Updates Hard_Configurator - Windows Hardening Configurator

Andy Ful

FYI Patch Tuesday removed the standalone "run by smartscreen".
I was already on 1809 before the update.
I have just updated my Windows 10 64-bit ver. 1809 (Cumulative update kb4467708 + Adobe Flash Player). There were no problems with standalone RunBySmartScreen - worked as usual after the update via the right-click Explorer context menu.
Yet, the standalone RunBySmartScreen settings are automatically wiped out, after running Hard_Configurator which has its own "Run By Smartscreen" feature.
Please report if someone had a similar problem as @shmu26.

Andy Ful

This week I am going to push the new Hard_Configurator ver. 4.0.0.2 with an updated "Run By SmartScreen" feature. Unfortunately, there is a bug in ver. 4.0.0.0 in the <Update> function (corrected in ver. 4.0.0.2), so the new version has to be downloaded and installed manually. (y)
 

Windows_Security

"Windows_10_Recommended_Enhanced" profile includes also:
  1. Blocking shortcuts (except some special locations).
  2. Blocking file execution in writable c:\Windows subfolders.
  3. Disabling SMB 1.0 protocol.
  4. Disabling 16-bit programs.
  5. Blocking additional sponsors: csc.exe, InstallUtil.exe, reg.exe, regini.exe, schtasks.exe.
It is open to some other useful restrictions which will not produce false positives. If it gets finished, and @Windows_Security likes it, then I should probably rename it to Windows_10_Security_recommended. :giggle:
Hard_Configurator also has the option to save a profile via the <Save Profile> option, so the user can create and save his/her custom-made profiles.
Thanks, I had a whole series of manual reg files to implement those tweaks. The only thing I also add is disabling Remote Desktop/Assistance; that closes the door on some intrusions but also cuts users off from third-party assistance, so I understand they are not included in this 'useful restrictions setup without normal-user function loss or false positives'.

Keep up the good work (y)
 

shmu26

I have just updated my Windows 10 64-bit ver. 1809 (Cumulative update kb4467708 + Adobe Flash Player). There were no problems with standalone RunBySmartScreen - worked as usual after the update via the right-click Explorer context menu.
Yet, the standalone RunBySmartScreen settings are automatically wiped out, after running Hard_Configurator which has its own "Run By Smartscreen" feature.
Please report if someone had a similar problem as @shmu26.
So if it didn't happen to you, then it was probably due to something else that I did. :)
 

Andy Ful

Thanks, I had a whole series of manual reg files to implement those tweaks. The only thing I also add is disabling Remote Desktop/Assistance; that closes the door on some intrusions but also cuts users off from third-party assistance, so I understand they are not included in this 'useful restrictions setup without normal-user function loss or false positives'.

Keep up the good work (y)
The "Windows_10_Recommended_Enhanced" profile also blocks remote features: Remote Desktop, Remote Assistance (solicited and unsolicited), Remote Shell Access, Remote Registry Access. Those features are blocked by the standard recommended settings, too. :giggle:(y)
Many of your registry tweaks are included in Hard_Configurator, because you wrote about them many times and I was one of the careful readers. I checked them myself and found them useful. :emoji_ok_hand:

The SRP settings are also similar to yours. At present, H_C uses Default Security Level = Disallowed, but it works similarly to your preferred 'Basic User' on Windows 7, 8, 8.1, and 10. The only important difference is the lack of extended protection for CMD Shell and Windows Script Host in the 'Basic User' setting. So when using 'Basic User' in H_C, the VBScript and JScript scripts have to be blocked by the <Disable Win. Script Host> option. This option is not related to SRP. It blocks script execution also as administrator and gives very poor info in the Windows Event Viewer. Another possibility is blocking the script sponsors via SRP (wscript.exe and cscript.exe). Neither <Disable Win. Script Host> nor blocking sponsors allows whitelisting particular scripts, so I prefer SRP Default Security Level = Disallowed.
When using the Default Security Level = Disallowed setting in H_C, Windows Script Host is blocked by SRP as standard user only, the log includes more information about blocked events, and the user can whitelist particular scripts.
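An added example, not part of the post and not Hard_Configurator's own code, that reads from PowerShell the state discussed above: the SRP Default Security Level and policy scope, the Windows Script Host switch (which is what <Disable Win. Script Host> flips), and the recent SRP block events in the Application log. The registry paths and event IDs are the standard Windows ones; run it from an elevated prompt.

```powershell
# Added example: read-only audit of SRP / WSH state. Not H_C code; it changes nothing.

# SRP DefaultLevel (REG_DWORD): 0 = Disallowed, 0x20000 = Basic User, 0x40000 = Unrestricted
$srpLevels = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }
$srpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

$srp = Get-ItemProperty -Path $srpKey -ErrorAction SilentlyContinue
if ($null -eq $srp -or $null -eq $srp.DefaultLevel) {
    Write-Output 'SRP: no policy found (no DefaultLevel set)'
} else {
    $name = $srpLevels[[int]$srp.DefaultLevel]
    if (-not $name) { $name = ('unknown (0x{0:X})' -f $srp.DefaultLevel) }
    Write-Output ('SRP: DefaultLevel = {0}' -f $name)
    # PolicyScope 0 = all users (administrators included), 1 = all users except local administrators.
    # This is why SRP Disallowed blocks WSH "as standard user only" in the post above.
    Write-Output ('SRP: PolicyScope = {0}' -f $srp.PolicyScope)
    # ExecutableTypes lists the extensions SRP treats as executable (script extensions live here)
    Write-Output ('SRP: ExecutableTypes = {0}' -f ($srp.ExecutableTypes -join ' '))
}

# Windows Script Host switch. Enabled = 0 disables WSH for everyone, administrators too,
# and this path does not go through SRP, so there are no SRP events for it.
foreach ($hive in 'HKLM', 'HKCU') {
    $wsh = Get-ItemProperty -Path "${hive}:\SOFTWARE\Microsoft\Windows Script Host\Settings" -ErrorAction SilentlyContinue
    $state = if ($null -eq $wsh.Enabled) { 'default (enabled)' } elseif ($wsh.Enabled -eq 0) { 'DISABLED' } else { 'enabled' }
    Write-Output ('WSH ({0}): {1}' -f $hive, $state)
}

# SRP block events are written to the Application log by source SoftwareRestrictionPolicies:
# 865 = blocked by the default level, 866 = path rule, 867 = certificate rule, 868 = zone rule.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'SoftwareRestrictionPolicies'; Id = 865, 866, 867, 868
} -MaxEvents 20 -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Output 'SRP: no block events found in the Application log'
} else {
    $events | ForEach-Object { '{0:u}  id={1}  {2}' -f $_.TimeCreated, $_.Id, ($_.Message -split "`n")[0] }
}
```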

Gandalf_The_Grey

A few days ago @Windows_Security posted the steps to install and forget default deny on Windows 10 with Windows Defender.
Q&A - [Updated 12/11/2018] Browser extension comparison: Malwares and Phishings

Some steps are automatically included when using Hard_Configurator, so I would like to show the easy way of making such a setup with H_C:
  1. Install H_C (ConfigureDefender is already in H_C). Press <ConfigureDefender> button and apply <Defender High> settings. Close ConfigureDefender.
  2. Use the <Load Profile> option in Hard_Configurator and apply the "Windows_10_Recommended_Enhanced" profile. This profile already includes the MSI tweak and blocks scripts and Remote Access, so there is no need to use Exploit Guard for wmic.exe, cscript.exe, rdpshell.exe and powershell.exe.
  3. Use the <Block Sponsors> button to block mshta.exe and iexplore.exe. You can add more sponsors if required. If particular applications require HTA files, then do not block mshta.exe, but make a Firewall rule to block Internet access for it.
  4. Configure your browser via steps 5 b) and c) included in @Windows_Security's post. You can skip step 5 c) if you prefer to use only the Edge browser.
Ok, I finally had enough courage to try Hard Configurator :D

Skipped step 1 because I'm running Kaspersky Security Cloud Free and Comodo Firewall.
Had to tell Comodo Auto Containment to leave Hard Configurator alone.

No problem with step 2 (saved after Apply changes after step 3)

Wonder if I did step 3 correctly? Block Sponsors ==> add a checkbox for mshta.exe and iexplore.exe ==> Close ==> Apply changes

For step 4 Microsoft Edge and Google Chrome both have the AdGuard extension and Google Chrome has the Windows Defender Browser Protection Extension.

Thank you both @Andy Ful @Windows_Security (y)

 

Andy Ful

Ok, I finally had enough courage to try Hard Configurator :D
...
Thanks for testing H_C. I am afraid that when you try to use "Run As SmartScreen" from the right-click Explorer context menu, this will be contained in the Comodo sandbox. So, this feature can be used to see if the executable is accepted by SmartScreen, but not to install new applications.
Do not use this triad (KSCF + CF + H_C) for a long time. It is better to skip H_C or CF and use the happy dyad.
You can also consider replacing H_C with the standalone RunBySmartScreen :giggle:(y)
 

Gandalf_The_Grey

Thanks for testing H_C. I am afraid that when you try to use "Run As SmartScreen" from the right-click Explorer context menu, this will be contained in the Comodo sandbox. So, this feature can be used to see if the executable is accepted by SmartScreen, but not to install new applications.
Do not use this triad (KSCF + CF + H_C) for a long time. It is better to skip H_C or CF and use the happy dyad.
You can also consider replacing H_C with the standalone RunBySmartScreen :giggle:(y)
For now it works without any problems.
Run As SmartScreen works when I (for example) right-click HitmanPro portable in my Downloads folder.
Will see how it goes, but for now (y)
 

Andy Ful

Would it make sense to add these to the sponsor list:
C:\Windows\System32\OpenSSH\scp.exe
C:\Windows\System32\OpenSSH\sftp.exe
C:\Windows\System32\OpenSSH\ssh.exe

NVT was talking about them over here: NoVirusThanks OSArmor: An Additional Layer of Defense
They can be dangerous when using OSArmor, but are not dangerous when using H_C on default deny. There is only a very small chance that something will be exploited when the H_C default-deny settings are applied. Let's suppose anyway that an exploit has succeeded and used scp.exe, sftp.exe or ssh.exe to download the payload. If so, then the execution of that payload will be blocked by the H_C settings.

Edit.
The best way of securing against the OpenSSH executables would probably be to block them via Firewall rules, because they can also upload files to a remote server.
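An added example (not part of the post, and not Hard_Configurator's own code) of the per-program Firewall rules suggested here and in step 3 above: it blocks outbound connections for the three OpenSSH client binaries and for mshta.exe, so the executables can still run locally but can neither download nor upload. It uses the stock NetSecurity cmdlets from an elevated PowerShell; the rule-name prefix is an invented label, and the mshta.exe paths are assumed to be the usual System32/SysWOW64 ones.

```powershell
# Added example: outbound-block rules for the sponsors discussed in the thread.
# Re-runnable: an existing rule with the same display name is replaced, not duplicated.
$prefix = 'HC-thread outbound block'   # invented label, change to taste
$programs = @(
    'C:\Windows\System32\OpenSSH\scp.exe',
    'C:\Windows\System32\OpenSSH\sftp.exe',
    'C:\Windows\System32\OpenSSH\ssh.exe',
    'C:\Windows\System32\mshta.exe',     # assumed path
    'C:\Windows\SysWOW64\mshta.exe'      # assumed path (32-bit copy on 64-bit Windows)
)

foreach ($exe in $programs) {
    $dir  = Split-Path -Leaf (Split-Path -Parent $exe)
    $name = '{0}: {1} ({2})' -f $prefix, (Split-Path -Leaf $exe), $dir

    # Drop a stale rule of the same name so the script can be run again safely
    Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue | Remove-NetFirewallRule

    if (-not (Test-Path -LiteralPath $exe)) {
        Write-Output "skip (not present): $exe"
        continue
    }

    # Block rules win over allow rules in Windows Firewall, so this holds even though
    # the default outbound action is Allow. -Profile Any covers Domain, Private and Public.
    New-NetFirewallRule -DisplayName $name -Direction Outbound -Program $exe `
        -Action Block -Profile Any -Enabled True | Out-Null
    Write-Output "outbound blocked: $exe"
}

# Verify: list the programs now covered by the rules this script owns
Get-NetFirewallRule -DisplayName "$prefix*" |
    Get-NetFirewallApplicationFilter |
    Select-Object -ExpandProperty Program
```

To undo, run `Get-NetFirewallRule -DisplayName "HC-thread outbound block*" | Remove-NetFirewallRule` from the same elevated prompt.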

oldschool

Thanks for testing H_C. I am afraid that when you try to use "Run As SmartScreen" from the right-click Explorer context menu, this will be contained in the Comodo sandbox. So, this feature can be used to see if the executable is accepted by SmartScreen, but not to install new applications.
Do not use this triad (KSCF + CF + H_C) for a long time. It is better to skip H_C or CF and use the happy dyad.
You can also consider replacing H_C with the standalone RunBySmartScreen :giggle:(y)

I appreciate that @Gandalf_The_Grey is trying this setup (I hope it works out), but I thought the same as you when I saw it. It seems to be asking for trouble, besides the "overkill" aspect.
 

shmu26

I appreciate that @Gandalf_The_Grey is trying this setup (I hope it works out), but I thought the same as you when I saw it. It seems to be asking for trouble, besides the "overkill" aspect.
Trouble, maybe, but I don't think it's overkill, because H_C gives you sponsor protection that you don't have in the other two softs mentioned. It also gives you a stronger default/deny than Comodo, because you don't have ten thousand trusted vendors and a hidden whitelist.
 

Gandalf_The_Grey

My previous configuration was KSCF + CF and NoVirusThanks SysHardener at its default settings.
Now I just replaced SysHardener with Hard Configurator.
I know that Hard Configurator is meant to be a more powerful default/deny setup than SysHardener, but I really like CF at Cruelsister's settings.
So for now I would like to continue like this, and in case of big problems I will have to choose between HC and CF.
 

Andy Ful

My previous configuration was KSCF + CF and NoVirusThanks SysHardener at its default settings.
..
If you did not revert the Windows default settings before skipping SysHardener, then you probably have disrupted file associations for scripts. If so, then you cannot run any Windows script (JS, JSE, VBS, VBE, etc.) from Explorer, even when H_C protection is not active.
 

shmu26

My previous configuration was KSCF + CF and NoVirusThanks SysHardener at its default settings.
Now I just replaced SysHardener with Hard Configurator.
I know that Hard Configurator is meant to be a more powerful default/deny setup than SysHardener, but I really like CF at Cruelsister's settings.
So for now I would like to continue like this, and in case of big problems I will have to choose between HC and CF.
I don't think you will have big problems. Once you set HC as trusted in Comodo, everything works just fine.
 

Windows_Security

@Gandalf_The_Grey

Whether to use Comodo Firewall with Cruel Sister's settings + Kaspersky Free or Andy Ful's Hard Configurator (with the Windows_10_Recommended_Enhanced profile) + Windows Defender really depends on your PC.

Because HC uses Windows internal mechanisms, it should (this does not apply to all PCs, but as a rule of thumb it should) require fewer resources. When your CPU is strong enough, the performance difference really is a non-issue. So when you are not looking a lot at the hourglass (zandloper), I would suggest sticking to your old trusted combo of Kaspersky Free + Comodo + SysHardener and using the separate standalone "Run By SmartScreen" as Andy suggested to you earlier.

Regards, Kees
 

Andy Ful

I was curious how Hard_Configurator can coexist with Comodo Firewall in CS settings.
Ran the Hard_Configurator installation file - it was contained in the sandbox, so I added it to Trusted applications and ran it again. Installed without issues.

Ran the Hard_Configurator executable - it was first contained, but after a file lookup in the Comodo Cloud (very quickly) it was recognized as Trusted.
The same scenario applied to the other executables: SwitchDefaultDeny, ConfigureDefender, and DocumentsAntiExploit. When I checked the details, the 'User' file rating was 'Rate Now' and below it 'Comodo Trusted Installer' was Trusted.

I tried to execute a custom-made program via "Run As SmartScreen" and, surprise, it was not contained - Comodo knew it as Trusted. Repeated the same with "Run By SmartScreen": the RunBySmartScreen executable was treated in the standard way: contained --> file lookup --> Trusted.

The Hard_Configurator installer (not yet published) and my custom-made executable were uploaded to the Comodo Cloud and are waiting for analysis.

Conclusion - CF knows the H_C executables, except the new unpublished installer. It may be that when I manually set the installer to Trusted, CF can automatically recognize the installed executables as Trusted.
Yet, I found the problem with blocking PowerShell commands in ConfigureDefender (see the next post).

Andy Ful

Comodo Firewall lets ConfigureDefender run, but contains in the sandbox all settings which are applied by PowerShell commands. It creates a PowerShell script for each such command in the folder:
c:\ProgramData\Comodo\Cis\tempscrpt\
This CF protection follows from the option "Do heuristic command-line analysis for certain applications" in Settings >> Advanced Protection >> Miscellaneous. When the setting 'Heuristic Command-line Analysis' is ON, the PowerShell commands in ConfigureDefender are contained.
It takes several minutes to try all options in ConfigureDefender and all available settings (ON, Disabled, Audit, etc.). Next, they can be unblocked, and then ConfigureDefender can work well.

Conclusion - it is not easy to make ConfigureDefender work with CF.
 

shmu26

Comodo Firewall lets ConfigureDefender run, but contains in the sandbox all settings which are applied by PowerShell commands. It creates a PowerShell script for each such command in the folder:
c:\ProgramData\Comodo\Cis\tempscrpt\
This CF protection follows from the option "Do heuristic command-line analysis for certain applications" in Settings >> Advanced Protection >> Miscellaneous. When the setting 'Heuristic Command-line Analysis' is ON, the PowerShell commands in ConfigureDefender are contained.
It takes several minutes to try all options in ConfigureDefender and all available settings (ON, Disabled, Audit, etc.). Next, they can be unblocked, and then ConfigureDefender can work well.

Conclusion - it is not easy to make ConfigureDefender work with CF.
Whenever I need to run ConfigureDefender, I just turn off my advanced security software. It's easier that way.