Update Hard_Configurator - Windows Hardening Configurator

Andy Ful

Level 72
Verified
Trusted
Content Creator
Dec 23, 2014
6,152
He is still having issues

I updated the post. Renaming the shortcut worked for me (I tested it after installing 8GadgetPack / Sidebar on my testing computer). We are in email contact with Krusty. After renaming the shortcut the Sidebar thinks that it does not have to start with Windows, but the renamed shortcut starts it anyway.

The Sidebar issue showed the limitation of the combined Disallowed/Unrestricted rules with wildcards.
In the H_C Recommended settings the SRP performs several actions for files in the user Startup folder:
  1. Disallowed Default Security Level (blocks files by default).
  2. Unrestricted rules for EXE and MSI files in user AppData subfolders.
  3. Disallowed rule for files (blocks also EXE and MSI) in the user Startup folder (it is a subfolder of AppData).
  4. Unrestricted rule for a shortcut file.
All four SRP actions are done at the same time for files located in the Startup folder. The last two rules work differently for paths with wildcards. Without wildcards the last takes precedence over the second last. For paths with wildcards in the filename, the opposite is true.

Edit.
The rule from point 3 is unnecessarily restrictive; it should block only EXE and MSI files instead of all files, since other files are already blocked by point 1. I could solve the issue by making it less restrictive. This would require removing 20 rules and adding 40 new rules. There is also a possibility to extend whitelisting by hash to include shortcuts; this would probably be the best solution for shortcuts with randomly changing file names in the user Startup folder.
 

Andy Ful

Hi Andy,

sorry if this has been answered already elsewhere and I couldn't find the answer in the documentation, but why is it possible, at least in my case, to launch an executable file under:

C:\Users\myname\AppData\Local\Temp

I have SRP enabled with Default Security Level at "Disallowed", Enforcement: Skip DLLs

I have not added any paths to the default ones included. Using Windows 10 v21H1, 19043.1202

In the H_C Recommended Settings, two hidden folders are whitelisted for EXE and MSI files: user AppData and ProgramData (other files are still forbidden). This is controlled by SmartScreen and H_C settings:
<Update Mode> = ON
<Harden Archivers> = ON
<Harden Email Clients> = ON

So, all software auto-updates can be made without issues via EXE or MSI updaters, and "Install By SmartScreen" can work without forcing high privileges. Also, there will be no problems with applications that install in UserSpace (most such installations are made by default in user AppData or ProgramData subfolders).

Users normally do not see these folders (they are hidden in the default Explorer settings). Some web browsers can drop & execute files from user AppData, but this is controlled by SmartScreen (block alert prompts after executing unsafe files). The archive applications and email clients can also do it, but this will be blocked by H_C (<Harden Archivers> and <Harden Email Clients>). Other H_C settings prevent malware files and CmdLines, so there is no direct attack vector that could drop into & run EXE or MSI files from user AppData and ProgramData.

These settings can hardly be bypassed in the home environment except if something is exploited. But even in such a case, the attack will be usually prevented because exploits often use scripting methods that are still blocked.

The Recommended Settings on Windows 10, <Update Mode>, <Harden Archivers>, and <Harden Email Clients> are explained in the help files and H_C manual.
If the user wants to update applications manually, then Strict_Recommended_Settings can be used instead of Recommended_Settings. In Strict_Recommended_Settings all protected files (also EXE and MSI) are also blocked in the user AppData and ProgramData folders. Most software auto-updates will be blocked (except for updates made via scheduled tasks with high privileges) and all applications installed in %UserProfile% will require additional whitelisting.
 
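As an added example (not Hard_Configurator's own code, and not from the posts above), here is a PowerShell diagnostic that lists the SRP path rules matching a given file. It speaks to both the Startup-folder shortcut case in the first post and the question above about an EXE running from %LocalAppData%\Temp: run it on the path in question and you see the default level, whether the extension is even a designated file type, and every Disallowed/Unrestricted path rule that covers the file. The registry layout it reads (CodeIdentifiers with DefaultLevel, TransparentEnabled, ExecutableTypes, and the 0 / 262144 subkeys holding Disallowed / Unrestricted rules) is the documented SRP policy store; the wildcard and folder-prefix matching is my approximation of SRP's own, and the function names are mine.

```powershell
# Added example (not from Hard_Configurator or its author): list the SRP path rules that
# match a given file so you can see why it is allowed or blocked. Reads only the machine-wide
# policy under HKLM; HKCU rules, registry-path rules (%HKLM\...%) and hash/certificate rules
# are not evaluated. Wildcard handling is an approximation of SRP's own rules (assumption:
# '*' and '?' never cross a backslash; a rule with fewer path components covers subfolders).
# Environment variables in rules are expanded in the context of the user running the script.

$SaferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$LevelName = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SrpPolicySummary {
    $ci = Get-ItemProperty -Path $SaferRoot -ErrorAction Stop
    $enforcement = 'Off/unknown'
    if ([int]$ci.TransparentEnabled -eq 1) { $enforcement = 'All files except libraries (Skip DLLs)' }
    if ([int]$ci.TransparentEnabled -eq 2) { $enforcement = 'All files' }
    [pscustomobject]@{
        DefaultLevel    = $LevelName[[int]$ci.DefaultLevel]
        Enforcement     = $enforcement
        DesignatedTypes = @($ci.ExecutableTypes)   # extensions SRP governs (EXE, MSI, BAT, CHM, ...)
    }
}

function Get-SrpPathRules {
    # One object per path rule under <level>\Paths\{GUID}; ItemData holds the path pattern.
    foreach ($level in $LevelName.Keys) {
        $pathsKey = Join-Path $SaferRoot "$level\Paths"
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($ruleKey in Get-ChildItem -Path $pathsKey) {
            $rule = Get-ItemProperty -Path $ruleKey.PSPath
            if (-not $rule.ItemData) { continue }
            [pscustomobject]@{
                Level       = $LevelName[$level]
                Pattern     = [string]$rule.ItemData
                Expanded    = [Environment]::ExpandEnvironmentVariables([string]$rule.ItemData)
                Description = [string]$rule.Description
            }
        }
    }
}

function Test-SrpComponent([string]$Pattern, [string]$Component) {
    # Translate SRP-style wildcards into a regex anchored on a single path component.
    $rx = '^' + ([regex]::Escape($Pattern) -replace '\\\*', '[^\\]*' -replace '\\\?', '[^\\]') + '$'
    return $Component -match $rx   # -match is case-insensitive, like NTFS paths
}

function Test-SrpPathRule([string]$RulePath, [string]$FilePath) {
    $r = $RulePath.TrimEnd('\').Split('\')
    $f = $FilePath.TrimEnd('\').Split('\')
    # Fewer components than the file path = folder rule, covers everything beneath it;
    # the same number of components = the last pattern must match the file name itself.
    if ($r.Count -gt $f.Count) { return $false }
    for ($i = 0; $i -lt $r.Count; $i++) {
        if (-not (Test-SrpComponent $r[$i] $f[$i])) { return $false }
    }
    return $true
}

function Resolve-SrpPath {
    param([Parameter(Mandatory)][string]$FilePath)
    $summary = Get-SrpPolicySummary
    $ext = [IO.Path]::GetExtension($FilePath).TrimStart('.')
    $hits = @(Get-SrpPathRules | Where-Object { Test-SrpPathRule -RulePath $_.Expanded -FilePath $FilePath })

    "File          : $FilePath"
    "Default level : $($summary.DefaultLevel)   Enforcement: $($summary.Enforcement)"
    "Designated    : $($summary.DesignatedTypes -contains $ext)  (.$ext in ExecutableTypes; if False, SRP does not govern it)"
    if ($hits.Count -eq 0) { "No path rule matches; the default level applies."; return }
    # Most specific (longest) rules first. Where Disallowed and Unrestricted both match, SRP
    # decides the winner; the first post shows that wildcards in the file name can change it.
    $hits | Sort-Object { $_.Expanded.Split('\').Count } -Descending |
        Format-Table Level, Pattern, Expanded, Description -AutoSize
}

# Example calls (paths are illustrative):
Resolve-SrpPath -FilePath "$env:LOCALAPPDATA\Temp\setup.exe"
Resolve-SrpPath -FilePath "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\Sidebar.lnk"
```

Run it in a normal PowerShell console; the policy key is world-readable, so no elevation is needed. With the Recommended Settings described above, the Temp EXE should show an Unrestricted rule for an AppData subfolder as well as the Disallowed default level, while the Startup shortcut should list both the Disallowed Startup-folder rule and the Unrestricted shortcut rule from the first post. The script does not pick the winner for you; it shows which rules are in play so the precedence can be checked against the behaviour actually observed.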

Andy Ful

Post edited.

It is worth remembering that whitelisting EXE and MSI files in user AppData and ProgramData folders can be done safely in H_C settings (in the home environment), but not when using a similar setup via AppLocker or Defender Application Control (WDAC/MDAC). Neither AppLocker nor Application Control can block shortcuts and many unsafe file extensions (like CHM, HTA, etc.), so one has to block many LOLBins (Sponsors) instead. WDAC/MDAC also cannot block BAT and CMD extensions (AppLocker can do it). This can be very inconvenient because blocking unsafe files by LOLBins does not allow whitelisting.

For example, when using SRP, one usually blocks by default BAT and CMD scripts and can whitelist some of them in selected locations. The user can still run cmd.exe and use CMD commands from the CMD console. Also, the hacker could use this, but this would require using remote features (blocked by H_C), or CmdLine access (blocked by H_C), or sophisticated exploit (no scripting, hardly possible in the home environment on Windows 10).

When blocking LOLBins via WDAC/MDAC the scripting LOLBin cmd.exe must be blocked for BAT or CMD scripts, and then all BAT and CMD scripts will be blocked (cannot be selectively whitelisted). Furthermore, the CMD console will be blocked too. Such strict restrictions follow from the fact that in an Enterprise environment the remote features are enabled and one has to assume that some parts of the local network can be possibly compromised by hackers. Generally, the Enterprise environment has far more attack vectors so it requires different protection layers compared to the home environment.
 

Andy Ful

Windows 11 is coming, so I would like to recall how to transfer the H_C settings and Whitelist from an older OS to a freshly installed one.
First, it is necessary to save the current configuration:
  1. Save the current settings profile into the default settings folder:
    As an example, I saved the settings as MyCurrentSettings.
  2. Save the current Whitelist profile:
    As an example, I saved the current Whitelist as MyCurrentWhitelist. This Whitelist is saved in the Windows Registry (for privacy reasons).
Now it is time to make a backup of all saved setting profiles and all saved Whitelists (Whitelist profiles).
I saved all setting profiles and all Whitelists into one backup file MyCurrentBackup.hbp
That is all. This file can be used to restore settings and Whitelists in the future.

To restore the saved setting profiles and Whitelist profiles from the backup, the <Import Profiles> button has to be used ( <Tools> ---> <Manage Profiles BACKUP> ---> <Import Profiles> ).

After restoring, the setting profiles will be placed into the Hard_Configurator\Configuration folder and the Whitelist will be imported to the Windows Registry.
One can use the <Load Profile> button to apply MyCurrentSettings and the <Save Load> button to apply MyCurrentWhitelist.

The details about saving/loading Whitelists are also included in my old video clip:
Time 0-5min ---> saving/loading Whitelists.
 