Hard_Configurator - Windows Hardening Configurator

[shmu26]

I had in mind the single, but unspecified computer. Could it be right something like that:
"adjusting the configuration to the specific computer hardware/software".
"adjusting the configuration to the specific computer environment".
"adjusting the configuration for the particular computer"

The first one sounds best, to my ears.

 

[Freki123]

Anyone got the sha256 from the old Hard_Configurator 4.0.0.0?
Is it by chance SHA-256 9cb9a4a7892da4808908bcfe854f6ebf0d5c07fe67ad7a383cb2757b0eedf324 ?

 

[Andy Ful]

Anyone got the sha256 from the old Hard_Configurator 4.0.0.0?
Is it by chance SHA-256 9cb9a4a7892da4808908bcfe854f6ebf0d5c07fe67ad7a383cb2757b0eedf324 ?

Which installer (there are two)?

 

[Freki123]

the 64bit Version downloaded 24.7.18. I hope you meant that

 

[Andy Ful]

Anyone got the sha256 from the old Hard_Configurator 4.0.0.0?
Is it by chance SHA-256 9cb9a4a7892da4808908bcfe854f6ebf0d5c07fe67ad7a383cb2757b0eedf324 ?

Yes. This is the version from June 2018, that was flagged by Microsoft in September 2018 as a hack-tool.
The corrected installers (no version change) are available on GitHub and Softpedia.
Update - Hard_Configurator - Windows Hardening Configurator

 

[Freki123]

@Andy Ful Thanks for your answer. I found it when i scanned my downloaded (and wanted to try again some time folder) and it was flagged with 15/65 on Virus Total. My heart skipped a few beats

 

[shmu26]

The best security softwares are flagged as malware. I see it again and again.

 

[Freki123]

Most of the time i see stuff like 4/65 or so, with 15/65 i realy got worried. When it's 4 that are rarely known it happens when it 15 included the big players i started to worry.
Anyway thanks for the fast help, really appreciate it.

 

[ForgottenSeer 69673]

For those that replied to Freki123 in the malware assistance thread. Only dedicated helpers are allowe

 

[oldschool]

@Andy Ful - I uninstalled H_C recently (at my wife's 'request' ) and installed the new versions of ConfigureDefender and RunBySmartscreen. Since then I have Windows Explorer opening on startup or restart. It's quite annoying. I posted this issue in Troubleshooting thread but thought I should check here as well to see if it's related to these changes. Thanks in advance!

File Explorer issue solved in Settings>Apps>Startup>WE>OFF. User error which Administrator solved!

BTW, I'm using VoodooShield only and my wife is happy - and you know the saying - "Happy wife, happy life!".

 

[Andy Ful]

...
BTW, I'm using VoodooShield only and my wife is happy - and you know the saying - "Happy wife, happy life!".
...

Keep it this way.

 

[shmu26]

"Happy wife, happy life!". :cool:[/QUOTE]

That's iron-clad logic!

 

[Andy Ful]

A few days ago @Windows_Security posted the steps to install and forget default deny on Windows 10 with Windows Defender.
Q&A - [Updated 12/11/2018] Browser extension comparison: Malwares and Phishings

Some steps are automatically included when using Hard_Configurator, so I would like to show the easy way of making such a setup with H_C:

1. Install H_C (ConfigureDefender is already in H_C). Press <ConfigureDefender> button and apply <Defender High> settings. Close ConfigureDefender.
2. Use <Load Profile> option in Hard_Configurator and apply "Windows_10_Recommended_Enhanced" profile. This profile already includes MSI tweak, blocks scripts and Remote Access, so no need to use Exploit Guard for wmic.exe, cscript.exe, rdpshell.exe and powershell.exe.
3. Use <Block Sponsors> button to block mshta.exe and iexplore.exe. You can add more sponsors if required. If particular applications require HTA files, then do not block mshta.exe, but make the Firewall rule to block the Internet access for it.
4. Configure your browser via 5 b) and c) steps included in @Windows_Security post. You can skip the 5 c) step if you like to use only Edge browser.

 

[shmu26]

Use <Load Profile> option in Hard_Configurator and apply "Windows_10_Recommended_Enhanced" profile (MSI tweak is already included). This profile already includes MSI tweak, blocks scripts and Remote Access, so no need to use Exploit Guard for wmic.exe, cscript.exe, rdpshell.exe and powershell.exe.

What about wscript ?
And what is this MSI tweak?

 

[Andy Ful]

What about wscript ?
And what is this MSI tweak?

Blocking wscript.exe/cscript.exe is not required, because Windows Script Host is properly blocked by SRP Enforcement setting set to 'Skip DLLs'. Furthermore, you can whitelist particular scripts with this setting, which is not possible when you block wscript.exe and cscript.exe.
MSI tweak is the same as the H_C option <More ...><MSI Elevation>.

 

[shmu26]

Blocking wscript.exe/cscript.exe is not required, because Windows Script Host is properly blocked by SRP Enforcement setting set to 'Skip DLLs'. Furthermore, you can whitelist particular scripts with this setting, which is not possible when you block wscript.exe and cscript.exe.
MSI tweak is the same as the H_C option <More ...><MSI Elevation>.

So "Recommended SRP" already blocks Windows script host (wscript and cscript), without even using the Sponsors tab? What other sponsors does it block?

 

[Andy Ful]

So "Recommended SRP" already blocks Windows script host (wscript and cscript), without even using the Sponsors tab? What other sponsors does it block?

That depends on Windows version. On Windows 10 the option <Recommended SRP> blocks:

1. CMD shell (BAT, CMD scripts), Windows Script Host (JS, VBS, JSE, VBE, and any file which has the code interpreted by cscript.exe or wscript.exe), MSI Installer. This is blocked by the proper SRP Enforcement and Default Security Level settings. CMD Shell commandlines and CMD console are not blocked.
2. Advanced functions in PowerShell via Constrained Language Mode. PowerShell commandlines and PowerShell console are not blocked - yet, advanced PowerShell functions are disabled. Additionally <Recommended Restrictions> option applies <No PowerShell Exec.> = ON, to block PowerShell script execution.
3. HTA, CHM, CPL, MSC, and other dangerous files are blocked only when the user tries to open them. Those files can be run when using the commandlines with sponsors.

The points 1 and 2 are very strong against malicious Windows Script Host and PowerShell scripts (also fileless), even when the system was exploited.
The point 3, protects the user against being fooled to run malicious files. But, when the system is exploited, then those files can be run as standard user via sponsors. So, when the user have installed the vulnerable applications, they should be protected by other features, like <Documents Anti-Exploit> (MS Office, Adobe Acrobat Reader), Firewall rules for sponsors, or blocking sponsors via <Block Sponsors>. The users with WD real-time protection can also activate ASR rules, available in ConfigureDefender - they are also automatically activated by the option <Defender high settings>.

 

[Windows_Security]

A few days ago @Windows_Security posted the steps to install and forget default deny on Windows 10 with Windows Defender.
Q&A - [Updated 12/11/2018] Browser extension comparison: Malwares and Phishings

Some steps are automatically included when using Hard_Configurator, so I would like to show the easy way of making such a setup with H_C:

1. Install H_C (ConfigureDefender is already in H_C). Press <ConfigureDefender> button and apply <Defender High> settings. Close ConfigureDefender.
2. Use <Load Profile> option in Hard_Configurator and apply "Windows_10_Recommended_Enhanced" profile. This profile already includes MSI tweak, blocks scripts and Remote Access, so no need to use Exploit Guard for wmic.exe, cscript.exe, rdpshell.exe and powershell.exe.
3. Use <Block Sponsors> button to block mshta.exe and iexplore.exe. You can add more sponsors if required. If particular applications require HTA files, then do not block mshta.exe, but make the Firewall rule to block the Internet access for it.
4. Configure your browser via 5 b) and c) steps included in @Windows_Security post. You can skip the 5 c) step if you like to use only Edge browser.

Easier is better :emoji_pray::emoji_ok_handy) I did no know, good work, you should rename the profile to WIndows_10_Security_recommended"

 

[Andy Ful]

Easier is better :emoji_pray::emoji_ok_handy) I did no know, good work, you should rename the profile to WIndows_10_Security_recommended"

"Windows_10_Recommended_Enhanced" profile includes also:

1. Blocking shortcuts (except some special locations).
2. Blocking file execution in writable c:\Windows subfolders.
3. Disabling SMB 1.0 protocol.
4. Disabling 16-bit programs.
5. Blocking additional sponsors: csc.exe, InstallUtil.exe, reg.exe, regini.exe, schtasks.exe.

It is opened for some other useful restrictions, which will not produce false positives. If it will be finished, and @Windows_Security will like it, then I should probably rename it to WIndows_10_Security_recommended.
Hard_Configurator has also the option to save profile via <Save Profile> option, so the user can create & save his/her custom made profiles.

 

[shmu26]

FYI Patch Tuesday removed the standalone "run by smartscreen".
I was already on 1809 before the update.