Hard_Configurator - Windows Hardening Configurator

ForgottenSeer 94654

I have in mind that its management can be simplified by some developers (like me). Microsoft did not simplify the management of SRP and Applocker, so it is probable that WDAC will share a similar fate.
What I meant is that WDAC will be abandoned, the same as Desired State Configuration (DSC).

Some of the team developers left Microsoft and this feature development has essentially come to a stop.
 

ErzCrz

Silly question but I installed a game on the D: Partition of my drive (1TB split in two) and I see SRP blocking access. Is the simplest option to whitelist Launcher.exe or the game folder?

1652985828317.png
 

Andy Ful

The simplest solution will always be whitelisting the folder.
 

Andy Ful

View attachment 266837

@Andy Ful this screen is not clear to me. The text seems to indicate that the program may be run (as "the file will be executes from another location without loading dll") but the "run anyway" indicates the opposite (as the file would be executed without Install by Smartscreen).
Yes, it should be clearer.
<RUN ANYWAY> means that the file will be run safely without loading some DLLs. In the case when these DLLs are a part of installation, it can fail. The "Warning" informs that one has to be cautious when trying to run the file normally (without using "Install By SmartScreen").
What is your suggestion?
 

Tiamati

Exactly. I imagined that but I wasn't sure. Maybe because I'm not a native English speaker 😅
Maybe "run with Smart Screen anyway" or "run with Dll restrictions".

Edit: btw, I could use the software that popped up that message and it worked just fine. It's good to know I could run a questionable program relatively safely.
 

Andy Ful

It seems that I already solved this problem in RunBySmartscreen, so it can be implemented in H_C:

1653472053563.png
 
Andy Ful

Andy, is it possible to add MOTW to a file without executing it?
Yes. I usually use "Run By SmartScreen" with disconnected Internet. You will see the SmartScreen alert that it cannot access the SmartScreen filter, and then choose "Don't run".

You can also manually add the Alternate Data Stream. Suppose that you want to add MOTW to the file: File.exe
1. Create a Zone.txt file with Notepad, with the content as follows (fake MOTW):
   [ZoneTransfer]
   ZoneId=3
2. Put the Zone.txt and File.exe in the same folder, for example, folder c:\Zone
3. Open CMD and use the CmdLine:
   more c:\Zone\Zone.txt>c:\Zone\File.exe:Zone.Identifier
4. You can test if MOTW has been added by executing the file with a disabled Internet connection.
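
As an added example (not part of the original post and not Hard_Configurator code), the same Zone.Identifier stream can be checked and written from PowerShell without executing the file. The function names Get-Motw and Add-Motw are illustrative assumptions; the folder is the c:\Zone used in the steps above.

```powershell
# Added example: audit and set Mark Of The Web (the Zone.Identifier stream).
# Get-Motw / Add-Motw are illustrative names; C:\Zone is the folder from the post.
# Alternate data streams need an NTFS volume and the -Stream parameter (Windows only).

function Get-Motw {
    param([Parameter(Mandatory)][string]$Path)
    # An absent stream raises a non-terminating error; suppress it and report "no MOTW".
    $stream = Get-Item -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if (-not $stream) {
        return [pscustomobject]@{ File = $Path; HasMotw = $false; ZoneId = $null }
    }
    $text = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -Raw
    $zone = $null
    if ($text -match '(?m)^\s*ZoneId\s*=\s*(\d+)') { $zone = [int]$Matches[1] }
    [pscustomobject]@{ File = $Path; HasMotw = $true; ZoneId = $zone }
}

function Add-Motw {
    param([Parameter(Mandatory)][string]$Path, [int]$ZoneId = 3)
    # Same two lines as Zone.txt in the post; writing the stream does not run the file.
    Set-Content -LiteralPath $Path -Stream 'Zone.Identifier' -Value '[ZoneTransfer]', "ZoneId=$ZoneId"
}

# Tag every EXE/MSI in the folder that has no Zone.Identifier yet, then list the result.
$folder = 'C:\Zone'
if (Test-Path -LiteralPath $folder) {
    Get-ChildItem -LiteralPath $folder -File |
        Where-Object { $_.Extension -in '.exe', '.msi' } |
        ForEach-Object {
            if (-not (Get-Motw -Path $_.FullName).HasMotw) { Add-Motw -Path $_.FullName }
            Get-Motw -Path $_.FullName
        } |
        Format-Table -AutoSize
}
```

Files that already carry a Zone.Identifier stream are left unchanged, so any existing ReferrerUrl or HostUrl fields in it are not overwritten.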
 

Andy Ful

Hard_Configurator ver. 6.0.1.0 beta:

Version 6.0.1.0
  1. Added several file extensions to the <Designated File Types>, mostly for MS Excel Add-ins, Query files, and some legacy file formats.
    New default extensions: ACCDA, ACCDU, CSV, DQY, ECF, MDA, PA, PPA, PPAM, RTF, WLL, WWL, XLA, XLAM, XLL, XLM.
    New Paranoid extensions: ACCDU, ARJ, BZIP, BZIP2, DOC, ECF, FAT, HWP, IMG, ISO, LHA, NTFS, MCL, PA, PPA, PPT, PPTX, REV, R00, R01, R02, R03, R04, R05, R06, R07, R08, R09, TBZ, TPZ, TXZ, TZ, VHD, VHDX, WLL, WWL, XAR, XIP, XLS, XLSX, XSL, XZ.
    Disk image extensions: ISO, IMG, VHDX, can be blocked by SWH settings only if a 3-rd party application is set to open them (and not by Windows built-in handler).
  2. Added new versions of DocumentsAntiExploit, RunBySmartscreen, and FirewallHardening.
  3. Improved policies for Adobe Acrobat Reader XI/DC.
  4. Corrected some minor bugs.
  5. Updated H_C manual and some help files.
 

pxxb1

Reinstall or overwrite?
 

Andy Ful

Close H_C if running. Run the H_C_6010_beta1.exe via "Install by SmartScreen".
After finishing the update several TXT files are displayed. Read carefully the displayed "Quick Configuration.txt". It includes the actions that should be taken when updating from previous versions.
 

Infinityx

Developer website:

The dedicated website (thanks to @askalan):
Hard Configurator


Hard_Configurator was created after a discussion on the below threads:
https://www.wilderssecurity.com/thr...ith-lua-and-srp-even-without-ultimate.232857/
Secure Windows - Software restriction Policies to Windows Home
Windows Pro owner? Use Software Restriction Policies!
Poll - Do you use security reg tweaks?
Run by Smartscreen utility

Microsoft documentation for Software Restriction Policies (July 2021):
https://docs.microsoft.com/en-us/wi...iction-policies/software-restriction-policies
This documentation was made for Windows Server (2012, 2016, 2019, and 2022), but SRP works the same on Windows 7, 8, 8.1, and 10.

What it can do?

This program can configure Windows built-in security to harden the system. When you close Hard_Configurator it closes all its processes. The real-time protection comes from the reconfigured Windows settings. Hard_Configurator can be seen as a Medium Integrity Level smart default-deny setup, which is based on SRP + Application Reputation Service (forced SmartScreen) + Windows hardening settings (restricting vulnerable features).
Hard_Configurator makes changes in Windows Registry to accomplish the tasks enumerated below:
  1. Enabling Software Restriction Policies (SRP) in Windows Home editions.
  2. Changing SRP Security Levels, Enforcement options, and Designated File Types.
  3. Whitelisting files in SRP by path (also with wildcards) and by hash.
  4. Blocking the vulnerable system executables via SRP.
  5. Protecting (deny execution) writable subfolders in "C:\Windows" folder (via SRP).
  6. Restricting shortcut execution to some folders only (via SRP).
  7. Enabling Windows Defender advanced settings, like PUA protection, ASR rules, Network Protection etc.
  8. Blocking outbound connections of many LOLBins and user applications.
  9. Filtering Windows Event Log for blocked outbound connections.
  10. Protecting against weaponized documents, when MS Office and Adobe Acrobat Reader XI/DC are used to open them.
  11. Disabling PowerShell script execution (Windows 7+).
  12. Securing PowerShell by Constrained Language mode (SRP, PowerShell 5.0+)
  13. Disabling execution of scripts managed by Windows Script Host.
  14. Removing "Run as administrator" option from the Explorer right-click context menu.
  15. Forcing SmartScreen check for files without 'Mark Of The Web' (Windows 8+).
  16. Disabling Remote Desktop, Remote Assistance, Remote Shell, and Remote Registry.
  17. Disabling execution of 16-bit applications.
  18. Securing Shell Extensions.
  19. Disabling SMB protocols.
  20. Disabling program elevation on Standard User Account.
  21. Disabling Cached Logons.
  22. Filtering Windows Event Log for blocked file execution events (Nirsoft FullEventLogView).
  23. Filtering autoruns from the User Space, and script autoruns from anywhere (Sysinternals Autorunsc).
  24. Turning ON/OFF all the above restrictions.
  25. Restoring Windows Defaults.
  26. Making System Restore Point.
  27. Using predefined setting profiles for Windows 7, Windows 8, and Windows 10.
  28. Saving the chosen restrictions as a profile, and restoring when needed.
  29. Backup management for Profile Base (whitelist profiles and setting profiles).
  30. Changing GUI skin.
  31. Updating application.
  32. Uninstalling application (Windows defaults restored).

Many of the above tasks can be made by using Windows RegEdit. Anyway, with Hard_Configurator, it can be done more quickly and safely.
This program was created for advanced users to secure inexperienced users. :)

Wasn't aware this specific tool existed. Thanks for the share!
 

mkoundo

Hi Andy, I installed beta 6.0.1.0 over the top of beta 6.0.0.1. I am running the basic recommended profile. Now I can't open a spreadsheet by double-clicking on it. If I open Excel and then open the file, it works fine. The message I'm getting is:

Untitled.png


Please advise how to unlock this.

thanks
 
