Hard_Configurator - Windows Hardening Configurator

[Andy Ful]

Hi, wouldn't it be a good idea to block exe's and derivatives from running in powershell or cmd?

Edit: Or at least have that option for those who want to activate it.

It is only possible to block CMD or PowerShell, so they cannot be used to run anything.

 

[eonline]

Then you could, if you think it necessary, put an option to block powershell and cmd then. Thank you very much.

 

[Andy Ful]

Then you could, if you think it necessary, put an option to block powershell and cmd then. Thank you very much.

This option is already included (use <Block Sponsors>).

 

[eonline]

It's not so blocked after all. Another question can you make an option, if you don't have one, that you prevent the execution of cscript.exe, runas.exe and derivatives that execute sometimes malicious things? Thank you very much.

 

[Andy Ful]

It's not so blocked after all. Another question can you make an option, if you don't have one, that you prevent the execution of cscript.exe, runas.exe and derivatives that execute sometimes malicious things? Thank you very much.

View attachment 268628

Please read the help for <Block Sponsors> to understand what happened.
If you want to use SRP to block programs with Admin rights then you should read the section "Enforcement for ‘All users’ (experimental feature)" in the H_C manual.

 

[Andy Ful]

I don't think this is correct, you can disable SAC but can't re-enable again without reset/reinstall Windows.

After some updates, I noticed that you were right. Now, I can change it from ON to OFF.

 

[Andy Ful]

One of the H_C testers reported that SRP does not work properly on the current builds of Windows 11 22H2 (Windows Insider). I confirmed this issue and reported it to Microsoft. I suspect that this issue can be caused by Smart App Control which is in the early stage and can cause conflicts.

 

[ForgottenSeer 95367]

Smart App Control which is in the early stage and can cause conflicts.

While Windows Defender Application Control (WDAC) development appears to have stalled. Microsoft was talking about WDAC a lot years ago, but now it rarely mentions it. New release notes pertaining to WDAC are non-existent now. Defensive PowerShell pros at GIAC\SANS say WDAC is a dead horse and have removed it from their course materials (WDAC was removed 5 years ago; SANS stopped teaching it).

 

[Andy Ful]

While Windows Defender Application Control (WDAC) development appears to have stalled. Microsoft was talking about WDAC a lot years ago, but now it rarely mentions it. New release notes pertaining to WDAC are non-existent now. Defensive PowerShell pros at GIAC\SANS say WDAC is a dead horse and have removed it from their course materials (WDAC was removed 5 years ago; SANS stopped teaching it).

MDAC (WDAC) is hidden in Smart App Control. I noticed a few MDAC policies added and they seem to use new undocumented features. The MDAC policies are uneasy to manage for Administrators and did not achieve popularity, so far.

 

[ForgottenSeer 95367]

MDAC (WDAC) is hidden in Smart App Control. I noticed a few MDAC policies added and they seem to use new undocumented features. The MDAC policies are uneasy to manage for Administrators and did not achieve popularity, so far.

All evidence points to MDAC (WDAC) being dead as far as future development. SANS professionals have very close working relationships with Microsoft and if they decided to stop teaching WDAC, it must be a dead horse.

 

[WhiteMouse]

All evidence points to MDAC (WDAC) being dead as far as future development. SANS professionals have very close working relationships with Microsoft and if they decided to stop teaching WDAC, it must be a dead horse.

I haven't heard anything about this. I'm currently using MDAC to protect my PC, too bad if Microsoft is going to stop develop this feature without anything to replace it.

 

[ForgottenSeer 95367]

I haven't heard anything about this. I'm currently using MDAC to protect my PC, too bad if Microsoft is going to stop develop this feature without anything to replace it.

Microsoft more often than not slows or ceases development and then makes no comment. For example, does anyone remember PowerShell Desired State Configuration (DSC)? For a couple of years Microsoft promoted it hard. Then after a few years Microsoft just stopped talking about DSC. Now DSC resides in the realm of projects Microsoft started, but has not finished. Oh Microsoft has online documentation for DSC, and it lists that it is "still in development," but when you start to dig around and ask Microsoft questions about the current state of DSC and its future there is nothing but silence. This sort of behavior from Microsoft has been a part of all things PowerShell since 1.0 and it is just not limited to PoSh. The same Microsoft behavior applies to AppLocker, SRP, MDAC (WDAC), and others. Lots of things Microsoft brings to market ultimately just "fade away." AppLocker is a good example. Microsoft still ships it with Windows images, but there is no work being done on AppLocker.

MS works on these kinds of features in small teams. Sometimes key personnel will leave Microsoft and then the project will stagnate for a long time - sometimes years. Other times, these small teams do not coordinate among themselves very well. The result is very slow progress. It is a good bet that the slow progress of WDAC is due to such internal issues or logistics.

You can search for MDAC release notes, but you will not find much of anything (that is significant) within the past 5 years. Microsoft certainly has not made WDAC a top priority to refine in order to make it a serious, user-friendly, practical replacement for SRP, AppLocker, Configurable Code Integrity (CCI - the forerunner of WDAC), and so on.

If the good folks at SANS have dropped teaching MDAC (WDAC), it is a pretty good indication that it is a stagnant Windows feature. They have deep contacts within Microsoft and are in a position to know I asked Jason Flossen at SANS why he no longer taught WDAC, and his reply was basically "WDAC is a dead duck."

 

[ForgottenSeer 77194]

Feature Request: Add more hardening policies options similar to Syshardener.

For example, LSA Protection is an important one.

 

[Andy Ful]

Feature Request: Add more hardening policies options similar to Syshardener.
View attachment 269268

For example, LSA Protection is an important one.

All required and useful restrictions are already added. The H_C is very different from Syshardener and far more restrictive. So, the options that can improve the Syshardener security, are not required in the H_C.
Enabling LSA protection is not needed in the home environment, especially with H_C settings. Protecting LSA is required to prevent lateral movement in the enterprise environment. Anyway, If one wants to harden LSA then it is possible via Configuredefender which is integrated with H_C.

 

[simmerskool]

Andy asking this (& running and ducking for cover) now running win10, & win11 does not like my hardware. I did use H_C in the past, but stepped away from MT for several months++, and I H_C is not installed or not running best I can tell, right now I am running Voodooshield. Trying to keep it simple on win10. Any point in running H_C with VS, or do they compliment one another? I saw your posts re SAC for win11, and got the urge to ask. (PS I do not recall if I ran H_C & VS together in the past, my bad)

 

[Andy Ful]

Trying to keep it simple on win10. Any point in running H_C with VS, or do they compliment one another?

Running them both is possible, but not recommended. Such a setup would be too complex. Some people use VS with Simple Windows Hardening. Anyway, I did not test VS for a long time, so I do not know if SWH is really needed. You can ask @danb.

 

[ForgottenSeer 77194]

Andy asking this (& running and ducking for cover) now running win10, & win11 does not like my hardware. I did use H_C in the past, but stepped away from MT for several months++, and I H_C is not installed or not running best I can tell, right now I am running Voodooshield. Trying to keep it simple on win10. Any point in running H_C with VS, or do they compliment one another? I saw your posts re SAC for win11, and got the urge to ask. (PS I do not recall if I ran H_C & VS together in the past, my bad)

Something you could do is use Voodooshield as the default deny module and use SWH for the hardening part (No SRP).

 

[oldschool]

Any point in running H_C with VS,

None at all. As @Andy Ful points out, it's too complex. Choose one from H_C, SWH or VS. Anything else is overkill. Stay safe, not paranoid!

 

[dicious]

Do I understand correctly installing 22h2 update on win11makes H_C obsolete? I am using Avast_hardened_mode_aggressive profile that comes with the program...

 

[ForgottenSeer 95367]

Do I understand correctly installing 22h2 update on win11makes H_C obsolete? I am using Avast_hardened_mode_aggressive profile that comes with the program...

On W11 22H2, the status of H_C is not yet clear; more testing and observations need to be done.