Hard_Configurator - Windows Hardening Configurator

eonline

Level 21
Verified
Well-known
Nov 15, 2017
1,083
this is my current H_C configuration, do you see any security holes in my configuration? I left cmd .exe as a matter of convenience. This all stems from Magniber's post against WD with CD MAX. I also use firewall hardening and CD without protected folders because I find it annoying. Thank you very much as always. Best regards.
 

Attachments

  • e_H_C.hdc.txt
    4.1 KB · Views: 225

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
this is my current H_C configuration, ...
You have applied very strong protection. Now, your security will depend on the way you deal with blocked files. So, choose wisely when whitelisting the blocked files or when intentionally bypassing the protection layers. (y)
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
Hard_Configurator ver. 6.0.1.1


The update can be made over the older version. After the update, some Infos are displayed in the notepad. The info about updating the configuration is included in the displayed Quick_Configuration.txt.


The changelog from the latest stable version 6.0.0.0

Version 6.0.1.1
1. Adjusted the default extensions in <Designated File Types> to those used in Simple Windows Hardening. So, some popular Excel extenions are not blocked in default setup: XLS, XLSX, XLSB, XLSM, XLT, XLTM, XSL.
2. Updated the manual and some help files.
3. Added new option in DocumentsAntiExploit tool to make the configuration of Adobe Acrobat more granular.
4. Added the button <MORE ...><Remove Obsolete Restrictions>.
5. Added a new digital certificate.
Version 6.0.1.0 beta
1. Added several file extensions to the <Designated File Types>, mostly for MS Excel Add-ins, Query files, and some legacy file formats:
New default extensions
ACCDA, ACCDU, CSV, DQY, ECF, MDA, PA, PPA, PPAM, RTF, WLL, WWL, XLA, XLAM, XLL, XLM, XLS, XLSX, XLSB, XLSM, XLT, XLTM, XSL.
New Paranoid extensions
ACCDU, ARJ, BZIP, BZIP2, DOC, ECF, FAT, HWP, IMG, ISO, LHA, NTFS, MCL, PA, PPA, PPT, PPTX, REV, R00, R01, R02, R03, R04, R05, R06, R07, R08, R09, TBZ, TPZ, TXZ, TZ, VHD, VHDX, WLL, WWL, XAR, XIP, XLS, XLSX, XSL, XZ
Disk image extensions: ISO, IMG, VHDX, can be blocked by SWH settings only if a 3-rd party application is set to open them (and not Windows built-in File Explorer).
2. Added new versions of DocumentsAntiExploit, RunBySmartscreen and FirewallHardening tools.
3. Improved policies for Adobe Acrobat Reader XI/DC.
4. Corrected some minor bugs.
5. Updated H_C manual and some help files.
Version 6.0.0.1 beta
1. Added <Block AppInstaller> option.
2. New FirewallHardening version 2.0.1.1.
- added the options to load/save the external BlockLists.
- added new LOLBins: bitsadmin.exe (blocked via Exploit Protection), calc, certoc, certreq, cmd, desktopimgdownldr, dllhost, ExtExport, findstr, ieexec (new path), notepad, pktmon, Register-cimprovider, verclsid, wsl, wuauclt.exe, xwizard.
 
Last edited:

Trooper

Level 17
Verified
Top Poster
Well-known
Aug 28, 2015
801
Hard_Configurator ver. 6.0.1.1


The update can be made over the older version. After the update, some Infos are displayed in the notepad. The info about updating the configuration is included in the displayed Quick_Configuration.txt.


The changelog from the latest stable version 6.0.0.0

Version 6.0.1.1
1. Adjusted the default extensions in <Designated File Types> to those used in Simple Windows Hardening. So, some popular Excel extenions are not blocked in default setup: XLS, XLSX, XLSB, XLSM, XLT, XLTM, XSL.
2. Updated the manual and some help files.
3. Added new option in DocumentsAntiExploit tool to make the configuration of Adobe Acrobat more granular.
4. Added the button <MORE ...><Remove Obsolete Restrictions>.
5. Added a new digital certificate.
Version 6.0.1.0 beta
1. Added several file extensions to the <Designated File Types>, mostly for MS Excel Add-ins, Query files, and some legacy file formats:
New default extensions
ACCDA, ACCDU, CSV, DQY, ECF, MDA, PA, PPA, PPAM, RTF, WLL, WWL, XLA, XLAM, XLL, XLM, XLS, XLSX, XLSB, XLSM, XLT, XLTM, XSL.
New Paranoid extensions
ACCDU, ARJ, BZIP, BZIP2, DOC, ECF, FAT, HWP, IMG, ISO, LHA, NTFS, MCL, PA, PPA, PPT, PPTX, REV, R00, R01, R02, R03, R04, R05, R06, R07, R08, R09, TBZ, TPZ, TXZ, TZ, VHD, VHDX, WLL, WWL, XAR, XIP, XLS, XLSX, XSL, XZ
Disk image extensions: ISO, IMG, VHDX, can be blocked by SWH settings only if a 3-rd party application is set to open them (and not Windows built-in File Explorer).
2. Added new versions of DocumentsAntiExploit, RunBySmartscreen and FirewallHardening tools.
3. Improved policies for Adobe Acrobat Reader XI/DC.
4. Corrected some minor bugs.
5. Updated H_C manual and some help files.
Version 6.0.0.1 beta
1. Added <Block AppInstaller> option.
2. New FirewallHardening version 2.0.1.1.
- added the options to load/save the external BlockLists.
- added new LOLBins: bitsadmin.exe (blocked via Exploit Protection), calc, certoc, certreq, cmd, desktopimgdownldr, dllhost, ExtExport, findstr, ieexec (new path), notepad, pktmon, Register-cimprovider, verclsid, wsl, wuauclt.exe, xwizard.

Thanks as always. Cheers!
 
F

ForgottenSeer 95367

Easy & untroublesome

1657839912824.png
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
Easy & untroublesome
Only for some people (like my wife).:)
Such a setup requires manual software updates, except for Microsoft Store apps and applications which can auto-update via scheduled tasks with admin rights (like Edge, Chrome, etc.).
When using Paranoid Extensions, some popular file types are blocked (like Excel documents). So probably, some file extensions will require adjustments via <Designated File Types>.
The <Validate Admin C.S.> is ON, so there can be some problems with installing/updating the unsigned applications.
(y)

So the usability of this setup will depend much on the installed software. After some adjustments, it can work well on semi-locked systems.
 
Last edited:
F

ForgottenSeer 95367

Such a setup requires manual software updates
Update file paths are whitelisted, so no need to for me to manually update applications.
When using Paranoid Extensions, some popular file types are blocked (like Excel documents).
Just create an allow file path for *.xls; can run Excel only at this file path. Alternate, safer practice is to run Excel online.
The <Validate Admin C.S.> is ON, so there can be some problems with installing/updating the unsigned applications.
Turn off <Validate Admin C.S.> temporarily and install. Updates are infrequent so no problem for user.

ezpz_

Thank you.
 
Last edited by a moderator:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
Update file paths are whitelisted, so no need to for me to manually update applications.
Most software updates use %LocalAppdata%\Temp . Did you whitelist it?
 
F

ForgottenSeer 95367

Most software updates use %LocalAppdata%\Temp . Did you whitelist it?
Do not whitelist %LocalAppdata%\Temp.

Only allow known good update and application processes to run from there. Manual application updates are not required.

Untitled.png
So simple.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
Do not whitelist %LocalAppdata%\Temp.

Only allow known good update and application processes to run from there. Manual application updates are not required.

View attachment 267997
So simple.
Your whitelist includes several paths in UserSpace. These paths can cover the updating executables for applications. So, the auto-updates will probably start, but they usually create folders & files in the folder LocalAppdata%\Temp, and next try to run some executables from there. Most of them will be blocked with your setup. Anyway, you are not a newbie, so you will find a solution. (y)
 
  • Like
Reactions: EASTER
F

ForgottenSeer 95367

Your whitelist includes several paths in UserSpace. These paths can cover the updating executables for applications. So, the auto-updates will probably start, but they usually create folders & files in the folder LocalAppdata%\Temp, and next try to run some executables from there. Most of them will be blocked with your setup. Anyway, you are not a newbie, so you will find a solution. (y)
All my known good applications and their updates work perfectly via configuration of H_C at maximum possible protection settings. Thank you.
 
  • Like
Reactions: kylprq and Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
The software updates work for you because your applications update via the Inno Setup installer. It uses the folder pattern ...\Temp\is-*.tmp\ which is whitelisted in your setup. Generally, your setup is powerful. Although some malware and adware can use Inno Setup too, such malicious installers will be prevented by the H_C Forced SmartScreen. Even if something is exploited, the malware after exploiting rarely uses the Inno Setup installer.
 
Last edited:
F

ForgottenSeer 95367

The software updates work for you because your applications update via the Inno Setup installer.
The Inno Setup is used to update VS Code IIRC. The other programs running and updating from AppData require their own specific allow rules. Creating the allow exception rules is easy.
 
  • Like
Reactions: Andy Ful

pxxb1

Level 10
Verified
Well-known
Jan 17, 2018
484
@Andy Ful
Hi Andy
Would it be possible to build in a translation tool in this product, or maybe all of them? Not for the sake of sending them to you for implementation but for the users own sake. A handy tool for user convenience, for thoose who wish to have it in their own language. One could translate it to ones own language and keep it, so to speak.

So for you it would a one time thing to do.
 
  • Like
Reactions: Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
Not for H_C. It would be possible for ConfigureDefender, SWH, and other tools. But, this would also require translating the manual and help files (included in PDF documents).
 

pxxb1

Level 10
Verified
Well-known
Jan 17, 2018
484
Not for H_C. It would be possible for ConfigureDefender, SWH, and other tools. But, this would also require translating the manual and help files (included in PDF documents).

As i said, the user translates whatever he wishes! The possibilty is there, that is it, and one does what, and how much one wants in the installed program.
Sordum has that for their programs, a basic simple tool. If i want to do just a bit, fine, if i want to do all and send it to them, that is also possible. A helpful tool for the individual user to use, if, he so wishes, and based on personal responsibility.
 
  • Like
Reactions: Andy Ful

eonline

Level 21
Verified
Well-known
Nov 15, 2017
1,083
Hi, wouldn't it be a good idea to block exe's and derivatives from running in powershell or cmd?

Edit: Or at least have that option for those who want to activate it.
 
  • Like
Reactions: Back3 and Andy Ful

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top