Hard_Configurator - Windows Hardening Configurator

[JordanMason8]

Edge sends billions of signals every day to Microsoft. This Big data can be hardly usable for spying on consumers. It is used to enhance the customers' security and personalize the browsing. It could be used for spying if Microsoft had external information that someone is dangerous or very interesting for some particular reason. So, if the FBI or CIA could force Microsoft to filter the Big data for specific criminal activity, then your privacy could be exposed. So the terrorists, American dissidents, etc. would like to avoid Edge + SmartScreen.
Anyway, much more dangerous for consumers can be DNS providers, Google search, social media, etc.

I am not sure, if a few billions URL's plus ID's plus metadata per day will inherently be a protection to your data, just because of the size. Doesn't seem too much for modern data science in my limited experience. (I am into data science, but not big data, so take this with a grain of salt.)

This is a very strong setup.

How does this compare to the security of popular Linux distros, let's say Ubuntu or Fedora?

 

[MIDave]

If the LOLBin is blocked by <Blocked Sponsors>, then it will not run at all, so the Windows Firewall (with FirewallHardening settings) will not be bothered. The exception could be when the malware might exploit something, get high privileges and then use LOLBins. But such a scenario is unlikely at home on the well-patched Windows with well-patched software.



SwitchDefaultDeny can switch off/on all H_C restrictions visible on the left H_C panel. So <Blocked Sponsors> are also switched off/on. If you want to switch non-SRP restrictions visible on the left H_C panel, then you must run H_C and use <Switch OFF/ON Restrictions>. The ConfigureDefender and FirewallHardening restrictions cannot be switched off/on.

Thank you for the explanation, Andy!

 

[Andy Ful]

I am not sure, if a few billions URL's plus ID's plus metadata per day will inherently be a protection to your data, just because of the size.

Yes, generally it is not sufficient protection.
But, hiding in the crowd can be a very successful method when it is also supported by the law and trust. Microsoft must take care to be trustworthy and follow the law. So, creating billion personal profiles or selling Big data with personal fingerprints is not profitable for Microsoft. Of course, the situation would be different if you would use ChinaScreen made by Chinasoft.

How does this compare to the security of popular Linux distros, let's say Ubuntu or Fedora?

There is no real data to make any reliable comparison.

 

[Prince Blitzen Jr]

When I enable Run By Smartscreen and when I go back into the Hard Configurator I get a Configuration error like in this picture. Is that supposed to happen?

 

[Andy Ful]

When I enable Run By Smartscreen and when I go back into the Hard Configurator I get a Configuration error like in this picture. Is that supposed to happen?

The standalone version of RunBySmartscreen is removed by H_C and this alert is shown. The H_C uses Forced SmartScreen which is an extended version of RunBySmartscreen. RunBySmartScreen is equivalent to <Forced SmartScreen> = "Standard User" and can be used with the H_C Basic_Recommended_Settings. With the SRP settings visible on your screenshot you should set <Forced SmartScreen> = Administrator.
Your H_C settings are similar to the H_C Strict_Recommended_Settings, this will require attention when installing /updating applications on SUA. Please, read carefully the FAQ in the H_C manual.
Did you consider using the H_C Recommended Settings?

 

[Prince Blitzen Jr]

I use the recommended settings and thanks for helping me.

 

[Burrito]

Another compliment.... Great product Andy.

Thank you for all your hard work on this.

I have two relatives using H_C at default configuration. They are both semi-illiterate with computer security --- and both have not screwed it up or abandoned it yet.

Bravo.

 

[Andy Ful]

Another compliment.... Great product Andy.

Thank you for all your hard work on this.

I have two relatives using H_C at default configuration. They are both semi-illiterate with computer security --- and both have not screwed it up or abandoned it yet.

Bravo.

Do not worry. Sooner or later they may need some help from you.

 

[outlawxtorn]

I agree, H_C is awesome. I use the avast profile with avg set to hardened on my pc.

 

[Andy Ful]

I am finishing the new version of DocumentsAntiExploit tool.

Now it can display the Hard_Configurator settings, for example, the setting "Adobe + VBA" looks like:

When the Hard_Configurator setting is OFF and the "Current user restrictions" are enabled, we can see:

The PV setting (Adobe Reader) means that the documents will be opened always in the "Protected View", and the ON setting is without "Protected View".
The settings for MS Office did not change. For Adobe, some new settings were added:

• bDisablePDFHandlerSwitching - disables the ability to change the specified default handler (PDF viewer).
• bDisableTrustedSites - disables and locks the ability to add privileged locations by users.
• bEnable3D - blocks 3D content.
• bEnableFlash - blocks Flash content
• iFileAttachmentPerms - prevents users from opening or launching file types other than PDF.
• iUnknownURLPerms - blocks opening URLs embedded in the PDF document.

 

[ForgottenSeer 94654]

I am finishing the new version of DocumentsAntiExploit tool.

Now it can display the Hard_Configurator settings, for example, the setting "Adobe + VBA" looks like:

View attachment 265263

When the Hard_Configurator setting is OFF and the "Current user restrictions" are enabled, we can see:

View attachment 265264

The PV setting (Adobe Reader) means that the documents will be opened always in the "Protected View", and the ON setting is without "Protected View".
The settings for MS Office did not change. For Adobe, some new settings were added:

• bDisablePDFHandlerSwitching - disables the ability to change the specified default handler (PDF viewer).
• bDisableTrustedSites - disables and locks the ability to add privileged locations by users.
• bEnable3D - blocks 3D content.
• bEnableFlash - blocks Flash content
• iFileAttachmentPerms - prevents users from opening or launching file types other than PDF.
• iUnknownURLPerms - blocks opening URLs embedded in the PDF document.

Looks great

 

[ForgottenSeer 94654]

Are you also going to add to Sponsors ?

pwsh.exe ?

 

[Andy Ful]

Are you also going to add to Sponsors ?

pwsh.exe ?

I did not plan to add this one, but I may do it in the future. This is for the PowerShell version which is not installed with Windows. It is used sometimes in targeted attacks on Enterprises. But, H_C is intended for home users and very small businesses (no client-server network).

 

[ItsReallyMe]

is there any problem of Blocking windows script host? What problems it could arise in future?

 

[ItsReallyMe]

What sponsors are safe to block?

 

[Andy Ful]

is there any problem of Blocking windows script host? What problems it could arise in future?

That fully depends on what is installed on your computer. No one can tell you until you block it and see the result. Of course, the computer will not blow up, and the Windows system should work without issues.

What sponsors are safe to block?

In most cases, there is no need to block them.

Anyway, you can probably block safely everything available in H_C (my wife uses such a setup for years). But, some applications may refuse to work (rarely) and most applications will not autoupdate. So, one must adjust the setup by inspecting the H_C <Blocked Events / Security Logs> to know what restrictions have to be removed and which programs must be whitelisted. Sometimes, one can replace the program with another one to solve the problem.

 

[Tiamati]

I updated H_C for v.6.0 yesterday. Fantastic job @Andy Ful

We are lucky to have you!

 

[ForgottenSeer 94654]

@Andy Ful

Users that want security do not like:

1. Complexity
2. Responsibility to make decisions (e.g. respond to alerts)
3. Inconvenience

Hard_Configurator's install mode permits installs, drivers and users can easily make allow exceptions.

 

[ForgottenSeer 94654]

@Andy Ful

Suggestions:

1. Add a search capability for Sponsor, File Type, File Path, File Hash, and Firewall rules.
2. Add the ability of a user to add a Sponsor to the Sponsor list manually.

As you already know, the list of LOLBins changes very little over time, but here and there we get new ones such as wsl.exe (already on your Sponsor list) and pwsh.exe (PowerShell 7; not on your Sponsor list).

 

[Andy Ful]

@Andy Ful

Suggestions:

1. Add a search capability for Sponsor, File Type, File Path, File Hash, and Firewall rules.

The Sponsors, File type, and Firewall rules are displayed in alphabetical order. Also, the paths added by users are displayed in (reverse) alphabetical order. So, one can access them very quickly.
Searching for them is needed only rarely. Adding too many features would make H_C too complex.

2. Add the ability of a user to add a Sponsor to the Sponsor list manually.

As you already know, the list of LOLBins changes very little over time, but here and there we get new ones such as wsl.exe (already on your Sponsor list) and pwsh.exe (PowerShell 7; not on your Sponsor list).

I was thinking about it many times and decided to skip this possibility and add to the current list of Sponsors, only LOLBins that are dangerous for home users.
There is a big difference in the H_C settings+ home environment as compared to the settings used in the Enterprise environment. The SRP bypasses via LOLBins in Enterprises, are not dangerous at home with the H_C settings.

The H_C can be improved in many ways, but usually, this would also make it more complex. So, I am not eager to make changes, except when they are necessary for security reasons (in the home environment).