Hard_Configurator - Windows Hardening Configurator

[Andy Ful]

It is really weird. I assume that you close Adobe DC each time after changing the settings.
When you use <Enable All Features> after opening the document, is it added to Privileged Locations?

 

[Gandalf_The_Grey]

It is really weird. I assume that you close Adobe DC each time after changing the settings.
When you use <Enable All Features> after opening the document, is it added to Privileged Locations?

View attachment 267193

I think I found the reason:

It works with PV when saving the PDF and then opening it.

It doesn't work when opening a PDF directly from Outlook.
Probably because the path when opening from Outlook is: C:\Users\(your username)\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\94RIKRGM

I only tried the last option...

 

[Andy Ful]

I think I found the reason.
It works with PV when saving the PDF and then opening it.
It doesn't work when opening a PDF directly from Outlook.
Probably because the path when opening from Outlook is: C:\Users\(your username)\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\94RIKRGM
I only tried the last option...

Thank God.
Now I can narrow the source of this issue (probably related to Outlook settings).

 

[Gangelo]

I think/hope that you underestimate the number of casual users that have MS Office installed.
Maybe others can also comment on that.

I second that and can guarantee that MANY users will not be happy with this feature.
Disabling macros is enough for the excel files. Not been able to open them just by double-clicking on the file is going too far.
The point is to harden your system, not cripple usability.

 

[Andy Ful]

I second that and can guarantee that MANY users will not be happy with this feature.

Which feature does not work for you?

 

[Andy Ful]

I only tried the last option...

I think that we do not need to dig deeper. I would only try the solution with your help. Could you delete the value "bDisableTrustedSites" from the registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown

It can be done by clicking on "bDisableTrustedSites" (will be highlighted) and using <Delete> button from the keyboard.

for example:

Next close Adobe Reader, open the PDF document and check if it works. If so, then I add this correction to the PV setting in the next version.

 

[Gandalf_The_Grey]

I think that we do not need to dig deeper. I would only try the solution with your help. Could you delete the value "bDisableTrustedSites" from the registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown

It can be done by clicking on "bDisableTrustedSites" (will be highlighted) and using <Delete> button from the keyboard.

for example:

View attachment 267197

Next close Adobe Reader, open the PDF document and check if it works. If so, then I add this correction to the PV setting in the next version.

I will test that when I get home and let you know the results

 

[Andy Ful]

I found a better solution. Forget for a while about my previous post and first try to delete the value "iUnknownURLPerms" under the locations:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cDefaultLaunchURLPerms
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown\cDefaultLaunchURLPerms

It can be done by clicking on "iUnknownURLPerms" (will be highlighted) and using the <Delete> button on the keyboard. For example:

Next close Adobe Reader, open the PDF document, and check if it works. If so, then I add this correction to the PV setting in the next version. The policy is added/removed by the DocumentsAntiExploit tool so you can safely delete it (it is also deleted with some other policies when using the OFF setting).

The policies iUnknownURLPerms and bDisableTrustedSites can control which websites are allowed. After removing iUnknownURLPerms, I can open links even without using <Enable All Features>.

 

[Gangelo]

Which feature does not work for you?

I read the discussion a few posts ago, where a user who installed the latest beta could not open xlsx files directly by double click.
I was quoting your discussion with @Gandalf_The_Grey regarding this.

You said below:

This H_C setup requires installing Microsoft Excel Mobile and setting it as a default application for the Excel files. Microsoft Excel Mobile is a free Windows Universal Platform app from Microsoft Store. It runs in AppContainer, the editing is disabled in the free version and active content as well. Furthermore, it ignores the SRP restrictions made in the H_C. This makes it the safest application for viewing Excel files. It is the second safest just after Application Guard for MS Office (paid subscription). Another good solution is opening Excel files by default via Xodo PDF.
The user can still open the Excel files for editing, but first, the Excel desktop application has to be opened and the file must be opened from the running Excel.

Such a setup can be probably accepted by many users who mostly open files for viewing and not for editing. I blocked only Excel files, because they are the most dangerous. People who use Word and PowerPoint mostly for viewing should do the same for all MS Office files and use Word Mobile, PowerPoint Mobile, or Xodo PDF.
In rare cases when editing is necessary, the MS Office desktop applications can be used similarly to the Excel case.

Others have to change the setup by removing the blocked Excel extensions from the <Designated File Types> and applying some additional restrictions.
The very strong setup can be the H_C Recommended_Settings + Defender HIGH Protection Level + FirewallHardening (Recommended H_C + MS Office).
In the setup Without the Defender ASR rules one has to use the DocumentsAntiExploit tool and apply additionally the "Current user restrictions" for MS Office.

Post updated and extended.

I disagree with the inability to directly open xlsx files by double-click, there many of us who use MS Office on a daily basis..

 

[wat0114]

I disagree with the inability to directly open xlsx files by double-click, there many of us who use MS Office on a daily basis..

You could just remove the Excel-related extension types (CSV, XLS, XLSX...) from: Designated File Types-> SRP Extensions. Alternatively, it's only one additional step to first open Excel, then open the file from there.

 

[Gangelo]

You could just remove the Excel-related extension types (CSV, XLS, XLSX...) from: Designated File Types-> SRP Extensions. Alternatively, it's only one additional step to first open Excel, then open the file from there.

I don't think that such a restriction should be enforced by default. And opening excel first in order to open the file is super counter-productive if you work on different spreadsheets all day long.

In any case, this is just my personal opinion and I know that some will disagree. MS Office frequent users will certainly not..

 

[Andy Ful]

I disagree with the inability to directly open xlsx files by double-click, there many of us who use MS Office on a daily basis..

I also share this opinion. But, it is not the case here, because the user can easily allow opening XLSX files in 5 seconds, by using the <Designated File Types> option in H_C. No one is obliged to use the default settings.
Of course, the opposite is also true If one would block XLSX files (not blocked by default).
There is the same number of pros and cons when blocking by default or not the XLSX files.
For now, I do not prefer any of these default possibilities.

 

[Andy Ful]

I don't think that such a restriction should be enforced by default. And opening excel first in order to open the file is super counter-productive if you work on different spreadsheets all day long.

I truly understand your viewpoint. Any user would prefer the H_C default settings that suit him/her.
The current settings are not adjusted for the users who frequently open Excel files, especially for editing.
I did not decide yet if the users who frequently use Excel should be preferred over the rest (and vice versa).
When blocking the Excel files, the H_C setup related to DocumentsAntiExploit is much simpler. This can be an advantage for many users.
Anyway, I am also not a fan of blocking Excel files. I am still thinking.

 

[Gandalf_The_Grey]

I found a better solution. Forget for a while about my previous post and first try to delete the value "iUnknownURLPerms" under the locations:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cDefaultLaunchURLPerms
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Adobe Acrobat\DC\FeatureLockDown\cDefaultLaunchURLPerms

It can be done by clicking on "iUnknownURLPerms" (will be highlighted) and using the <Delete> button on the keyboard. For example:
View attachment 267198

Next close Adobe Reader, open the PDF document, and check if it works. If so, then I add this correction to the PV setting in the next version. The policy is added/removed by the DocumentsAntiExploit tool so you can safely delete it (it is also deleted with some other policies when using the OFF setting).

The policies iUnknownURLPerms and bDisableTrustedSites can control which websites are allowed. After removing iUnknownURLPerms, I can open links even without using <Enable All Features>.

Yes, great, that works, with or without using <Enable All Features>

 

[wat0114]

Anyway, I am also not a fan of blocking Excel files. I am still thinking.

Didn't you block these by default because it is dangerous to open Excel file types from File explorer?

I would like to add: I trust 100% all the Excel file types I keep on my machine because I know exactly where they came from so that they are not suspicious in the least, which is why up until the blocked Excel file types in the latest H_C release, I had no problems opening them via double-clicking from File explorer. That said, and in my use case scenarios, I don't mind the marginal inconvenience of opening them from Excel, as a small price to pay for enhanced security.

Furthermore, I can also appreciate that for @Gangelo and others who use Excel more extensively than I, it imposes too much inconvenience on them.

 

[Andy Ful]

Didn't you block these by default because it is dangerous to open Excel file types from File explorer?

Not exactly. It is dangerous to open Excel files if one uses 3rd party AV. In such a case one has to use SwitchDefaultDeny to run the DocumentsAntiExploit tool and apply "Current user restrictions". If Excel files are blocked, then additional hardening via the DocumentsAntiExploit tool is not necessary.

If one uses Defender with ConfigureDefender HIGH settings and the H_C option "Adobe+VBA" is enabled, then the Excel files are protected similarly to files opened by Word or PowerPoint. One does not have to additionally use the DocumentsAntiExploit tool via SwitchDefaultDeny.

So, when Excel files are blocked by SRP, a similar setup can be applied for Defender and 3rd party AVs.

 

[czesetfan]

Are you planning on being able to individually toggle presets in DAE settings? The default profiles are good, but if there was an option to individually tweak them, that would be even better. It would expand the possibilities of use. After all, if some of the settings give me a problem, I can't use all the others either.
Similarly, the SWH options are configurable to some extent. (Exclusion, adding certain file types, SMB restriction level for example, etc.)

MS Office option in the upper part of the DocumentsAntiExploit window will apply the MS Office restrictions to the current user (valid up to MS Office 2019):
Disabled Macros in MS Office XP and MS Office 2003+ (Word, Excel, PowerPoint, Access, Publisher, Outlook).
Disabled Access to Visual Basic Object Model (VBOM) in MS Office 2007+ (Access, Excel, PowerPoint, and Word).
Disabled DDE in Word 2007+ (requires Windows Updates pushed in January 2018, see Microsoft Security Advisory ADV170021).
Disabled auto-update for any linked fields (including DDE and OLE) in Word 2007+, Excel 2007+, Outlook 2007+, One Note 2013+.
Disabled ActiveX in MS Office 2007+. Disabled OLE in MS Office 2007+ (Word, Excel, PowerPoint).
Disabled ‘Run Programs’ option for action buttons in PowerPoint 2007+.
Disabled automatic download of linked images in PowerPoint 2007+.
Disabled TrustBar notifications in MS Office 2007+

In the "dispute" about blocking/allowing Excel files, I am in favor of allowing it by default. I see SWH as a simple tool that doesn't need deeper knowledge and debugging. Therefore, the less conflicts the better. On the other hand, if someone wants to improve/tweak the protection, he should have that option in the settings.

 

[Digmor Crusher]

Getting very confusing, 99% of computer users don't stand a chance. They'll have no idea
what any of the posts on this page mean. And no disrespect to Andy, his programs are brilliant.

I've always said, the perfect security program will have 4 buttons. On, Off, Whitelist/Ignore. Update. But I guess that ain't going to happen.

 

[ErzCrz]

Been a little tricky to follow but the quick installation guide is sufficient. Good to know I don't necessarily need to do the antiexploit tool but I'll continue to do so just in case.

 

[Andy Ful]

Are you planning on being able to individually toggle presets in DAE settings?

It is already possible with <MS Office> = ON1 setting. One can open the MS Office application and change the settings applied via DAE ("Current users restrictions"). After the changes, the setting in the DocumentsAntiExploit tool changes automatically from ON1 to Partial.
Maybe someday, I will try to make a more granular configurator for MS Office, but not in the near future. For now, my tool is very simple.