Hard_Configurator - Windows Hardening Configurator

Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Helper
Top poster
Developer
Well-known
Dec 23, 2014
7,088
wat0114 said:
Hi Andy,

for Documents Anti-Exploit I have I changed the initial setting of "Partial" to "ON1", and then attempted to switch back to "Partial", but I get the pop-up as attached:

View attachment 259972

There seems no way to revert to the initial setting "Partial".
Click to expand...
Yes. Your previous settings were replaced (and not remembered). If you want to change current settings, then you can do it from MS Office applications. Look into the H_C manual to see what settings are hardened.
 
  • Like
Reactions: Nevi, oldschool and Gandalf_The_Grey
Lenny_Fox

Lenny_Fox

Level 22
Verified
Top poster
Well-known
Oct 1, 2019
1,126
Andy Ful said:
I think that you could simply apply the profile Windows_10_Basic_Recommended_Settings and additionally:
  • Enhanced Sponsors + CMD
  • Validate Admin C.S. = ON
  • Block Windows Script Host = ON
  • Disable SMB = ON123
Besides your current protection, this would protect also shortcuts and prevent the user from opening files with non-safe extensions.

Edit.
If you remove the file extensions from the Designated File Types, then you will get the equivalent of the settings from your previous post (*.bat and *.cmd scripts will be protected).
Click to expand...
Not when the default policy is allow
 
  • Like
Reactions: Nevi
Lenny_Fox

Lenny_Fox

Level 22
Verified
Top poster
Well-known
Oct 1, 2019
1,126
Andy Ful said:
In your H_C setup, the scripting is restricted except *.bat and *.cmd scripts that can still be run. These scripts are blocked in H_C only in the default-deny setup. Blocking the Sponsor cmd.exe blocks only the command lines that use cmd.exe (that is how Microsoft created CMD). Anyway, you have written "I disabled command and scripts with registry editor", so I assume that you have applied the right reg tweak:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
DisableCMD REG_DWORD 1
This has to be repeated on each user account where CMD is going to be blocked.
Click to expand...
Yes I have done that true regedit. THX
 
  • Like
Reactions: Nevi
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Helper
Top poster
Developer
Well-known
Dec 23, 2014
7,088
Lenny_Fox said:
Not when the default policy is allow
Click to expand...
Lenny_Fox said:
Because default SRP is allow. I think we crossed talked on this which fueled the misunderstanding. I used H_C as replacement for SysHardener
Click to expand...
You can get an exact equivalent of your default-allow settings by using modified default-deny setup:

1627915957105.png


The *.bat and *.cmd files will be blocked. The PowerShell & Windows Script Host scripts will be blocked, and chosen sponsors will be blocked, too. Anything else will be allowed.
 
Last edited:
  • Like
  • +Reputation
Reactions: Nevi, silversurfer, oldschool and 1 other person
Lenny_Fox

Lenny_Fox

Level 22
Verified
Top poster
Well-known
Oct 1, 2019
1,126
Andy Ful said:
You can get an exact equivalent of your default-allow settings by using modified default-deny setup:

View attachment 259975

The *.bat and *.cmd files will be blocked. The PowerShell & Windows Script Host scripts will be blocked, and chosen sponsors will be blocked, too. Anything else will be allowed.
Click to expand...
Thanks, what does setting designated file types to zero do? Could you please explain, should not file types be listed to be blocked? I already found out that removing EXE from the designated file type, still blocks exe files in user space when applying a default deny. Does Microsoft uses some other internal list when there are no designated filetypes on which SRP should apply?
 
  • Like
Reactions: Nevi, Andy Ful and oldschool
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Helper
Top poster
Developer
Well-known
Dec 23, 2014
7,088
Lenny_Fox said:
Thanks, what does setting designated file types to zero do? Could you please explain, should not file types be listed to be blocked? I already found out that removing EXE from the designated file type, still blocks exe files in user space when applying a default deny. Does Microsoft uses some other internal list when there are no designated filetypes on which SRP should apply?
Click to expand...
The details are explained in the H_C manual: How SRP can control file execution/opening (page 24)
From table 3 it follows that after removing all entries from Designated File Types, some files are still blocked by default (EXE, MSI, COM, SCR, scripts) in the default-deny setup. In my proposition, EXE and MSI are globally whitelisted, so only COM, SCR, and scripts are blocked.

1627919899549.png
 
Last edited:
  • Thanks
  • Like
Reactions: Nevi, silversurfer and Lenny_Fox
VecchioScarpone

VecchioScarpone

Level 6
Verified
Well-known
Aug 19, 2017
288
Installed Configured Defender on HIGH setting today. I noticed that two of Windows Defender Microsoft SpyNet settings in O&O Shut Up 10, where enabled . Would disable those setting again interfere with CD?:unsure:

EDIT. :oops: I Misread the Title Thread. Maybe a mod could please redirect it to a Configure Defender Thread?
 

Attachments

  • CD & O&O.png
    CD & O&O.png
    12.3 KB · Views: 138
Last edited:
  • Like
Reactions: Nevi, plat and oldschool
oldschool

oldschool

Level 68
Verified
Top poster
Well-known
Mar 29, 2018
5,701
VecchioScarpone said:
So CD is a little compromise of Privacy for Security. I may be able to live with it, maybe.
I know it is a cliché' but I have nothing to worry about my online activities. Just that, my Italian blood mix with the Australian larrikin way of life, I can't help but stick it to the man...
Click to expand...
I'm not familiar with O&O Shutup but someone else will know for sure.
 
  • Like
Reactions: Nevi
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Helper
Top poster
Developer
Well-known
Dec 23, 2014
7,088
VecchioScarpone said:
@oldschool. Thanks.
It must be related to CD Cloud-delivered Protection = ON and Automatic Sample Submission = Send requirements.
Click to expand...
Yes. Did you read ConfigureDefender help? Disabling Cloud-delivered protection is not a little compromise of Privacy for Security. I would rather say that disabling it is a serious security compromise for nothing. The metadata sent to Microsoft is interesting only to the Machine Learning engine.:)(y)
 
Last edited:
  • Like
  • +Reputation
  • Haha
Reactions: Nevi, Azure, vaccineboy and 8 others

Similar threads

Andy Ful
    • Like
    • +Reputation
    • Thanks
FirewallHardening tool
Replies
22
Views
3,505
Hard_Configurator Tools
Andy Ful
Andy Ful
Trooper
    • Like
    • +Reputation
NSA shares tips on securing Windows devices with PowerShell
Replies
0
Views
466
News Archive
Trooper
Trooper
TutorailBoy
    • Like
How to Fix MSDT Vulnerability using SCCM and Intune | CVE-2022-30190
Replies
1
Views
538
Online Privacy & Security Guides
Trooper
Trooper
Top Bottom