Hard_Configurator - Windows Hardening Configurator

[nadis]

On an H_C maximum settings VM, I created a test LNK to "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\New folder\New folder\New folder\New folder\New folder\New folder\New folder\New folder\New folder\New folder\New folder\New folder\Test.docx" and placed it onto the Desktop. The Desktop LNK file opens the test document.

The problem is not with target files being in those subfolders, but with shortcut (*.lnk) files. Such files are usually created when you install something.

The explanation of how one can whitelist shortcuts in H_C is included in the help for <Whitelist By Path> setting.

Thanks, got it now.

The way of allowing/blocking shortcuts was designed by me. I could whitelist shortcuts even deeper, but I do not think that it is necessary.

I don't see the need to have a limit there, at least not for reasonable folder depths. It can lead to confusion and frustration, also because there's no error message displayed (except in Event Viewer).
FWIW, such a path is created by default by the FurMark installer. According to the download page, it has over 450k downloads.

 

[ForgottenSeer 95367]

The problem is not with target files being in those subfolders, but with shortcut (*.lnk) files. Such files are usually created when you install something.

I tried the reverse test scenario; LNK file in ProgramData Start folder and the target file elsewhere in a 15 nested folder location. The LNK file is not blocked.

 

[Andy Ful]

FWIW, such a path is created by default by the FurMark installer. According to the download page, it has over 450k downloads.

OK. When the shortcut is blocked, you should see an alert. There is no need to search Event Log. The H_C has got a feature to identify blocked events via <Tools> <Blocked Events / Security Logs>.
Anyway, such rare cases can be whitelisted manually. In the next few years, it is possible that another developer will hide the shortcut even deeper. A simple solution is already explained & included in the H_C.
You use GPO - it is worth recalling that H_C is not compatible with SRP activated via GPO.

 

[ErzCrz]

Whitelisting the link folder is the easiest option. I only have 1 program that has a deep link, a 1 minute fix

 

[nadis]

In the next few years, it is possible that another developer will hide the shortcut even deeper.

Yes, and I still don't see why H_C should block it. But I won't insist. Peace.

 

[Andy Ful]

Yes, and I still don't see why H_C should block it. But I won't insist. Peace.

Thanks for your support.
I avoid whitelisting anything, except if it is necessary. For now, I think that it is unnecessary (although it could slightly increase the usability). I may change my mind in the future.

 

[simmerskool]

Thanks, I'm sticking with VS for now, only because I know it better. I do now recall that I ran H_C in VMWare win10, (long story missing, have not been running vm for awhile)

Actually, I got my vmware workstation up and running win10, updated everything, and uninstalled VS as H_C was already installed & config'd circa 2019 on this vm, v5.1.1.2. I assume there's a newer version. can someone point me to the link for the current version as there's 192 pages in this thread. Thanks in advance!

updated edit: I found a link for webpage but it seems to be temp down as win11 has issue with H_C. I'm running win10 as ms doesn't like my xeon cpu.

 

[ForgottenSeer 95367]

H_C was already installed & config'd circa 2019 on this vm, v5.1.1.2. I assume there's a newer version. can someone point me to the link for the current version as there's 192 pages in this thread. Thanks in advance!

Update button in upper left:

as win11 has issue with H_C.

Only W11 22H2 - which Microsoft has blocked access to it because of many problems with it. Microsoft broke a lot of stuff on W11 22H2, such as SRP and WDAC.

 

[simmerskool]

Update button in upper left:

View attachment 269728


Only W11 22H2 - which Microsoft has blocked access to it because of many problems with it. Microsoft broke a lot of stuff on W11 22H2, such as SRP and WDAC.

Thanks, I did see the update button but was not sure if that was for updating H_C or its configuration.

 

[mkoundo]

check out:

GitHub - AndyFul/Hard_Configurator: GUI to Manage Software Restriction Policies and harden Windows Home OS

GUI to Manage Software Restriction Policies and harden Windows Home OS - AndyFul/Hard_Configurator

github.com

 

[simmerskool]

check out:

GitHub - AndyFul/Hard_Configurator: GUI to Manage Software Restriction Policies and harden Windows Home OS

GUI to Manage Software Restriction Policies and harden Windows Home OS - AndyFul/Hard_Configurator

github.com

thanks!

 

[wat0114]

If you did not make a fresh install, then H_C should work with 22H2 update. You can test it by copying the H_C shortcut from the Desktop to your Downloads folder and executing this shortcut from the Downloads folder.
Anyway, if you will refresh the system then SRP restrictions will not work.

Andy,

is it only SRP rules that will not work in H_C if a fresh install of 22H2 is done, or will other functionality of H_C also break?

 

[ForgottenSeer 95367]

Andy,

is it only SRP rules that will not work in H_C if a fresh install of 22H2 is done, or will other functionality of H_C also break?

22H2 does not break H_C; it breaks its own SRP and WDAC. H_C adds no features to Windows; it is only a front-end for security features shipped with Windows. Microsoft is breaking their own SRP and WDAC.

 

[wat0114]

22H2 does not break H_C; it breaks its own SRP and WDAC. H_C adds no features to Windows; it is only a front-end for security features shipped with Windows. Microsoft is breaking their own SRP and WDAC.

Thanks, I know H_C is only a front end for enabling Windows security features, but I just wanted to know if 22H2 somehow broke H_C's ability to do that.

 

[Andy Ful]

Andy,

is it only SRP rules that will not work in H_C if a fresh install of 22H2 is done, or will other functionality of H_C also break?

Only SRP. Other policies, ConfigureDefender, and FirewallHardening work well (not impacted by SAC).

 

[specialone]

hi do i need to run windows 11 security basline before running hard configurator?

thanks

 

[Andy Ful]

hi do i need to run windows 11 security basline before running hard configurator?

thanks

No, you do not need to do this. Please note, that SRP will not work on clean installed Windows 11 (that includes 2020 update). Currently, Microsoft allows SRP only when upgrading from Windows 10 or updating from previous versions of Windows 11.

 

[ForgottenSeer 95367]

Currently, Microsoft allows SRP only when upgrading from Windows 10 or updating from previous versions of Windows 11.

Typical Microsoft. Did you figure this out by trial-and-error, or did you see Microsoft give guidance on this publicly?

 

[Andy Ful]

Typical Microsoft. Did you figure this out by trial-and-error, or did you see Microsoft give guidance on this publicly?

Both.
Microsoft announced that SAC is going to be installed only with clean Windows 11 (with 2022 update) - there are no plans to introduce SAC in Windows 10 or when upgrading from Windows 10 to Windows 11. So, we can think of Windows 10 (and Windows 10 --> 11 upgrade) as of Windows in backward compatibility mode.
By trial and error, I figured out that SRP does not work on Windows Home and Pro due to the installed SAC (even if it is set to OFF).

Post edited.

 

[Andy Ful]

I think that SAC is generally a good direction for home users and hybrid work. Of course, I am not objective because the SAC idea (smart-default-deny prevention) is very similar to H_C. The main difference for users is usability.
When using H_C the home administrator can whitelist or allow blocked executables. Furthermore, the restrictions can be adjusted to the needs.
When using SAC, one must fully rely on Microsoft. So, there is much to do for making SAC usable.