Hard_Configurator - Windows Hardening Configurator

skiper

Level 1
Apr 6, 2021
16
Sorry for the offtopic but I have one last question that keeps me awake at night. :) I'm thinking that maybe by mistake he left it out.

I use Defender with maximum settings and firewall hardening rules and nothing else. No SWH or H_C here.

Just CD MAX+FirewallHardening with LOLBins and no Run By SmartScreen?
 

skiper

If I understand correctly, Sponsors=LOLBins?

I'm thinking of @oldschool's configuration. If Sponsors=LOLBins, can FirewallHardening ADD LOLBins be obtained in this way too?

1. Press <Load Profile> and choose All_OFF.hdc
2. Press <(Re)Install SRP>
3. Press <Block Sponsors> <Select All>
4. Apply changes.

There are 178 in total.

Is one better than the other? Is it better to block LOLBins from FirewallHardening or Sponsors this way? Do LOLBins contain the same number?
 

skiper

Do the lists have similar content, and the only difference is how they prevent an attack?

I really wanted to ask you, in your setup do you also run Run By SmartScreen?
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
Is one better than the other? Is it better to block LOLBins from FirewallHardening or Sponsors this way? Do LOLBins contain the same number?

Blocking all LOLBins via <Block Sponsors> can be kinda risky for most users. I do not recommend it, as a set-and-forget setup.
I block all LOLBins on one of my wife's computers, but she uses it only for web browsing, watching films, and listening to music.
Blocking outbound connections via FirewallHardening is much less invasive.
 

skiper

Well the idea wasn't to be paranoid about blocking everything. :)
I was thinking of something else.

I saw that the Enhanced profiles add 22 Sponsors. But with LOLBins added, do the 22 Sponsors make sense? Or a profile without Enhanced and just with LOLBins? I was thinking maybe they overlap...

I also have a question: do the Recommended Settings of this Default-Deny setup work "like a wall"? If you watch what the SmartScreen warns and don't use the Default Deny Switch to turn it off, can you get infected? The only weakness may be the SmartScreen if it is tricked?

I mean, for example, without using Install By SmartScreen, if I have a folder full of all sorts of "viruses" and I pick them up one by one, can anything get past the Default-Deny setup? Are they blocked with the message "This app has been blocked by your system administrator"?

Because I'm not good at it and in my head it looks that way. Click click click click and nothing happens :)
 

oldschool

Level 84
Verified
Top Poster
Well-known
Mar 29, 2018
7,595
also have a question: do the Recommended Settings of this Default-Deny setup work "like a wall"? If you watch what the SmartScreen warns and don't use the Default Deny Switch to turn it off, can you get infected?
Why don't you start a PC configuration thread and you can get feedback there? As to your question, the recommended settings are plenty secure, but don't go downloading malware files.
 

wat0114

Level 13
Verified
Top Poster
Well-known
Apr 5, 2021
619
I just went back to H_C from WHHL on Windows 11 21H2 Pro, recently imaged btw, because I like the extra configurability of H_C. I have the "High" setting for CF, Disallowed/Skip DLLs for SRP, and Block Sponsors -> Enhanced but not Script interpreters (16 checked) enabled. I might start adding more Sponsors to block, as my Windows needs are simple browsing, some Office like Excel and Word, and a little email. That's about it. Logs can be checked if something doesn't work as expected, so modifications to the Sponsors list can be made if it caused the breakage, and of course SRP and CF rules can be modified as well.

@skiper

you could easily start with Recommended settings as oldschool suggests, then if you like, add additional protections in a piecemeal fashion if you want to enhance security, even if it's not needed.
 

Andy Ful

I mean, for example, without using Install By SmartScreen, if I have a folder full of all sorts of "viruses" and I pick them up one by one, can anything get past the Default-Deny setup? Are they blocked with the message "This app has been blocked by your system administrator"?

Almost all will be blocked, except files that cannot be blocked (like documents, media files, etc.). The unblocked files will be opened by legal applications, but some of those files can be exploits. If you use MS Office and Adobe Reader, then almost all exploits can be prevented by Defender with ConfigureDefender High, Interactive, or Max settings.

When you use other applications for opening documents, you should restrict them (especially macros and scripts). If not then you can block some popular LOLBins + CMD and PowerShell console.

It is still possible, but very improbable that something else can hurt your system.
Even if you completely lock your system with all known security applications, there will always be some (minimal) probability of infection.
 

Andy Ful

There can probably be some difference in computer security when getting out of bed on the right side.
It is good to realize that adding more and more security makes a similar difference. :)
 

Azazel

Is it possible to block PowerShell scripts by SRP and not globally by Reg Tweak?
Or are scripts capable of easily bypassing SRP?
 

Andy Ful

Is it possible to block PowerShell scripts by SRP and not globally by Reg Tweak?
Or are scripts capable of easily bypassing SRP?

Yes, they can be restricted only by SRP (without blocking all scripts). SRP in H_C restricts PowerShell scripts and PowerShell CmdLines by applying ConstrainedLanguage Mode.
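
An added example, not part of the post above and not Hard_Configurator code: a way to check from inside a PowerShell session whether ConstrainedLanguage mode is actually in effect. The function name and the three probes are chosen here for illustration; each probe is harmless and only reports whether the operation succeeded.

```powershell
# Added example: report the session's language mode, then attempt operations
# that need more than core types and record what actually happened.
function Test-LanguageModeRestriction {
    # FullLanguage, ConstrainedLanguage, RestrictedLanguage or NoLanguage
    $mode = $ExecutionContext.SessionState.LanguageMode

    # Hypothetical probe set (not from the original thread).
    $probes = @(
        @{ Name = 'Add-Type (compile inline C#)'
           Test = { Add-Type -TypeDefinition 'public class HcProbe { }' -ErrorAction Stop } },
        @{ Name = 'New-Object on a non-core .NET type'
           Test = { $null = New-Object System.Diagnostics.Stopwatch -ErrorAction Stop } },
        @{ Name = 'Static method on a non-core .NET type'
           Test = { $null = [System.IO.Path]::GetTempPath() } }
    )

    foreach ($p in $probes) {
        try {
            & $p.Test
            $result = 'allowed'
        } catch {
            # Keep the engine's own message so the reason is visible.
            $result = 'failed: ' + $_.Exception.Message
        }
        New-Object psobject -Property @{
            LanguageMode = "$mode"
            Probe        = $p.Name
            Result       = $result
        }
    }
}

Test-LanguageModeRestriction | Format-List LanguageMode, Probe, Result
```

Run it in the same kind of session you want to verify (for example a standard-user console), since the language mode is a property of the session, not of the machine.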
 

sypqys

Level 5
Apr 18, 2022
217
Hello!

I really like this free tool. All the work done by the developer... thank you for this software.

I understand that settings make Windows difficult to access, but with whitelisting, I find it fine.

How to set Hard_Configurator to make Windows secure and not unusable or difficult to use?
What to check?

Is it OK like this?
 

Andy Ful

Hello!

I really like this free tool. All the work done by the developer... thank you for this software.

I understand that settings make Windows difficult to access, but with whitelisting, I find it fine.

How to set Hard_Configurator to make Windows secure and not unusable or difficult to use?
What to check?


Is it OK like this?

It would be better to set <Block Remote Access> = ON and use FirewallHardening to restrict outbound connections of popular LOLBins (H_C Recommended).
You can also set <Forced SmartScreen> = "Standard User" and use "Run By SmartScreen" from the Explorer context menu as an on-demand file reputation scanner.
In such settings, the EXE and MSI files are protected mostly by AV (not blocked by H_C).
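
An added example, not part of the post above and not FirewallHardening's own code: an audit of which programs currently have an enabled outbound block rule, assuming the blocks are ordinary Windows Defender Firewall rules. The function names and the four file names are a constructed sample for illustration, not the FirewallHardening LOLBins list.

```powershell
# Constructed sample list for illustration; NOT the FirewallHardening list.
$SampleNames = 'mshta.exe', 'regsvr32.exe', 'certutil.exe', 'bitsadmin.exe'

function Get-OutboundBlockRule {
    # ActiveStore is the merged set of rules in effect (local + policy).
    Get-NetFirewallRule -PolicyStore ActiveStore -Direction Outbound `
                        -Action Block -Enabled True |
        ForEach-Object {
            $rule = $_
            $app  = $rule | Get-NetFirewallApplicationFilter
            # Skip rules that are not bound to a specific program path.
            if ($app.Program -and $app.Program -ne 'Any') {
                New-Object psobject -Property @{
                    Rule    = $rule.DisplayName
                    Program = $app.Program
                    Leaf    = Split-Path -Leaf $app.Program
                }
            }
        }
}

function Test-OutboundBlockCoverage {
    param([string[]]$Names)
    $rules = @(Get-OutboundBlockRule)
    foreach ($n in $Names) {
        # -eq on strings is case-insensitive in PowerShell.
        $hits = @($rules | Where-Object { $_.Leaf -eq $n })
        New-Object psobject -Property @{
            Binary  = $n
            Blocked = ($hits.Count -gt 0)
            Paths   = ($hits | ForEach-Object { $_.Program }) -join '; '
        }
    }
}

Test-OutboundBlockCoverage -Names $SampleNames |
    Format-Table Binary, Blocked, Paths -AutoSize
```

The Paths column matters on 64-bit Windows: a rule is tied to one full path, so a binary that exists in both System32 and SysWOW64 needs a rule for each copy.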
 

sypqys

Hello!

I want to play some tracks with my Echo Dot 5 (Alexa) by Bluetooth and it doesn't work.
I have added some changes on my H_C.

If I switch off "Switch Default Deny" and the problem occurs, it is not H_C?
