Hard_Configurator - Windows Hardening Configurator

[Andy Ful]

1. I really wish that when you select one of the security options, it was clearly marked (with a check mark or a different color), because when you select a security option and after a while go to the settings, you do not understand which one you activated earlier or which option is currently active). You have to click on the desired option again to be sure.

I am not sure. The inactive option is marked as OFF. If not, then it is active.

2. The purpose of the additional icon on the Switch Default Deny desktop is not entirely clear. Is it resetting the default antivirus settings or just blocking any activity at all, and does the home user need it?

Did you read the help file?

Hard_Configurator is used to adjust and apply the final settings.
SwitchDefaultDeny is mainly for temporarily turning off the SRP settings and applying them again in a simple way (OFF/ON toggle). Additionally, it has the option to run the DocumentsAntiExploit tool, etc.

3. What settings should be made to ensure that the protection is at the level of DefenderUI Pro or better?

I do not know (I do not use/test DefenderUI).

Do I need to install ALL of your embeds and how do I configure them?

The settings depend on the user. There is no singe setup best for all users. For most users, the Recommended Settings will be OK.

4. Perhaps in the future you will make a single application with all the functions together, so that we don't have to download or install all the utilities separately?

There is no reason to download/install all my apps/tools separately.

Maybe I'm mistaken and Hard_Configurator is the only one that contains all the separate ones?

Hard_Configurator is a self consistent project.
WHHLight package is another self consistent project.
Combining them into one application would only cause a mess.

 

[badboy]

I am not sure. The inactive option is marked as OFF. If not, then it is active.

I meant the protection profiles. When any of them is activated, the buttons do not change (color or on/off designation) and after some time it is not clear which profile is currently active.
If it is not too much trouble, I would like to see something like what I drew in the screenshot.

P.S. I am currently studying all the instructions and information, but it is not easy, because my knowledge of English does not extend to technical and computer terms. The DeepL translator helps me a lot, so please forgive me for stupid questions - translation difficulties.

 

[Andy Ful]

I meant the protection profiles. When any of them is activated, the buttons do not change (color or on/off designation) and after some time it is not clear which profile is currently active.
If it is not too much trouble, I would like to see something like what I drew in the screenshot.

View attachment 287370

ConfigureDefender allows applying hundreds of different setups. Protection Levels (DEFAULT, HIGH, INTERACTIVE, MAX) are only starting points for many custom setups (most users apply custom settings).
Furthermore, when INTERACTIVE setup is applied in ConfigureDefender, it does not mean that others are OFF. For example, the applied restrictions are almost identical to the HIGH setup. Only the alerts are different. The meaning of Protection Levels (DEFAULT, HIGH, INTERACTIVE, MAX) cannot be described by simple ON/OFF events. The same is true for several Setting Profiles available in Hard_Configurator:

P.S. I am currently studying all the instructions and information, but it is not easy, because my knowledge of English does not extend to technical and computer terms. The DeepL translator helps me a lot, so please forgive me for stupid questions - translation difficulties.

Use the Recommended Settings for a few months to see how they work. If those settings will work well, you may add gradually a few more restrictions if necessary. When adding restrictions, please read the info included in the Hard_Configurator manual and help files. Additional restrictions can make the setup less usable.
Many users may have problems learning Hard_Configurator - it is a complex application that helps secure family computers at home (as well as home businesses). It should be used by advanced users (home administrators).

 

[Tiamati]

@Andy Ful

I'm having trouble to share files through bluetooh... does H_C interfere with that?

 

[Andy Ful]

@Andy Ful

I'm having trouble to share files through bluetooh... does H_C interfere with that?

No, if you mean Windows built-in Bluetooth support.
But like in any such situation, you can switch off all H_C restrictions, and remove all FirewallHardening + ConfigureDefender rules (restart required) to see if the issue persists.

 

[ErzCrz]

3. What settings should be made to ensure that the protection is at the level of DefenderUI Pro or better? Do I need to install ALL of your embeds and how do I configure them?

As far as I understand it though they are two different approaches but both very effecting. DefenderUIPro and Cyberlock includes other features but Hard_Configurator is a great default deny appraoch.
Setting Hard_Configurator with Recommended configuration hardens the system and block which covers the Pro bit, Set ConfigureDefender to HIGH or Interative. Which is the same as the DefenderUI bit. Set FirewallHardening by adding Recommended Rules goes in line with recently added SmartFirewall feature of CyberLock and adds block LOLbin rules to Windows Firewall. Then your all set and don't have to do a thing unless you run into an issue.

 

[Andy Ful]

I suspect that one obvious difference is also blocking by default executables in UserSpace (flash drives, Downloads folder, etc.). If the user wants to execute them, it is necessary to choose "Install By SmartScreen" using the Explorer right-click menu (in Windows 11 it is hidden under "Show more options").

 

[dronefox1166]

Hello

I use FirewallHardening and ConfigureDefender... Alone.
I want to switch back to H_C. Because there the firewall rules are still active.

Whereas with H_C Switch Defaut Deny, you can disable all the rules and apply the rules when you want...

if I install H_C, it could be duplicated, right?

Will it overwrite configure Defender rules if I open a backup of H_C (including CD)?

Thanks for guiding me...

 

[Andy Ful]

Whereas with H_C Switch Defaut Deny, you can disable all the rules and apply the rules when you want...

Did you read the help:

SwitchDefaultDeny switches OFF/ON only the rules related to SRP (does not touch the ConfigureDefender and FirewallHardening rules.
Installing H_C does not change the rules already applied by ConfigureDefender and FirewallHardening. However, you can execute ConfigureDefender or FirewallHardening directly from the H_C GUI.
Only when H_C is uninstalled via <Tools> <Uninstall Hard_Configurator> the Windows default values for the ConfigureDefender and FirewallHardening rules can be recovered.

 

[dronefox1166]

Did you read the help:

View attachment 287797

View attachment 287798

SwitchDefaultDeny switches OFF/ON only the rules related to SRP (does not touch the ConfigureDefender and FirewallHardening rules.
Installing H_C does not change the rules already applied by ConfigureDefender and FirewallHardening. However, you can execute ConfigureDefender or FirewallHardening directly from the H_C GUI.
Only when H_C is uninstalled via <Tools> <Uninstall Hard_Configurator> the Windows default values for the ConfigureDefender and FirewallHardening rules can be recovered.

Ok thanks !

 

[bazang]

You can add the check for the registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer_Hard_Configurator\CodeIdentifiers
"TurnOFFAllSRP"="1"

So, the alert will be triggered only when H_C is switched OFF:

View attachment 285504

Hard_Configurator ENABLED: "TurnOFFAllSRP"="0"
Hard_Configurator DISABLED: "TurnOFFAllSRP"="1"

#To confirm Hard_Configurator is not enable (OFF) or enabled (ON) after Windows system boot # Output shall be "The registry value 'TurnOFFAllSRP' does not exist or is not set to '0." or "The registry value 'TurnOFFAllSRP' exists and is set to '1'." # Define the registry path and value name $RegistryPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\safer_Hard_Configurator\CodeIdentifiers" $ValueName = "TurnOFFAllSRP" # Check if the registry key exists if (Test-Path $RegistryPath) { # Get the registry value $RegistryValue = Get-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction SilentlyContinue # Check if the value exists and equals "1" if ($RegistryValue.$ValueName -eq "1") { Write-Output "The registry value 'TurnOFFAllSRP' exists and is set to '1'." } else { Write-Output "The registry value 'TurnOFFAllSRP' does not exist or is not set to '0'." } } else { Write-Output "The registry key does not exist." }

#To confirm Hard_Configurator is not enabled (OFF) or enabled (ON) after Windows system boot # Output shall be "The registry value 'TurnOFFAllSRP' exists and is set to '0'." or "The registry value 'TurnOFFAllSRP' does exist or is not set to '0'." # Define the registry path and value name if (Test-Path $RegistryPath) { >> # Get the registry value >> $RegistryValue = Get-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction SilentlyContinue >> >> # Check if the value exists and equals "1" >> if ($RegistryValue.$ValueName -eq "0") { >> Write-Output "The registry value 'TurnOFFAllSRP' exists and is set to '0'." >> } else { >> Write-Output "The registry value 'TurnOFFAllSRP' does not exist or is not set to '0'." >> } >> } else { >> Write-Output "The registry key does not exist." >> }

 

[Andy Ful]

Thanks for providing the script, although users can simply run H_C to see if the left panel is active.
I think that one script might be enough.

#Script confirms the state of SRP (ON/OFF) settings in Hard_Configurator.
# Define the registry path and value name
$RegistryPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\safer_Hard_Configurator\CodeIdentifiers'
$ValueName = 'TurnOFFAllSRP'
# Check if the registry key exists
if (Test-Path $RegistryPath) {
    # Get the registry value
    $RegistryValue = Get-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction SilentlyContinue
    # Check if the value exists and equals '1'
    if ($RegistryValue.$ValueName -eq '1') {
        Write-Output 'SRP settings in H_C are turned OFF.'
    } else {
        Write-Output 'SRP settings in H_C are turned ON.'
    }
} else {
    Write-Output 'SRP settings in H_C are turned OFF.'
}

A similar scripting code can be inserted into the batch script that runs PowerShell with CmdLines. The batch script can be whitelisted in SRP and added to autoruns (whitelisted batch script works even if cmd[.]exe is blocked in SRP). Otherwise, the PowerShell script would be blocked by < Block PowerShell Scripts >.
The code can be modified to show the alert only if SRP settings are Switched OFF.


Post edited.
Another possibility is creating a batch file that runs SwitchDefaultDeny (instead of alert), when SRP is Switched OFF.
If SRP is turned ON or SRP is not installed, the script does nothing:

%Windir%\System32\WindowsPowerShell\v1.0\powershell.exe -NonInteractive -WindowStyle hidden $RegistryPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\safer_Hard_Configurator\CodeIdentifiers'; $ValueName = 'TurnOFFAllSRP'; $RegistryValue = Get-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction SilentlyContinue; if ($RegistryValue.$ValueName -eq '1'){Start-Process -FilePath $Env:WinDir'\Hard_Configurator\SwitchDefaultDeny(x64).exe'}