Hard_Configurator - Windows Hardening Configurator

F

ForgottenSeer 95367

This limitation of SAC makes it a dealbreaker from my pov.
SAC is still in the alpha\early beta stage. So it's too early to judge it, but I wouldn't bet 1 euro that Microsoft will make SAC a well-polished product. Just look at MDAC; Microsoft started on it, but then further development came to a crawl. The only real options in the same class of default deny are SMB and enterprise third party security software.
 
  • Like
Reactions: wat0114

wat0114

Level 13
Verified
Top Poster
Well-known
Apr 5, 2021
621
So it's too early to judge it, but I wouldn't bet 1 euro that Microsoft will make SAC a well-polished product.

Unfortunately I think you are right, so I will not be "downgrading" to 22H2. Why can't MS get SAC, which currently seems to be a half-baked joke, to work properly yet? It's like their development team is made up people with stunted attention spans who can't concentrate on anything for more than a few minutes at a time, and are unable to see anything through to to its completion. To me it's inexcusable. I remember clearly years ago Applocker working exactly as intended out of the box when Windows 7 Ultimate was released. And of course before that the same with SRP. Applocker still remains my favourite Windows built-in security feature. Too bad now it's only available to enterprises, Server and the Education version of Windows.

EDIT

Btw, my rant is fueled not just by this SAC stupidity, but also by other bizarre decisions MS has made over the years with Windows versions since 7, such as deprecating the ability to display messages and send emails using Task Scheduler, making Applocker unavailable to individuals, and even the bizarre removal of seconds on their task bar clock.
 
Last edited:
  • Like
Reactions: 1chaoticadult
F

ForgottenSeer 95367

It's like their development team is made up people with stunted attention spans who can't concentrate on anything for more than a few minutes at a time, and are unable to see anything through to to its completion.
Everyone thinks Microsoft's development teams operate in a proficient and military manner. Nothing could be further from the truth. For one, Microsoft has employee turnover that impacts their projects. Then there are competing priorities within the company itself and a lack of long-term commitment to sub-projects.

I don't know why everybody is treating 22H2 as a stable, general release. It's not. It is a preview build. And it is full of problems. So part of the problem are users thinking it is a stable release.
 
Last edited by a moderator:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
Guys, it would be better to continue the discussion about the pros and cons of SAC in another thread, like:
There are several interesting aspects related to SAC and most of them are not related to H_C. :) (y)
 
  • Like
Reactions: ErzCrz

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592

learningexp

Level 1
Nov 7, 2015
13
Applying the recommended settings in HC, ConfDefender and FwHardening results in being unable to install any extension from the edge store (An error has occurred Download interrupted).
Is this related? How should I allow installing extensions?
Thank you!

LE: issues with microsoft servers. Just tried it now and it works. Sorry.
 
Last edited:

Andrezj

Level 6
Verified
Well-known
Nov 21, 2022
248
This is an internal feature of SRP, related to Default Security Level (Disallowed or BasicUser).
on windows 11 pro 22h2 i tested H_C:
install H_C
install SRP
enable default security level = disallow

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\CodeIdentifiers\DefaultLevel = 0

constrained language mode is not enabled in standard user powershell console nor when install H_C with -p switch

[system.console]::WriteLine("Test") is not blocked in standard or admin console; powershell running in full language mode
import-module -name az.account is not blocked in standard or admin console; powershell running in full language mode
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
@Andy Ful I have an old PC that has Win 8.1 installed. Does Hard Configurator work on that version of windows? or is it only on windows 10 and 11? Thanks!
It works for Windows Vista up to Windows 10. On Windows 11, it works only when upgraded from Windows 10.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
Last edited:

Andrezj

Level 6
Verified
Well-known
Nov 21, 2022
248
SRP does not work on Windows 11 22H2.
upgraded system windows 10 to 11
not clean install 11 22h2
srp works fine; constrained language mode does not get set
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,592
upgraded system windows 10 to 11
not clean install 11 22h2
srp works fine; constrained language mode does not get set
Interesting - if SRP works fine then Constrained Language Mode (CLM) should work too. I cannot say for sure, but there can be some incompatibility with other security layers. After your post, I tested SRP + CLM on Windows Home 21H2 (works well) and on Windows Pro 22H2 (did not work). But, in the second case, the issue was related to my tests with HomeApplocker.
It is interesting that removing HomeApplocker policies did not work. The SRP functionality has been restored after removing two folders:
c:\Windows\System32\AppLocker\MDM
c:\Windows\SysWOW64\AppLocker\MDM
 
Last edited:

Andrezj

Level 6
Verified
Well-known
Nov 21, 2022
248
Interesting - if SRP works fine then Constrained Language Mode (CLM) should work too. I cannot say for sure, but there can be some incompatibility with other security layers. After your post, I tested SRP + CLM on Windows Home 21H2 (works well) and on Windows Pro 22H2 (did not work). But, in the second case, the issue was related to my tests with HomeApplocker.
It is interesting that removing HomeApplocker policies did not work. The SRP functionality has been restored after removing two folders:
c:\Windows\System32\AppLocker\MDM
c:\Windows\SysWOW64\AppLocker\MDM
it is strange behavior
one upgraded system 11 22h2 CLM does not work
another upgraded 11 22h2 system CLM does work; dot-net of some scripts is blocked by CLM
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top