Hard_Configurator - Windows Hardening Configurator

[Gandalf_The_Grey]

Hard_Configurator on Windows 11 with SAC ON.

In April, I plan to publish H_C ver. 6.1.1.1 with full support for Windows 11 ver. 22H2 (fresh installation).
This will include the correction which enables SRP, so it can be used alongside SAC.
But, there is a question: Is SRP really required with SAC?

The answer can depend on how tight protection is wanted. I think that many users will like the protection as follows:

• SAC ON and No SRP (the left panel in H_C deactivated).
• PowerShell scripts and Windows Script Host are blocked via Windows policies.
• Remote features and SMB protocols are blocked.
• ConfigureDefender set to HIGH Protection Level.
• FirewallHardening configured with Recommended H_C settings.
• If MS Office is installed, then it is recommendable to use DocumentsAntiExploit tool.

View attachment 273863

The above settings can be also applied with the current H_C version 6.0.1.1.

In the version 6.1.1.1, it will be possible to apply any SRP restrictions on Windows 11 ver. 22H2 with SAC ON.
For example (setup similar to Basic_Recommended_Settings):

View attachment 273862

@Andy Ful Are you planning to release an update for Simple Windows Hardening?

 

[Andy Ful]

@Andy Ful Are you planning to release an update for Simple Windows Hardening?

Yes, probably in May or June.

 

[Gandalf_The_Grey]

Yes, probably in May or June.

May I suggest the 27th of May, it would be great birthday present

 

[eonline]

I am testing the beta and works very well with SAC activated, the only thing I noticed are many restart orders after adding to the white list. But everything works as it should. Thank you so much. All the best.

 

[Gandalf_The_Grey]

@Andy Ful Every time you open Hard_Configurator (beta 6.1.1.1) and don't change a thing (looking at the logs for example) and press close Hard_Configurator ask you to restart the computer to apply the new configuration.
But there is no new configuration, so this message shouldn't be shown.

EDIT: Same issue with the switch default deny tool.

 

[Andy Ful]

@Andy Ful Every time you open Hard_Configurator (beta 6.1.1.1) and don't change a thing (looking at the logs for example) and press close Hard_Configurator ask you to restart the computer to apply the new configuration.
But there is no new configuration, so this message shouldn't be shown.

EDIT: Same issue with the switch default deny tool.

I know. It is one of two minor bugs I noticed so far. The second is "Wdded" instead of "Added" in the "What is new" info.
I will push a second beta at the end of April.

 

[eonline]

After several of these messages and something about the SRP giving the option to continue and reconfigure everything again, I decided to uninstall it.

 

[Andy Ful]

After several of these messages and something about the SRP giving the option to continue and reconfigure everything again, I decided to uninstall it.
View attachment 274791

You had executed H_C with -p switch (not recommended), so it started blocking processes with admin rights. Next, you tried to start H_C without -p switch, so H_C showed the alert with 3 choices: <RESTART WINDOWS>, <CHANGE and EXIT>, <EXIT>.
If you want to run H_C when blocking admin processes then H_C must be run with -p switch (one can edit the CmdLines in the H_C and SwitchDefeaultDeny shortcuts).
If you want to stop H_C from blocking admin processes, you must choose <RESTART WINDOWS> from the alert (it is noted as a recommended action because blocking admin processes can produce some issues - this setting must be used with caution and only by very experienced users ).
The details are in the manual in the section ENFORCEMENT FOR "ALL USERS" (experimental feature).

 

[Andy Ful]

After some investigations, I found out why SRP is turned off after creating the Child Account via Microsoft Family Safety.

This issue was discovered several years ago, but no one (as far as I know) could explain it.
The reason is simple. After creating the Child Account, some AppLocker Policies are added. But, these policies are not introduced via GPO, because AppLocker GPO could not work on Windows Home and Pro until the year 2022.
Microsoft Family Safety uses AppLocker via MDM WMI Bridge, which is possible with Windows 7+ on all Windows editions (including Windows Home and Pro).
Unfortunately, after removing the Child Account the AppLocker Policy files are not removed (unpleasant bug)! So, in the case of Family Safety, the issue will persist, until the policy files are manually removed.
The current beta version of H_C can detect the issue and show the alert about AppLocker Policies. Furthermore, the SRP restrictions from the left panel are deactivated (but not removed from the Registry):

After removing the AppLocker Policies, the H_C left panel is activated again.

In fact, this issue is similar to the SRP issue on Windows 11 ver. 22H2. In both cases, it is caused by some AppLocker rules invisible via GPO.

Conclusion.
The SRP issues related to Windows 11 and Family Safety are not entirely new and are not related to the new security features implemented in Windows 11. The roots of these issues are related to AppLocker, and the full functionality of SRP can be easily recovered.

 

[ForgottenSeer 93786]

I seem to be facing a problem, whenever I double click any file in appdata's sub-directories, its somehow bypassing the SRP, without having to right click and bypass smartscreen. despite the fact this is not only at default settings, but ive also never whitelisted those directories. It's both for Local and Roaming, but not for LocalLow. I have never experienced something like this with H_C before, I only noticed it when Java wasn't blocked, as it used to be, when trying to run Minecraft, as it's located in Appdata Local's subdirectories. I have reinstalled H_C, and reverted to Recommended settings, and I still the same result.

Spoiler

 

[Andy Ful]

I seem to be facing a problem, whenever I double click any file in appdata's sub-directories, its somehow bypassing the SRP, without having to right click and bypass smartscreen. despite the fact this is not only at default settings, but ive also never whitelisted those directories.

In the Recommended Settings on Windows 8+, the folders AppData and ProgramData allow the execution of *.exe and *.msi files (other file types are blocked) except for some temporary locations used by archiving applications and email clients. The reasons/pros/cons are explained in the H_C manual (look into the section RECOMMENDED SETTINGS). This is how Recommended Settings work from ver. 5.0.0.1.

 

[Andy Ful]

Hard_Configurator ver. 6.1.1.1 (beta 2) - support for Windows 22H2.
https://github.com/AndyFul/Hard_Configurator/raw/master/Hard_Configurator_Beta2_6.1.1.1.exe

It can be installed over the previous versions. Please read the information included in the Quick Configuration info displayed during the installation. No important differences from the previous beta except for some corrected bugs.

What is new (as compared to the stable version 6.0.1.1):

	1. Added support for Windows 11 ver. 22H2
	2. Added new setting profiles:
	Windows_11_SAC_ON_Recommended_Settings.hdc
	Windows_11_SAC_ON_NoSRP.hdc
	3. Added certoc.exe, cipher.exe, pnputil.exe, and scp.exe to the list of blocked sponsors.
	4. Added the ONE extension (OneNote document).
	5. Removed the OFF2 option in the DocumentsAntiExploit tool. Now, ON2 settings include also all ON1 settings.
	ON2 settings require resetting (ON2 --> OFF --> ON2) after the current update.
	6. Updated H_C manual (info about possible issues related to the activated AppLocker).
	7. Corrected some minor bugs.

 

[ForgottenSeer 93786]

In the Recommended Settings on Windows 8+, the folders AppData and ProgramData allow the execution of *.exe and *.msi files (other file types are blocked) except for some temporary locations used by archiving applications and email clients. The reasons/pros/cons are explained in the H_C manual (look into the section RECOMMENDED SETTINGS). This is how Recommended Settings work from ver. 5.0.0.1.

Thats the thing, I never experienced this before. I have been using the 6.0.1.1 before, and it always blocked files in the appdata folder(s) unless you whitelist appdata.

 

[Andy Ful]

Thats the thing, I never experienced this before. I have been using the 6.0.1.1 before, and it always blocked files in the appdata folder(s) unless you whitelist appdata.

When you install the update over the older H_C version, the old settings are not changed (with some rare exceptions). The Recommended Settings are automatically installed when:

1. H_C is installed the first time.
2. H_C was uninstalled and installed again.
3. The user removed the H_C settings via <Tools><Restore Windows Defaults> and then runs H_C again.
4. The user pressed the button <Recommended Settings>.

You can use the setting profile Windows_10_Strict_Recommended_Settings, if you want to also block these folders.
Please read the info from the H_C manual and choose the setting profile which is best for you.

 

[ForgottenSeer 93786]

When you install the update over the older H_C version, the old settings are not changed (with some rare exceptions). The Recommended Settings are automatically installed when:

1. H_C is installed the first time.
2. H_C was uninstalled and installed again.
3. The user removed the H_C settings via <Tools><Restore Windows Defaults> and then runs H_C again.
4. The user pressed the button <Recommended Settings>.

You can use the setting profile Windows_10_Strict_Recommended_Settings, if you want to also block these folders.
Please read the info from the H_C manual and choose the setting profile which is best for you.

Thank you, the strict settings was what I were looking for.

 

[simmerskool]

It is not bad advice ...
but unnecessary here.

well I dunno, I tried some keyloggers in more remote past, and they seemed unusable to me. Maybe some are better now-a-days hopefully current AVs and H_C or SWH help with anti-keylogging??

 

[Andy Ful]

well I dunno, I tried some keyloggers in more remote past, and they seemed unusable to me. Maybe some are better now-a-days hopefully current AVs and H_C or SWH help with anti-keylogging??

H_C (SWH) is a preventive setup. So, it can prevent the installation/execution of the keylogger.

The H_C is not intended to fight the keylogger already running in memory. Of course, some of the keylogger's actions can still be mitigated by advanced Defender settings, blocking remote features, and by FirewallHardening but one cannot count it as a comprehensive anti-keylogging.

 

[Trident]

hopefully current AVs and H_C or SWH help with anti-keylogging??

I think what @Harputlu meant there on that thread (judging by their previous posts in regards to CheckPoint/ZoneAlarm as well) is one of these keystroke encryption methods that’s been in G Data, ZoneAlarm, Kaspersky and potentially other products for quite some time.
They aim to mitigate the damage if keylogger infection is successful but the objective of Hard_Configurator is to prevent any infection by disabling the point of entry.
Keylogging mitigation (or other mitigations such as anti ransomware that auto-copies files in repository and restores them post-infection) are not necessary.

So it is not relevant to this thread in any way.

 

[Andy Ful]

Hard_Configurator ver. 6.1.1.1 (beta 3)

https://github.com/AndyFul/Hard_Configurator/raw/master/Hard_Configurator_Beta3_6.1.1.1.exe

Some additional checks have been added, to avoid potential problems with misconfigured AppLocker.

 

[ErzCrz]

Hard_Configurator ver. 6.1.1.1 (beta 3)

https://github.com/AndyFul/Hard_Configurator/raw/master/Hard_Configurator_Beta3_6.1.1.1.exe

Some additional checks have been added, to avoid potential problems with misconfigured AppLocker.

Nice one, look forward to testing it. I had a anomaly with Thunderbird downloading messages taking longer that without H_C installed but still investigating as to whether it's a H_C, FirewallHardening or ConfigureDefender related thing.

Anyway, looking forward to trying out the new beta