Hard_Configurator - Windows Hardening Configurator


ForgottenSeer 94654

I have in mind that its management can be simplified by some developers (like me). Microsoft did not simplify the management of SRP and AppLocker, so it is probable that WDAC will share a similar fate.
What I meant is that WDAC will be abandoned, the same as Desired State Configuration (DSC).

Some of the team developers left Microsoft and development of these features has essentially come to a stop.
 

ErzCrz

Silly question, but I installed a game on the D: partition of my drive (1TB split in two) and I see SRP blocking access. Is the simplest option to whitelist Launcher.exe or the game folder?

[Attached image: 1652985828317.png]
 

Andy Ful

[Attachment 266837]

@Andy Ful this screen is not clear to me. The text seems to indicate that the program may be run (as "the file will be executes from another location without loading dll") but the "run anyway" indicates the opposite (as the file would be executed without Install by SmartScreen).
Yes, it should be clearer.
<RUN ANYWAY> means that the file will be run safely without loading some DLLs. In the case when these DLLs are a part of installation, it can fail. The "Warning" informs that one has to be cautious when trying to run the file normally (without using "Install By SmartScreen").
What is your suggestion?
 

Tiamati

Yes, it should be clearer.
<RUN ANYWAY> means that the file will be run safely without loading some DLLs. In the case when these DLLs are a part of installation, it can fail. The "Warning" informs that one has to be cautious when trying to run the file normally (without using "Install By SmartScreen").
What is your suggestion?
Exactly. I imagined that but I wasn't sure. Maybe because I'm not a native English speaker 😅
What is your suggestion?
Maybe "run with Smart Screen anyway" or "run with DLL restrictions".

Edit: btw, I could use the software that popped up that message, and it worked just fine. It's good to know I could run a questionable program relatively safely.
 

Andy Ful

Exactly. I imagined that but I wasn't sure. Maybe because I'm not a native English speaker 😅

Maybe "run with Smart Screen anyway" or "run with DLL restrictions".

Edit: btw, I could use the software that popped up that message, and it worked just fine. It's good to know I could run a questionable program relatively safely.

It seems that I already solved this problem in RunBySmartscreen, so it can be implemented in H_C:

[Attached image: 1653472053563.png]

Andy Ful

Andy, is it possible to add MOTW to a file without executing it?
Yes. I usually use "Run By SmartScreen" with disconnected Internet. You will see the SmartScreen alert that it cannot access the SmartScreen filter, and then choose "Don't run".

You can also manually add the Alternate Data Stream. Suppose that you want to add MOTW to the file File.exe:
1. Create a Zone.txt file with Notepad, with the content as follows (fake MOTW):
    [ZoneTransfer]
    ZoneId=3
2. Put Zone.txt and File.exe in the same folder, for example, the folder c:\Zone
3. Open CMD and use the command line:
    more c:\Zone\Zone.txt>c:\Zone\File.exe:Zone.Identifier
4. You can test if MOTW has been added by executing the file with a disabled Internet connection.
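
The same Zone.Identifier stream can be written and then read back in PowerShell, which confirms the mark is present without launching the file. This is an added example, not part of the original post or of Hard_Configurator; the function names `Add-MarkOfTheWeb` and `Get-MarkOfTheWeb` are hypothetical, and the path reuses the c:\Zone\File.exe example from the steps above.

```powershell
# Added example: write and verify a Zone.Identifier stream (Mark of the Web).
# Function names are illustrative; the path is the sample one from the post.

function Add-MarkOfTheWeb {
    param(
        [Parameter(Mandatory)][string]$Path,
        [ValidateRange(0, 4)][int]$ZoneId = 3   # 3 = Internet zone, as in the post
    )
    # Same two lines as Zone.txt in the post, written directly into the ADS.
    $content = '[ZoneTransfer]', "ZoneId=$ZoneId"
    Set-Content -LiteralPath $Path -Stream 'Zone.Identifier' -Value $content
}

function Get-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)
    # Get-Item -Stream errors when the stream is absent; treat that as "no MOTW".
    $stream = Get-Item -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }
    foreach ($line in Get-Content -LiteralPath $Path -Stream 'Zone.Identifier') {
        if ($line -match '^\s*ZoneId\s*=\s*(\d+)\s*$') { return [int]$Matches[1] }
    }
    return $null   # the stream exists but carries no ZoneId line
}

# Usage: mark the file, then confirm the mark without running the file.
$file = 'C:\Zone\File.exe'
Add-MarkOfTheWeb -Path $file
$zone = Get-MarkOfTheWeb -Path $file
if ($null -eq $zone) {
    'No MOTW found (stream missing, or the volume does not support alternate data streams)'
} else {
    "MOTW present, ZoneId=$zone"
}
```

Alternate data streams exist only on NTFS, so the mark is lost when the file is copied to a FAT/exFAT volume; rerun the check after moving the file.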
 

Andy Ful

Hard_Configurator ver. 6.0.1.0 beta:

Version 6.0.1.0
  1. Added several file extensions to the <Designated File Types>, mostly for MS Excel Add-ins, Query files, and some legacy file formats.
    New default extensions: ACCDA, ACCDU, CSV, DQY, ECF, MDA, PA, PPA, PPAM, RTF, WLL, WWL, XLA, XLAM, XLL, XLM.
    New Paranoid extensions: ACCDU, ARJ, BZIP, BZIP2, DOC, ECF, FAT, HWP, IMG, ISO, LHA, NTFS, MCL, PA, PPA, PPT, PPTX, REV, R00, R01, R02, R03, R04, R05, R06, R07, R08, R09, TBZ, TPZ, TXZ, TZ, VHD, VHDX, WLL, WWL, XAR, XIP, XLS, XLSX, XSL, XZ.
    Disk image extensions: ISO, IMG, VHDX, can be blocked by SWH settings only if a 3-rd party application is set to open them (and not by Windows built-in handler).
  2. Added new versions of DocumentsAntiExploit, RunBySmartscreen, and FirewallHardening.
  3. Improved policies for Adobe Acrobat Reader XI/DC.
  4. Corrected some minor bugs.
  5. Updated H_C manual and some help files.
 

pxxb1

Hard_Configurator ver. 6.0.1.0 beta:

Version 6.0.1.0
  1. Added several file extensions to the <Designated File Types>, mostly for MS Excel Add-ins, Query files, and some legacy file formats.
    New default extensions: ACCDA, ACCDU, CSV, DQY, ECF, MDA, PA, PPA, PPAM, RTF, WLL, WWL, XLA, XLAM, XLL, XLM.
    New Paranoid extensions: ACCDU, ARJ, BZIP, BZIP2, DOC, ECF, FAT, HWP, IMG, ISO, LHA, NTFS, MCL, PA, PPA, PPT, PPTX, REV, R00, R01, R02, R03, R04, R05, R06, R07, R08, R09, TBZ, TPZ, TXZ, TZ, VHD, VHDX, WLL, WWL, XAR, XIP, XLS, XLSX, XSL, XZ.
    Disk image extensions: ISO, IMG, VHDX, can be blocked by SWH settings only if a 3-rd party application is set to open them (and not by Windows built-in handler).
  2. Added new versions of DocumentsAntiExploit, RunBySmartscreen, and FirewallHardening.
  3. Improved policies for Adobe Acrobat Reader XI/DC.
  4. Corrected some minor bugs.
  5. Updated H_C manual and some help files.

Reinstall or overwrite?
 

Andy Ful

Reinstall or overwrite?
Close H_C if running. Run the H_C_6010_beta1.exe via "Install by SmartScreen".
After finishing the update several TXT files are displayed. Read carefully the displayed "Quick Configuration.txt". It includes the actions that should be taken when updating from previous versions.
 

Infinityx

Developer website:

The dedicated website (thanks to @askalan):
Hard Configurator


Hard_Configurator was created after a discussion on the below threads:
https://www.wilderssecurity.com/thr...ith-lua-and-srp-even-without-ultimate.232857/
Secure Windows - Software restriction Policies to Windows Home
Windows Pro owner? Use Software Restriction Policies!
Poll - Do you use security reg tweaks?
Run by Smartscreen utility

Microsoft documentation for Software Restriction Policies (July 2021):
https://docs.microsoft.com/en-us/wi...iction-policies/software-restriction-policies
This documentation was made for Windows Server (2012, 2016, 2019, and 2022), but SRP works the same on Windows 7, 8, 8.1, and 10.

What can it do?

This program can configure Windows built-in security to harden the system. When you close Hard_Configurator it closes all its processes. The real-time protection comes from the reconfigured Windows settings. Hard_Configurator can be seen as a Medium Integrity Level smart default-deny setup, which is based on SRP + Application Reputation Service (forced SmartScreen) + Windows hardening settings (restricting vulnerable features).
Hard_Configurator makes changes in Windows Registry to accomplish the tasks enumerated below:
  1. Enabling Software Restriction Policies (SRP) in Windows Home editions.
  2. Changing SRP Security Levels, Enforcement options, and Designated File Types.
  3. Whitelisting files in SRP by path (also with wildcards) and by hash.
  4. Blocking the vulnerable system executables via SRP.
  5. Protecting (deny execution) writable subfolders in "C:\Windows" folder (via SRP).
  6. Restricting shortcut execution to some folders only (via SRP).
  7. Enabling Windows Defender advanced settings, like PUA protection, ASR rules, Network Protection etc.
  8. Blocking outbound connections of many LOLBins and user applications.
  9. Filtering Windows Event Log for blocked outbound connections.
  10. Protecting against weaponized documents, when MS Office and Adobe Acrobat Reader XI/DC are used to open them.
  11. Disabling PowerShell script execution (Windows 7+).
  12. Securing PowerShell by Constrained Language mode (SRP, PowerShell 5.0+)
  13. Disabling execution of scripts managed by Windows Script Host.
  14. Removing "Run as administrator" option from the Explorer right-click context menu.
  15. Forcing SmartScreen check for files without 'Mark Of The Web' (Windows 8+).
  16. Disabling Remote Desktop, Remote Assistance, Remote Shell, and Remote Registry.
  17. Disabling execution of 16-bit applications.
  18. Securing Shell Extensions.
  19. Disabling SMB protocols.
  20. Disabling program elevation on Standard User Account.
  21. Disabling Cached Logons.
  22. Filtering Windows Event Log for blocked file execution events (Nirsoft FullEventLogView).
  23. Filtering autoruns from the User Space, and script autoruns from anywhere (Sysinternals Autorunsc).
  24. Turning ON/OFF all the above restrictions.
  25. Restoring Windows Defaults.
  26. Making System Restore Point.
  27. Using predefined setting profiles for Windows 7, Windows 8, and Windows 10.
  28. Saving the chosen restrictions as a profile, and restoring when needed.
  29. Backup management for Profile Base (whitelist profiles and setting profiles).
  30. Changing GUI skin.
  31. Updating application.
  32. Uninstalling application (Windows defaults restored).

Many of the above tasks can be made by using Windows RegEdit. Anyway, with Hard_Configurator, it can be done more quickly and safely.
This program was created for advanced users to secure inexperienced users. :)

Wasn't aware this specific tool existed. Thanks for the share!
 

mkoundo

Hi Andy, I installed beta 6.0.1.0 over the top of beta 6.0.0.1. I am running the basic recommended profile. Now I can't open a spreadsheet by double-clicking on it. If I open Excel and then open the file, it works fine. The message I'm getting is:

[Attached image: Untitled.png]


Please advise how to unlock this.

thanks