Hard_Configurator - Windows Hardening Configurator

[Andy Ful]

Is "Switch Off Restrictions" the same as restoring Windows default settings?
Is there a difference between various versions of Windows?

The features <Switch ON/OFF SRP> and <Switch ON/OFF Restrictions> are explained in <General Help> point 5. (option available in main H_C window) and in H_C manual. Here they are:

"5. There are also important green buttons <Switch OFF/ON SRP> and <Switch OFF/ON Restrictions>. Any green button can switch OFF the settings in the column, but remembers the last settings in that column. They can be restored when pressing the green button the second time. But, there is one requirement - meanwhile, you cannot turn on any setting in that column. If you prefer to turn on some settings in that column, they overwrite the previous settings.

If you <Switch OFF/ON SRP> but do not <APPLY CHANGES>, then only SRP Default Security Level will be switched and aplied (other changed settings require <APPLY CHANGES> to work). That can be used when you want to disable protection temporarily, perform some tasks on the computer, and quickly restore the protection."

The blue part is equivalent to SwitchDefaultDeny tool.
What the options <Switch OFF/ON SRP> and <Switch OFF/ON Restrictions> can do, may be seen when looking at the changed options. Simply press <Switch OFF/ON SRP> or <Switch OFF/ON Restrictions> several times and you quickly will see what is happening.

Windows defaults can be recovered in several ways (finished by <APPLY CHANGES>):

1. <Tools><Restore Windows Defaults> (but not Windows Defender settings).
2. <Switch ON/OFF SRP> and <Switch ON/OFF Restrictions> (but not Windows Defender settings).
3. <Load Profile> and choose All_OFF.hdc (but not Windows Defender settings).
4. <Tools><Uninstall Hard_Configurator>.

The red entries do not remember previous settings. The green entries remember the settings applied before switching them OFF and they can be restored.

The restored SMB and some <Block Remote Access> default settings are different for Windows 7 and Windows 10.

Windows Defender default settings can be restored when using the proper one click button from ConfigureDefender.

Edit.
I forgot about differences in some <Block Remote Access> settings.

 

[shmu26]

The features <Switch ON/OFF SRP> and <Switch ON/OFF Restrictions> are explained in <General Help> point 5. (option available in main H_C window) and in H_C manual. Here they are:

"5. There are also important green buttons <Switch OFF/ON SRP> and <Switch OFF/ON Restrictions>. Any green button can switch OFF the settings in the column, but remembers the last settings in that column. They can be restored when pressing the green button the second time. But, there is one requirement - meanwhile, you cannot turn on any setting in that column. If you prefer to turn on some settings in that column, they overwrite the previous settings.

If you <Switch OFF/ON SRP> but do not <APPLY CHANGES>, then only SRP Default Security Level will be switched and aplied (other changed settings require <APPLY CHANGES> to work). That can be used when you want to disable protection temporarily, perform some tasks on the computer, and quickly restore the protection."

The blue part is equivalent to SwitchDefaultDeny tool.
What the options <Switch OFF/ON SRP> and <Switch OFF/ON Restrictions> can do, may be seen when looking at the changed options. Simply press <Switch OFF/ON SRP> or <Switch OFF/ON Restrictions> several times and you quickly will see what is happening.

Windows defaults can be recovered in several ways (finished by <APPLY CHANGES>):

1. <Tools><Restore Windows Defaults> (but not Windows Defender settings).
2. <Switch ON/OFF SRP> and <Switch ON/OFF Restrictions> (but not Windows Defender settings).
3. <Load Profile> and choose All_OFF.hdc (but not Windows Defender settings).
4. <Tools><Uninstall Hard_Configurator>.

The red entries do not remember previous settings. The green entries remember the settings applied before switching them OFF and they can be restored.

The restored SMB default settings are different for Windows 7 and Windows 10.

Windows Defender default settings can be restored when using the proper one click button from ConfigureDefender.

Thanks.
Let's make sure I got this right:
1 "switch off" and "restore windows defaults" have a similar effect. The big difference is that "restore windows defaults" doesn't remember what settings you had before.
2 H_C is smart enough to restore the right Windows default settings; it can distinguish between Windows 7 and 10.

 

[Andy Ful]

...
@Andy Ful - please add "Disable PoSh v2.0" setting. It can be done via PoSh. If H_C already does it via the "No PowerShell" boolean, then I apologize. I didn't look.

Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root

In Windows 10, using PowerShell 2.0 is not possible until the user will install Net Framework 3.5 . PowerShell 2.0 requires both installed Net Framework 2.0 and ticked option "Windows PowerShell 2.0" in Windows optional features.
In Windows 8.1 and prior versions the PowerShell interpreters are blocked by recommended H_C settings.
So, most users are protected against bypassing "Constrained Language Mode" via PowerShell 2.0.
Yet, the users with installed Net Framework 3.5 on Windows 10 have to block PowerShell interpreters.
The idea of removing PowerShell 2.0 is worth rethinking.

 

[Andy Ful]

Thanks.
Let's make sure I got this right:
1 "switch off" and "restore windows defaults" have a similar effect. The big difference is that "restore windows defaults" doesn't remember what settings you had before.
2 H_C is smart enough to restore the right Windows default settings; it can distinguish between Windows 7 and 10.

That is right. Restoring Windows defaults is simple because all options are OFF. The differences between Windows versions are only with SMB and some <Block Remote Access>settings.

 

[shmu26]

In Windows 10, using PowerShell 2.0 is not possible until the user will install Net Framework 3.5 . PowerShell 2.0 requires both installed Net Framework 2.0 and ticked option "Windows PowerShell 2.0" in Windows optional features.
In Windows 8.1 and prior versions the PowerShell interpreters are blocked by recommended H_C settings.
So, most users are protected against bypassing "Constrained Language Mode" via PowerShell 2.0.
Yet, the users with installed Net Framework 3.5 on Windows 10 have to block PowerShell interpreters.
The idea of removing PowerShell 2.0 is worth rethinking.

How and why would someone with Win 10 have Net Framework 3.5 on their system?

 

[Andy Ful]

How and why would someone with Win 10 have Net Framework 3.5 on their system?

Some older applications will require the older Net Framework versions.

 

[509322]

In Windows 10, using PowerShell 2.0 is not possible until the user will install Net Framework 3.5 . PowerShell 2.0 requires both installed Net Framework 2.0 and ticked option "Windows PowerShell 2.0" in Windows optional features.
In Windows 8.1 and prior versions the PowerShell interpreters are blocked by recommended H_C settings.
So, most users are protected against bypassing "Constrained Language Mode" via PowerShell 2.0.
Yet, the users with installed Net Framework 3.5 on Windows 10 have to block PowerShell interpreters.
The idea of removing PowerShell 2.0 is worth rethinking.

An option to remove v2.0 in Windows Features makes sense. Attacks social engineer people to download .NET Framework all the time. It is common enough.

If a person is using Hard_Configurator properly, then there are multiple layers blocking stuff before they ever get to see the Windows Feature windows to download .NET Framework. However, there could be a convergence of user misconfiguration\error where v2.0 is a problem.

v2.0 just isn't needed. It is bad ju-ju legacy stuff that adds nothing. It should not be there.

 

[Andy Ful]

It is the fact that PowerShell 2.0 should be removed. Yet I am still not convinced if H_C should do it.

1. There is a convenient Windows application that can do it (OptionalFeatures.exe).
2. There are probably more optional features which should be removed.

Would not be better to add to H_C the option which simply can run OptionalFeatures.exe + the help file?
The advanced user should not have problems with adjusting the configuration for the concrete computer.

 

[509322]

It is the fact that PowerShell 2.0 should be removed. Yet I am still not convinced if H_C should do it.

1. There is a convenient Windows application that can do it (OptionalFeatures.exe).
2. There are probably more optional features which should be removed.

Would not be better to add to H_C the option which simply can run OptionalFeatures.exe + the help file?
The advanced user should not have problems with adjusting the configuration for the concrete computer.

Most people who will use your Hard_Configurator will be new to it; they will range from n00bs to advanced SRP users. I would think a really advanced user who is all about security has already removed PoSh v2.0 from Windows using one method or another. It is the people who use your product and depend upon it to guide them to implement the best SRP policy are the ones I am talking about.

Unfortunately, people refuse to slow down and simply read. TL;DR. I just used the product. Now I got myself into troubles. I will go to the forum and ask questions instead of reading the help files...

Disabling PoSh v2.0 is basic security practice. However you implement it is better than leaving PoSh v2.0 in-place.

Ask people here. You will get a general consensus. Me personally, I don't care which method is used. What I am more concerned about is that people understand that there are various PoSh versions, each one solves some but not all security problems, but v2.0 is atrocious - it needs to be uninstalled from the Windows image.

 

[oldschool]

I am the user type who installed H_C, "...who use your product and depend upon it to guide them to implement the best SRP policy...) and has not run into problems. I also follow @illumination's recommendation to rely on Window's built-in features vs loads of 3rd party apps which has likely helped me avoid problems! I do come up with questions with the aim of learning for sake of learning. I do not code and I know little of Windows processes except some basic and general concepts, etc.. e.g. dangerous extensions, etc. So in this sense I may be one archetypical MT user. @Andy Ful's Help texts are excellent so that makes me lean toward integrated PoSh removal. Whatever you come up with will probably be fine.

 

[509322]

I am the user type who installed H_C, "...who use your product and depend upon it to guide them to implement the best SRP policy...) and has not run into problems. I also follow @illumination's recommendation to rely on Window's built-in features vs loads of 3rd party apps which has likely helped me avoid problems! I do come up with questions with the aim of learning for sake of learning. I do not code and I know little of Windows processes except some basic and general concepts, etc.. e.g. dangerous extensions, etc. So in this sense I may be one archetypical MT user. @Andy Ful's Help texts are excellent so that makes me lean toward integrated PoSh removal. Whatever you come up with will probably be fine.

PoSh = versions 1 thru 5. 6 is in beta right now.
PoSh v2.0 has weak protections because Microsoft didn't develop it with security in mind in the first place.
PoSh v3 - 5, Microsoft has serviced because of numerous reports of security problems. Microsoft has done a bare minimum job at improving security. Of course the whole point is to make PoSh available, but make it safe. That is an oxymoron - unless Microsoft collects it all to know it all and then patches it all. The face of stupidity.
PoSh v2.0 stupidly remains installed on Windows by default for backwards compatibility\legacy reasons.
PoSh code\commandlets are not universal across all versions of PoSh. So a cmdlet on v5.0 cannot automatically be used in v2.0.
However, v2.0 can be used maliciously if it is installed and active on Windows.
PoSh Constrained Language Mode (v5.0) or _pspolicy as an environmental variable are good security. However, v2.0 and other methods can be used to disable Constrained Language Mode. Therefore, just uninstall v2.0.
Disabling PoSh and wscript makes missing ASR rules in Exploit Guard a moot point.
Microsoft Windows spaghetti security.

 

[oldschool]

WD once again quarantined ConfigureDefender as HackTool:Win32/MpTamper.D. Good to know it's doing its job!

 

[shmu26]

WD once again quarantined ConfigureDefender as HackTool:Win32/MpTamper.D. Good to know it's doing its job!

It's definitely hacking your registry, but for the good...

@Lockdown, I don't get how PoSh v2.0 works. It uses the same powershell.exe but does different stuff with it, or what? Even when it is enabled, it doesn't seem to put another powershell.exe in Windows folder, at least I can't find it...

@Andy Ful, you wrote "adjusting the configuration for the concrete computer". Pardon me for being an English stickler: When you use the word "concrete" it is often a little hard to understand. In this case, a more idiomatic way of saying it would be "adjusting the configuration for that specific computer".

 

[oldschool]

It's definitely hacking your registry, but for the good...

@Lockdown, I don't get how PoSh v2.0 works. It uses the same powershell.exe but does different stuff with it, or what? Even when it is enabled, it doesn't seem to put another powershell.exe in Windows folder, at least I can't find it...

@Andy Ful, you wrote "adjusting the configuration for the concrete computer". Pardon me for being an English stickler: When you use the word "concrete" it is often a little hard to understand. In this case, a more idiomatic way of saying it would be "adjusting the configuration for that specific computer".

!

 

[509322]

@Lockdown, I don't get how PoSh v2.0 works. It uses the same powershell.exe but does different stuff with it, or what? Even when it is enabled, it doesn't seem to put another powershell.exe in Windows folder, at least I can't find it...

PowerShell is installed to a v1.0 directory. That means all versions 1.0 through 5.0, and soon 6.0.

PowerShell runs using the concept of "sessions." So you can run both version 5 and 2 simultaneously. You have to invoke version 2 specifically.

PowerShell.exe -Version 2

Knowing PoSh, there's probably multiple ways of calling v2.0. A quick lookup proves that statement on the money. Take a Look-See here:

Starting the Windows PowerShell 2.0 Engine

All the PoSh internals are in the PoSh libraries (DLL).

 

[Andy Ful]

WD once again quarantined ConfigureDefender as HackTool:Win32/MpTamper.D. Good to know it's doing its job!

You probably are using the older version 1.0.1.1. The corrected version 1.1.1.1 is still whitelisted by Microsoft (tried 5 minutes ago).

 

[shmu26]

It is the fact that PowerShell 2.0 should be removed. Yet I am still not convinced if H_C should do it.

1. There is a convenient Windows application that can do it (OptionalFeatures.exe).
2. There are probably more optional features which should be removed.

Would not be better to add to H_C the option which simply can run OptionalFeatures.exe + the help file?
The advanced user should not have problems with adjusting the configuration for the concrete computer.

You could add it to the options in the right column, I think it would be a welcome addition.

 

[Andy Ful]

You could add it to the options in the right column, I think it would be a welcome addition.

I cannot put it there. Uninstalling optional Windows features do not fit well with the <Switch OFF/ON Restrictions> option for the right column. I have also a problem. Should PowerShell 2.0 be restored via <Tools><Restore Windows Defauls> or when uninstalling H_C?
I am not sure what would be the best way. For now, I am thinking about:

1. Removing PowerShell 2.0 during installation of H_C, with option to skip this action.
2. Adding the button for running OptionalFeatures.exe
3. Adding PowerShell 2.0 during uninstallation of H_C, with option to skip this action.

 

[shmu26]

I cannot put it there. Uninstalling optional Windows features do not fit well with the <Switch OFF/ON Restrictions> option for the right column. I have also a problem. Should PowerShell 2.0 be restored via <Tools><Restore Windows Defauls> or when uninstalling H_C?
I am not sure what would be the best way. For now, I am thinking about:

1. Removing PowerShell 2.0 during installation of H_C, with option to skip this action.
2. Adding the button for running OptionalFeatures.exe
3. Adding PowerShell 2.0 during uninstallation of H_C, with option to skip this action.

2

 

[Andy Ful]

It's definitely hacking your registry, but for the good...

@Lockdown, I don't get how PoSh v2.0 works. It uses the same powershell.exe but does different stuff with it, or what? Even when it is enabled, it doesn't seem to put another powershell.exe in Windows folder, at least I can't find it...

@Andy Ful, you wrote "adjusting the configuration for the concrete computer". Pardon me for being an English stickler: When you use the word "concrete" it is often a little hard to understand. In this case, a more idiomatic way of saying it would be "adjusting the configuration for that specific computer".

I had in mind the single, but unspecified computer. Could it be right something like that:
"adjusting the configuration to the specific computer hardware/software".
"adjusting the configuration to the specific computer environment".
"adjusting the configuration to the particular computer"