Hard_Configurator - Windows Hardening Configurator

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
> I recently upgraded to the latest 6.x beta and found a couple of issues:
>
> 1. When loading an External BlockList in FirewallHardening, it discards the rules with missing paths (files that don't exist at that location). I think this should be optional, because I'd like to install H_C on a clean Windows system and load all the firewall rules, so that they're ready before programs that need to be blocked are installed.
> But maybe someone prefers the current behavior. In that case there should be an additional button, for a total of three, when missing paths are loaded: "show missing paths", "keep rules" and "discard rules". That way, one could decide what to do.

Rejecting invalid paths is necessary in the case when the user used the wrong path format. Anyway, using FirewallHardening in your way is also OK. I will think about it.

> 2. When upgrading H_C from version 5.x to 6.x, it automatically enables SmartScreen for "Apps and Files", even when it was off and disabled by Group Policy. It looks like this doesn't happen with a fresh 6.x install, however.

H_C always enabled SmartScreen (except for a few early versions). The whole idea of H_C is based on the Forced SmartScreen.
 

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,862
Hello @Andy Ful, what is this file in H_C_HardeningTools? I know it's for Firewall Hardening, but what's the purpose of it? I think you explained it somewhere, but I forgot.

Andy Ful

> Hello @Andy Ful, what is this file in H_C_HardeningTools? I know it's for Firewall Hardening, but what's the purpose of it? I think you explained it somewhere, but I forgot.

It can be used to update the BlockList to ver. 2.0.0.1.
You probably saw the explanation in the readme.txt (this file is in H_C_HardeningTools_2010.zip). :)
 

SeriousHoax

> It can be used to update the BlockList to ver. 2.0.0.1.
> You probably saw the explanation in the readme.txt (this file is in H_C_HardeningTools_2010.zip). :)

Yeah, got it. So it's not necessary with the current version 2.1.1.1? I haven't applied Firewall Hardening on this system yet.
 

Andy Ful

I noticed a discussion about Constrained Language Mode (CLM) on the Wilderssecurity forum and some questions.
  1. There are several methods of applying CLM; some of them are PowerShell session-dependent and some are not.
  2. The method used by SRP, Applocker, and MDAC is independent of the PowerShell sessions and does not use the __PSLockDownPolicy. Of course, changing the Language Mode is prevented in the session already running with Constrained Language mode. This is also explained in the article mentioned on Wilderssecurity:
  3. When using SRP, one can apply CLM to processes running with standard rights and also to high-privileged ones. In the H_C Recommended_Settings, the first method is used. If one wants H_C to apply CLM and other SRP restrictions also to high-privileged processes, then it can be done by running H_C with the "-p" switch.
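
An added example, not part of the post above and not Hard_Configurator code: a PowerShell check that reports whether the current session is in Constrained Language Mode and whether that is consistent with the session-dependent `__PSLockdownPolicy` variable or with a system policy. It reads only the standard SRP policy key and the standard machine environment key; the function name and the `LikelySource` wording are hypothetical, and AppLocker and application control policies are not inspected.

```powershell
# Added example, not from the thread or Hard_Configurator.
function Get-ClmEnforcementReport {
    [CmdletBinding()]
    param()

    # Language mode of the session this function is running in.
    $mode = $ExecutionContext.SessionState.LanguageMode

    # Environment-variable method: a value of 4 requests ConstrainedLanguage.
    # The machine-wide value lives in the registry; a single process can also
    # be started with its own copy, so both are read.
    $envKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
    $machineVar = (Get-ItemProperty -Path $envKey -ErrorAction SilentlyContinue).'__PSLockdownPolicy'
    $processVar = $env:__PSLockdownPolicy

    # Policy method: SRP settings under the standard Safer\CodeIdentifiers key.
    $srpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    $srp = Get-ItemProperty -Path $srpKey -ErrorAction SilentlyContinue

    # Standard SRP DefaultLevel values.
    $levels = @{ 0 = 'Disallowed'; 0x20000 = 'Basic User'; 0x40000 = 'Unrestricted' }
    $srpLevel = if ($null -ne $srp.DefaultLevel) { $levels[[int]$srp.DefaultLevel] } else { 'not set' }

    # PolicyScope 1 exempts local administrators; 0 (or absent) covers all users.
    $srpScope = if ($null -eq $srp) { 'no SRP policy key' }
                elseif ($srp.PolicyScope -eq 1) { 'all users except administrators' }
                else { 'all users (0 or not set)' }

    # Heuristic only: the variable explains CLM when it is set to 4; otherwise
    # an active CLM session points at a system-wide policy.
    $source = if ($mode -ne 'ConstrainedLanguage') { 'CLM not active in this session' }
              elseif ($processVar -eq '4' -or $machineVar -eq '4') { '__PSLockdownPolicy variable' }
              else { 'system policy (SRP / AppLocker / application control)' }

    [pscustomobject]@{
        LanguageMode    = $mode
        ProcessVariable = $processVar
        MachineVariable = $machineVar
        SrpDefaultLevel = $srpLevel
        SrpPolicyScope  = $srpScope
        LikelySource    = $source
    }
}

Get-ClmEnforcementReport | Format-List
```

Running it once in a standard-rights session and once in an elevated one shows whether the restriction also reaches high-privileged processes.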
 

eonline

Level 21
Verified
Well-known
Nov 15, 2017
1,083
You said you know a technique that can bypass the restrictions of your programs; the question is why don't you fix that, if it can be fixed. I don't know the technique, but you do, and it seems to me that it would be necessary for all of us who use your software to know what it is and how to prevent it if you don't update and mitigate that attack. I always thank you for making code so easy to use and so good, and I also thank you that you are always sharing your knowledge, having a lot of patience, especially with users like me who are basic. Thank you.
 

Andy Ful

> You said you know a technique that can bypass the restrictions of your programs, the question is why don't you fix that.

I did not say so. You probably refer to my post:

This post was a continuation of a few posts about using PowerShell trojan-downloaders. I had in mind the attack method via successful exploit + PowerShell CmdLines that could rarely "bypass" the H_C Recommended_Settings. This method was discussed several times on MT (BITS Transfer cmdlet) - it is almost absent in widespread attacks. Restricting BITS is not recommendable, so a reasonable fix is not possible (as far as I know), except for blocking PowerShell (can be done in H_C). The recommendable way is to avoid vulnerable (unpatched) applications exploited in the wild.
If you use such an application, then you have to be cautious or use additional protection like blocking some LOLBins (powershell.exe, powershell_ise.exe), using the DocumentsAntiExploit tool, advanced H_C profiles, etc. The details are included in the H_C manual.
 

flaubert1971

Level 2
Oct 14, 2019
71
Probably I have not read the Hard_Configurator documentation well, or it has already been written in this thread, so I apologize in advance for the question.
Can Hard_Configurator be used, at the recommended settings, also in Enterprise versions of Windows?
Thank you.
 

sypqys

Level 5
Apr 18, 2022
217
How to allow OBS to capture the screen?
I have added the path and file of OBS Studio to the whitelist, but the screen is blocked like this:

Without default-deny protection, the screen is black... so H_C blocks something...
Sorry if it is not H_C that blocks my OBS Studio... but finally, without deny protection, the screen was black, so different...

Sorry, it's an error, because I tried another way and the problem persists without deny protection...
So forget this post; I didn't succeed in deleting it.


Andy Ful

> Probably I have not read the Hard_Configurator documentation well, or it has already been written in this thread, so I apologize in advance for the question.
> Can Hard_Configurator be used, at the recommended settings, also in Enterprise versions of Windows?
> Thank you.

Yes, if the user did not activate SRP via GPO; policies shared with H_C must be set in GPO to "Not Configured". There should not be a problem if you did not apply the policies via GPO.
 

sypqys

Hi!

The shortcut from another disk doesn't want to open. What do I have to do to allow this shortcut to execute?

Because OK for the security, but the problem is I cannot use anything on my HDD...

If you have a solution?


Andy Ful

> Shortcut from H_C: nothing; I have to open the source folder on my disk to open H_C.

What is the location of these blocked shortcuts? The non-standard locations in the UserSpace are intentionally blocked. Shortcuts are allowed by default only in standard locations (Desktop, Start Menu, Task Bar, Power Menu).
If you want others, they must be whitelisted.
 

sypqys

> What is the location of these blocked shortcuts? The non-standard locations in the UserSpace are intentionally blocked. Shortcuts are allowed by default only in standard locations (Desktop, Start Menu, Task Bar, Power Menu).
> If you want others, they must be whitelisted.

C:\Windows\Hard_Configurator
 