Hard_Configurator - Windows Hardening Configurator

Andy Ful

Level 81
Thread author
Verified
Helper
Top poster
Developer
Well-known
Dec 23, 2014
7,002
Not very often.

If you have installed MS Office on the system and would like to use another AV, then you have to be cautious with MS Office documents (especially Excel documents) or use additional H_C features:
  1. Use the DocumentsAntiExploit tool (from SwitchDefaultDeny) or at least block Excel macros without notifications.
  2. Apply "Paranoid Extensions" in H_C.
See also:
https://malwaretips.com/threads/simple-windows-hardening.102265/post-973123
https://malwaretips.com/threads/simple-windows-hardening.102265/post-973470
 

oldschool

Level 67
Verified
Top poster
Well-known
Mar 29, 2018
5,643
> Does this mean that if I stay with WD with ConfigureDefender, without enabling DocumentsAntiExploit and Paranoid Extensions, I will be safer?

As long as you use common sense when online you'll be fine. I run Office 2007 with ConfigureDefender @ modified Max and no problems. Like yourself, I hardly use Office.

Good internet hygiene goes a long way. Remember, with ConfigureDefender your security is light years ahead of the average user.

My motto: "Stay safe, not paranoid!" (y)(y):D
 

normalizerx

Level 2
Oct 9, 2012
124
You are right. Just have a free subscription for ESET (AV) and I'm thinking of using it, so wanted to compare pros and cons.
 

Andy Ful

> Thank you. Does this mean that if I stay with WD with ConfigureDefender, without enabling DocumentsAntiExploit and Paranoid Extensions, I will be safer?

I am not an expert on Eset HIPS. It is possible that one can tweak HIPS settings to get protection similar to Defender's ASR rules (ConfigureDefender HIGH settings). But Eset AV does not have Network Protection.
In practice, it would be hard to see the difference in the protection when the AVs are supported by the H_C with Recommended Settings + FirewallHardening. The malicious samples that could bypass the protection are very rare and mostly related to targeted attacks.

Using "Paranoid Extensions" is recommendable for casual users with any AV. These restrictions are whitelisted in the folders where most applications are installed/updated, so they rarely can be a problem.
 

Andy Ful

Hard_Configurator 6.0.0.1 beta1:

What is new:
1. Added <Block AppInstaller> option.
2. New FirewallHardening version 2.0.1.1.
  • added the options to load/save the external BlockLists.
  • added new LOLBins (EXE files): bitsadmin (blocked via Exploit Protection), calc, certoc, certreq, cmd, desktopimgdownldr, dllhost, ExtExport, findstr, ieexec (new path), notepad, pktmon, Register-cimprovider, verclsid, wsl, wuauclt.exe, xwizard.

Updating from the ver. 6.0.0.0
  • Set <MORE SRP ...><Block AppInstaller> = ON (new option).
  • Update the rules in FirewallHardening by using the <Load> option to load the file UpdateFirewallHardening2011.fwbl. Some new LOLBins will appear on the BlockList as Inactive - they can be activated by the user if necessary.
Edit.
The LOLBin DesktopImgDownldr is not currently fully blocked by FirewallHardening - the connections are blocked only if the code is injected into it for spying. If it is used in the wild as a LOLBin downloader (can use BITS) then I will consider blocking it via Exploit Protection.
 

South Park

Level 9
Verified
Jun 23, 2018
402
Possible error with FWH 2011: a blank rule, which I marked with a red dot
 

Attachments

  • FW rule blank.jpg
  • FW rule on click.jpg

Andy Ful

> Possible error with FWH 2011: a blank rule, which I marked with a red dot

It is OK because it is a fake rule (for Bitsadmin). It has no name because Bitsadmin is not really blocked by the firewall, but by Exploit Protection - it blocks execution of Bitsadmin so the firewall will not ever use this fake rule.

Here is how it looks in the Registry:
v2.29|Action=Block|Active=TRUE|Dir=Out|App=bitsadmin.exe (ExploitProtection)|Name=H_C rule for: |EmbedCtxt=H_C Firewall Rules|

Normally, the firewall rule should include the full file path in the place marked in red and the name in the place marked in blue. But when using Exploit Protection, the bitsadmin.exe is blocked everywhere. Windows Firewall does not support files without full paths.

1644671688212.png
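
One way to audit rule strings in the format shown in the post above (an added example, not part of the original post and not FirewallHardening's own code): it parses the pipe-delimited value and separates rules the firewall can match by full path from placeholders such as the Bitsadmin entry. Only the first sample value comes from the post; the other sample values, the function names, and the treatment of `Active=FALSE` as an inactive BlockList entry are assumptions.

```python
import re

# Drive-absolute path or one starting with an environment variable.
FULL_PATH = re.compile(r"^(?:[A-Za-z]:\\|%[^%]+%\\)")

# Constructed samples in the pipe-delimited format quoted in the post.
# Only the first value is from the post; the others are illustrative.
SAMPLE_RULES = [
    "v2.29|Action=Block|Active=TRUE|Dir=Out|App=bitsadmin.exe (ExploitProtection)"
    "|Name=H_C rule for: |EmbedCtxt=H_C Firewall Rules|",
    r"v2.29|Action=Block|Active=TRUE|Dir=Out|App=C:\Windows\System32\certreq.exe"
    "|Name=H_C rule for: certreq.exe|EmbedCtxt=H_C Firewall Rules|",
    r"v2.29|Action=Block|Active=FALSE|Dir=Out|App=C:\Windows\System32\calc.exe"
    "|Name=H_C rule for: calc.exe|EmbedCtxt=H_C Firewall Rules|",
    r"v2.29|Action=Allow|Active=TRUE|Dir=In|App=C:\Tools\example.exe"
    "|Name=Unrelated rule|",
]


def parse_rule(value):
    """Split 'version|Key=Value|...|' into (version, {key: value})."""
    version, *fields = value.split("|")
    pairs = {}
    for field in fields:
        if field:  # the trailing '|' leaves one empty field
            key, _, val = field.partition("=")
            pairs[key] = val
    return version, pairs


def classify(fields, context="H_C Firewall Rules"):
    """Say which control, if any, a parsed rule represents."""
    if fields.get("EmbedCtxt") != context:
        return "other"        # not created by FirewallHardening
    if fields.get("Active") != "TRUE":
        return "inactive"     # assumption: Inactive entries use Active=FALSE
    if FULL_PATH.match(fields.get("App", "")):
        return "firewall"     # the firewall can match this program
    return "placeholder"      # no full path: enforced elsewhere, if at all


def audit(values):
    """Map each rule's App value to its classification."""
    report = {}
    for value in values:
        _, fields = parse_rule(value)
        report[fields.get("App", "")] = classify(fields)
    return report


if __name__ == "__main__":
    for app, status in audit(SAMPLE_RULES).items():
        print(f"{status:12} {app}")
```

Any entry reported as `placeholder` depends on a different control (here Exploit Protection), so that control's state is what needs checking for that program.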
 

Azure

Level 27
Verified
Top poster
Content Creator
Oct 23, 2014
1,618
Good day.

Andy, someone asked the following question

> OK thanks does anyone know if h_c is compatible with nanominer gpu mining cryptocurrencies
 


JordanMason8

New Member
Feb 19, 2022
2
Hi,

first of all thank you for providing HC. It's a wonderful tool and makes things a lot easier. I got a few questions, maybe someone can help me out.

I am trying to find a balance between privacy and security. Are there any settings which could be changed from the recommended settings, which increase privacy more than they decrease security?

I am thinking about something like SmartScreen for MS Edge, which first checks URLs on a local list and if it's not found in the top visited websites, it will send the URL, info about the website and a device ID to Microsoft. I wonder how much of my browsing history is being sent to Microsoft this way and if it is really worth using SmartScreen on Edge. What would you recommend? Is there also a possibility to only allow local checks?

I tried to use the Microsoft Diagnostic Data Viewer to get a feeling about how much data is being sent to Microsoft, but somehow it always shows that I don't have access to this data. Is this a known problem with HC?

What does "Edge (not Chromium)" under "Smartscreen" mean in the HC ConfigureDefender menu? I thought Edge is always based on Chromium? It is set to block, but I somehow can deactivate SmartScreen in the MS Edge settings. Is this a bug, or did I misunderstand the meaning of this setting?

My HC setup is: recommended settings in the main menu, ConfigureDefender on Max and FirewallHardening with all 4 available lists added to block.

Thanks in advance.
Best regards
 

Andy Ful

Hi,

> I am trying to find a balance between privacy and security. Are there any settings which could be changed from the recommended settings, which increase privacy more than they decrease security?

I do not think so.

> I am thinking about something like SmartScreen for MS Edge, which first checks URLs on a local list and if it's not found in the top visited websites, it will send the URL, info about the website and a device ID to Microsoft. I wonder how much of my browsing history is being sent to Microsoft this way and if it is really worth using SmartScreen on Edge. What would you recommend? Is there also a possibility to only allow local checks?

Edge sends billions of signals every day to Microsoft. This Big Data can hardly be used for spying on consumers. It is used to enhance the customers' security and personalize the browsing. It could be used for spying if Microsoft had external information that someone is dangerous or very interesting for some particular reason. So, if the FBI or CIA could force Microsoft to filter the Big Data for specific criminal activity, then your privacy could be exposed. So the terrorists, American dissidents, etc. would like to avoid Edge + SmartScreen.
Anyway, much more dangerous for consumers can be DNS providers, Google search, social media, etc.

> I tried to use the Microsoft Diagnostic Data Viewer to get a feeling about how much data is being sent to Microsoft, but somehow it always shows that I don't have access to this data. Is this a known problem with HC?

No. I can use it without any problem with H_C, ConfigureDefender, and FirewallHardening all set to MAX settings.

> What does "Edge (not Chromium)" under "Smartscreen" mean in the HC ConfigureDefender menu?

Edge was not based on Chromium for the first few years. In the year 2020, the old Edge was replaced by the Chromium version.

> My HC setup is: recommended settings in the main menu, ConfigureDefender on Max and FirewallHardening with all 4 available lists added to block.

This is a very strong setup.
 

MIDave

Level 1
Dec 24, 2017
15
I have a couple of questions about H_C:

- If you block LOLBins in H_C, is there additional value in blocking them with the Firewall Hardening tool or is there overlap?

- In AppGuard, we have the option to allow installs or shut everything off if needed through the agent app in the tray. In H_C I know there is the app to quickly switch default deny off or on, but if there are other restrictions impacting a specific task or application it appears that I would have to open H_C to switch those off - is that correct? I have some apps that I occasionally use that require access to one of the blocked sponsors, and it's nice to just be able to quickly switch off all restrictions temporarily. I wouldn't be asking these questions if I was totally thrilled with AppGuard. :)
 

Andy Ful

...
> - If you block LOLBins in H_C, is there additional value in blocking them with the Firewall Hardening tool or is there overlap?

If the LOLBin is blocked by <Blocked Sponsors>, then it will not run at all, so the Windows Firewall (with FirewallHardening settings) will not be bothered. The exception could be when the malware might exploit something, get high privileges and then use LOLBins. But such a scenario is unlikely at home on a well-patched Windows with well-patched software.

> - In AppGuard, we have the option to allow installs or shut everything off if needed through the agent app in the tray. In H_C I know there is the app to quickly switch default deny off or on, but if there are other restrictions impacting a specific task or application it appears that I would have to open H_C to switch those off - is that correct? I have some apps that I occasionally use that require access to one of the blocked sponsors, and it's nice to just be able to quickly switch off all restrictions temporarily. I wouldn't be asking these questions if I was totally thrilled with AppGuard. :)

SwitchDefaultDeny can switch off/on all H_C restrictions visible on the left H_C panel. So <Blocked Sponsors> are also switched off/on. If you want to switch non-SRP restrictions visible on the left H_C panel, then you must run H_C and use <Switch OFF/ON Restrictions>. The ConfigureDefender and FirewallHardening restrictions cannot be switched off/on.
 