Hard_Configurator - Windows Hardening Configurator

[Andy Ful]

I really appreciate your work mate @Andy Ful , but how is SRP more usable?

SRP uses Designated File Types list to block files by extension. For example, you can block CHM files (and many other) outside 'C:\Windows' and C:\Program FIles' folder without blocking the executable hh.exe that can open them. You can also directly block shortcuts (LNK files) etc. So, the happy clicker cannot be fooled by the file with the spoofed extension, because it will be blocked.
Furthermore, you can block many vulnerable executables from Windows folder without breaking Windows Updates and system scheduled tasks, because they are usually blocked by SRP only as standard user and allowed to run with higher rights.
Generally SRP configuration is simpler from WD Application Control.
SRP can be applied in Enterprises networks, but to get the similar security level as in the case of WD Application Control, SRP has to be very restrictive, so less usable.
.

Why nobody talks about more important factor, that most home users are "click happy" and don't pay attention to any security alerts and if some comes up or "in their face" like Smartscreen alert, they just click yes to get it faster out of their way without reading any information what its for. If family have no one to ask computer help, they have to call someone tech like. And most people 50+ who didn't born with tablets and pc's in their hands, will not do manual way seeking for problem help in Google or MalwareTips example. I can set SRP for my other 5+ family windows systems, but if I wasn't there for them, default-deny would NOT be the best security solution.

All the above is true. I think that you understand the home user as an inexperienced or average user. I did not mean it. The home user is the user that has the computer connected to the home network under the NAT router. That is a big difference as compared to the user in the Enterprise network. I do not recommend configuring SRP (with or without Hard_Configurator) by inexperienced users. As you noticed, even already configured SRP setup requires supervising by an experienced user, from time to time.

SRP is best for Business/corp oriented systems where employes are not allowed to install additional programms and just use work oriented applications.

That is the point we do not agree. In my opinion, SRP is quite good for:

1. Small business.
2. Home - when computers can be supervised by an experienced user.

For Enterprise networks the combo WD Application Control + WD Application Guard or 3-rd party solutions like AppGuard are much better.

 

[Andy Ful]

Hard_Configurator is now available on Softpedia:
Download Hard_Configurator 4.0.0.0
Thanks, Alexandra Sava for the nice review.

 

[shmu26]

@Andy Ful it was asked on the other forum about the right-click option to force checking by Smartscreen. Maybe you have something to say?


Has anyone done any testing on its impact or not on WD's "block at first sight" cloud scanning?

 

[Andy Ful]

@Andy Ful it was asked on the other forum about the right-click option to force checking by Smartscreen. Maybe you have something to say?


Has anyone done any testing on its impact or not on WD's "block at first sight" cloud scanning?

What are they interested in?
The right-click option in Explorer to force checking by SmartScreen ('Run As SmartScreen' or 'Run By SmartScreen') depends only on SmartScreen settings. If SmartScreen for applications is turned on then this feature is fully functional (even when Defender is completely turned off).
SmartScreen is independent of the "block at first sight" feature.

 

[Andy Ful]

I found the thread mentioned by @shmu26:
AV-Comparatives: Real-World Protection Test February-June 2018
I like to read @itman threads because of interesting links to source articles. But it seems that he is not the expert in SRP. He is right that Hard_Configurator is dependent on SRP, but it is not true that there are many such third-party solutions. In fact, as far I know, except Hard_Configurator there is not any GUI application for Windows 7+, based on default-deny SRP. There is non-GUI Simple Software-Restriction Policy application which is worth to be mentioned. There are some applications based on default allow SRP (like Cryptoprevent).
Furthermore, Hard_Configurator is semi-portable. One can simply copy the Hard_Configurator folder from one computer to another (with the same processor architecture) at the location C:\Windows\Hard_Configurator, and it will be full-functional. The strict folder location is required to adopt forced SmartScreen, so Hard_Configurator cannot be fully portable.
Hard_Configurator and ConfigureDefender are available not only on GitHub, but also on Softpedia. They are also whitelisted by Microsoft, Symantec, Avast, and Emsisoft (I sent installers to analysis). They are also whitelisted by Avast reputation cloud which is activated via Aggressive Hardened Mode. So, they have gained some positive reputation.
The open question that bothers me from the 2016 year (when Hard_Configurator was created), is how long Microsoft will keep SRP available. In fact, SRP was not actively developed for a few last years. The last improvement I noticed was PowerShell Constrained Language Mode integrated with default-deny SRP settings. Microsoft can throw it out next year or after 5 years (or later) - that will depend on how SRP is popular in Enterprises and how many new protection features will be transferred from Windows Enterprise edition to Pro edition.

Post edited: Microsoft can abandon it ---> Microsoft can throw it out.

 

[Sunshine-boy]

The open question that bothers me from the 2015 year (when Hard_Configurator was created), is how long Microsoft will keep SRP available.

SRP settings. Microsoft can abandon it next year or after 5 years (or later)

They already did it
they may remove it!its time to start using AppLocker : ) Andy be ready for creating another tool but this time for APPlocker:emoji_innocent:

 

[Andy Ful]

They already did it
they may remove it!its time to start using AppLocker : ) Andy be ready for creating another tool but this time for APPlocker:emoji_innocent:

Fortunately, they did not. By abandoned, I have meant not available.
Applocker is not available for Windows Home and Pro (so far), but who knows.

 

[Sunshine-boy]

Itman said:

With the caveat that sometimes, it might be impossible to do so. Case in point, malware drops Powershell v2 on your PC. Renames it or file downloaded under a different name. It then moves it to a folder your not monitoring .exe startup from; e.g. C:\Program Files, etc..
how can SRP handle it?

 

[Sunshine-boy]

Pro

its available for pro version.

I have meant not available

soon : ) then whattttttttt? what u have for me plssssssssss. get windows pro learn AppLocker and after that create another tool. time is running.

 

[Andy Ful]

Itman said:

With the caveat that sometimes, it might be impossible to do so. Case in point, malware drops Powershell v2 on your PC. Renames it or file downloaded under a different name. It then moves it to a folder your not monitoring .exe startup from; e.g. C:\Program Files, etc..
how can srp handle it? this ITman is an eset user i talk to him soemtiems in eset froum. he is very very smart and paranoid xd

PowerShell v2 will not be dropped and executed when using Hard_Configurator settings (computer in the home network with NAT router), except when the user intentionally allows running the malware (ignoring SmartScreen) or uses vulnerable software (easily exploited). Even then, the malware will be usually blocked/mitigated, except some sophisticated samples or when the user will ignore UAC alert to allow copying files to Program Files.

 

[Andy Ful]

its available for pro version.

soon : ) then whattttttttt? what u have for me plssssssssss. get windows pro learn AppLocker and after that create another tool. time is running.

You must wait, I am afraid.

 

[Andy Ful]

its available for pro version.

Applocker rules can be created on Windows Pro, but they will work only on Ultimate, Enterprise or Education editions.
On Windows 10 Applocker can be probably implemented when using Intune (paid), but I never tried this:
Requirements to use AppLocker (Windows 10)
Managing AppLocker on Windows 10 via OMA-DM

 

[Andy Ful]

People on Wilderssecurity forum asked about blocking by Hard_Configurator settings the BAT file located somewhere in the Userspace (XXXX is a UserProfile name):

START "" C:\Users\XXXX\AppData\Local\Temp\knownmalicious.exe

AV-Comparatives: Real-World Protection Test February-June 2018
.
Of course, it will be blocked, because Hard_Configurator default settings (Recommended SRP) block BAT files (and many others) in the Userspace. So, maybe the more clever SmartScreen bypass would be avoiding BAT files and run the commandline:
cmd /c START "" C:\Users\XXXX\AppData\Local\Temp\knownmalicious.exe
or
PowerShell -command start C:\Users\XXXX\AppData\Local\Temp\knownmalicious.exe
.
But then, the executable knownmalicious.exe will be blocked too, because Hard_Configurator default settings (Recommended SRP) block EXE files in the Userspace.
Anyway, the user can run the file knownmalicious.exe when using "Run As SmartScreen" via the Explorer right-click menu, but then it will be checked by SmartScreen.

 

[Andy Ful]

I found some issues with recommended by Microsoft the MS Office hardening tweaks. Those tweaks are adopted in Hard_Configurator (<Documents Anti-Exploit>) and SysHardener. They should block VBA Macros, DDE, OLE, and ActiveX in MS Office documents (MS Office 2007 up to MS Office 2016).
The DDE mitigations sources:

1. Microsoft Security Advisory 4053440
2. {{windowTitle}} - ADV170021 | Microsoft Office Defense in Depth Update

The issue I found is related to DDE in Excel (mitigations worked in Word). The tweaks from the first link did not work for my Office 2010 (in VirtualBox) until I manually installed the concrete update (excel2010-kb4011660-fullfile-x86-glb.exe) adviced in the second link. It seems that the required updates are not always offered via Windows Updates.
How to check if DDE is blocked in Excel? It is very simple.

1. Create the blank workbook.
2. In the first cell (A1) insert (copy/paste) the formula: =cmd|'/c calc.exe'!A1
3. If this formula will open from Excel the calculator application then DDE is not blocked.
4. Also, you can save this workbook, close Excel and open the workbook from Explorer to test DDE.

Edit
When using custom Hard_Configurator settings, please check first if cmd.exe is unblocked (<Block Sponsors>).

 

[shmu26]

It was already installed for me.

 

[Andy Ful]

It was already installed for me.

How did you check this?

 

[shmu26]

How did you check this?

I downloaded the updates for Excel and also for Word, x64, for Office 2016, and when I ran them, they said they are already installed.

 

[Andy Ful]

I downloaded the updates for Excel and also for Word, x64, for Office 2016, and when I ran them, they said they are already installed.

So the above can be the right example for others.
But, blocking completely DDE in Excel is possible only via reg tweak, by setting (12.0 is for MS Office 2007, 14.0 for MS Office 2010, 15.0 for MS Office 2013, 16.0 for MS Office 2016):
HKEY_CURRENT_USER\Software\Microsoft\14.0\Excel\Security
DisableDDEServerLaunch = 1
HKEY_CURRENT_USER\Software\Microsoft\14.0\Excel\Security
DisableDDEServerLookup = 1
By default, those values are set to 0.

 

[shmu26]

Question: when I was using Defender with ASR, I could still use my Word add-ons.
But right now I have a 3rd party AV, and if I enable "Documents anti-exploit", I get error messages when I launch Word.
Is there a certain setting or exception that will help?

 

[Andy Ful]

Question: when I was using Defender with ASR, I could still use my Word add-ons.
But right now I have a 3rd party AV, and if I enable "Documents anti-exploit", I get error messages when I launch Word.
Is there a certain setting or exception that will help?

What version of MS Office you have and what is the error alert?