Update Hard_Configurator - Windows Hardening Configurator

Andy Ful

Level 73
Verified
Trusted
Developer
Dec 23, 2014
6,273
42,756
He is still having issues

I updated the post. Renaming the shortcut worked for me (I tested it after installing 8GadgetPack / Sidebar on my testing computer). We are in email contact with Krusty. After renaming the shortcut the Sidebar thinks that it does not have to start with Windows, but the renamed shortcut starts it anyway.

The Sidebar issue showed the limitation of the combined Disalowed/Unrestricted rules with wildcards.
In the H_C Recommended settings the SRP makes several actions for files in the user Startup folder :
  1. Disallowed Default Security Level (blocks files by default).
  2. Unrestricted rules for EXE and MSI files in user AppData subfolders.
  3. Disallowed rule for files (blocks also EXE and MSI) in the user Startup folder (it is a subfolder of AppData).
  4. Unresctricted rule for a shortcut file.
All four SRP actions are done at the same time for files located in the startup folder. The two last rules work differently for paths with wildcards. Without wildcards the last take precedence over the second last. For paths with wildcards in the filename, the opposite is true.

Edit.
The rule from point 3 is unnecessarily restrictive it should block only EXE and MSI files instead of all files - other files are already blocked by point 1. I could solve the issue by making it less restrictive. This would require removing 20 rules and adding 40 new rules. There is also a possibility to extend whitelisting by hash to include shortcuts - this would be probably the best solution for shortcuts with randomly changing file names in the user Startup folder.
 
Last edited:

Andy Ful

Level 73
Verified
Trusted
Developer
Dec 23, 2014
6,273
42,756
Hi Andy,

sorry if this has been answered already elsewhere and I couldn't find the answer in the documentation, but why is it possible, at least in my case, to launch an executable file under:

C:\Users\myname\AppData\Local\Temp

I have SRP enabled with Default Security Level at "Disallowed", Enforcement: Skip DLL's

I have not added any paths to the default ones included. Using Windows 10 v21H1, 19043.1202
In the H_C Recommended Settings, two hidden folders are whitelisted for EXE and MSI files: user Appdata and Program Data (other files are still forbidden). This is controlled by SmartScreen and H_C settings:
<Update Mode> = ON
<Harden Archivers> = ON
<Harden Email Clients> = ON

So, all software auto-updates can be made without issues via EXE or MSI updaters, and "Install By SmartScreen" can work without forcing high privileges. Also, there will be no problems with applications that install in UserSpace (most such installations are made by default in user AppData or ProgramData subfolders).

Users normally do not see these folders (they are hidden in the default Explorer settings). Some web browsers can drop & execute files from user AppData, but this is controlled by SmartScreen (block alert prompts after executing unsafe files). The archive applications and email clients can also do it, but this will be blocked by H_C (<Harden Archivers> and <Harden Email Clients>). Other H_C settings prevent malware files and CmdLines, so there is no direct attack vector that could drop into & run EXE or MSI files from user Appdata and Program Data.

These settings can hardly be bypassed in the home environment except if something is exploited. But even in such a case, the attack will be usually prevented because exploits often use scripting methods that are still blocked.

The Recommended Settings on Windows 10, <Update Mode>, <Harden Archivers>, and <Harden Email Clients> are explained in the help files and H_C manual.
If the user wants to update applications manually, then Strict_Recommended_Settings can be used instead of Recommended_Settings. In Strict_Recommended_Settings all protected files (also EXE and MSI) are blocked also in the user Appdata and Program Data folders. Most software auto-updates will be blocked (except for updates made via scheduled tasks with high privileges) and all applications installed in %UserProfile% will require additional whitelisting.
 
Last edited:

Andy Ful

Level 73
Verified
Trusted
Developer
Dec 23, 2014
6,273
42,756
Post edited.

It is worth remembering that whitelisting EXE and MSI files in user AppData and ProgramData folders can be done safely in H_C settings (in the home environment), but not when using a similar setup via Applocker or Defender Application Control (WDAC/MDAC). Both Applocker and Application Control cannot block shortcuts and many unsafe file extensions (like CHM, HTA, etc.), so one has to block many LOLBins (Sponsors) instead. WDAC/MDAC cannot also block BAT and CMD extensions (Applocker can do it). This can be very inconvenient because blocking unsafe files by LOLBins does not allow whitelisting.

For example, when using SRP, one usually blocks by default BAT and CMD scripts and can whitelist some of them in selected locations. The user can still run cmd.exe and use CMD commands from the CMD console. Also, the hacker could use this, but this would require using remote features (blocked by H_C), or CmdLine access (blocked by H_C), or sophisticated exploit (no scripting, hardly possible in the home environment on Windows 10).

When blocking LOLBins via WDAC/MDAC the scripting LOLBin cmd.exe must be blocked for BAT or CMD scripts, and then all BAT and CMD scripts will be blocked (cannot be selectively whitelisted). Furthermore, the CMD console will be blocked too. Such strict restrictions follow from the fact that in an Enterprise environment the remote features are enabled and one has to assume that some parts of the local network can be possibly compromised by hackers. Generally, the Enterprise environment has far more attack vectors so it requires different protection layers compared to the home environment.
 
Last edited:

Andy Ful

Level 73
Verified
Trusted
Developer
Dec 23, 2014
6,273
42,756
Windows 11 is coming, so would like to recall how to transfer the H_C settings and Whitelist from older OS to fresh installed one.
First, it is necessary to save the actual config:
  1. Save the current settings profile into the default settings folder:

    1631890976700.png



    1631891223013.png


    As an example I saved the settings as MyCurrentSettings.
  2. Save the current Whitelist profile:

    1631891519245.png


    1631891747033.png


    As an example, I saved the current Whitelist as MyCurrentWhitelist. This Whitelist is saved in the Windows Registry (for privacy reasons).
Now is the time to make a backup of all saved setting profiles and all saved Whitelists (Whitelist profiles)).

1631892065189.png


1631892158247.png


1631892664953.png


1631892905821.png


I saved all setting profiles and all Whitelists into one backup file MyCurrentBackup.hbp
That is all. This file can be used to restore settings and Whitelists in the future.

To restore the saved setting profiles and Whitelist profiles from the backup, the <Import Profiles> button has to be used ( <Tools> ---> <Manage Profiles BACKUP> ---> <Import Profiles> ).

After restoring the setting profiles will be placed into Hard_Configurator\Configuration folder and Whitelist will be imported to Windows Registry.
One can use the <Load Profile> button to apply the MyCurrentSettings and use <Save Load> button to apply MyCurrentWhitelist.

The details about saving/loading Whitelists also included in my old video clip:
Time 0-5min ---> saving/loading Whitelists.
 
Last edited:

Andy Ful

Level 73
Verified
Trusted
Developer
Dec 23, 2014
6,273
42,756
Hi @Andy Ful , v6 is still in beta right?
If so, I'm not pushing, just curious, when do you plan to release the final version?
Thanks.
That will depend on the potential bugs and improvements reported by users. So far the beta version looks good. Probably in November, I will publish the stable version.
 

Andy Ful

Level 73
Verified
Trusted
Developer
Dec 23, 2014
6,273
42,756
Hard_Configurator ver. 6.0.0.0 (stable):

Changelog (changes from ver. 5.1.1.2):
  1. Introduced two color-changing buttons. When the restrictions are OFF, the buttons <Switch OFF/ON SRP> and <Switch OFF/ON Restrictions> change the background color from green to blue.
  2. Fixed some minor bugs.
  3. Added finger.exe to blocked sponsors and also to the H_C Enhanced profiles.
  4. Added some EXE files to FirewallHardening LOLBin Blocklist: csc, cvtres, CasPol, finger, ilasm, jsc, Microsoft.Workflow.Compiler, mscorsvw, ngen, ngentask, vbc.
  5. Added SLK and ELF file extensions to the default protected extensions in SRP and RunBySmartscreen.
  6. Added a switch -p to run H_C and SwitchDefaultDeny with SRP enforcement to block all users (including Administrators) - it can be used especially on the older Windows versions to improve post-exploitation protection on default Admin account. This switch should be used only by very experienced users.
  7. New version of ConfigureDefender:
    - Added some useful information to the Help and manual.
    - Added "Send All" setting to Automatic Sample Submission.
    - Updated ASR rules (1 new rule added).
    - Added the Warn mode to ASR rules.
    - Added INTERACTIVE Protection Level which uses ASR rules set to Warn.
    - Added the <Info> button next to the Protection Levels buttons. It displays information about which
    settings are enabled in DEFAULT, HIGH, INTERACTIVE, and MAX Protection Levels.
    - Redesigned slightly the layout of the Exploit Guard section.
    - Added support for event Id=1120.
    - Added CFA setting BDMO = Block Disk Modifications Only - folders will not be protected, but some
    important disk sectors will be still protected (Id = 1127).
  8. Added support for Windows 11.
 

plat1098

Level 25
Verified
Sep 13, 2018
1,493
12,979
Prob. a silly question but since Firewall Hardening was updated in this version, I installed this 6.0.0.0. Now then, does one need to manually re-do the Rules? I did just to be safe but does the act of simply installing the new H_C do this automatically?

I consider this an important part of my security setup and don't want to leave anything out.
 

Andy Ful

Level 73
Verified
Trusted
Developer
Dec 23, 2014
6,273
42,756
Prob. a silly question but since Firewall Hardening was updated in this version, I installed this 6.0.0.0. Now then, does one need to manually re-do the Rules? I did just to be safe but does the act of simply installing the new H_C do this automatically?

I consider this an important part of my security setup and don't want to leave anything out.

If these rules were already done manually (with the older version), then they will be accepted in the new version. If not, then the new FirewallHardening rules must be re-done.
Recommended H_C rules will automatically add: csc.exe, finger.exe, jsc.exe, vbc.exe (most important LOLBins).
 

South Park

Level 8
Verified
Jun 23, 2018
355
1,913
I updated to the new version, updated settings and firewall rules, and restarted. Similarly to when I installed the beta, the system crashed within one minute, with this error message:

error.png

I clean reinstalled 5.1.1.2, which I will probably use indefinitely, since my laptop seems to not get along with a setting in the newer versions.
 
Last edited by a moderator:

South Park

Level 8
Verified
Jun 23, 2018
355
1,913
Adding to my above post, I think the culprit is again an outdated driver, in this case an OEM graphics driver from 2018 that I can't readily update. (I'd have to rip it out and hope that a new but generic Intel driver would suffice.) I didn't change any settings in C_D during the H_C update, so I don't think the drivers ASR rule was a factor.
 
Top