Update Hard_Configurator - Windows Hardening Configurator

Andy Ful

Level 73
Verified
Trusted
Developer
Dec 23, 2014
6,265
42,669
Andy, only change the default action from Hide to Keep unhidden



So when a user just enters, the keep unhidden is selected. When a user wants to hide they have to click on the HIDE button

(that is why I thought you maybe did this on purpose, because a casual user would just click without reading and select the option which is best for them :) )

I agree with you that the real problem is not the text in the alert but the default button.

Your proposition is natural if one understands MAX settings to include <KEEP UNHIDDEN> as a default action. This would be natural for most MT members who want to configure their own computers and do not want to be home administrators (who configure computers of casual family members).

I intended MAX settings for home administrators to configure computers of children or casual family members. So the natural choice is using <HIDE> as the default action. For the users who want to configure their own computers, I do not want to recommend MAX settings but HIGH or INTERACTIVE settings.
 

Andy Ful

I have just read something surprising on the Wilderssecurity forum:

It seems that @Lucy is the same person who inspired me to create H_C several years ago by creating the thread about SRP (in the year 2006):
I do not know if she is going to like the H_C, but thanks again for the inspiration.:)(y)
 

Andy Ful

@Andy Ful Don't forget Sully he made Pretty Good Security (link) which automated TLU's and Lucy's reg hacks (y) and could be seen as the ancestor of H_C
Yes, this is the ancestor of H_C together with Simple Software Restriction Policies.
Before creating H_C, I was aware of Lucy's idea and SSRP. I also use similar SRP GUIDs as in SSRP, but I was not aware that SSRP is written in AutoIt.
When creating H_C, I tried to find Pretty Good Security but I could not. I found it on some Polish forum about two years later. Unfortunately, it was not fully compatible with Windows 7+.:unsure:
 

Kees1958

Level 4
Verified
Sep 5, 2021
157
849
The basic user SRP changed from Vista to Windows 7. On Windows 7, running as basic user also was a deny in user folders. On Vista it was allowed to run in user space, but it blocked elevation (so every program which had a separate updater could run in a basic user container). That is why it did not run well on Windows 7 anymore.

Many SRP users (like me) liked Vista because it had Integrity Levels (like Windows 7) and a basic user container (like XP). When Joanna Rutkowska (leading force behind Qubes OS) posted a blog about isolating with Integrity Levels and different user roles, many of us copied her idea to use separate users for mail and internet programs.

By using different users it was possible to run programs in a user rights - integrity level - data access control sandbox (e.g. the user which was used for the browser only had read access to all folders except the download folder and temporary folders used by the browser; it was even possible to block read access to the System32 folder to prevent ring3 living-off-the-land intrusion).

I am using your software instead of Group Policy (because it is much easier to use), so the detailed knowledge has eroded, also in regard to Integrity Levels-SRP-AppLocker-Protected Processes stuff.
 

Andy Ful

...many of us copied her idea to use separate users for mail and internet programs.
I used this idea here:

Such Standard User account is protected by very restrictive SRP (similar to max H_C settings) and other accounts can still be unrestricted.
But, it is not compatible with default-deny H_C settings. One has to apply a systemwide default-allow SRP (via HKLM registry hive) and next apply a local default-deny SRP via HKCU registry hive (for the selected account(s) ).

Technically this can be done by using H_C and some quick registry editing. One has to transfer the system-wide SRP settings made by H_C from the HKLM registry hive to the registry hive related to SUA (HKCU hive cannot be used ---> the hive with user SID is required). Next, the system-wide SRP must be set to default-allow.
 
Last edited:
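The hive transfer described in the post above, as an added PowerShell example that is not part of the original post and is not H_C's own code. It assumes H_C's system-wide SRP settings sit under the standard SRP policy key `SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers`; the account name and backup file name are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: move a system-wide SRP policy to one Standard User Account (SUA),
# then make the system-wide policy default-allow. Without -Apply it only reports.
param(
    [string]$Account = 'HOMEPC\child',   # hypothetical SUA name
    [switch]$Apply
)

# Assumption: the SRP settings live under the standard SRP policy key.
$srp     = 'SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$machine = "HKLM\$srp"

# The target is the hive named after the SUA's SID (HKU\<SID>), not the admin's HKCU.
$nt   = New-Object System.Security.Principal.NTAccount($Account)
$sid  = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
$user = "HKU\$sid\$srp"

# HKU\<SID> exists only while that user's hive is loaded (user logged on).
if (-not (Test-Path "Registry::HKEY_USERS\$sid")) {
    throw "Hive for $Account ($sid) is not loaded; log the user on first."
}
if (-not (Test-Path "Registry::HKEY_LOCAL_MACHINE\$srp")) {
    throw "No system-wide SRP policy found at $machine."
}

$level = (Get-ItemProperty "Registry::HKEY_LOCAL_MACHINE\$srp").DefaultLevel
"System-wide DefaultLevel: 0x{0:X} (0 = Disallowed, 0x40000 = Unrestricted)" -f $level
if (-not $Apply) {
    "Dry run: would copy $machine to $user and set the system-wide DefaultLevel to 0x40000."
    return
}

# 1. Back up the current system-wide policy so it can be re-imported.
$backup = Join-Path $env:TEMP 'srp-hklm-backup.reg'   # hypothetical file name
reg.exe export $machine $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Backup of the system-wide SRP key failed.' }

# 2. Copy the whole policy tree (default level, path rules, options) to the SUA's hive.
reg.exe copy $machine $user /s /f | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Copy to $user failed." }

# 3. Switch the system-wide policy to default-allow. Explicit Disallowed path rules
#    left in HKLM still apply to every account and must be reviewed separately.
Set-ItemProperty "Registry::HKEY_LOCAL_MACHINE\$srp" -Name DefaultLevel -Value 0x40000 -Type DWord
"Done. Backup saved to $backup; the SUA picks up the policy at its next logon."
```

Re-applying settings from H_C afterwards writes the system-wide key again, so the transfer has to be repeated after each such change.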

SeriousHoax

Level 38
Verified
Mar 16, 2019
2,788
23,030
@Andy Ful, can you elaborate on the usefulness of the "Disable cached logon" feature of Hard Configurator? From what I see, when cached logon is disabled, Windows doesn't load anything in the background till my user password is entered. While by default, things start loading and even background apps start working, downloading, etc., everything even before my password is entered at system startup. So system startup is a bit faster.
How useful is disabling this security wise for home users?
 

Andy Ful

@Andy Ful, can you elaborate on the usefulness of the "Disable cached logon" feature of Hard Configurator? From what I see, when cached logon is disabled, Windows doesn't load anything in the background till my user password is entered. While by default, things start loading and even background apps start working, downloading, etc., everything even before my password is entered at system startup. So system startup is a bit faster.
How useful is disabling this security wise for home users?
This policy should not have an impact on home users and system startups. The difference can be if one uses a domain controller.
Normally, when you attempt to log on to a Windows member computer with a domain account, the computer verifies your credentials with a domain controller in real time over the network. But if no domain controller is available, such as when traveling with a laptop, Windows will still allow you to log on with domain credentials provided you have recently logged on with such credentials while the computer was still able to communicate with a domain controller. This is accomplished with cached credentials. By default, Windows caches a hash of the credentials of the last 10 successful domain account logons. When you attempt to log on with a domain account and the computer cannot reach a domain controller, it searches these cached credentials to see if you recently logged on, and if so it can verify the user name and password you just entered without communicating with the domain controller.
 

SeriousHoax

This policy should not have an impact on home users and system startups. The difference can be if one uses a domain controller.

My bad. It was something else that caused what I described. Is there anything else on recommended HC settings that disables this feature?