- Dec 28, 2016
- 86
Hard_Configurator - Windows Hardening Configurator
- Thread starter Andy Ful
- Start date
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,119
Yes, I will. But first, I have to find out how to do it.
This bug is not related to recommended Hard_Configurator settings. The funny thing is, that SUA worked fine on my wife's computer, because of <Disable Elevation on SUA> set to ON, so there is no possibility to use SAS on SUA (every elevation attempt is blocked). Only admin account was affected.
Last edited:
Andy, a few weeks ago I installed Hard_Configurator on a Windows 10 Home machine to experiment with it. After a few days I realized I had an old Pro license lying dormant and used that license to install on the machine. Before the switch to Pro I uninstalled HC but even after it uninstalled a remnant of it remains within Settings>Apps>Apps and Features. I've searched regedit and used autoruns and process explorer to try and find the file but cannot find it. Any idea where it may reside so I can remove it?
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,119
64 bit version and I uninstalled from Settings>Apps>Apps and Features>Hard_Configurator uninstall. Prior to this I reset within HC to remove applied settings.
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,119
I did the same without any issues. Something in your computer prevented the uninstallation.
What other security applications are installed?
Only Windows Defender with default settings for exploit protection, controlled folder protection turned off. Smartscreen settings set to block. App store settings set to warn before install.
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,119
Nothing that could stop uninstallation. You said that you can see the Hard_Configurator entry in Apps and Features. What happens when you click on this entry?
If you can see an error alert, then probably something deleted the uninstallation files. The simplest method to repair this will be installing Hard_Configurator again and uninstalling it just after that. Please, use the latest version:
Hard_Configurator/Hard_Configurator_setup(x64)_beta_3.1.0.0.exe at master · AndyFul/Hard_Configurator · GitHub
Last edited:
Worked, problem solved. One other item I changed before the install of HC, changed app settings to allow apps from anywhere instead of what my setting had been, WARN when installing apps from out of store. I've noticed the warn setting can tend to delay the UAC screen offering before the install option is offered. I sometime think this delay wonks an install. Thanks, keep up the good work.
- Dec 28, 2016
- 86
Hi @Andy Ful ,
I'm working with HC quite a while now and I'm still very impressed. I installed it on some PC of non experienced users and it works like a charm most of the time.
Sometimes though it is necessary to disable the SRP rules and the further protections temporary. I found that for the inexperienced user (who sometimes even has problems with English language) it is still complicated to press 4 buttons to temporary disable the protection. Further more if they only need to once in a while.
So I asked myself if it would be possible to create an all simple on / off GUI as first layer after starting the tool. This way user could toggle the restrictions just by one single click. This tool could serve as inspiration (just first layer GUI wise): IWR Consultancy : Simple Software-Restriction Policy.
The above tool also has the option to reactivate the restrictions after restart. This would be also handy for HC if possible.
How do you think about this?
I'm working with HC quite a while now and I'm still very impressed. I installed it on some PC of non experienced users and it works like a charm most of the time.
Sometimes though it is necessary to disable the SRP rules and the further protections temporary. I found that for the inexperienced user (who sometimes even has problems with English language) it is still complicated to press 4 buttons to temporary disable the protection. Further more if they only need to once in a while.
So I asked myself if it would be possible to create an all simple on / off GUI as first layer after starting the tool. This way user could toggle the restrictions just by one single click. This tool could serve as inspiration (just first layer GUI wise): IWR Consultancy : Simple Software-Restriction Policy.
The above tool also has the option to reactivate the restrictions after restart. This would be also handy for HC if possible.
How do you think about this?
Last edited:
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,119
Actually, the user in most cases can simply press the left green button to partially unlock SRP restrictions. This does not require log-off and SRP Default Security Level is set to Unrestricted. After installing applications, the user simply should press the left green button again to reactivate restrictions.
Lock / Allow EXE / Unlock / Configure
The "Lock" will activate predefined options.
The "Allow EXE" will activate recommended options but EXE files will be allowed and Userprofile Temp folder will be whitelisted for all files.
The 'Unlock" will deactivate all restrictions except SMB.
The "Configure" will execute Hard_Configurator.
.
All options require log-off to fully apply changes.
.
Yet, after "Unlock" the user may not log-off because many SRP restrictions will be deactivated (Default Security Level = Unrestricted). This will not deactivate other SRP features like <Enforcement>, <Block Sponsors> or <Protect Shortcuts> because those options require log-off. But those options will hardly block something when <Default Security Level> is set to Unrestricted.
.
If the other restrictions have to be fully deactivated then after pressing green buttons, log-off is required.
.
I am thinking about a simple GUI as follows:If the other restrictions have to be fully deactivated then after pressing green buttons, log-off is required.
.
Lock / Allow EXE / Unlock / Configure
The "Lock" will activate predefined options.
The "Allow EXE" will activate recommended options but EXE files will be allowed and Userprofile Temp folder will be whitelisted for all files.
The 'Unlock" will deactivate all restrictions except SMB.
The "Configure" will execute Hard_Configurator.
.
All options require log-off to fully apply changes.
.
Yet, after "Unlock" the user may not log-off because many SRP restrictions will be deactivated (Default Security Level = Unrestricted). This will not deactivate other SRP features like <Enforcement>, <Block Sponsors> or <Protect Shortcuts> because those options require log-off. But those options will hardly block something when <Default Security Level> is set to Unrestricted.
- Dec 28, 2016
- 86
This sounds very good!
I´m sure this will make the tool much more easy to use for the average user while it still has all the mighty options to fine tune...
Pressing "Lock" after clean install will enable all default protections, while "Lock" and "Unlock" will toggle custom configuration if there have been made changes to the default configuration, right?
I´m sure this will make the tool much more easy to use for the average user while it still has all the mighty options to fine tune...
Pressing "Lock" after clean install will enable all default protections, while "Lock" and "Unlock" will toggle custom configuration if there have been made changes to the default configuration, right?
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,119
That is right.This sounds very good!
I´m sure this will make the tool much more easy to use for the average user while it still has all the mighty options to fine tune...
Pressing "Lock" after clean install will enable all default protections, while "Lock" and "Unlock" will toggle custom configuration if there have been made changes to the default configuration, right?
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,119
But in the first stage, I would like to make a GUI switch for newbies:
Default Deny (ON / OFF)
This switch will only change SRP Default Protection Level to Unrestricted (OFF) or restore the default-deny setting (ON --> Basic User or Disallowed). The user will not have to log-off, the setting is applied immediately.
.
In the OFF setting, the protection will allow anything, except when something is explicitly disallowed in Hard_Configurator. If Hard_Configurator was set to the recommended settings, then switching OFF still protects Windows folder and shortcuts, and also will block: PowerShell script execution, Windows Script Host, Remote Access, 16-bit applications, Shell Extensions, Cached Logons. But the user will be able to run almost any file (EXE, COM, MSI, SCR, BAT, CMD, HTA, etc.).
.
The Default Deny (ON / OFF) switch cannot be used for disabling all Hard_Configurator protection, but may be used by the newbie when the installation of the application cannot be made via 'Run As SmartScreen'.
@Daniel Keller did you need something more than that when you troubleshoot your computers? For example, the option to allow scripts or Remote Access?
Default Deny (ON / OFF)
This switch will only change SRP Default Protection Level to Unrestricted (OFF) or restore the default-deny setting (ON --> Basic User or Disallowed). The user will not have to log-off, the setting is applied immediately.
.
In the OFF setting, the protection will allow anything, except when something is explicitly disallowed in Hard_Configurator. If Hard_Configurator was set to the recommended settings, then switching OFF still protects Windows folder and shortcuts, and also will block: PowerShell script execution, Windows Script Host, Remote Access, 16-bit applications, Shell Extensions, Cached Logons. But the user will be able to run almost any file (EXE, COM, MSI, SCR, BAT, CMD, HTA, etc.).
.
The Default Deny (ON / OFF) switch cannot be used for disabling all Hard_Configurator protection, but may be used by the newbie when the installation of the application cannot be made via 'Run As SmartScreen'.
@Daniel Keller did you need something more than that when you troubleshoot your computers? For example, the option to allow scripts or Remote Access?
- Dec 28, 2016
- 86
@Andy Ful , sounds perfekt to me.
Most of the time it‘s all about problems during installations. So, no scripts and remote access are ok to me.
Most of the time it‘s all about problems during installations. So, no scripts and remote access are ok to me.
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,119
That is fine.@Andy Ful , sounds perfekt to me.
Most of the time it‘s all about problems during installations. So, no scripts and remote access are ok to me.
For now, the same effect will be when pressing the left green button before installation (OFF), and after installation (ON).
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,119
I finished the SwitchDefaultDeny utility:
for Windows 64-bit: Hard_Configurator/SwitchDefaultDeny(x64).exe at master · AndyFul/Hard_Configurator · GitHub
for Windows 32-bit: Hard_Configurator/SwitchDefaultDeny(x86).exe at master · AndyFul/Hard_Configurator · GitHub
The executable should be copied to 'C:\Windows\Hard_Configurator' folder and the user can make the shortcut to it on the desktop.
.
SwitchDefaultDeny is a companion utility to Hard_Configurator. It works only when Software Restrictions Policies are properly activated in Hard_Configurator. It can be useful on the computers of inexperienced users, when there are problems with application installations via 'Run As SmartScreen' or 'Run as administrator'. In such case, the user can use SwitchDefaultDeny to:
disable Default Deny Protection >> install applications >> enable Default Deny Protection
The changes are applied immediately (log-off is not needed).
.
When switching to the OFF setting, this utility simply changes SRP Default Security Level to Unrestricted (the old value is saved), and adds the autorun entry to start with Windows.
When switching to the ON setting, it restores the old SRP Default Security Level setting ('Basic User' or 'Disallowed') and deletes the autorun entry.
.
There are also some additional options available from the menu:
Help - shows this help
About - shows an info about SwitchDefaultDeny
Do not start with Windows - deletes the SwitchDefaultDeny autorun entry even when set to OFF.
Exit - exits the utility
.
SwitchDefaultDeny has no impact on the below Hard_Configurator SRP options:
<Block Sponsors>, <Protect Windows Folder>, <Protect Shortcuts>, and all non-SRP options related to blocking scripts and system hardening.
.
I would like to thank @BBs19 autoitscript.com forum member for developing excellent MetroGUI UDF:
MetroGUI UDF v5.1 - Windows 10 style buttons, toggles, radios, menu etc.
for Windows 64-bit: Hard_Configurator/SwitchDefaultDeny(x64).exe at master · AndyFul/Hard_Configurator · GitHub
for Windows 32-bit: Hard_Configurator/SwitchDefaultDeny(x86).exe at master · AndyFul/Hard_Configurator · GitHub
The executable should be copied to 'C:\Windows\Hard_Configurator' folder and the user can make the shortcut to it on the desktop.
.
SwitchDefaultDeny is a companion utility to Hard_Configurator. It works only when Software Restrictions Policies are properly activated in Hard_Configurator. It can be useful on the computers of inexperienced users, when there are problems with application installations via 'Run As SmartScreen' or 'Run as administrator'. In such case, the user can use SwitchDefaultDeny to:
disable Default Deny Protection >> install applications >> enable Default Deny Protection
The changes are applied immediately (log-off is not needed).
.
When switching to the OFF setting, this utility simply changes SRP Default Security Level to Unrestricted (the old value is saved), and adds the autorun entry to start with Windows.
When switching to the ON setting, it restores the old SRP Default Security Level setting ('Basic User' or 'Disallowed') and deletes the autorun entry.
.
There are also some additional options available from the menu:
Help - shows this help
About - shows an info about SwitchDefaultDeny
Do not start with Windows - deletes the SwitchDefaultDeny autorun entry even when set to OFF.
Exit - exits the utility
.
SwitchDefaultDeny has no impact on the below Hard_Configurator SRP options:
<Block Sponsors>, <Protect Windows Folder>, <Protect Shortcuts>, and all non-SRP options related to blocking scripts and system hardening.
.
I would like to thank @BBs19 autoitscript.com forum member for developing excellent MetroGUI UDF:
MetroGUI UDF v5.1 - Windows 10 style buttons, toggles, radios, menu etc.
Attachments
Last edited:
- Dec 28, 2016
- 86
Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,119
Yes, it is a cosmetic button. But, it can be functional if someone will find out the interesting function for it.
- Dec 28, 2016
- 86
Hi Andy,
just wanna say, the switch does a great job. I installed it on a few machines of average users and it works great so far. It is much easier to understand and to use. Thanks alot.
Please allow me to ask: When will we see the Hard_Configurator + easy Switch + Configure_Defender all in one suite?
just wanna say, the switch does a great job. I installed it on a few machines of average users and it works great so far. It is much easier to understand and to use. Thanks alot.
Please allow me to ask: When will we see the Hard_Configurator + easy Switch + Configure_Defender all in one suite?
Similar threads
-
- Sticky
