Hard_Configurator - Windows Hardening Configurator

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
Will you report the Bug to MS?
Yes, I will. But first, I have to find out how to do it.:)
This bug is not related to recommended Hard_Configurator settings. The funny thing is, that SUA worked fine on my wife's computer, because of <Disable Elevation on SUA> set to ON, so there is no possibility to use SAS on SUA (every elevation attempt is blocked). Only admin account was affected.
 
Last edited:

Reldel1

Level 2
Verified
Jun 12, 2017
50
Andy, a few weeks ago I installed Hard_Configurator on a Windows 10 Home machine to experiment with it. After a few days I realized I had an old Pro license lying dormant and used that license to install on the machine. Before the switch to Pro I uninstalled HC but even after it uninstalled a remnant of it remains within Settings>Apps>Apps and Features. I've searched regedit and used autoruns and process explorer to try and find the file but cannot find it. Any idea where it may reside so I can remove it?
 
  • Like
Reactions: Andy Ful and shmu26

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
Andy, a few weeks ago I installed Hard_Configurator on a Windows 10 Home machine to experiment with it. After a few days I realized I had an old Pro license lying dormant and used that license to install on the machine. Before the switch to Pro I uninstalled HC but even after it uninstalled a remnant of it remains within Settings>Apps>Apps and Features. I've searched regedit and used autoruns and process explorer to try and find the file but cannot find it. Any idea where it may reside so I can remove it?
What version you installed? What did you do to uninstall Hard_Configurator?
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
64 bit version and I uninstalled from Settings>Apps>Apps and Features>Hard_Configurator uninstall. Prior to this I reset within HC to remove applied settings.
I did the same without any issues. Something in your computer prevented the uninstallation.
What other security applications are installed?
 
  • Like
Reactions: neon and shmu26

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
Only Windows Defender with default settings for exploit protection, controlled folder protection turned off. Smartscreen settings set to block. App store settings set to warn before install.
Nothing that could stop uninstallation. You said that you can see the Hard_Configurator entry in Apps and Features. What happens when you click on this entry?
If you can see an error alert, then probably something deleted the uninstallation files. The simplest method to repair this will be installing Hard_Configurator again and uninstalling it just after that. Please, use the latest version:
Hard_Configurator/Hard_Configurator_setup(x64)_beta_3.1.0.0.exe at master · AndyFul/Hard_Configurator · GitHub
 
Last edited:

Reldel1

Level 2
Verified
Jun 12, 2017
50
Nothing that could stop uninstallation. You said that you can see the Hard_Configurator entry in Apps and Features. What happens when you click on this entry?
If you can see an error alert, then probably something deleted the uninstallation files. The simplest method to repair this will be installing Hard_Configurator again and uninstalling it just after that. Please, use the latest version:
Hard_Configurator/Hard_Configurator_setup(x64)_beta_3.1.0.0.exe at master · AndyFul/Hard_Configurator · GitHub

Worked, problem solved. One other item I changed before the install of HC, changed app settings to allow apps from anywhere instead of what my setting had been, WARN when installing apps from out of store. I've noticed the warn setting can tend to delay the UAC screen offering before the install option is offered. I sometime think this delay wonks an install. Thanks, keep up the good work.
 
  • Like
Reactions: Andy Ful and shmu26

Daniel Keller

Level 2
Verified
Dec 28, 2016
86
Hi @Andy Ful ,
I'm working with HC quite a while now and I'm still very impressed. I installed it on some PC of non experienced users and it works like a charm most of the time.
Sometimes though it is necessary to disable the SRP rules and the further protections temporary. I found that for the inexperienced user (who sometimes even has problems with English language) it is still complicated to press 4 buttons to temporary disable the protection. Further more if they only need to once in a while.

So I asked myself if it would be possible to create an all simple on / off GUI as first layer after starting the tool. This way user could toggle the restrictions just by one single click. This tool could serve as inspiration (just first layer GUI wise): IWR Consultancy : Simple Software-Restriction Policy.

The above tool also has the option to reactivate the restrictions after restart. This would be also handy for HC if possible.
How do you think about this?
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
Actually, the user in most cases can simply press the left green button to partially unlock SRP restrictions. This does not require log-off and SRP Default Security Level is set to Unrestricted. After installing applications, the user simply should press the left green button again to reactivate restrictions.
.
If the other restrictions have to be fully deactivated then after pressing green buttons, log-off is required.
.
I am thinking about a simple GUI as follows:
Lock / Allow EXE / Unlock / Configure
The "Lock" will activate predefined options.
The "Allow EXE" will activate recommended options but EXE files will be allowed and Userprofile Temp folder will be whitelisted for all files.
The 'Unlock" will deactivate all restrictions except SMB.
The "Configure" will execute Hard_Configurator.
.
All options require log-off to fully apply changes.
.
Yet, after "Unlock" the user may not log-off because many SRP restrictions will be deactivated (Default Security Level = Unrestricted). This will not deactivate other SRP features like <Enforcement>, <Block Sponsors> or <Protect Shortcuts> because those options require log-off. But those options will hardly block something when <Default Security Level> is set to Unrestricted.
 

Daniel Keller

Level 2
Verified
Dec 28, 2016
86
This sounds very good!(y)
I´m sure this will make the tool much more easy to use for the average user while it still has all the mighty options to fine tune...

Pressing "Lock" after clean install will enable all default protections, while "Lock" and "Unlock" will toggle custom configuration if there have been made changes to the default configuration, right?
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
This sounds very good!(y)
I´m sure this will make the tool much more easy to use for the average user while it still has all the mighty options to fine tune...

Pressing "Lock" after clean install will enable all default protections, while "Lock" and "Unlock" will toggle custom configuration if there have been made changes to the default configuration, right?
That is right.:)
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
But in the first stage, I would like to make a GUI switch for newbies:
Default Deny (ON / OFF)
This switch will only change SRP Default Protection Level to Unrestricted (OFF) or restore the default-deny setting (ON --> Basic User or Disallowed). The user will not have to log-off, the setting is applied immediately.
.
In the OFF setting, the protection will allow anything, except when something is explicitly disallowed in Hard_Configurator. If Hard_Configurator was set to the recommended settings, then switching OFF still protects Windows folder and shortcuts, and also will block: PowerShell script execution, Windows Script Host, Remote Access, 16-bit applications, Shell Extensions, Cached Logons. But the user will be able to run almost any file (EXE, COM, MSI, SCR, BAT, CMD, HTA, etc.).
.
The Default Deny (ON / OFF) switch cannot be used for disabling all Hard_Configurator protection, but may be used by the newbie when the installation of the application cannot be made via 'Run As SmartScreen'.
@Daniel Keller did you need something more than that when you troubleshoot your computers? For example, the option to allow scripts or Remote Access?
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
@Andy Ful , sounds perfekt to me. :cool:
Most of the time it‘s all about problems during installations. So, no scripts and remote access are ok to me.
That is fine.:)
For now, the same effect will be when pressing the left green button before installation (OFF), and after installation (ON).
 
  • Like
Reactions: harlan4096 and neon

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
I finished the SwitchDefaultDeny utility:
for Windows 64-bit: Hard_Configurator/SwitchDefaultDeny(x64).exe at master · AndyFul/Hard_Configurator · GitHub
for Windows 32-bit: Hard_Configurator/SwitchDefaultDeny(x86).exe at master · AndyFul/Hard_Configurator · GitHub
The executable should be copied to 'C:\Windows\Hard_Configurator' folder and the user can make the shortcut to it on the desktop.
.
SwitchDefaultDeny is a companion utility to Hard_Configurator. It works only when Software Restrictions Policies are properly activated in Hard_Configurator. It can be useful on the computers of inexperienced users, when there are problems with application installations via 'Run As SmartScreen' or 'Run as administrator'. In such case, the user can use SwitchDefaultDeny to:
disable Default Deny Protection >> install applications >> enable Default Deny Protection
The changes are applied immediately (log-off is not needed).
.
When switching to the OFF setting, this utility simply changes SRP Default Security Level to Unrestricted (the old value is saved), and adds the autorun entry to start with Windows.
When switching to the ON setting, it restores the old SRP Default Security Level setting ('Basic User' or 'Disallowed') and deletes the autorun entry.
.
There are also some additional options available from the menu:
Help - shows this help
About - shows an info about SwitchDefaultDeny
Do not start with Windows - deletes the SwitchDefaultDeny autorun entry even when set to OFF.
Exit - exits the utility
.
SwitchDefaultDeny has no impact on the below Hard_Configurator SRP options:
<Block Sponsors>, <Protect Windows Folder>, <Protect Shortcuts>, and all non-SRP options related to blocking scripts and system hardening.

.
I would like to thank @BBs19 autoitscript.com forum member for developing excellent MetroGUI UDF:
MetroGUI UDF v5.1 - Windows 10 style buttons, toggles, radios, menu etc.
 

Attachments

  • Switch Default Deny.png
    Switch Default Deny.png
    46.3 KB · Views: 473
Last edited:

Daniel Keller

Level 2
Verified
Dec 28, 2016
86
Hi Andy,
this really looks great! Just made some short tests and it worked just as intended.
Btw has the "default deny protection" button any use? I mean, it seems to be a button, right?
 
  • Like
Reactions: neon

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,598
Hi Andy,
this really looks great! Just made some short tests and it worked just as intended.
Btw has the "default deny protection" button any use? I mean, it seems to be a button, right?
Yes, it is a cosmetic button. But, it can be functional if someone will find out the interesting function for it.:)
 

Daniel Keller

Level 2
Verified
Dec 28, 2016
86
Hi Andy,

just wanna say, the switch does a great job. I installed it on a few machines of average users and it works great so far. It is much easier to understand and to use. Thanks alot.

Please allow me to ask: When will we see the Hard_Configurator + easy Switch + Configure_Defender all in one suite? :)
 
  • Like
Reactions: oldschool

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top