Hard_Configurator - Windows Hardening Configurator

Andy Ful · Sep 13, 2024

Gandalf_The_Grey said:
Is there a difference between the Windows 8 Basic Recommended Settings and the Windows 11 SAC ON Recommended Settings profiles if you want to use H_C like SWH on Windows 11?

They are different.
Windows 8 Basic Recommended Settings Windows 11 SAC ON Recommended Settings

SWH application on Windows 11 is equal to Windows_11_SAC_ON_Recommended_Settings.
However, the SWH settings in WHHLight have one additional option ---> * User Folders *.

bazang · Sep 16, 2024

Feature Request: Threshold time-out to auto-re-enable SRP and\or Restrictions that the user has disabled. At the least generate a notification that protections are disabled after X amount of time being disabled.

I cannot count how many times I disabled SRP or Restrictions to perform an action or maintenance on a system, but then forgot to re-enable what I disabled in Hard_Configurator. It is infrequent for me to disable protections, but there are occasional - perhaps once or twice per year - updates that require it.

Andy Ful · Sep 16, 2024

bazang said:
Feature Request: Threshold time-out to auto-re-enable SRP and\or Restrictions that the user has disabled. At the least generate a notification that protections are disabled after X amount of time being disabled.

I do not plan to do it. H_C is intended to work as a configurator (no real-time features, no scheduled tasks, etc.). Furthermore, some users can use H_C without activating SRP. The only exception is with SwitchDefaultDeny (included in HC).
If SRP is switched OFF via SwitchDefaultDeny, the autorun registry key is added to execute SwitchDefaultDeny in the next Windows session.

bazang said:
I cannot count how many times I disabled SRP or Restrictions to perform an action or maintenance on a system, but then forgot to re-enable what I disabled in Hard_Configurator. It is infrequent for me to disable protections, but there are occasional - perhaps once or twice per year - updates that require it.

For simply disabling all SRP restrictions, a more convenient tool is SwitchDefaultDeny:

bazang · Sep 17, 2024

Andy Ful said:
I do not plan to do it. H_C is intended to work as a configurator (no real-time features, no scheduled tasks, etc.).

I understand the reasons for your decision.

Andy Ful said:
If SRP is switched OFF via SwitchDefaultDeny, the autorun registry key is added to execute SwitchDefaultDeny in the next Windows session.

For simply disabling all SRP restrictions, a more convenient tool is SwitchDefaultDeny:

I have used it. It works. But dependent upon the circumstances I sometimes disable SRP, particularly to eliminate the configuration as a source of a problem.

LOL I will write PowerShell script and create a startup task that runs the script that displays a message "Did you re-enable H_C?"

Andy Ful · Sep 17, 2024

bazang said:
LOL I will write PowerShell script and create a startup task that runs the script that displays a message "Did you re-enable H_C?"

You can add the check for the registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer_Hard_Configurator\CodeIdentifiers
"TurnOFFAllSRP"="1"

So, the alert will be triggered only when H_C is switched OFF:

Andy Ful · Sep 19, 2024

Hard_Configurator 7.0.0.1 beta

https://github.com/AndyFul/Hard_Configurator/raw/master/Hard_Configurator_7.0.0.1_beta.exe

The beta version can be installed over the previous versions.

Added two new ASR rules to ConfigureDefender.
Some corrections in the help files and H_C manual.

sypqys · Sep 25, 2024

Hello

Can H_C or ConfigureDefender settings prevent UserDiag from diagnosing?
or create instabilities, so that some programs don't work properly?
If Switch Default Deny is set to off, I'll know if the problem comes from elsewhere or not?

Thanks

Andy Ful · Sep 25, 2024

Post corrected and updated.

sypqys said:
Hello

Can H_C or ConfigureDefender settings prevent UserDiag from diagnosing?
or create instabilities, so that some programs don't work properly?
If Switch Default Deny is set to off, I'll know if the problem comes from elsewhere or not?

Thanks

UserDiag installs in the user "AppData\Roaming\" directory and unpacks the required executables to the user Temp folder (%LocalAppdata%\Temp\udiag\ ).
It will work with Basic_Recommended_Settings and Recommended_Settings.
When using more restricted settings, the application can be blocked and the application folder must be whitelisted.
If additionally H_C is started with the "-p" switch, it would be necessary to whitelist both the application folder and the "\udiag" folder in the Temp directory.
Furthermore, UserDiag uses some LOLBins like Schtasks, PowerShell, or CMD. These LOLBins should not be restricted via <Block Sponsors>.

Instead of whitelisting, I recommend temporarily deactivating SRP using the SwitchDefaultDeny tool (not necessary in the Basic or Recommended Settings).

sypqys · Sep 25, 2024

it tells me that UserDiag is offline, but it can't be H_C because Switch Defaut Deny is all off...

I'm using Portmaster (free version)...

Is it incompatible with H_C?

Andy Ful · Sep 25, 2024

sypqys said:
it tells me that UserDiag is offline, but it can't be H_C because Switch Defaut Deny is all off...

I'm using Portmaster (free version)...

Is it incompatible with H_C?

You can see the blocked PowerShell outbound connections while inspecting the FirewallHardening Log.
So, you must deactivate the block rules for "powershell.exe" in FirewallHardening (Windows restart required).

Andy Ful · Sep 25, 2024

@sypqys,

I updated my post about UserDiag. It works also with the H_C_Recommended_Settings.

sypqys · Sep 26, 2024

Thank you very much.

So the problem comes from somewhere else...

I'll reinstall Windows on new SSD and touch less with tools... like tweak sys

Andy Ful · Sep 26, 2024

sypqys said:
Thank you very much.

So the problem comes from somewhere else...

Reinstalling Windows is the last thing to do. Please do as follows:

Run the UserDiag and remember the time. Restart the Windows. Run FirewallHardening and inspect the <Blocked events>. Deactivate the block rules for LOLBins blocked at that time.

or

Deactivate all rules in FirewallHardening. Restart Windows.

If UserDiag is still offline, then the issue is unrelated to FirewallHardening.

sypqys · Sep 26, 2024

I need to reinstall windows on a new SSD (clean install). So I'll test then.

Thanks again

bazang · Sep 26, 2024

Andy Ful said:
Hard_Configurator 7.0.0.1 beta

https://github.com/AndyFul/Hard_Configurator/raw/master/Hard_Configurator_7.0.0.1_beta.exe

The beta version can be installed over the previous versions.

Added two new ASR rules to ConfigureDefender.

Some corrections in the help files and H_C manual.

I run Hard_Configurator at maximum settings on my Windows 11 23H2 and 24H2 host machines. Then I run hardened Admin account Windows 23H2 or 24H2 in hardened VMWare Workstation Pro for production work.

I do financial transactions only on the host machine in the SUA. I perform various software and admin work in the hardened Admin account in the hardened VM. I am able to do it all - PowerShell managed Azure to Zero Trust Network Policies, DSC, JEA, PowerShell Remoting, SCCM, InTune Suite, Microsoft Device Manager, Vuln Scanning, Patch Management, WSUS, PKI and other cryptography management, dev & test net environments, etc. Selective & Targeted pentesting from a Kali Linux VM too.

Never - ever - encountered a problem involving Hard_Configurator that could not be troubleshot, diagnosed and resolved in 5 minutes or less.

This is not difficult.

EZPZ

This integrated platform utilizing Hard_Configurator has worked and worked really well since Hard_Configurator v1.0.

Then again, I change my underwear daily but only change my systems (clean install & rebuild) every 3 years or so. For a lot of people here those operations are reversed - figuratively speaking.

PS - If you could provide your (web or other) info source list (just a list), then I could likely get Hard_Configurator listed on the internal US DoD and other agencies' approved software list. I bet at least a few people within Agencja Wywiadu are using it.

Andy Ful · Sep 26, 2024

bazang said:
PS - If you could provide your (web or other) info source list (just a list), ...

I am unsure what "info source list" means.

Andy Ful · Sep 26, 2024

sypqys,

Portmaser uses outbound connections via PowerShell.
UserDiag uses outbound connections via Curl.
So it is necessary to deactivate FirewallHardening rules for those LOLBins.

simmerskool · Sep 26, 2024

bazang said:
Then again, I change my underwear daily but only change my systems (clean install & rebuild) every 3 years or so. For a lot of people here those operations are reversed - figuratively speaking.

Andy Ful · Sep 26, 2024

bazang said:
Then again, I change my underwear daily but only change my systems (clean install & rebuild) every 3 years or so. For a lot of people here those operations are reversed - figuratively speaking.

I would like to believe, that "reversed" means:
I change my system every 3 years or so but only change my underwear daily.

bazang · Sep 27, 2024

Andy Ful said:
I am unsure what "info source list" means.

Sources (e.g. Microsoft Learn, others) that you used to determine the "What & How" to harden Windows and make Hard_Configurator make those hardening steps. (Not source code.)

Andy Ful said:
I would like to believe, that "reversed" means:
I change my system every 3 years or so but only change my underwear daily.

"Reversed" = They change their underwear every 3 years but change their systems daily. Figuratively speaking.

Hard_Configurator - Windows Hardening Configurator

From Hard_Configurator Tools

Level 6

From Hard_Configurator Tools

Level 6

From Hard_Configurator Tools

From Hard_Configurator Tools

Level 5

From Hard_Configurator Tools

Level 5

From Hard_Configurator Tools

From Hard_Configurator Tools

Level 5

From Hard_Configurator Tools

Level 5

Level 6

From Hard_Configurator Tools

From Hard_Configurator Tools

sypqys,​

Level 36

From Hard_Configurator Tools

Level 6

Similar threads

sypqys,