Hard_Configurator - Windows Hardening Configurator

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,111
Hi Andy,

just wanna say, the switch does a great job. I installed it on a few machines of average users and it works great so far. It is much easier to understand and to use. Thanks a lot.

Please allow me to ask: When will we see the Hard_Configurator + easy Switch + Configure_Defender all in one suite? :)
I am waiting for the new Windows version to test it.:)
The new 'suite' will be released as WDDS application = Windows Default-Deny Security. It will contain a simplified GUI with predefined setting profiles and Hard_Configurator + ConfigureDefender will be available via Advanced settings.
It is too soon to say what the final version will be, because I am still working on the GUI and options (see the attachment).
 

Attachments

  • WDDS.png

Andy Ful

Wow, that looks terrific!
Testing with new Windows 10 version makes sense of course. Looking forward to the final version (y):) .

This is such a great tool. Thank you very much for all your efforts and the continued support.
Thanks. I am glad to hear that you found it useful.:)
 

Andy Ful

Andy,
I wanted to chime in and thank you for your continued development. I have been using both your Hard_C and Config Defender on two machines with 1803 Windows builds and found no visible problems. After years of using SRP I have found your implementation and GUI approach much simpler.
You are welcome. It is good news that all works fine on Windows 1803.(y)
 

Andy Ful

With the advent of Spring Creators update, will there be any additional features in Hard-Configurator, or in ConfigureDefender?
I have not decided what options will be included. So far, the below will be added:
1. <ConfigureDefender> button to run ConfigureDefender utility.
2. <Allow EXE files> button in 'Whitelist By Path' window. This feature allows all EXE files except those ticked in <Blocked Sponsors>.
.
The <Allow EXE files> will be the solution for people who want to use Avast with activated Avast Hardened Mode.
.
I am also working on an Anti-Exploit feature to block the active content in MS Office applications (macros, OLE, ActiveX, DDE) and the PDF viewers Adobe Acrobat, FoxitPDF, SumatraPDF.
SumatraPDF will be restricted through an INI file (no active content, no external links, no Registry access, no file access, etc.) and Exploit Guard.
 

Andy Ful

So if I understand right, this feature will work even without Windows Defender enabled?
That would be awesome.
Windows 10 FCU allows using Exploit Guard for applications even with third-party AV. But, it is not possible to configure ASR and Controlled Folder Access when using PowerShell cmdlets (Defender is required).
Blocking macros, OLE, ActiveX, and DDE in MS Office applications does not require activating Defender.
 

Andy Ful

Got it. So ASR will remain a Defender feature, but the other features you mentioned are not limited to Defender.
Yes, ASR (FCA) are Defender type features. When I tested ASR with Avast, it worked but I could not re-configure ASR settings via PowerShell cmdlets.
 

Andy Ful

I had MS Office and PDF document vulnerabilities in mind for a long time. I did not include them in Hard_Configurator because the changes in the registry were in the HKCU registry hive, which can be accessed as a standard user. But finally, I changed my mind.:)
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
I am presently trying out the "Recommended SRP" settings.
Making exceptions, in order to allow certain things to run in user space, is not harder than it is with comparable third-party solutions. So SRP is a winner.
Thanks for making all this accessible.
 

shmu26

SRP in Hard_Configurator also allows blocking many vulnerable system tools (<More SRP ...> <Block Sponsors>). The Windows events blocked by SRP can be recognized via <Tools> <Run SRP/Scripts EventLog View>.
Right. I saw that. Very cool.
Now the million dollar question is which sponsors you really truly don't need as a home user?
Let's ignore powershell and windows script host, because they have their own special settings in Hard_Configurator.
 

shmu26

Right. I saw that. Very cool.
Now the million dollar question is which sponsors you really truly don't need as a home user?
Let's ignore powershell and windows script host, because they have their own special settings in Hard_Configurator.
Okay, after reviewing the basics of SRP, I see that my question is not so important after all. Because system-initiated processes run with elevated privileges, so SRP restrictions will not apply to them.
So if I understand right, you won't mess up your OS by blocking sponsors.
 

Andy Ful

Right. I saw that. Very cool.
Now the million dollar question is which sponsors you really truly don't need as a home user?
Let's ignore powershell and windows script host, because they have their own special settings in Hard_Configurator.
That depends on what applications you are using for managing files with potentially vulnerable content (MS Office and PDF documents, e-mail attachments, etc.).
The recommended Windows security configuration, when using Windows Defender antivirus and Recommended Hard_Configurator settings, is as follows:
1. Protected View - use Universal Applications from Microsoft Store for viewing/printing Office documents and PDF/EPUB... files. Those applications use App Container isolation, so it is hard to exploit them.
2. Use your favorite desktop Office applications and favorite desktop PDF/EPUB... readers/editors for managing documents created by yourself or from trusted sources.
3. Activate ASR in Windows Defender.
4. Use Edge or Chrome as a default web browser - both have strong sandboxes.
5. Use safe DNS (like Adguard DNS) or at least any adblock extension in the web browser.
6. Do not ignore SmartScreen alerts when running application installers via 'Run As SmartScreen' from Explorer context menu.
.
For home users, the above configuration applies decent prevention against all kinds of malware and exploits. A similar but slightly weakened configuration (no Protected View from point 1.) was tested on Malware Hub and protected against all tested malware samples including malicious documents.
.
Generally, the more elements of the recommended security configuration are weakened, the stronger the Hard_Configurator settings should be. For example, dropping point 1. in favor of using an unsupported MS Office 2007 for viewing documents opens many vulnerabilities (OLE, DDE commands, ActiveX components, etc.). Still, even in such a case, Hard_Configurator recommended settings + ASR can apply pretty good protection. But that can be insufficient to stop more sophisticated malware related to Office documents. So, a user with happy clicker habits should activate additional restrictions for file execution via <Blocked Sponsors>.
The most wanted will be those sponsors which can compile/run C# code, change the Registry or run scriptlets:
  • csc.exe, InstallUtil.exe (C# code),
  • reg.exe, powershell.exe, powershell_ise.exe (Registry changes),
  • mshta.exe, regsvr32.exe (scriptlets), etc.
.
On many computers, users can activate all Hard_Configurator restrictions without problems, but in some hardware/software configurations that will not be possible and the optimal protection can be adjusted only by advanced users.
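
One way to see which sponsors SRP is actually blocking before deciding what to leave enabled, as an added example that is not part of the thread or of Hard_Configurator: it tallies SRP block events per executable and flags those on the sponsor list from the post above. The function name `Get-SrpBlockSummary`, the sample events and their GUIDs are constructed for illustration; it assumes the standard Windows SRP event IDs and message wording.

```powershell
# Sponsors listed in the post above, spelled as the binaries ship in Windows.
$Sponsors = 'csc.exe', 'InstallUtil.exe', 'reg.exe', 'powershell.exe',
            'powershell_ise.exe', 'mshta.exe', 'regsvr32.exe'

# SRP block events written to the Application log:
# 865 = default security level, 866 = path rule, 867 = certificate rule, 868 = zone/hash rule.
$SrpBlockIds = 865, 866, 867, 868

function Get-SrpBlockSummary {   # hypothetical helper name
    param([Parameter(Mandatory)][object[]]$Events)

    $rows = foreach ($e in $Events) {
        if ($e.Id -notin $SrpBlockIds) { continue }
        # Block messages begin "Access to <path> has been restricted by your Administrator ..."
        if ($e.Message -match '^Access to (?<path>.+?) has been restricted') {
            $path = $Matches['path']
            [pscustomobject]@{
                Path  = $path
                Image = ($path -split '\\')[-1]   # file name only
                Time  = $e.TimeCreated
            }
        }
    }
    if (-not $rows) { return }   # nothing blocked in the supplied events

    # One row per blocked image: count, last occurrence, sponsor flag, distinct paths.
    $rows | Group-Object Image | ForEach-Object {
        [pscustomobject]@{
            Image     = $_.Name
            Blocks    = $_.Count
            LastSeen  = ($_.Group | Sort-Object Time | Select-Object -Last 1).Time
            IsSponsor = $_.Name -in $Sponsors   # -in is case-insensitive
            Paths     = ($_.Group.Path | Sort-Object -Unique) -join '; '
        }
    } | Sort-Object Blocks -Descending
}

# Constructed sample events (not real log data) so the function can be tried offline.
$sample = @(
    [pscustomobject]@{ Id = 866; TimeCreated = [datetime]'2018-04-20T10:01:00'
        Message = 'Access to C:\Windows\System32\mshta.exe has been restricted by your Administrator by location with policy rule {11111111-1111-1111-1111-111111111111} placed on path C:\Windows\System32\mshta.exe.' }
    [pscustomobject]@{ Id = 866; TimeCreated = [datetime]'2018-04-20T10:05:00'
        Message = 'Access to C:\Windows\SysWOW64\mshta.exe has been restricted by your Administrator by location with policy rule {22222222-2222-2222-2222-222222222222} placed on path C:\Windows\SysWOW64\mshta.exe.' }
    [pscustomobject]@{ Id = 865; TimeCreated = [datetime]'2018-04-21T09:30:00'
        Message = 'Access to C:\Users\alice\Downloads\setup.exe has been restricted by your Administrator by the default software restriction policy level.' }
)
Get-SrpBlockSummary -Events $sample | Format-Table -AutoSize

# On a live system, pass the real events instead of $sample:
# Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = $SrpBlockIds;
#     ProviderName = 'Microsoft-Windows-SoftwareRestrictionPolicies' }
```

A sponsor that shows many blocks from the same user session right after it was ticked is a sign that some installed software depends on it.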
 
