Hard_Configurator - Windows Hardening Configurator

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
In the "dispute" about blocking/allowing Excel files, I am in favor of allowing them by default. I see SWH as a simple tool that doesn't need deeper knowledge and debugging. Therefore, the fewer conflicts the better. On the other hand, if someone wants to improve/tweak the protection, he should have that option in the settings.
In the current ver. of SWH, Excel extensions like XLSX are already allowed. But SWH is intended for a different group of users than H_C. Anyway, from my point of view, it would be simpler to keep the same default SRP extensions in SWH and H_C (like in H_C ver. 6.0.0.0 and earlier versions). For now, this is the only serious argument for not blocking some popular Excel extensions by default in H_C.
 

Andy Ful

H_C is intended for a very specific group = home administrators. They are usually advanced users who have made similar hardening via GPO or reg tweaks. It is true that most people do not have the time and motivation to be home administrators. That is why I also created some simple applications like SWH, CD, FH, DAE.
This thread is also for users who would like to learn something about Windows built-in security. Others can skip it without any loss. :)
 

Andy Ful

If one uses complex documents that require macros, DDE, updating data from remote locations (like the Internet or remote shares), etc., then the DocumentsAntiExploit (DAE) protection will show the Partial or OFF setting. This means that DAE cannot cover some important attack vectors anymore, and the H_C Recommended_Settings alone will be insufficient. One has to use the Strict_Recommended_Settings with additionally blocked Sponsors or use Defender with ASR rules. People who can afford to spend some money can consider buying a subscription that includes Application Guard for MS Office.

Using Defender with ASR rules + H_C Recommended_Settings can probably cover 99% of attack vectors even when DocumentsAntiExploit settings are OFF. But when using complex documents and Outlook, some ASR rules have to be disabled or weakened by exclusions, and the protection is not so great anymore.

In the case when one has to use MS Office and allow macros, or other potentially dangerous features (DAE Partial or OFF setting), my advice is to avoid using MS Office for document viewing and be very careful when opening documents for editing. This will significantly lower the possibility of infection. (y)
 

Andy Ful

Recently, I tested Windows built-in Outlook. It can open Adobe Acrobat and MS Office documents for viewing in the Edge web browser. It is integrated with OneDrive. MS Office documents can be edited online. This could be a safe solution to view the documents contained as attachments in emails.

Unfortunately, if the document contains a malicious URL, then the website is opened in the web browser and the weaponized document is downloaded to disk (not directly to OneDrive). So anyway, the weaponized document will be opened by MS Office installed in the system. One could change the download location to OneDrive and block MS Office files via SRP. In such a case the file is blocked unless one uses the right-click Explorer context menu to open it online ("View online" option). Still, safe files can be opened from within the MS Office application.
 

sypqys

Level 5
Apr 18, 2022
230
It is possible that the LOL_Bin rules and H_C recommended settings block Spotify for me after the advertising (free use)... Spotify stops running after the advertising.

Where is the problem?

Does anyone have an idea? On Win 10, and after I migrated to Win 11, the same issue.
 


Andy Ful

I do not know. But, you can test this in a simple way:
  1. Save the current BlockList.
  2. Remove all entries from the FirewallHardening BlockList. Restart the computer and check if Spotify works.
  3. If Spotify works after the actions from point 2, then you can Load the saved Blocklist into FirewallHardening.
  4. Check if the event logging is activated:
    1654508708163.png
  5. Close FH and restart the computer.
  6. Check the Log by using <Blocked Events>.
Post here about your findings.:)(y)
 

sypqys

Firewall Hardening version is 2.0.0.1

How do I save the current blocklist (1.)?

Thanks
 

eonline

Level 21
Verified
Well-known
Nov 15, 2017
1,083
Why would you make the changes for Excel if you can always whitelist documents that are from a trusted source? I'm fine with the new restrictions.
 

Freki123

Level 16
Verified
Top Poster
Aug 10, 2013
753
It is possible that the LOL_Bin rules and H_C recommended settings block Spotify for me after the advertising (free use)... Spotify stops running after the advertising.
Do you by chance use Firefox, Sandboxie and Adguard desktop? I sometimes ran into some strange problems there with Spotify. As far as I remember, I had to disable Adguard for that site even though Spotify should be whitelisted by default. It was a long time ago, so I could be remembering it all wrong :D
 

Andy Ful

No I use simplewall with NextDNS.
You should first check if one of these applications is the source of the block, especially SimpleWall. (y)
This can be done by temporarily removing the restrictions (similarly to the case of FirewallHardening).
What is a link to your current setup?
 

Freki123

Since with NextDNS you can also add or remove a lot of different filter lists (at least if you use your own ID), maybe also take a look there. Maybe Spotify has to be whitelisted or you have to find the filter list that works for it.
 

nadis

Level 1
Apr 21, 2020
14
I recently upgraded to the latest 6.x beta and found a couple of issues:

1. When loading an External BlockList in FirewallHardening, it discards the rules with missing paths (files that don't exist at that location). I think this should be optional. Because I'd like to install H_C on a clean Windows system and load all the firewall rules, so that they're ready before programs that need to be blocked are installed.
But maybe someone prefers the current behavior. In that case there should be an additional button, for a total of three, when missing paths are loaded: "show missing paths", "keep rules" and "discard rules". That way, one could decide what to do.

2. When upgrading H_C from version 5.x to 6.x, it automatically enables SmartScreen for "Apps and Files", even when it was off and disabled by Group Policy. It looks like this doesn't happen with a fresh 6.x install, however.
 