in UserSpace when using the system "Run as administrator" feature.
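As an added example, not Hard_Configurator's own code, here is a PowerShell script that reads the Software Restriction Policies values H_C configures and reports the enforcement scope, so you can confirm after the restart whether the -p switch actually took effect. It assumes the policy is stored under the machine-wide Safer\CodeIdentifiers key, which is where SRP keeps it; the value meanings are the documented SRP ones (PolicyScope 0 = all users, 1 = all users except local administrators; TransparentEnabled 1 = skip DLLs, 2 = all files). The path-rule listing shows which locations are Disallowed, which is where an elevated task such as dismhost.exe in AppData\Local\Temp would be caught once Administrators are no longer exempt.

```powershell
# Added example, not part of Hard_Configurator. Run from an elevated PowerShell.
# Assumption: SRP policy lives under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer.

function Get-SrpEnforcement {
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    if (-not (Test-Path $base)) { return $null }          # no SRP policy configured
    $ci = Get-ItemProperty -Path $base

    $defaultLevel = switch ($ci.DefaultLevel) {
        0       { 'Disallowed (default-deny)' }
        0x20000 { 'Basic User' }
        0x40000 { 'Unrestricted (default-allow)' }
        default { "Unknown ($($ci.DefaultLevel))" }
    }
    $scope = switch ($ci.PolicyScope) {
        0       { 'All users (including Administrators)' }  # what the -p switch configures
        1       { 'All users except local Administrators' } # H_C default enforcement
        default { "Unknown ($($ci.PolicyScope))" }
    }
    $files = switch ($ci.TransparentEnabled) {
        0       { 'No enforcement' }
        1       { 'All software files except libraries (DLLs skipped)' }
        2       { 'All software files (including DLLs)' }
        default { "Unknown ($($ci.TransparentEnabled))" }
    }

    # Path rules are stored under a subkey named after their security level:
    # 0 = Disallowed, 262144 (0x40000) = Unrestricted. ItemData holds the path.
    $rules = foreach ($level in @{ 0 = 'Disallowed'; 262144 = 'Unrestricted' }.GetEnumerator()) {
        $pathKey = Join-Path $base "$($level.Key)\Paths"
        if (Test-Path $pathKey) {
            Get-ChildItem $pathKey | ForEach-Object {
                [pscustomobject]@{ Level = $level.Value; Path = (Get-ItemProperty $_.PSPath).ItemData }
            }
        }
    }

    [pscustomobject]@{
        DefaultLevel    = $defaultLevel
        Scope           = $scope
        Enforcement     = $files
        ExecutableTypes = ($ci.ExecutableTypes -join ' ')
        PathRules       = $rules
    }
}

$srp = Get-SrpEnforcement
if ($null -eq $srp) { 'No SRP policy found.'; return }
$srp | Select-Object DefaultLevel, Scope, Enforcement, ExecutableTypes | Format-List
$srp.PathRules | Sort-Object Level, Path | Format-Table -AutoSize

# Does the policy apply to this session? With scope 1 an elevated admin token is exempt.
$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
           ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if ($isAdmin -and $srp.Scope -like 'All users except*') {
    'This elevated session bypasses SRP; "Run as administrator" will too.'
} elseif ($isAdmin) {
    'This elevated session is also restricted by SRP (the "All users" enforcement is active).'
}
```

Run it once before and once after the restart that follows `Hard_Configurator(x64).exe -p`; the Scope line should change from "All users except local Administrators" to "All users (including Administrators)". The script only reads the registry, so it is safe to run as a check on any H_C profile.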
 

Lenny_Fox

Level 22
Verified
Oct 1, 2019
1,146
@Andy Ful

Why did you introduce the "All Users" feature? Which problem does it solve? I know a lot of problems this can create for PC users.

Why not explain more about the standard user setup you have put together for your wife. That setup has all the benefits of blocking "All Users" without the risk of shooting yourself in the foot!

 

Andy Ful

Level 71
Verified
Trusted
Content Creator
Dec 23, 2014
6,056
@Andy Ful

Why did you introduce the "All Users" feature? Which problem does it solve? I know a lot of problems this can create for PC users.

Why not explain more about the standard user setup you have put together for your wife. That setup has all the benefits of blocking "All Users" without the risk of shooting yourself in the foot!

This enforcement will not be useful for most users. You probably missed this (from my previous post):
"In the Home environment on Admin account, the expert users can apply the enforcement for 'All users' (including Administrators) in some situations:
1. Extreme hardening (computer LockDown).
2. Support for older Windows versions.
3. Support for the H_C default-allow setup with some blocked Sponsors (LOLBins).

When using SUA, the enforcement for 'All users' is not necessary (even for points 1, 2, and 3)."

Most of the expert users would like to use SUA, but in some cases, it would be very inconvenient. Furthermore, one cannot choose this enforcement normally. It can be set only when executing H_C with a special switch. So there is no risk of an accidental shooting in the foot. One has to intentionally buy a gun and shoot.
 
Last edited:

Andy Ful

Level 71
Verified
Trusted
Content Creator
Dec 23, 2014
6,056
There is an open question if the enforcement for 'All users' could be useful with Basic_Recommended_Settings - this setup is probably most popular for experienced users who do not like SUA for some reason. But, I do not know for now. This will require a long time of testing, so I did not mention this possibility in my previous posts.

Generally, inexperienced users should use SUA (also recommended for anyone), and then the enforcement for 'All users' is not needed.
 
Last edited:

Andy Ful

Level 71
Verified
Trusted
Content Creator
Dec 23, 2014
6,056
Why can the enforcement for 'All users' support the Admin account on older Windows versions or with a default-allow setup (blocked Sponsors, LOLBins)?

The older Windows versions can have unpatched privilege escalation exploits. The recommended way in such a case is using SUA. If one cannot use SUA then the enforcement for 'All users' is logical to prevent bypassing the H_C restrictions based on SRP. But, this solution requires extended knowledge about Windows. The more SRP restrictions, the more problems can arise with this enforcement. Only the expert users can evaluate the pros and cons of such solutions.

When using a default-allow SRP setup with blocked LOLBins, the risk of problems is much lower compared to default-deny, but the attack surface is much greater. This can increase the chances of UAC bypass, and highly privileged malware will still be able to use all LOLBins. So, applying the enforcement for 'All users' is also logical. Blocking LOLBins for 'All users' can be useful only as one of the possible security layers - it can cover many fileless vectors of attack, even when the malware could elevate via UAC bypass.

When using the H_C Basic_Recommended_Settings the risk of problems with 'All users' enforcement can be (in theory) greater compared to the default-allow setup. Also, on well patched Windows 10 with these H_C restrictions + SmartScreen, the chances of privilege escalation via exploits or UAC bypasses are minimal. So probably, the support of 'All users' enforcement will be limited in this case to vulnerable systems (older Windows versions). Anyway, if the problems related to applying 'All users' enforcement turn out to be negligible in the Home environment (we will see this after some extended testing), there will also be no serious contraindications to using it on well patched Windows 10.
 
Last edited:

Andy Ful

Level 71
Verified
Trusted
Content Creator
Dec 23, 2014
6,056
I tried to find the difference between using the enforcement for 'All users' and the default H_C enforcement (All users except Administrators). I examined the tests on MH made by @askalan. The tests were made with the H_C Strict_Recommended_Settings (with antivirus disabled), but the results would be the same in the Real-World Scenario with the H_C Basic_Recommended_Settings + SmartScreen (although they could be different for malware from USB drives).
After several months of testing, there was only one malware that could infect the system. This malware did not bypass directly the SRP restrictions, but it could infect the system when the user was tricked to install the malware as an application (malware had the ability to bypass SmartScreen and the user had to allow the malware elevation via UAC prompt).

The infection chain could be broken with 'All users' enforcement because the malware dropped/executed a script that would be blocked by SRP with this enforcement even when malware used high privileges. In the test with the default H_C enforcement, the malware was allowed to run with high privileges so SRP restrictions for Windows Script Host did not apply.

I suspect that this difference would be only theoretical, because most users would think that the file allowed by SmartScreen is most probably clean. Furthermore, such malware is used mostly in targeted attacks on enterprises, organizations, etc. Rarely, the targets can be the home users as in the case of IOBit malware (this one was blocked via anti-DLL-hijacking protection when InstallBySmartScreen or RunBySmartScreen was used).
Sometimes such malware can be reused in widespread attacks, but then most AVs will detect it as malware.
 
Last edited:

wat0114

Level 3
Apr 5, 2021
138
Hi Andy,

it looks like Hard_Configurator doesn't support SRP enforcement of ALL file types, including DLLs. Is this right or am I missing something? Thanks.

EDIT

the reason I ask is because the only Enforcement settings available to me were:
No Enforcement & Skip DLL's
 
Last edited:

Andy Ful

Level 71
Verified
Trusted
Content Creator
Dec 23, 2014
6,056
Hi Andy,

it looks like Hard_Configurator doesn't support SRP enforcement of ALL file types, including DLLs. Is this right or am I missing something? Thanks.

EDIT

the reason I ask is because the only Enforcement settings available to me were:
No Enforcement & Skip DLL's
Yes. I removed this enforcement in ver. 5.1.1.2.
 

SecurityNightmares

Level 40
Verified
Jan 9, 2020
2,946
In HardeningKitty I found the following Firewall rules, which aren't in your FirewallHardening tool:

ID    Name                                        Type         Rule applies to                              Protocol  Local ports  IP addresses  Profile / Action
2307  HardeningKitty-Block-calc-x64               Custom Rule  %SystemRoot%\System32\calc.exe               Any       Any          Any           Block All
2308  HardeningKitty-Block-calc-x86               Custom Rule  %SystemRoot%\Syswow64\calc.exe               Any       Any          Any           Block All
2311  HardeningKitty-Block-conhost-x64            Custom Rule  %SystemRoot%\System32\conhost.exe            Any       Any          Any           Block All
2312  HardeningKitty-Block-conhost-x86            Custom Rule  %SystemRoot%\Syswow64\conhost.exe            Any       Any          Any           Block All
2317  HardeningKitty--Block-notepad-x64           Custom Rule  %SystemRoot%\System32\notepad.exe            Any       Any          Any           Block All
2318  HardeningKitty--Block-notepad-x86           Custom Rule  %SystemRoot%\Syswow64\notepad.exe            Any       Any          Any           Block All
2319  HardeningKitty--Block-RunScriptHelper-x64   Custom Rule  %SystemRoot%\System32\RunScriptHelper.exe    Any       Any          Any           Block All
2320  HardeningKitty--Block-RunScriptHelper-x86   Custom Rule  %SystemRoot%\Syswow64\RunScriptHelper.exe    Any       Any          Any           Block All

What do you think @Andy Ful?

Also, I still wonder why "finger.exe" isn't included:
C:\Windows\System32\finger.exe
C:\Windows\SysWOW64\finger.exe
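As an added example (not FirewallHardening's or HardeningKitty's own code), here is a PowerShell script that creates the kind of per-program outbound block rules listed in the post, for the binaries named there plus finger.exe, in both the System32 and SysWOW64 locations. The rule-name prefix "Example-Block-" is an assumption chosen so the rules can be listed and removed as a group; the binary list is taken from the post and is easy to extend.

```powershell
# Added example, not part of FirewallHardening or HardeningKitty. Run from an elevated PowerShell.
# Assumption: the "Example-Block-" prefix is ours; rule names in the post use other prefixes.

$Prefix   = 'Example-Block-'
$Binaries = 'calc.exe', 'conhost.exe', 'notepad.exe', 'RunScriptHelper.exe', 'finger.exe'

function Get-LolbinRuleTargets {
    # One (rule name, absolute path) pair per binary per architecture directory that exists here.
    foreach ($bin in $Binaries) {
        foreach ($dir in @{ x64 = "$env:SystemRoot\System32"; x86 = "$env:SystemRoot\SysWOW64" }.GetEnumerator()) {
            $path = Join-Path $dir.Value $bin
            if (Test-Path $path) {
                [pscustomobject]@{
                    Name = "$Prefix$([IO.Path]::GetFileNameWithoutExtension($bin))-$($dir.Key)"
                    Path = $path
                }
            }
        }
    }
}

function Add-LolbinBlockRules {
    foreach ($t in Get-LolbinRuleTargets) {
        # Idempotent: re-running the script must not create duplicate rules.
        if (Get-NetFirewallRule -DisplayName $t.Name -ErrorAction SilentlyContinue) {
            "exists: $($t.Name)"; continue
        }
        New-NetFirewallRule -DisplayName $t.Name -Direction Outbound -Action Block `
            -Program $t.Path -Profile Any -Enabled True | Out-Null
        "added:  $($t.Name) -> $($t.Path)"
    }
}

function Remove-LolbinBlockRules {
    # Undo everything this script created, and nothing else.
    Get-NetFirewallRule -DisplayName "$Prefix*" -ErrorAction SilentlyContinue | Remove-NetFirewallRule
}

Add-LolbinBlockRules

# Verify: show each created rule together with the program path the firewall stored for it.
foreach ($rule in Get-NetFirewallRule -DisplayName "$Prefix*") {
    $program = ($rule | Get-NetFirewallApplicationFilter).Program
    "{0,-45} {1}" -f $rule.DisplayName, $program
}
```

Two caveats a practitioner should keep in mind: a program rule matches only the path given, so a copy of the same binary launched from another directory is not covered (which is also why the x86 and x64 paths need separate rules), and blocking conhost.exe or calc.exe changes nothing for a process that loads its network code elsewhere; the rules are a cheap extra layer against the specific LOLBin being driven directly, not a substitute for SRP or WDAC. `Remove-LolbinBlockRules` takes the rules out again.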
 