Hard_Configurator - Windows Hardening Configurator

Andy Ful

Andy Ful

Level 75
Verified
Helper
Top poster
Developer
Well-known
Dec 23, 2014
6,452
wat0114 said:
Hi Andy,

for Documents Anti-Exploit I have I changed the initial setting of "Partial" to "ON1", and then attempted to switch back to "Partial", but I get the pop-up as attached:

View attachment 259972

There seems no way to revert to the initial setting "Partial".
Click to expand...
Yes. Your previous settings were replaced (and not remembered). If you want to change current settings, then you can do it from MS Office applications. Look into the H_C manual to see what settings are hardened.
 
  • Like
Reactions: Nevi, oldschool and Gandalf_The_Grey
Lenny_Fox

Lenny_Fox

Level 22
Verified
Top poster
Well-known
Oct 1, 2019
1,127
Andy Ful said:
I think that you could simply apply the profile Windows_10_Basic_Recommended_Settings and additionally:
  • Enhanced Sponsors + CMD
  • Validate Admin C.S. = ON
  • Block Windows Script Host = ON
  • Disable SMB = ON123
Besides your current protection, this would protect also shortcuts and prevent the user from opening files with non-safe extensions.

Edit.
If you remove the file extensions from the Designated File Types, then you will get the equivalent of the settings from your previous post (*.bat and *.cmd scripts will be protected).
Click to expand...
Not when the default policy is allow
 
  • Like
Reactions: Nevi
Lenny_Fox

Lenny_Fox

Level 22
Verified
Top poster
Well-known
Oct 1, 2019
1,127
Andy Ful said:
In your H_C setup, the scripting is restricted except *.bat and *.cmd scripts that can still be run. These scripts are blocked in H_C only in the default-deny setup. Blocking the Sponsor c-m-d.exe blocks only the command lines that use c-m-d.exe (that is how Microsoft created CMD). Anyway, you have written "I disabled command and scripts with registry editor", so I assume that you have applied the right reg tweak:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
DisableCMD REG_DWORD 1
This has to be repeated on each user account where CMD is going to be blocked.
Click to expand...
Yes I have done that true regedit. THX
 
  • Like
Reactions: Nevi
Lenny_Fox

Lenny_Fox

Level 22
Verified
Top poster
Well-known
Oct 1, 2019
1,127
@andy thanks for all you answers. I decided to de-install Syshardener and implement those changes through regedit
 
  • Like
Reactions: Nevi
Andy Ful

Andy Ful

Level 75
Verified
Helper
Top poster
Developer
Well-known
Dec 23, 2014
6,452
Lenny_Fox said:
Not when the default policy is allow
Click to expand...
Lenny_Fox said:
Because default SRP is allow. I think we crossed talked on this which fueled the misunderstanding. I used H_C as replacement for SysHardener
Click to expand...
You can get an exact equivalent of your default-allow settings by using modified default-deny setup:

1627915957105.png


The *.bat and *.cmd files will be blocked. The PowerShell & Windows Script Host scripts will be blocked, and chosen sponsors will be blocked, too. Anything else will be allowed.
 
Last edited:
  • Like
  • +Reputation
Reactions: Nevi, silversurfer, oldschool and 1 other person
Lenny_Fox

Lenny_Fox

Level 22
Verified
Top poster
Well-known
Oct 1, 2019
1,127
Andy Ful said:
You can get an exact equivalent of your default-allow settings by using modified default-deny setup:

View attachment 259975

The *.bat and *.cmd files will be blocked. The PowerShell & Windows Script Host scripts will be blocked, and chosen sponsors will be blocked, too. Anything else will be allowed.
Click to expand...
Thanks, what does setting designated file types to zero do? Could you please explain, should not file types be listed to be blocked? I already found out that removing EXE from the designated file type, still blocks exe files in user space when applying a default deny. Does Microsoft uses some other internal list when there are no designated filetypes on which SRP should apply?
 
  • Like
Reactions: Nevi, Andy Ful and oldschool
Andy Ful

Andy Ful

Level 75
Verified
Helper
Top poster
Developer
Well-known
Dec 23, 2014
6,452
Lenny_Fox said:
Thanks, what does setting designated file types to zero do? Could you please explain, should not file types be listed to be blocked? I already found out that removing EXE from the designated file type, still blocks exe files in user space when applying a default deny. Does Microsoft uses some other internal list when there are no designated filetypes on which SRP should apply?
Click to expand...
The details are explained in the H_C manual: How SRP can control file execution/opening (page 24)
From table 3 it follows that after removing all entries from Designated File Types, some files are still blocked by default (EXE, MSI, COM, SCR, scripts) in the default-deny setup. In my proposition, EXE and MSI are globally whitelisted, so only COM, SCR, and scripts are blocked.

1627919899549.png
 
Last edited:
  • Thanks
  • Like
Reactions: Nevi, silversurfer and Lenny_Fox
VecchioScarpone

VecchioScarpone

Level 6
Verified
Well-known
Aug 19, 2017
286
Installed Configured Defender on HIGH setting today. I noticed that two of Windows Defender Microsoft SpyNet settings in O&O Shut Up 10, where enabled . Would disable those setting again interfere with CD?:unsure:

EDIT. :oops: I Misread the Title Thread. Maybe a mod could please redirect it to a Configure Defender Thread?
 

Attachments

  • CD & O&O.png
    CD & O&O.png
    12.3 KB · Views: 108
Last edited:
  • Like
Reactions: Nevi, plat1098 and oldschool
oldschool

oldschool

Level 65
Verified
Top poster
Well-known
Mar 29, 2018
5,413
VecchioScarpone said:
So CD is a little compromise of Privacy for Security. I may be able to live with it, maybe.
I know it is a cliché' but I have nothing to worry about my online activities. Just that, my Italian blood mix with the Australian larrikin way of life, I can't help but stick it to the man...
Click to expand...
I'm not familiar with O&O Shutup but someone else will know for sure.
 
  • Like
Reactions: Nevi
Andy Ful

Andy Ful

Level 75
Verified
Helper
Top poster
Developer
Well-known
Dec 23, 2014
6,452
VecchioScarpone said:
@oldschool. Thanks.
It must be related to CD Cloud-delivered Protection = ON and Automatic Sample Submission = Send requirements.
Click to expand...
Yes. Did you read ConfigureDefender help? Disabling Cloud-delivered protection is not a little compromise of Privacy for Security. I would rather say that disabling it is a serious security compromise for nothing. The metadata sent to Microsoft is interesting only to the Machine Learning engine.:)(y)
 
Last edited:
  • Like
  • +Reputation
  • Haha
Reactions: Nevi, Azure, vaccineboy and 8 others
VecchioScarpone

VecchioScarpone

Level 6
Verified
Well-known
Aug 19, 2017
286
@Andy Ful. Thanks much appreciated
<The metadata sent to Microsoft is interesting only to the Machine Learning engine.>
I get your gist. It not easy for a non tech savvy person to fully valuate benefits or detriment of enable or disable certain settings.
 
  • Like
Reactions: Nevi, oldschool and Andy Ful
You must log in or register to reply here.

Similar threads

Andy Ful
Q&A Simple Windows Hardening
Replies
378
Views
48,012
Hard_Configurator Tools
Andy Ful
Andy Ful
Kees1958
Advanced Plus Security Kees1958 Security Config 2022
Replies
15
Views
1,046
Computer Security Configuration
Kees1958
Kees1958
LASER_oneXM
  • Article
Malware Alert Malicious PowerPoint files used to push remote access trojans
Replies
0
Views
67
Security News
LASER_oneXM
LASER_oneXM
silversurfer
Hackers Deploy ELF on Windows Loaders to Exploit WSL Features
Replies
0
Views
361
News Archive
silversurfer
silversurfer
LASER_oneXM
Microsoft asks admins to patch PowerShell to fix WDAC bypass
Replies
6
Views
739
News Archive
Kees1958
Kees1958
Top