Hard_Configurator - Windows Hardening Configurator

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Helper
Top poster
Developer
Well-known
Dec 23, 2014
7,060
Andy, only change the default action from Hide to Keep unhidden



So when a user just enters, the keep unhidden is selected. When a user wants to hide they have to click on the HIDE button

(that is why I thought you maybe did this on purpose, because a casual user would just click without reading and select the option which is best for them :) )

I agree with you that the real problem is not the text in the alert but the default button.

Your proposition is natural if one understands MAX settings to include <KEEP UNHIDDEN> as a default action. This would be natural for most MT members who want to configure their own computers and do not want to be home administrators (who configure computers of casual family members).

I intended MAX settings for home administrators to configure computers of children or casual family members. So the natural choice is using <HIDE> as the default action. For the users who want to configure their own computers, I do not want to recommend MAX settings but HIGH or INTERACTIVE settings.
 

Andy Ful

I have just read something surprising on the Wilderssecurity forum:

It seems that @Lucy is the same person who inspired me to create H_C several years ago by creating the thread about SRP (in the year 2006):
I do not know if she is going to like the H_C, but thanks again for the inspiration. :) (y)
 

Andy Ful

@Andy Ful Don't forget Sully he made Pretty Good Security (link) which automated TLU's and Lucy's reg hacks (y) and could be seen as the ancestor of H_C
Yes, this is the ancestor of H_C together with Simple Software Restriction Policies.
Before creating H_C, I was aware of Lucy's idea and SSRP. I also use similar SRP GUIDs as in SSRP, but I was not aware that SSRP is written in AutoIt.
When creating H_C, I tried to find Pretty Good Security but I could not. I found it on some Polish forum about two years later. Unfortunately, it was not fully compatible with Windows 7+. :unsure:
 
ForgottenSeer 92963

The basic user SRP changed from Vista to Windows 7. On Windows 7, running as basic user was also a deny in user folders. On Vista it was allowed to run in user space, but it blocked elevation (so every program which had a separate updater could run in a basic user container). That is why it did not run well on Windows 7 anymore.

Many SRP users (like me) liked Vista because it had Integrity Levels (like Windows 7) and a basic user container (like XP). When Joanna Rutkowska (leading force behind Qubes OS) posted a blog about isolating with Integrity Levels and different user roles, many of us copied her idea to use separate users for mail and internet programs.

By using different users it was possible to run programs in a user rights - integrity level - data access control sandbox (e.g. the user which was used for the browser only had read access to all folders except the download folder and temporary folders used by the browser; it was even possible to block read access to the System32 folder to prevent ring3 living-off-the-land intrusion).

I am using your software instead of Group Policy (because it is much easier to use), so the detailed knowledge has eroded, also in regard to Integrity Levels-SRP-AppLocker-Protected Processes stuff.
 

Andy Ful

...many of us copied her idea to use separate users for mail and internet programs.
I used this idea here:

Such a Standard User account is protected by very restrictive SRP (similar to max H_C settings) and other accounts can still be unrestricted.
But it is not compatible with default-deny H_C settings. One has to apply a system-wide default-allow SRP (via the HKLM registry hive) and next apply a local default-deny SRP via the HKCU registry hive (for the selected account(s)).

Technically this can be done by using H_C and some quick registry editing. One has to transfer the system-wide SRP settings made by H_C from the HKLM registry hive to the registry hive related to SUA (HKCU hive cannot be used ---> the hive with user SID is required). Next, the system-wide SRP must be set to default-allow.
 
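A read-only check of the layout described in the post above (default-allow system-wide, default-deny in the restricted account's SID hive), as an added example that is not from the thread or from Hard_Configurator. It assumes the standard SRP policy key `Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers` and its `DefaultLevel` value; the function names are hypothetical.

```powershell
# Added example (not from the thread). Read-only: queries the registry, changes nothing.
$SubKey = 'Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$LevelNames = @{ 0 = 'Disallowed (default-deny)'; 0x20000 = 'Basic User'; 0x40000 = 'Unrestricted (default-allow)' }

function Get-SrpDefaultLevel {
    param([Parameter(Mandatory)][string]$KeyPath)
    # DefaultLevel is absent when no SRP policy is configured in that hive.
    $p = Get-ItemProperty -Path $KeyPath -Name DefaultLevel -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 'Not configured' }
    $level = [int]$p.DefaultLevel
    if ($LevelNames.ContainsKey($level)) { return $LevelNames[$level] }
    return ('Other (0x{0:X})' -f $level)
}

function Resolve-SidName {
    param([Parameter(Mandatory)][string]$Sid)
    try {
        $obj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        return $obj.Translate([System.Security.Principal.NTAccount]).Value
    } catch { return '(unresolved)' }
}

$report = @([pscustomobject]@{
    Scope = 'HKLM (system-wide)'; Account = '-'
    DefaultLevel = Get-SrpDefaultLevel "Registry::HKEY_LOCAL_MACHINE\$SubKey"
})

# Only loaded hives appear under HKEY_USERS (accounts with a loaded profile);
# the _Classes sub-hives are skipped by the pattern.
$userHives = Get-ChildItem Registry::HKEY_USERS |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' }
foreach ($hive in $userHives) {
    $sid = $hive.PSChildName
    $report += [pscustomobject]@{
        Scope = "HKU\$sid"; Account = Resolve-SidName $sid
        DefaultLevel = Get-SrpDefaultLevel "Registry::HKEY_USERS\$sid\$SubKey"
    }
}
$report | Format-Table -AutoSize

$systemAllow = $report[0].DefaultLevel -ne 'Disallowed (default-deny)'
$denied = @($report | Select-Object -Skip 1 | Where-Object DefaultLevel -like 'Disallowed*')
if ($systemAllow -and $denied.Count -gt 0) {
    "Per-account default-deny in effect for: $($denied.Account -join ', ')"
} else {
    'Layout does not match: expected default-allow in HKLM and default-deny in a user SID hive.'
}
```

Run it from an elevated prompt while the restricted account is logged on (or its profile hive is otherwise loaded), since hives of logged-off users are not mounted under HKEY_USERS.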

SeriousHoax

Level 43
Verified
Top poster
Well-known
Mar 16, 2019
3,221
@Andy Ful, can you elaborate on the usefulness of the "Disable cached logon" feature of Hard Configurator? What I see is that, when cached logon is disabled, Windows doesn't load anything in the background till my user password is entered. While by default, things start loading and even background apps start working, downloading, etc., even before my password is entered at system startup. So system startup is a bit faster.
How useful is disabling this security-wise for home users?
 

Andy Ful

@Andy Ful, can you elaborate on the usefulness of the "Disable cached logon" feature of Hard Configurator? What I see is that, when cached logon is disabled, Windows doesn't load anything in the background till my user password is entered. While by default, things start loading and even background apps start working, downloading, etc., even before my password is entered at system startup. So system startup is a bit faster.
How useful is disabling this security-wise for home users?
This policy should not have an impact on home users and system startups. The difference can be if one uses a domain controller.
Normally, when you attempt to log on to a Windows member computer with a domain account, the computer verifies your credentials with a domain controller in real time over the network. But if no domain controller is available, such as when traveling with a laptop, Windows will still allow you to log on with domain credentials provided you have recently logged on with such credentials while the computer was still able to communicate with a domain controller. This is accomplished with cached credentials. By default, Windows caches a hash of the credentials of the last 10 successful domain account logons. When you attempt to log on with a domain account and the computer cannot reach a domain controller, it searches these cached credentials to see if you recently logged on and, if so, it can verify the user name and password you just entered without communicating with the domain controller.
 

SeriousHoax

This policy should not have an impact on home users and system startups. The difference can be if one uses a domain controller.

My bad. It was something else that caused what I described. Is there anything else on recommended HC settings that disables this feature?
 

Andy Ful

My bad. It was something else that caused what I described. Is there anything else on recommended HC settings that disables this feature?
Nothing in H_C can change this setting. (y)
You can test it by applying temporarily the Windows_10_All_ON profile.
 

plat

Level 27
Verified
Top poster
Well-known
Sep 13, 2018
1,672
Look at these templates, wow! Indeed, very professional-looking. No wonder people are falling for these malicious docs. So glad I have the right security tools--anyone can make a mistake.

PS--there's a cookie notice at the bottom of the web-page, I had to zap it. Hmmm, might have to explore filter options in uBO again. :unsure::whistle::coffee:


Source
 

SeriousHoax

Look at these templates, wow! Indeed, very professional-looking. No wonder people are falling for these malicious docs. So glad I have the right security tools--anyone can make a mistake.

PS--there's a cookie notice at the bottom of the web-page, I had to zap it. Hmmm, might have to explore filter options in uBO again. :unsure::whistle::coffee:


Source
The art of seduction! 💘
Hard_Configurator is there for us if we get seduced by things like this. Even the name Hard_Configurator seems funny in this context, lol.
 

Marana

Level 1
Jan 21, 2018
37
Probably in January 2022. I plan to add several LOLBins, so the new version has to be tested for a few months.
Do you have plans to publish a new standalone version of FirewallHardening, too?

I have used the standalone version 2.0.0.0. Recently I checked H_C version 6 and noticed that it already contained FirewallHardening V2.0.0.1. So I did an experiment and extracted FH out of H_C and tried running it as a portable app, but obviously it was not meant to be used this way since it seemed to exit immediately...
 

Andy Ful

Do you have plans to publish a new standalone version of FirewallHardening, too?

Yes.

I have used the standalone version 2.0.0.0. Recently I checked H_C version 6 and noticed that it already contained FirewallHardening V2.0.0.1.

The new FirewallHardening (ver.2.0.1.0) is here:

So I did an experiment and extracted FH out of H_C and tried running it as a portable app, but obviously it was not meant to be used this way since it seemed to exit immediately...

Yes, it is. Anyway, the new standalone version can be renamed to replace the version used by H_C. (y)
 
some.jimmy

New Member
Dec 5, 2021
2
Hi,
just a quick question: where can I find the checksums for the newest version of Hard_Configurator (ver. 6.0.0.0)? On the homepage there are only checksums for version 5.1.1.2, but on GitHub and Softpedia there are the newest ones available.
Thanks!
 