Hard_Configurator - Windows Hardening Configurator

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,482
...
It takes Polish thinking and practicality to bring light to darkness. :love:
...
I tried very hard to 'bring some light', but it seems that I am not a Prometheus at all. Still, the user has to make an effort to learn and H_C is only the helping hand on the long road out of the dark.:giggle:
 

509322

I tried very hard to 'bring some light', but it seems that I am not a Prometheus at all. Still, the user has to make an effort to learn and H_C is only the helping hand on the long road out of the dark.:giggle:

IT is not for the uninformed nor the uninitiated. When it comes to IT security, people have to take some personal responsibility in what they do. There is nothing better than for the average person to learn... because all the wonderful promises (some call them lies) of automated security will let them down. Knowledge is power. And nowhere is that more true than when it comes to IT.
 

oldschool

Level 84
Verified
Top Poster
Well-known
Mar 29, 2018
7,595
I have some grade school level questions for @Andy Ful or any other experienced member: I had installed Process Explorer and Autoruns prior to installing Hard_Configurator and I am unable to run either. I presume I must whitelist them, but have so far been unsuccessful and at a loss as to how to do this. Another question: I inadvertently hit the Run Autoruns: Scripts/User Space in "TOOLS" without fully understanding the help section so I'm at a loss on this subject as well. Please clarify if possible? Am I now in DEEP water??? :unsure: Thanks for your patience in advance!
 

509322

I have some grade school level questions for @Andy Ful or any other experienced member: I had installed Process Explorer and Autoruns prior to installing Hard_Configurator and I am unable to run either. I presume I must whitelist them, but have so far been unsuccessful and at a loss as to how to do this. Another question: I inadvertently hit the Run Autoruns: Scripts/User Space in "TOOLS" without fully understanding the help section so I'm at a loss on this subject as well. Please clarify if possible? Am I now in DEEP water??? :unsure: Thanks for your patience in advance!

Doing stuff without understanding what you're doing? Heck... I am going to put you in charge of an infantry battalion heading into battle. You should do just fine.

If you are running Process Explorer and Autoruns from User Space, then you have two options:

1. Move them to System Space and make a shortcut that points to them; or
2. Whitelist their User Space file path.

Autoruns performs a scan and whitelists startups for you.

Nothing is ever permanently broken. You can always undo stuff. You won't be needing to clean install Windows. You can count on Microsoft doing that to you, but not Hard_Configurator and not you doing stuff with it. H_C is simply a front-end controller for Microsoft's own spaghetti security.
 

oldschool

Doing stuff without understanding what you're doing? Heck... I am going to put you in charge of an infantry battalion heading into battle. You should do just fine.

If you are running Process Explorer and Autoruns from User Space, then you have two options:

1. Move them to System Space and make a shortcut that points to them; or
2. Whitelist their User Space file path.

Autoruns performs a scan and whitelists startups for you.

Nothing is ever permanently broken. You can always undo stuff. You won't be needing to clean install Windows. You can count on Microsoft doing that to you, but not Hard_Configurator and not you doing stuff with it. H_C is simply a front-end controller for Microsoft's own spaghetti security.

LOL, never imagined I needed to clean install! Your point #1: I'm not sure I'm clear on difference between User and System Space. I Moved Process Explorer from Program (86) Files to Windows file. Is this what you meant? It worked! I break more than I fix, but everything seems OK! :rolleyes:
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
LOL, never imagined I needed to clean install! Your point #1: I'm not sure I'm clear on difference between User and System Space. I Moved Process Explorer from Program (86) Files to Windows file. Is this what you meant? It worked! I break more than I fix, but everything seems OK! :rolleyes:
User space is your Desktop, your Downloads, your Appdata, your Programdata, and a few other places. That is where default/deny SRP kicks in and blocks stuff.

System Space is the Windows folder, the Programs folder, and maybe some other places I don't know or remember. SRP leaves those places alone, unless you enabled Sponsor protection, in which case those rules will kick in, despite being in System space.

And don't worry about autoruns. You probably ran it when you first installed H_C, whether you realized it or not. Unless you have acquired in the meantime some malware with persistence on your system, which I would bet big money that you didn't, autoruns will merely whitelist the things you want.
 

Andy Ful

I have some grade school level questions for @Andy Ful or any other experienced member: I had installed Process Explorer and Autoruns prior to installing Hard_Configurator and I am unable to run either. I presume I must whitelist them, but have so far been unsuccessful and at a loss as to how to do this. Another question: I inadvertently hit the Run Autoruns: Scripts/User Space in "TOOLS" without fully understanding the help section so I'm at a loss on this subject as well. Please clarify if possible? Am I now in DEEP water??? :unsure: Thanks for your patience in advance!
There are several solutions for that. Those two utilities work best when run elevated, so the simplest method is "Run As SmartScreen" (this bypasses SRP). It is recommended to copy them first to the Program Files folder; then they will be run with elevation but the SmartScreen check will be skipped.
Another good method for portable applications is to whitelist them by hash (it is very simple with H_C). Yet, the Process Explorer executable (procexp.exe or procexp64.exe) is wrapped and uses an unwrapped image from the temporary folder (C:\Users\User_Name\Appdata\Local\Temp). This image is also named procexp.exe or procexp64.exe and it must be whitelisted by hash, too. Do not close the error alert, because the image is deleted after this.
 

Andy Ful

@Andy Ful

Valid autoruns are whitelisted, right?

I have a nonvalid one from C:\Windows\system32\bcdboot.exe

Do I need to do something with it? I assumed no since it's from system32 but I wanted to be sure.
Some autoruns can have parameters which can be file paths directed to the files located in the Userspace.
Generally, H_C leaves the decision to the user in such cases.
The autoruns entry 'C:\Windows\system32\bcdboot.exe' is an example of something that had parameters. On my computer I have a similar 'non valid' = 'path with parameters' entry: C:\WINDOWS\system32\bcdboot.exe C:\WINDOWS
Do not mind it; the whole C:\Windows folder (except some writable folders) is already whitelisted. (y)
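
Added example, not from any poster in this thread or from Hard_Configurator: a PowerShell model of the "path with parameters" case described above, which splits an autorun command line and flags any path that lies outside System Space. The System Space roots, the function names and every sample entry except the bcdboot.exe line are assumptions constructed for illustration.

```powershell
# Assumed System Space roots, following the thread's description. Real SRP/H_C
# rules also carve out writable subfolders of C:\Windows; this model does not.
$SystemSpace = @('C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)')

function Test-InSystemSpace([string]$Path) {
    foreach ($root in $SystemSpace) {
        if ($Path -ieq $root -or
            $Path.StartsWith("$root\", [StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

function Get-AutorunVerdict([string]$CommandLine) {
    # Tokens are "quoted strings" or runs of non-space characters. Unquoted
    # paths containing spaces are not handled by this simple splitter.
    $tokens = @([regex]::Matches($CommandLine, '"([^"]*)"|(\S+)') | ForEach-Object {
        if ($_.Groups[1].Success) { $_.Groups[1].Value } else { $_.Groups[2].Value }
    })
    # Arguments that look like drive paths are checked the same way as the executable.
    $pathArgs = @($tokens | Select-Object -Skip 1 | Where-Object { $_ -match '^[A-Za-z]:\\' })
    $outside  = @($pathArgs | Where-Object { -not (Test-InSystemSpace $_) })
    [pscustomobject]@{
        Executable    = $tokens[0]
        ExeInSystem   = (Test-InSystemSpace $tokens[0])
        HasParameters = ($tokens.Count -gt 1)
        UserSpaceArgs = ($outside -join '; ')
    }
}

# First entry is the one quoted in the thread; the other two are constructed.
$entries = @(
    'C:\WINDOWS\system32\bcdboot.exe C:\WINDOWS',
    'C:\Windows\System32\wscript.exe "C:\Users\User_Name\AppData\Roaming\startup.vbs"',
    '"C:\Users\User_Name\Desktop\Tools\autoruns64.exe" -e'
)
$entries | ForEach-Object { Get-AutorunVerdict $_ } | Format-List
```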
 

shmu26

Is "Switch Off Restrictions" the same as restoring Windows default settings?
Is there a difference between various versions of Windows?
 

509322

@Andy Ful

Valid autoruns are whitelisted, right?

I have a nonvalid one from C:\Windows\system32\bcdboot.exe

Do I need to do something with it? I assumed no since it's from system32 but I wanted to be sure.

Don't worry about bcdboot.exe. I have it too. If it bothers you, then you can whitelist it just so it doesn't show up in the log and bother you any more. This is SRP.
 

509322

Is "Switch Off Restrictions" the same as restoring Windows default settings?

No.

Is there a difference between various versions of Windows?

Yes, particularly with regards to Configure Defender and PowerShell.

@Andy Ful - please add "Disable PoSh v2.0" setting. It can be done via PoSh. If H_C already does it via the "No PowerShell" boolean, then I apologize. I didn't look.

Code:
Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
 

shmu26

@Andy Ful please enlighten me how to restore default Windows settings for Win 10 pro 1809, as regards the right column in H_C and in ConfigureDefender.
 

509322

@Andy Ful please enlighten me how to restore default Windows settings for Win 10 pro 1809, as regards the right column in H_C and in ConfigureDefender.

Turn OFF > reverts those settings modified from the defaults. (Reboot system for good measure after reverting).

TOOLS > Restore Windows defaults reverts all H_C settings modifications, including those made using Configure Defender.

That's the difference.
 

shmu26

Turn OFF > reverts those settings modified from the defaults. (Reboot system for good measure after reverting).

TOOLS > Restore Windows defaults reverts all H_C settings modifications, including those made using Configure Defender.

That's the difference.
Thanks. I forgot to look in TOOLS. Duh!
 

oldschool

Another good method for portable applications is to whitelist them by hash (it is very simple with H_C). Yet, the Process Explorer executable (procexp.exe or procexp64.exe) is wrapped and uses an unwrapped image from the temporary folder (C:\Users\User_Name\Appdata\Local\Temp). This image is also named procexp.exe or procexp64.exe and it must be whitelisted by hash, too. Do not close the error alert, because the image is deleted after this.

Duh, I was trying to run them when pinned to "Start", but I can run from Programs Folder. But I do not fully understand what this means: "...This image is wrapped and uses unwrapped imaged...." etc. I have no blocked info or errors but want to know because I've never used hash whitelisting before. Is that what the "View All Script Autoruns" is for. The errors show here and then ....? :rolleyes: :confused: but wishing to learn, so I persist!
 

509322

Duh, I was trying to run them when pinned to "Start", but I can run from Programs Folder. But I do not fully understand what this means: "...This image is wrapped and uses unwrapped imaged...." etc. I have no blocked info or errors but want to know because I've never used hash whitelisting before. Is that what the "View All Script Autoruns" is for. The errors show here and then ....? :rolleyes::confused: but wishing to learn, so I persist!

To avoid the file extraction, just select the x64 version, procexp64.exe, on x64 Windows. The extraction to the User Space directory (C:\Users\User_Name\Appdata\Local\Temp) happens when the x86 version (procexp.exe) of Process Explorer is used.

Autoruns scans the system startup locations - both file system and registry - and then the whitelisting is done by file path.

Whitelist by hash is a policy that contains or specifies a hash, and that hash is defined in the policy such that the program is allowed to launch only if it matches the calculated hash number.

Basically... So, File = hash 123. Policy states File can launch if and only if File = hash 123. File = hash 987 attempts to launch, and policy blocks it from executing.

In the same manner, you can blacklist by hash number.

Understand?
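
Added example, not from any poster in this thread or from Hard_Configurator: a PowerShell model of the path-rule versus hash-rule behaviour described above, run against constructed stand-in files in a temporary folder. Using SHA-256 via Get-FileHash, the file names and the Test-Rule helper are assumptions; this does not read or write real SRP rules.

```powershell
# Constructed stand-in for a program; plain text files, no real binaries involved.
$dir  = Join-Path ([IO.Path]::GetTempPath()) ("hc-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $dir | Out-Null
$file = Join-Path $dir 'tool.exe'
Set-Content -Path $file -Value 'original build' -NoNewline

# Model policy: one rule allows this exact path, another allows this exact hash.
$allowedPaths  = @($file)
$allowedHashes = @((Get-FileHash -Path $file -Algorithm SHA256).Hash)

function Test-Rule([string]$Path, [string]$Case) {
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    [pscustomobject]@{
        Case     = $Case
        File     = (Split-Path $Path -Leaf)
        PathRule = $(if ($allowedPaths  -contains $Path) { 'allow' } else { 'block' })
        HashRule = $(if ($allowedHashes -contains $hash) { 'allow' } else { 'block' })
    }
}

$results = @(Test-Rule $file 'unchanged file')

# Same path, different content: the path rule still allows it, the hash rule does not.
Set-Content -Path $file -Value 'modified build' -NoNewline
$results += Test-Rule $file 'content replaced'

# Same content, different name and path: only the hash rule still allows it.
$copy = Join-Path $dir 'renamed.exe'
Set-Content -Path $copy -Value 'original build' -NoNewline
$results += Test-Rule $copy 'copied elsewhere'

$results | Format-Table -AutoSize
Remove-Item -Recurse -Force $dir
```

The "content replaced" row is why an extracted image with different bytes, such as the one the wrapped procexp.exe drops into Temp, needs its own hash entry.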
 

Andy Ful

...
But I do not fully understand what this means: "...This image is wrapped and uses unwrapped imaged...." etc. I have no blocked info or errors but want to know because I've never used hash whitelisting before. Is that what the "View All Script Autoruns" is for. The errors show here and then ....? :rolleyes::confused: but wishing to learn, so I persist!
Did I really write "This image is wrapped and uses unwrapped imaged"????:love:
It is simple. Developers can hide one or more applications inside another program (wrapper). In the case of the wrapped procexp.exe, it contains two applications for 32-bit and 64-bit versions of Windows. If you are using 32-bit Windows, then only the 32-bit application will be extracted into the Temp folder and executed. If you are using 64-bit Windows, then the 64-bit application will be extracted into the Temp folder and executed. The Sysinternals suite usually has two Process Explorer applications:
  1. procexp.exe - wrapped (can be run both on 32-bit and 64-bit Windows).
  2. procexp64.exe - unwrapped for 64-bit Windows only.
------------------------------------------------------------------------------------------------------------------------------------------------------------------------
In Hard_Configurator the Autoruns program is used only for:
  1. Whitelisting applications and scripts from the Userspace which can start with Windows.
  2. Viewing scripts from all locations, which can start with Windows.
The second can be useful when the user wants to block the scripts completely in all locations, for example by blocking script interpreters or when <Disable Win. Script Host> = ON.
 