Hard_Configurator - Windows Hardening Configurator

Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,482
bazang said:
Sources (e.g. Microsoft Learn, others) that you used to determine the "What & How" to harden Windows and make Hard_Configurator make those hardening steps. (Not source code.)
Click to expand...

Unfortunately, all official resources are related to SRP configuration via GPO.
H_C does not use GPO to apply SRP, so it is documented only in the H_C manual (based on my research).
The initial idea was mentioned on Wilderssecurity forum many years ago (on Windows XP).
Some SRP configurations are specific only to H_C.
That is why H_C will never be listed on the internal US DoD. :)
 
Last edited:
  • Like
  • +Reputation
Reactions: simmerskool and oldschool
bazang

bazang

Level 6
Jul 3, 2024
272
Andy Ful said:
H_C does not use GPO to apply SRP, so it is documented only in the H_C manual (based on my research).

Some SRP configurations are specific only to H_C.

That is why H_C will never be listed on the internal US DoD. :)
Click to expand...
The DoD and other agencies do not have a 100% official Microsoft documented method requirement to obtain approval for use. They all use undocumented methods.

It is possible to obtain approval by supplying the infos of how something was achieved by either adapting official, documented methods or via discovery that it works (e.g. research).

Never say "Never."
 
  • Like
Reactions: Andy Ful, oldschool and simmerskool
sypqys

sypqys

Level 5
Apr 18, 2022
216
Andy Ful said:
Reinstalling Windows is the last thing to do. Please do as follows:
  • Run the UserDiag and remember the time. Restart the Windows. Run FirewallHardening and inspect the <Blocked events>. Deactivate the block rules for LOLBins blocked at that time.
or
  • Deactivate all rules in FirewallHardening. Restart Windows.

If UserDiag is still offline, then the issue is unrelated to FirewallHardening.
Click to expand...

explorer.exe in LOLBins rules was the problem, I think.
I removed the rule, and now all I have to do is restart the computer and make sure that's what it is.

Many thanks again!

I'm starting to understand this tool a little bit thanks to you here...

paintdotnet_fTK8qDPm0o.png
 
  • Like
  • Applause
Reactions: Andy Ful and simmerskool
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,482
sypqys said:
If Office is on block with LOLBins or H_C Recommended, Excel or Word works fine or not?
Click to expand...

It should work well, except if you use documents that want to auto-update the content using resources from the Internet or local Network.
Microsoft Office updates are not blocked.

Did you notice any issues?
 
  • Like
  • +Reputation
Reactions: Gandalf_The_Grey, simmerskool and sypqys
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,482
sypqys said:
the problem remains... even after removing explorer.exe from the list in Firewall Hardening.
Click to expand...
What is the problem - Office, Portmaster, or something else?
Which blocked LOLBins can be seen in the FirewallHardening Log?
 
  • +Reputation
  • Like
Reactions: simmerskool and sypqys
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,482
sypqys said:
FirewallHardening rules stay if I switch off "Switch Defaut Deny" ?
Click to expand...

Yes. SwitchDefaultDeny will unblock the execution. FirewallHardening does not block the execution of LOLBins - only the outbound connections are blocked.
 
  • +Reputation
  • Like
Reactions: simmerskool and sypqys
sypqys

sypqys

Level 5
Apr 18, 2022
216
Office doesn't seem to update with this:

Is this normal?

What exactly is the purpose of this Office block (I don't quite understand).
Maybe you've answered my question, or I'll have a look at the documentation.

Thanks a lot!

explorer_tF4VNcx2ci.png
 
  • Like
Reactions: Andy Ful
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,482
sypqys said:
Office doesn't seem to update with this:
Click to expand...
To see which LOLBin is the issue you must use <Blocked Events> and see which LOLBins are in the LOG. Usually, there can be many events related to Explorer.exe and a few events of rundll32.exe (mainly Windows telemetry).

sypqys said:
What exactly is the purpose of this Office block (I don't quite understand).
Click to expand...

MS Office applications can be exploited and serve as a trojan. But, if you use Microsoft Office 365, such outbound connections are normal. You can use the the DestAdress from the FirewallHardening Logto see where the outbound traffic goes:

Event[1]:
Local Time: 2024/10/04 11:36:45
ProcessID: 14868
Application: C:\windows\system32\rundll32.exe
Direction: Outbound
SourceAddress: 192.168.0.165
SourcePort: 54672
DestAddress: 51.124.78.146
DestPort: 443
Protocol: 6
.....

IP Whois Online, Whois Lookup Online | IPVoid

1728035409317.png


In this case the DestAddress is related to Microsoft.
 
Last edited:
  • +Reputation
  • Like
Reactions: simmerskool, silversurfer, Gandalf_The_Grey and 1 other person
sypqys

sypqys

Level 5
Apr 18, 2022
216
Andy Ful said:
To see which LOLBin is the issue you must use <Blocked Events> and see which LOLBins are in the LOG. Usually, there can be many events related to Explorer.exe and a few events of rundll32.exe (mainly Windows telemetry).



MS Office applications can be exploited and serve as a trojan. But, if you use Microsoft Office 365, such outbound connections are normal. You can use the the DestAdress from the FirewallHardening Logto see where the outbound traffic goes:

Event[1]:
Local Time: 2024/10/04 11:36:45
ProcessID: 14868
Application: C:\windows\system32\rundll32.exe
Direction: Outbound
SourceAddress: 192.168.0.165
SourcePort: 54672
DestAddress: 51.124.78.146
DestPort: 443
Protocol: 6
.....

IP Whois Online, Whois Lookup Online | IPVoid

View attachment 285684

In this case the DestAddress is related to Microsoft.
Click to expand...

To sum up, I can block Office telemetry without any problem ?

Thanks again !
 
  • Like
Reactions: simmerskool
sypqys

sypqys

Level 5
Apr 18, 2022
216
ConfigureDefender_x64_ykKlRuRuZ8.png

ConfigureDefender like this, is OK for home usage ?
 

Attachments

  • ConfigureDefender_x64_DPXR5Hn3LG.png
    ConfigureDefender_x64_DPXR5Hn3LG.png
    20.1 KB · Views: 45
  • ConfigureDefender_x64_sHbztDsZ8h.png
    ConfigureDefender_x64_sHbztDsZ8h.png
    21.6 KB · Views: 44
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,482
sypqys said:
View attachment 285686
ConfigureDefender like this, is OK for home usage ?
Click to expand...

I am not sure. You disabled the protection for MS Office. Many settings are set to Audit.
Audit will show an alert but will not stop the infection. The details are included in the help.
 
Last edited:
  • +Reputation
Reactions: Gandalf_The_Grey, sypqys, lokamoka820 and 1 other person
sypqys

sypqys

Level 5
Apr 18, 2022
216
Hello !

When I block Office in FirewallHardening, this is different than that (AntiExploit) ?

And what about telemetry ? Is the same or not ?

Hard_Configurator(x64)_o5HXmmmBgr.png
 

Similar threads

Andy Ful
    • +Reputation
    • Like
    • Applause
New Update Testing Windows Hybrid Hardening (new hardening application).
Replies
253
Views
29,414
Hard_Configurator Tools
South Park
South Park
Andy Ful
    • Like
    • +Reputation
    • Thanks
  • Sticky
Serious Discussion WHHLight - simplified application control for Windows Home and Pro.
Replies
318
Views
34,090
Hard_Configurator Tools
Andy Ful
Andy Ful
SpyNetGirl
    • Like
    • Applause
    • Thanks
Serious Discussion Why do you use obsolete security technologies such as SRP?
Replies
7
Views
1,127
General Security Discussions
Andy Ful
Andy Ful

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top