Hard_Configurator - Windows Hardening Configurator

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,223
it is strange behavior
one upgraded system 11 22h2 CLM does not work
another upgraded 11 22h2 system CLM does work; dot-net of some scripts is blocked by CLM
Although SRP is still a valuable security layer on Windows 10 and server editions, I think that using SRP on Windows 11 22H2 can be risky, without proper testing. Microsoft tries to introduce some new security features that can be sometimes incompatible with old ones.
 

piquiteco

Level 14
Oct 16, 2022
624
Yes. IIRC it has a W8 and other profiles, but I haven't used it in quite some time.
Thank you very much! @oldschool for answering my question and thank you for your attention!(y)
It works for Windows Vista up to Windows 10. On Windows 11, it works only when upgraded from Windows 10.
@Andy Ful Thanks! for the information, it's good to know. Always, I have followed your posts here on the forum, before I registered here on MT. ;)
 

Andrezj

Level 6
Nov 21, 2022
248
this might not be place to ask, has anyone come across a way to set powershell language mode to 'no language'
no language is a requirement for powershell just enough administration (jea) and it is set on a remote target by settign the language mode in the session configuration file (.pssc), jea is enforced, if i am correct, only when user connects to remote target using powershell remoting
does anyone know the key values for the different language modes at this key?

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\CodeIdentifiers\DefaultLevel

this should be open source windows internals information

enforcing language mode for a session\not permanently can be done by launching powershell with this command string or converting this into a script, but this is does not protect the machine if malware launches powershell:

Start-Process -FilePath "powershell" -ArgumentList ($ExecutionContext.SessionState.LanguageMode = "NoLanguage")

i suppose one can configure just enough administration (jea) on localhost, which will block all cmdlets by default, set a role for the configured users on the machine, and then specify in their session configuration files that powershell runs in nolanguage (or constrained language) mode, but this is might be a problem as user must connect to interactive powershell session using cmdlet Enter-PSSEssion -ComputerName localhost, and this means powershell remoting must be enabled on localhost, so not a very good solution, this however will protect system against powershell abuse by attacker or malware

there is applocker and device guard, but that is not a good solution either as, i might be mistaken, nolanguage mode cannot be set - only constrained language is enforced through these
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,223
this might not be place to ask, has anyone come across a way to set powershell language mode to 'no language'
This can be done via CmdLine (as you posted) or by using the profile script. You can look at my old thread:
https://malwaretips.com/threads/how-do-you-secure-powershell.70981/post-623772

Both ways are not especially useful.

there is applocker and device guard, but that is not a good solution either as, i might be mistaken, nolanguage mode cannot be set - only constrained language is enforced through these
It is better to block powershell.exe and use only powershell_ise.exe to run CmdLines.
Another possibility is blocking PowerShell via SRP or AppLocker and using High or System privileges to still run PowerShell scripts. System privileges are required when we choose to block PowerShell also for Administrators.
 

Andrezj

Level 6
Nov 21, 2022
248
This can be done via CmdLine (as you posted) and by using the profile script:

Both ways are not especially useful.


It is better to block powershell.exe and use only powershell_ise.exe to run CmdLines.
i suppose i can install hard configurator, set all enforcements, and at least grab the key value for constrained language mode

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\CodeIdentifiers\DefaultLevel

but of course no values for other language modes, more importantly not sure if those language modes will be enforced by the above key, or their values to verify enforcement

or i can try populate profile.ps1 with each language mode individually, run a separate test for each, try with hard configuration srp enabled, see if there is a way that the other language mode defined in profile.ps1 will change the registry key value, with great luck get those key values

microsoft powershell team :unsure:
 

Andrezj

Level 6
Nov 21, 2022
248
Can be bypassed by the "-noprofile" switch.
yes, i know

setting language mode in profile.ps1 just to see if value of

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\CodeIdentifiers\DefaultLevel

changes while srp is enabled (whitelist profile.ps1 filepath), restart system, then, with a lot of luck it works and we get the numeric key value for each language mode
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,223
I am using Windows 11 Pro v22H2, clean installed 2 months back. For security, I am using Kaspersky Total Security and tweaked with @harlan4096 Hardened System with Kaspersky. Windows is on default settings, encrypted Drives with BitLocker, but Windows SAC is OFF. So, can I use your Hard_Configurator v6.0.1.1? If yes, do I need to tweak any settings?
There is no need to use H_C in such a configuration on any Windows version. Furthermore, on Windows 11 v22H2 (clean installation), some important restrictions (related to SRP) will not work.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,223
@Andy Ful

Maybe an idea to add Microsoft recommended block rules as a category or include them in recommended sponsors?

From the list of MS I noticed these are missing in the list of sponsors

Dotnet.exe
Microsoft.Build.dll
Microsoft.Build.Framework.dll
msbuild.dll
webclnt.dll
davsvc.dll
For now, I am busy with the conception of HomeApplocker, but it is probable that LOLBins will be updated in the next year.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,223
In W10 for Office 2021 what DocumentsAntiExploit setting in Default Deny will be more efficient:
ON 1 or ON 2?
Try ON2. If it will be too restrictive, then use ON1 and adjust the settings via Microsoft Office applications (Word, Excel, PowerPoint). After adjustments, the ON1 setting in the DocumentAntiExploit tool can change to Partial. (y)
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top