Hard_Configurator - Windows Hardening Configurator

[Andy Ful]

Hi,
just a quick question, where I can find the checksums for the newset version of Hard_Conficurator (ver. 6.0.0.0). On homepage there are only checksums for version 5.1.1.2, but on Github and Sofpedia there are the newest ones available.
Thanks!

Look into the Virustotal.txt file on GitHub:

Hard_Configurator/Virustotal.txt at master · AndyFul/Hard_Configurator

GUI to Manage Software Restriction Policies and harden Windows Home OS - AndyFul/Hard_Configurator

github.com

There are links to VirusTotal for the last few H_C versions. The hashes can be found in the VirusTotal DETAILS tab.

 

[some.jimmy]

Thank you very much Andy!
Lesson learned
SJ

 

[shmu26]

Hi Andy I updated to Windows 11 and I am getting some blocks logged by firewall. Are these worth unblocking, and how? My firewall rules are "Recommended H_C"

Event[0]:
Local Time:  2021/12/08 07:34:57
ProcessId:  8772
Application:  C:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\searchhost.exe
Direction:  Outbound
SourceAddress:  10.0.0.2
SourcePort:  53307
DestAddress:  13.107.21.200
DestPort:  443
Protocol:  6
FilterOrigin:  UWP Default Outbound Block Rule
FilterRTID:  75410
LayerName:  %%14611
LayerRTID:  48

**************************************
**************************************

Event[1]:
Local Time:  2021/12/08 07:34:57
ProcessId:  8772
Application:  C:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\searchhost.exe
Direction:  Outbound
SourceAddress:  10.0.0.2
SourcePort:  53314
DestAddress:  204.79.197.222
DestPort:  443
Protocol:  6
FilterOrigin:  UWP Default Outbound Block Rule
FilterRTID:  75410
LayerName:  %%14611
LayerRTID:  48

**************************************
**************************************

Event[2]:
Local Time:  2021/12/08 07:34:57
ProcessId:  8772
Application:  C:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\searchhost.exe
Direction:  Outbound
SourceAddress:  10.0.0.2
SourcePort:  53306
DestAddress:  51.89.182.69
DestPort:  443
Protocol:  6
FilterOrigin:  UWP Default Outbound Block Rule
FilterRTID:  75410
LayerName:  %%14611
LayerRTID:  48

**************************************
**************************************

Event[3]:
Local Time:  2021/12/08 07:34:16
ProcessId:  13624
Application:  C:\program files\windowsapps\microsoft.todos_2.57.43142.0_x64__8wekyb3d8bbwe\todo.exe
Direction:  Outbound
SourceAddress:  10.0.0.2
SourcePort:  53841
DestAddress:  40.101.92.194
DestPort:  443
Protocol:  6
FilterOrigin:  UWP Default Outbound Block Rule
FilterRTID:  71899
LayerName:  %%14611
LayerRTID:  48

**************************************
**************************************

Event[4]:
Local Time:  2021/12/08 04:11:36
ProcessId:  10576
Application:  C:\windows\system32\rundll32.exe
Direction:  Outbound
SourceAddress:  10.0.0.2
SourcePort:  52924
DestAddress:  51.11.168.232
DestPort:  443
Protocol:  6
FilterOrigin:  {f016bbe0-a716-428b-822e-5E544B6A3136}
FilterRTID:  70770
LayerName:  %%14611
LayerRTID:  48

**************************************
**************************************

 

[Andy Ful]

Hi Andy I updated to Windows 11 and I am getting some blocks logged by firewall. Are these worth unblocking, and how? My firewall rules are "Recommended H_C"

Event[0]:
Local Time:  2021/12/08 07:34:57
ProcessId:  8772
Application:  C:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\searchhost.exe
Direction:  Outbound
SourceAddress:  10.0.0.2
SourcePort:  53307
DestAddress:  13.107.21.200
DestPort:  443
Protocol:  6
FilterOrigin:  UWP Default Outbound Block Rule
FilterRTID:  75410
LayerName:  %%14611
LayerRTID:  48

**************************************
**************************************

Event[1]:
Local Time:  2021/12/08 07:34:57
ProcessId:  8772
Application:  C:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\searchhost.exe
Direction:  Outbound
SourceAddress:  10.0.0.2
SourcePort:  53314
DestAddress:  204.79.197.222
DestPort:  443
Protocol:  6
FilterOrigin:  UWP Default Outbound Block Rule
FilterRTID:  75410
LayerName:  %%14611
LayerRTID:  48

**************************************
**************************************

Event[2]:
Local Time:  2021/12/08 07:34:57
ProcessId:  8772
Application:  C:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\searchhost.exe
Direction:  Outbound
SourceAddress:  10.0.0.2
SourcePort:  53306
DestAddress:  51.89.182.69
DestPort:  443
Protocol:  6
FilterOrigin:  UWP Default Outbound Block Rule
FilterRTID:  75410
LayerName:  %%14611
LayerRTID:  48

**************************************
**************************************

Event[3]:
Local Time:  2021/12/08 07:34:16
ProcessId:  13624
Application:  C:\program files\windowsapps\microsoft.todos_2.57.43142.0_x64__8wekyb3d8bbwe\todo.exe
Direction:  Outbound
SourceAddress:  10.0.0.2
SourcePort:  53841
DestAddress:  40.101.92.194
DestPort:  443
Protocol:  6
FilterOrigin:  UWP Default Outbound Block Rule
FilterRTID:  71899
LayerName:  %%14611
LayerRTID:  48

**************************************
**************************************

Event[4]:
Local Time:  2021/12/08 04:11:36
ProcessId:  10576
Application:  C:\windows\system32\rundll32.exe
Direction:  Outbound
SourceAddress:  10.0.0.2
SourcePort:  52924
DestAddress:  51.11.168.232
DestPort:  443
Protocol:  6
FilterOrigin:  {f016bbe0-a716-428b-822e-5E544B6A3136}
FilterRTID:  70770
LayerName:  %%14611
LayerRTID:  48

**************************************
**************************************

The first 4 events are not related to FirewallHardening BlockList. You have probably some default block rules for UWP apps (FilterOrigin: UWP Default Outbound Block Rule).

The last is probably a Microsoft telemetry blocked by FirewallHardening. You can check it by time correlation with performed telemetry tasks related to the Microsoft Customer Experience Improvement program. These tasks can be seen in the Task Scheduler:
\Microsoft\Windows\Application Experience
Some of them use rundll32 (like PcaPatchDbTask or StartupAppTask). Normally, these tasks are not necessary.

What is the customer experience improvement program? The Windows Customer Experience Improvement Program (CEIP) is a voluntary program that collects information about how people use Windows. The information that is collected helps Microsoft improve the features that are used most often and create solutions to common issues.

 

[shmu26]

The first 4 events are not related to FirewallHardening BlockList. You have probably some default block rules for UWP apps

It seems like Windows is shooting itself in the foot. First it makes default firewall block rules, and then it tries to update apps in violation of its own rules. Is there any sense to this?

 

[Andy Ful]

It seems like Windows is shooting itself in the foot. First it makes default firewall block rules, and then it tries to update apps in violation of its own rules. Is there any sense to this?

I do not think that such a setting is a default Windows setting. It is probably a setting made by something else (or via user privacy settings) as the default action for UWP apps. The updates are not affected because they are not done by the apps, but via Microsoft Sore service.

 

[shmu26]

I do not think that such a setting is a default Windows setting. It is probably a setting made by something else (or via user privacy settings) as the default action for UWP apps. The updates are not affected because they are not done by the apps, but via Microsoft Sore service.

Thanks, Andy. I restored Windows firewall settings to default. I will see what happens. Not sure how those rules got in there.

 

[Andy Ful]

It seems like Windows is shooting itself in the foot. First it makes default firewall block rules, and then it tries to update apps in violation of its own rules. Is there any sense to this?

I installed Microsoft To Do. It created the firewall rule that allows all outbound connections. Next, I restored Firewall default settings and this rule was removed (this should not block outbound connections).

Edit.
Anyway, blocking outbound connections of UWP apps is not a bad idea. 'Microsoft To do' uses connections for sending SMS, MMS, and sending diagnostic telemetry to Microsoft.

 

[shmu26]

I installed Microsoft To Do. It created the firewall rule that allows all outbound connections. Next, I restored Firewall default settings and this rule was removed (this should not block outbound connections).

Edit.
Anyway, blocking outbound connections of UWP apps is not a bad idea. 'Microsoft To do' uses connections for sending SMS, MMS, and sending diagnostic telemetry to Microsoft.

So if I love Microsoft and I want to give them as much info as I can, I should uninstall ToDo and reinstall it, and then it will probably recreate its firewall rules.

 

[Andy Ful]

So if I love Microsoft and I want to give them as much info as I can, I should uninstall ToDo and reinstall it, and then it will probably recreate its firewall rules.

Yes - especially for inbound rules. Normally, Windows Firewall allows outbound rules by default. So, "Microsoft To do" might eventually require an inbound rule.

 

[Moonhorse]

What is this 30 free spins about?



Btw could edit 6.0.0.0 to site as version number

 

[Gandalf_The_Grey]

View attachment 262709

What is this 30 free spins about?

And it is not the latest version 6.0.0.0...

 

[Andy Ful]

View attachment 262709

What is this 30 free spins about?



Btw could edit 6.0.0.0 to site as version number

Thanks. I will contact @askalan who is a creator of Homepage - Hard_Configurator
I forgot to ask him to update the website.

 

[Anton-V-K]

Can Hard_Configurator help with seting up different applications whitelists for different users?
I'd like to establish a kind of Classical Parental Control in Windows 10 Home for Local Accounts: i.e allow running only whitelisted applications for some user accounts. So children will be able to run only limited set of applications, while other users (without admin rights) can run applications from "trusted locations", and administrators can run everything.
From the documentation I got that Hard_Configurator internally distinguishes only between administrators and ordinary users (this separation is probably hardcoded). So further tuning should be probably done through registry (or secpool.msc).
Any ideas how this can be achieved?

 

[Andy Ful]

Can Hard_Configurator help with seting up different applications whitelists for different users?
...

On one machine, this would be possible only for applications installed in the user AppData folder. Each account uses a different location for the user AppData folder (in the "c:\Users" folder) and users cannot access the AppData folder of another user. I assume that your family members work on Standard User accounts and only you can use the default admin account.
You can also create an empty folder in the user profile for example "c:\Users\Alice\xxx" (Alice is one of your users) and copy it to another disk while preserving the NTFS permissions. Then you can use this folder similarly (and alongside) to "c:\Users\Alice". The same can be done for other users.

 

[ForgottenSeer 92963]

@Andy Ful

Because Oldschool runs as basic/standard user, I tried a setup on my Windows10 Pro desktop (with Configure Defender like HIGH settings through GPO) which copied your H_C rules with protect Windows folder rules and allowing shortcuts only from safe places with a default ALLOW for all and Standard User DENY for all user folders which the Standard User has write access to. This is as easy as UAC on admin (because admin is allowed to run everything in user folders), but with the added security benefit of a SRP deny execute in user folders.

I know you have a Standard User setup for your wife. Would it be possible for H_C to add deny rules for folders/partitions? I realize this stretches the intended use of H_C but until now this default allow-deny standard user seems to be the best of both worlds.I understand that you reject this feature request because it is a really an odd/awkward use of SRP. Maybe you could give it a spin on your wife's PC before you decide?

regards

Kees

 

[Andy Ful]

@Andy Ful

Because Oldschool runs as basic/standard user, I tried a setup on my Windows10 Pro desktop (with Configure Defender like HIGH settings through GPO) which copied your H_C rules with protect Windows folder rules and allowing shortcuts only from safe places with a default ALLOW for all and Standard User DENY for all user folders which the Standard User has write access to. This is as easy as UAC on admin (because admin is allowed to run everything in user folders), but with the added security benefit of a SRP deny execute in user folders.

I know you have a Standard User setup for your wife. Would it be possible for H_C to add deny rules for folders/partitions? I realize this stretches the intended use of H_C but until now this default allow-deny standard user seems to be the best of both worlds.I understand that you reject this feature request because it is a really an odd/awkward use of SRP. Maybe you could give it a spin on your wife's PC before you decide?

regards

Kees

Do you have in mind the setup that applies SRP default-deny only on the particular SUA and on other accounts SRP is default-allow?

 

[ForgottenSeer 92963]

Do you have in mind the setup that applies SRP default-deny only on the particular SUA and on other accounts SRP is default-allow?

Correct, but I use only 1 admin and 1 standard user. Adding a deny-execute on the userland folders to which that specific Standard User has write access to. Only for USB I have added the deny-execute access through Group Policy for all users (but this is a precaution which has reported issues with Windows updates, although it never caused any troubles on my desktop PC)

 

[Andy Ful]

Do you have in mind the setup that applies SRP default-deny only on the particular SUA and on other accounts SRP is default-allow?

This is possible, but you already have a very similar ability with the current H_C. Just use SwitchDefaultDeny when working on the Admin account. Applying SRP locally is slightly less secure and you can gain about 10 seconds compared to the current setup.

 

[ForgottenSeer 92963]

This is possible, but you already have a very similar ability with the current H_C. Just use SwitchDefaultDeny when working on the Admin account. Applying SRP locally is slightly less secure and you can gain about 10 seconds compared to the current setup.

Not the same. The advantage of the my current setup, is that it works unattended. Also SRP on admin with Admin excluded is just UAC plus, running SUA is a security border (according to Microsoft). So I think running SUA and SRP for SUA user is stronger than SRP for all excluding Admins running on Admin account.

You mean switching off srp cost about 10 seconds? Really are you that slow? How much time does it take you to sign off from the standard account, sign in to the Admin account and disable SRP, 10 minutes?