Hard_Configurator - Windows Hardening Configurator

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,380
Is there a difference between the Windows 8 Basic Recommended Settings and the Windows 11 SAC ON Recommended Settings profiles if you want to use H_C like SWH on Windows 11?

They are different.
[Image comparing the two profiles: Windows 8 Basic Recommended Settings | Windows 11 SAC ON Recommended Settings]


The SWH application on Windows 11 is equal to Windows_11_SAC_ON_Recommended_Settings.
However, the SWH settings in WHHLight have one additional option ---> * User Folders *.
 

bazang

Level 5
Jul 3, 2024
228
Feature Request: Threshold time-out to auto-re-enable SRP and/or Restrictions that the user has disabled. At the least generate a notification that protections are disabled after X amount of time being disabled.

I cannot count how many times I disabled SRP or Restrictions to perform an action or maintenance on a system, but then forgot to re-enable what I disabled in Hard_Configurator. It is infrequent for me to disable protections, but there are occasional - perhaps once or twice per year - updates that require it.

 

Andy Ful

Feature Request: Threshold time-out to auto-re-enable SRP and/or Restrictions that the user has disabled. At the least generate a notification that protections are disabled after X amount of time being disabled.
I do not plan to do it. H_C is intended to work as a configurator (no real-time features, no scheduled tasks, etc.). Furthermore, some users can use H_C without activating SRP. The only exception is with SwitchDefaultDeny (included in HC).
If SRP is switched OFF via SwitchDefaultDeny, the autorun registry key is added to execute SwitchDefaultDeny in the next Windows session.

I cannot count how many times I disabled SRP or Restrictions to perform an action or maintenance on a system, but then forgot to re-enable what I disabled in Hard_Configurator. It is infrequent for me to disable protections, but there are occasional - perhaps once or twice per year - updates that require it.

For simply disabling all SRP restrictions, a more convenient tool is SwitchDefaultDeny:

[Attached images: 1726490538878.png, 1726490620329.png]
 

bazang

I do not plan to do it. H_C is intended to work as a configurator (no real-time features, no scheduled tasks, etc.).
I understand the reasons for your decision.

If SRP is switched OFF via SwitchDefaultDeny, the autorun registry key is added to execute SwitchDefaultDeny in the next Windows session.

For simply disabling all SRP restrictions, a more convenient tool is SwitchDefaultDeny:
I have used it. It works. But depending upon the circumstances I sometimes disable SRP, particularly to eliminate the configuration as a source of a problem.

LOL I will write a PowerShell script and create a startup task that runs the script that displays a message "Did you re-enable H_C?"
 

Andy Ful

LOL I will write a PowerShell script and create a startup task that runs the script that displays a message "Did you re-enable H_C?"

You can add the check for the registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer_Hard_Configurator\CodeIdentifiers
"TurnOFFAllSRP"="1"

So, the alert will be triggered only when H_C is switched OFF:

[Attached image: 1726584364828.png]
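
The startup check discussed in the two posts above, as an added example that is not part of the thread and is not code from Hard_Configurator or from either poster. The registry key and value name are the ones quoted in the post; the string comparison, the function names, the script path and the task name are assumptions made for illustration.

```powershell
# Added example, not part of Hard_Configurator. Key path and value name are the
# ones quoted in the post above. The post does not state the value type, so the
# data is compared as a string (assumption: "1" may be REG_SZ or REG_DWORD).
$KeyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\safer_Hard_Configurator\CodeIdentifiers'
$ValueName = 'TurnOFFAllSRP'

function Test-SrpSwitchedOff {
    param([string]$Path = $KeyPath, [string]$Name = $ValueName)
    # A missing key or value means the OFF marker is absent: no alert.
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ([string]$item.$Name).Trim() -eq '1'
}

function Show-SrpReminder {
    Add-Type -AssemblyName System.Windows.Forms
    [void][System.Windows.Forms.MessageBox]::Show(
        'SRP is switched OFF (TurnOFFAllSRP = 1). Did you re-enable H_C?',
        'Hard_Configurator reminder',
        [System.Windows.Forms.MessageBoxButtons]::OK,
        [System.Windows.Forms.MessageBoxIcon]::Warning)
}

# Alert only when the OFF marker is present, as suggested in the post.
if (Test-SrpSwitchedOff) { Show-SrpReminder }

# One-time registration as a logon task, run from an elevated prompt.
# The script path and task name are hypothetical:
#   $a = New-ScheduledTaskAction -Execute 'powershell.exe' `
#        -Argument '-NoProfile -WindowStyle Hidden -File "C:\Scripts\Test-HCState.ps1"'
#   $t = New-ScheduledTaskTrigger -AtLogOn
#   Register-ScheduledTask -TaskName 'HC-SRP-Reminder' -Action $a -Trigger $t
```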
 

Andy Ful

Post corrected and updated.

Hello

Can H_C or ConfigureDefender settings prevent UserDiag from diagnosing?
or create instabilities, so that some programs don't work properly?
If Switch Default Deny is set to off, I'll know if the problem comes from elsewhere or not?

Thanks

UserDiag installs in the user "AppData\Roaming\" directory and unpacks the required executables to the user Temp folder (%LocalAppdata%\Temp\udiag\).
It will work with Basic_Recommended_Settings and Recommended_Settings.
When using more restricted settings, the application can be blocked and the application folder must be whitelisted.
If additionally H_C is started with the "-p" switch, it would be necessary to whitelist both the application folder and the "\udiag" folder in the Temp directory.
Furthermore, UserDiag uses some LOLBins like Schtasks, PowerShell, or CMD. These LOLBins should not be restricted via <Block Sponsors>.

Instead of whitelisting, I recommend temporarily deactivating SRP using the SwitchDefaultDeny tool (not necessary in the Basic or Recommended Settings).


Andy Ful

it tells me that UserDiag is offline, but it can't be H_C because Switch Default Deny is all off...

I'm using Portmaster (free version)...

Is it incompatible with H_C?

You can see the blocked PowerShell outbound connections while inspecting the FirewallHardening Log.
So, you must deactivate the block rules for "powershell.exe" in FirewallHardening (Windows restart required).
 

Andy Ful

Thank you very much.

So the problem comes from somewhere else...

Reinstalling Windows is the last thing to do. Please do as follows:
  • Run UserDiag and remember the time. Restart Windows. Run FirewallHardening and inspect the <Blocked events>. Deactivate the block rules for LOLBins blocked at that time.
or
  • Deactivate all rules in FirewallHardening. Restart Windows.

If UserDiag is still offline, then the issue is unrelated to FirewallHardening.
 

bazang

Hard_Configurator 7.0.0.1 beta

The beta version can be installed over the previous versions.
  • Added two new ASR rules to ConfigureDefender.
  • Some corrections in the help files and H_C manual.
I run Hard_Configurator at maximum settings on my Windows 11 23H2 and 24H2 host machines. Then I run hardened Admin account Windows 23H2 or 24H2 in hardened VMware Workstation Pro for production work.

I do financial transactions only on the host machine in the SUA. I perform various software and admin work in the hardened Admin account in the hardened VM. I am able to do it all - PowerShell managed Azure to Zero Trust Network Policies, DSC, JEA, PowerShell Remoting, SCCM, Intune Suite, Microsoft Device Manager, Vuln Scanning, Patch Management, WSUS, PKI and other cryptography management, dev & test net environments, etc. Selective & Targeted pentesting from a Kali Linux VM too.

Never - ever - encountered a problem involving Hard_Configurator that could not be troubleshot, diagnosed and resolved in 5 minutes or less.

This is not difficult.

EZPZ

This integrated platform utilizing Hard_Configurator has worked and worked really well since Hard_Configurator v1.0.

Then again, I change my underwear daily but only change my systems (clean install & rebuild) every 3 years or so. For a lot of people here those operations are reversed - figuratively speaking.

PS - If you could provide your (web or other) info source list (just a list), then I could likely get Hard_Configurator listed on the internal US DoD and other agencies' approved software list. I bet at least a few people within Agencja Wywiadu are using it.
 

Andy Ful

Then again, I change my underwear daily but only change my systems (clean install & rebuild) every 3 years or so. For a lot of people here those operations are reversed - figuratively speaking.

I would like to believe that "reversed" means:
I change my system every 3 years or so but only change my underwear daily. :)
 

bazang

I am unsure what "info source list" means. :unsure:
Sources (e.g. Microsoft Learn, others) that you used to determine the "What & How" to harden Windows and make Hard_Configurator make those hardening steps. (Not source code.)

I would like to believe that "reversed" means:
I change my system every 3 years or so but only change my underwear daily. :)
"Reversed" = They change their underwear every 3 years but change their systems daily. Figuratively speaking.
 
