Hard_Configurator - Windows Hardening Configurator

[simmerskool]

Running them both is possible, but not recommended. Such a setup would be too complex. Some people use VS with Simple Windows Hardening. Anyway, I did not test VS for a long time, so I do not know if SWH is really needed. You can ask @danb.

very good. thanks for the feedback. I'll continue to follow this thread, love your all your work, thanks.

 

[simmerskool]

None at all. As @Andy Ful points out, it's too complex. Choose one from H_C, SWH or VS. Anything else is overkill. Stay safe, not paranoid!

Thanks, I'm sticking with VS for now, only because I know it better. I do now recall that I ran H_C in VMWare win10, (long story missing, have not been running vm for awhile)

 

[Andy Ful]

Do I understand correctly installing 22h2 update on win11makes H_C obsolete? I am using Avast_hardened_mode_aggressive profile that comes with the program...

If you did not make a fresh install, then H_C should work with 22H2 update. You can test it by copying the H_C shortcut from the Desktop to your Downloads folder and executing this shortcut from the Downloads folder.
Anyway, if you will refresh the system then SRP restrictions will not work.

 

[oldschool]

One of the H_C testers reported that SRP does not work properly on the current builds of Windows 11 22H2 (Windows Insider). I confirmed this issue and reported it to Microsoft. I suspect that this issue can be caused by Smart App Control which is in the early stage and can cause conflicts.

Does this include SRP via Group Policy? And is Basic User deprecated?

 

[ForgottenSeer 95367]

Does this include SRP via Group Policy?

The SRP section of GPO not working.

 

[Andy Ful]

Does this include SRP via Group Policy?

This is general SRP issue on the fresh installed Windows 11 with 2022 update (build 22H2). No matter if you use GPO or something else.

And is Basic User deprecated?

What exactly do you mean?

 

[oldschool]

What exactly do you mean?

I saw a couple of random posts mention that it no longer works. I believe they are incorrect.

 

[nadis]

The H_C always enabled SmartScreen (except for a few early versions). The whole idea of H_C is based on the Forced SmartScreen.

Late reply, but please reconsider this.
People can have various reasons for not using SmartScreen or any other anti-malware solution, whether it's performance related or privacy related or anything else.
(I saw that uninstalling H_C 6.* also re-enables SS. But it looks like the SS related Group Policy settings stick if you toggle them to default and back.)



And I found a bug in H_C, at recommended settings:
If a shortcut (*.lnk) is more than a few folders deep, the linked app gets blocked. For example:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\1\2\shortcut.lnk — works
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\1\2\3\shortcut.lnk — does not work

This problem doesn't happen when setting SRP rules in GP, only with H_C.

 

[ForgottenSeer 95367]

And I found a bug in H_C, at recommended settings:

Windows 10 or 11?

NOTE: Lots of problems in browser posting here at MT. Sorry for separate question.

 

[Andy Ful]

I saw a couple of random posts mention that it no longer works. I believe they are incorrect.

I meant "Basic User"?

 

[Andy Ful]

Late reply, but please reconsider this.
People can have various reasons for not using SmartScreen or any other anti-malware solution, whether it's performance related or privacy related or anything else.

I know, but then they will not be able to use H_C.

And I found a bug in H_C, at recommended settings:
If a shortcut (*.lnk) is more than a few folders deep, the linked app gets blocked. For example:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\1\2\shortcut.lnk — works
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\1\2\3\shortcut.lnk — does not work

This problem doesn't happen when setting SRP rules in GP, only with H_C.

It is not a bug. Almost all applications do not need such deep whitelisting of shortcuts. Furthermore, one can whitelist the blocked shortcut.
Normally, the shortcuts are not blocked when using SRP via GPO.

 

[ForgottenSeer 95367]

And I found a bug in H_C, at recommended settings:
If a shortcut (*.lnk) is more than a few folders deep, the linked app gets blocked. For example:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\1\2\shortcut.lnk — works
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\1\2\3\shortcut.lnk — does not work

This problem doesn't happen when setting SRP rules in GP, only with H_C.

Can you please show image of the LNK rules you configured in SRP rules section of GP?

 

[oldschool]

I meant "Basic User"?

Yes, that's what the posts were referring to.

 

[Andy Ful]

Yes, that's what the posts were referring to.

I know, but is it the "Basic User" setting of the SRP security level? The "Basic User" security level is rarely used. Do you use it?
If so, then I am confused why you think that it might be depreciated. I think that the last time that it changed its functionality was with Windows 7. But, it is also true that I did not use this setting for several years.
Do you have some new information?

 

[nadis]

It is not a bug.

Is it something that H_C does (and if so, why?) or it's a Windows thing?
I know that most apps don't make such long paths, but it can happen.

one can whitelist the blocked shortcut.

Whitelisting the shortcut file didn't work for me, but whitelisting that entire folder did.

Can you please show image of the LNK rules you configured in SRP rules section of GP?

I just set the Start Menu path to 'unrestricted', for the purpose of testing this. I don't usually have LNK rules in SRP.

 

[ForgottenSeer 95367]

I just set the Start Menu path to 'unrestricted', for the purpose of testing this. I don't usually have LNK rules in SRP.

I only asked for an image of the SRP configuration that you made in GPO as you stated earlier:

"This problem doesn't happen when setting SRP rules in GP"

From this statement and the other details provided, it appears that you created specific file (LNK) rules in SRP section of GP. If that is correct, then all of us taking a close look at those configured rules, one of us might find an explanation for the discrepancy between the rules you created in GP SRP and H_C rules.

On an H_C maximum settings VM, I created a test LNK to "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\New folder\New folder\New folder\New folder\New folder\New folder\New folder\New folder\New folder\New folder\New folder\New folder\Test.docx" and placed it onto the Desktop. The Desktop LNK file opens the test document.

I think the devil is in the details. There might be something being done in your test case that is blocking the LNK.

What does shortcut.lnk in your test point to?

Over the past couple of years, I have run into isolated cases of LNK AND document files on the Desktop being randomly blocked. They would enter a "locked" state where I could not open them, moving them around was blocked, and other quirky behaviors such as no errors or notifications. That is really odd and almost seems a permissions corruption. It happened only two or three times. I cannot recall if it followed a Windows Update. I know the behavior did not follow any H_C version update. And I made no H_C policy changes that would account for the behavior. In troubleshooting the issue it appeared to me to be a Windows corruption issue because if I disabled both H_C SRP and Restrictions (turned all of H_C OFF), the issue still persisted. I could only get it to fix by resetting the rules by reinstalling H_C (over-writing the existing corrupted rules). That tells me that the cause is more likely to be Windows itself because H_C is only a front-end to the underlying Windows technology. That is not to say that H_C cannot do something like corrupting the rules itself somehow. But that makes no sense because the issue was spontaneous after many months of no problems and no alterations to H_C policy. My observations could somehow be related to yours, but we can't know this is case for sure.

 

[oldschool]

I know, but is it the "Basic User" setting of the SRP security level? The "Basic User" security level is rarely used. Do you use it?
If so, then I am confused why you think that it might be depreciated. I think that the last time that it changed its functionality was with Windows 7. But, it is also true that I did not use this setting for several years.
Do you have some new information?

I use your threads and an old Kees post Tutorial - Windows Pro owner? Use Software Restriction Policies! for reference to refresh my memory, but I use "Disallowed". I keep it simple without many granular rules. I don't understand Windows well enough to do an advanced setup.

The posts I saw re: Basic User were old and probably referring to the last change during the W7 era that you mentioned. Otherwise I have no new info .

 

[Andy Ful]

Whitelisting the shortcut file didn't work for me, but whitelisting that entire folder did.

The way of allowing/blocking shortcuts was designed by me. I could whitelist shortcuts even deeper, but I do not think that it is necessary.

The explanation of how one can whitelist shortcuts in H_C is included in the help for <Whitelist By Path> setting.

 

[Andy Ful]

I use your threads and an old Kees post Tutorial - Windows Pro owner? Use Software Restriction Policies! for reference to refresh my memory, but I use "Disallowed". I keep it simple without many granular rules. I don't understand Windows well enough to do an advanced setup.

The posts I saw re: Basic User were old and probably referring to the last change during the W7 era that you mentioned. Otherwise I have no new info .

Understand. In some way, the "Basic User" setting is depreciated compared to Windows Vista and XP.
From Windows 7, it is almost the same as the "Disallowed" setting. But when I tested it a few years ago, there were some differences. I think that I put the information about differences in the H_C manual (Table 3 in the section "Software Restriction Policies (SRP)".

 

[ForgottenSeer 95367]

I think that I put the information about differences in the H_C manual (Table 3 in the section "Software Restriction Policies (SRP)".

"Basic User" summary in Manual: