Update Hard_Configurator - Windows Hardening Configurator

[Andy Ful]

Hi Andy,

for Documents Anti-Exploit I have I changed the initial setting of "Partial" to "ON1", and then attempted to switch back to "Partial", but I get the pop-up as attached:

View attachment 259972

There seems no way to revert to the initial setting "Partial".

Yes. Your previous settings were replaced (and not remembered). If you want to change current settings, then you can do it from MS Office applications. Look into the H_C manual to see what settings are hardened.

 

[Lenny_Fox]

I think that you could simply apply the profile Windows_10_Basic_Recommended_Settings and additionally:

• Enhanced Sponsors + CMD
• Validate Admin C.S. = ON
• Block Windows Script Host = ON
• Disable SMB = ON123

Besides your current protection, this would protect also shortcuts and prevent the user from opening files with non-safe extensions.

Edit.
If you remove the file extensions from the Designated File Types, then you will get the equivalent of the settings from your previous post (*.bat and *.cmd scripts will be protected).

Not when the default policy is allow

 

[Lenny_Fox]

In your H_C setup, the scripting is restricted except *.bat and *.cmd scripts that can still be run. These scripts are blocked in H_C only in the default-deny setup. Blocking the Sponsor cmd.exe blocks only the command lines that use cmd.exe (that is how Microsoft created CMD). Anyway, you have written "I disabled command and scripts with registry editor", so I assume that you have applied the right reg tweak:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
DisableCMD REG_DWORD 1
This has to be repeated on each user account where CMD is going to be blocked.

Yes I have done that true regedit. THX

 

[Lenny_Fox]

Why do you keep unrestricted shortcuts?

Because default SRP is allow. I think we crossed talked on this which fueled the misunderstanding. I used H_C as replacement for SysHardener

 

[Lenny_Fox]

@andy thanks for all you answers. I decided to de-install Syshardener and implement those changes through regedit

 

[Andy Ful]

Not when the default policy is allow

Because default SRP is allow. I think we crossed talked on this which fueled the misunderstanding. I used H_C as replacement for SysHardener

You can get an exact equivalent of your default-allow settings by using modified default-deny setup:

The *.bat and *.cmd files will be blocked. The PowerShell & Windows Script Host scripts will be blocked, and chosen sponsors will be blocked, too. Anything else will be allowed.

 

[Lenny_Fox]

You can get an exact equivalent of your default-allow settings by using modified default-deny setup:

View attachment 259975

The *.bat and *.cmd files will be blocked. The PowerShell & Windows Script Host scripts will be blocked, and chosen sponsors will be blocked, too. Anything else will be allowed.

Thanks, what does setting designated file types to zero do? Could you please explain, should not file types be listed to be blocked? I already found out that removing EXE from the designated file type, still blocks exe files in user space when applying a default deny. Does Microsoft uses some other internal list when there are no designated filetypes on which SRP should apply?

 

[oldschool]

Can't @Lenny_Fox achieve most of his desired goals with SWH? At least it gives a newbie the chance to easily switch ON/OFF.

 

[Andy Ful]

Thanks, what does setting designated file types to zero do? Could you please explain, should not file types be listed to be blocked? I already found out that removing EXE from the designated file type, still blocks exe files in user space when applying a default deny. Does Microsoft uses some other internal list when there are no designated filetypes on which SRP should apply?

The details are explained in the H_C manual: How SRP can control file execution/opening (page 24)
From table 3 it follows that after removing all entries from Designated File Types, some files are still blocked by default (EXE, MSI, COM, SCR, scripts) in the default-deny setup. In my proposition, EXE and MSI are globally whitelisted, so only COM, SCR, and scripts are blocked.

 

[wat0114]

Yes. Your previous settings were replaced (and not remembered). If you want to change current settings, then you can do it from MS Office applications. Look into the H_C manual to see what settings are hardened.

Okay got it. Thanks Andy!

BTW, I really like the changes you made in the Beta.

 

[Lenny_Fox]

The details are explained in the H_C manual: How SRP can control file execution/opening (page 24)

Got it thanks, The table makes it very clear.

 

[Andy Ful]

Can't @Lenny_Fox achieve most of his desired goals with SWH? At least it gives a newbie the chance to easily switch ON/OFF.

You forgot about the SwitchDefaultDeny tool in H_C.

 

[VecchioScarpone]

Installed Configured Defender on HIGH setting today. I noticed that two of Windows Defender Microsoft SpyNet settings in O&O Shut Up 10, where enabled . Would disable those setting again interfere with CD?

EDIT. I Misread the Title Thread. Maybe a mod could please redirect it to a Configure Defender Thread?

 

[oldschool]

Would disable those setting again interfere with CD?

Probably.

 

[VecchioScarpone]

Probably.

So CD is a little compromise of Privacy for Security. I may be able to live with it, maybe.
I know it is a cliché' but I have nothing to worry about my online activities. Just that, my Italian blood mix with the Australian larrikin way of life, I can't help but stick it to the man...

 

[oldschool]

So CD is a little compromise of Privacy for Security. I may be able to live with it, maybe.
I know it is a cliché' but I have nothing to worry about my online activities. Just that, my Italian blood mix with the Australian larrikin way of life, I can't help but stick it to the man...

I'm not familiar with O&O Shutup but someone else will know for sure.

 

[VecchioScarpone]

@oldschool. Thanks.
It must be related to CD Cloud-delivered Protection = ON and Automatic Sample Submission = Send requirements.

 

[Andy Ful]

@oldschool. Thanks.
It must be related to CD Cloud-delivered Protection = ON and Automatic Sample Submission = Send requirements.

Yes. Did you read ConfigureDefender help? Disabling Cloud-delivered protection is not a little compromise of Privacy for Security. I would rather say that disabling it is a serious security compromise for nothing. The metadata sent to Microsoft is interesting only to the Machine Learning engine.

 

[VecchioScarpone]

@Andy Ful. Thanks much appreciated
<The metadata sent to Microsoft is interesting only to the Machine Learning engine.>
I get your gist. It not easy for a non tech savvy person to fully valuate benefits or detriment of enable or disable certain settings.

 

[Andy Ful]

@Andy Ful. Thanks much appreciated
<The metadata sent to Microsoft is interesting only to the Machine Learning engine.>
I get your gist. It not easy for a non tech savvy person to fully valuate benefits or detriment of enable or disable certain settings.

I know.