Hard_Configurator - Windows Hardening Configurator

Andy Ful

Whenever I need to run ConfigureDefender, I just turn off my advanced security software. It's easier that way.
Generally, everything can be easier if you have a good memory and do not forget about the details. :giggle:(y)
The method mentioned by @shmu26 is good for many conflicting security duets, especially for Configurators. Yet, if you prepare the setup for someone else, then do not count on his/her memory.:notworthy:

Gandalf_The_Grey

@Andy Ful Nice you were testing CF (y)
Best thing is to shut it down when installing "complex" software like ConfigureDefender as @shmu26 said.
If you forget or just don't want that, I always put CF in advanced view so you can see what's blocked and unblock it from there:

[Screenshots: 2018-11-15.png, 2018-11-15 (1).png]
 

Andy Ful

If you forget or just don't want that I always put CF in advanced view so you can see what's blocked ...
I used it to unblock all PowerShell scripts made by CF after testing ConfigureDefender.
I think that the latest CF version is more usable than version 8.2, which I still use on my 10-year-old XP laptop connected to a TV (good as a media player). If I had a computer with Windows 7, then I would still use CF in CS settings (no other security or AV) and simply set script interpreters and some sponsors as Unrecognized.

shmu26

So let's say I want to modify the sponsors list, and add some of my own. I can see more or less how that works in this registry key:
HKLM\SOFTWARE\Policies\Microsoft\Windows\safer_Hard_Configurator\CodeIdentifiers\BlockSponsors\
But is that all? Do I need to make entries also in
HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\CodeIdentifiers\0\Paths\
Or does that one happen by itself? I sure hope so!
Will manually added sponsors appear in H_C GUI?

Please correct me if my approach is misguided. :)
 

Andy Ful

The Registry key:
HKLM\SOFTWARE\Policies\Microsoft\Windows\safer_Hard_Configurator\CodeIdentifiers\BlockSponsors\
is needed only for H_C, but it is unimportant for SRP. The SRP can make Disallowed rules in the key:
HKLM\SOFTWARE\Policies\Microsoft\Windows\safer\CodeIdentifiers\0\Paths\
If you add manually your own Disallowed rules, then they will not be visible in H_C, because only the special GUIDs are allowed in H_C.
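
Added example (not Hard_Configurator's own code): because manually added Disallowed rules do not show in the H_C GUI, they can be listed from the SRP key itself. The sample text imitates the layout that reg query prints with /s; its GUIDs and paths are constructed, and the function names are illustrative.

```python
import re

# Constructed sample in the layout printed by `reg query <key> /s`.
# GUIDs and paths are made up for illustration.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\CodeIdentifiers\0\Paths\{00000000-0000-0000-0000-000000000001}
    ItemData    REG_SZ    C:\Windows\System32\example_sponsor.exe
    SaferFlags    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer_Hard_Configurator\CodeIdentifiers\BlockSponsors

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\CodeIdentifiers\262144\Paths\{00000000-0000-0000-0000-000000000002}
    ItemData    REG_EXPAND_SZ    %ProgramFiles%
    SaferFlags    REG_DWORD    0x0
"""

# SRP security levels are the numeric subkeys of CodeIdentifiers.
LEVELS = {"0": "Disallowed", "131072": "Basic User", "262144": "Unrestricted"}
# Only the key SRP itself reads (\safer\), not \safer_Hard_Configurator\.
KEY_RE = re.compile(
    r"\\safer\\CodeIdentifiers\\(\d+)\\Paths\\(\{[0-9A-Fa-f-]+\})$", re.IGNORECASE)
VAL_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")

def parse_rules(text):
    """Return one dict per SRP path rule: level, guid and the rule's values."""
    rules, cur = [], None
    for line in text.splitlines():
        key = KEY_RE.search(line.strip())
        if key:
            cur = {"level": LEVELS.get(key.group(1), key.group(1)),
                   "guid": key.group(2)}
            rules.append(cur)
        elif line.startswith("HKEY_"):
            cur = None          # some other key: its values are not SRP rules
        elif cur is not None:
            val = VAL_RE.match(line)
            if val:
                cur[val.group(1)] = val.group(3).strip()
    return rules

def disallowed(rules):
    """(GUID, path) of every Disallowed path rule, whoever created it."""
    return [(r["guid"], r.get("ItemData")) for r in rules
            if r["level"] == "Disallowed"]

if __name__ == "__main__":
    for guid, path in disallowed(parse_rules(SAMPLE)):
        print(guid, path)
```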
 

Andy Ful

Hard_Configurator ver. 4.0.0.2 is available on GitHub:
  1. For Windows 64-bit: AndyFul/Hard_Configurator
  2. For Windows 32-bit: AndyFul/Hard_Configurator
The executables were whitelisted by: Microsoft, Emsisoft, Symantec, Avast, and BitDefender.

What is new & corrected:
  1. Corrected the ability to whitelist OneDrive on SUA.
  2. Changed the way of using <Refresh Explorer> option to avoid problems on SUA.
  3. Added the warning before Hard_Configurator deinstallation, about using DocumentsAntiExploit tool.
  4. Added the DocumentsAntiExploit tool to the SwitchDefaultDeny application, for managing different MS Office and Adobe Acrobat Reader XI/DC settings on different user accounts.
  5. In the 4.0.0.2 version the <Documents Anti-Exploit> option in Hard_Configurator can only change system-wide settings. Non-system-wide settings are now available only via DocumentsAntiExploit tool.
  6. Added IQY and SETTINGCONTENT-MS file extensions to the default list of Designated File Types and to the hardcoded dangerous extensions in RunBySmartScreen.
  7. Improved Shortcut protection.
  8. Improved the protection of MS Office and Adobe Acrobat Reader XI/DC applications, against the weaponized documents.
  9. Improved 'Run By SmartScreen' with over 250 blocked file extensions (SRP, Outlook Web Access, Gmail, and Adobe Acrobat Reader attachments blacklists). The extensions BAT, DLL, CMD, JSE, OCX, and VBE are now blocked with notification, instead of being checked by SmartScreen. Popular but vulnerable files (RTF, DOC, DOCX, XLS, XLSX, PUB, PPT, PPTX, ACCDB, PDF) related to MS Office and Adobe Reader, are opened with the warning instruction.
  10. Changed the names of some buttons in the TOOLS menu:
    <View Blocked Events> ---> <Blocked Events / Security Logs>
    <Run Autoruns: Scripts/UserSpace> ---> <Whitelist Autoruns / View Scripts>
  11. Changed 'Allow EXE' option in the <Whitelist by Path> to 'Allow EXE and TMP'. So, both EXE files and TMP files are whitelisted - this option is prepared to work with Avast Hardened Mode Aggressive as default-deny.
  12. Corrected the bug with <Update> button (did not work for the 64-bit version).
  13. Updated Hard_Configurator manual.
 

Reldel1

Great effort, thanks for your dedication. Can't wait to see your new baby.
 

Reldel1

Andy, I've been running H_C 4.0.0.2, 64 bit version on three machines with Windows_10_Recommended Enhanced profile and it has been running smoothly. Windows Reliability History clean for both days and no unexpected blocked events showing in the tools Blocked Events/Security logs.

A couple of observations from the install experience. On all three installs I first used H_C 4.0.0.0 to reset Windows to the default settings and then I uninstalled 4.0.0.0 using the tools uninstall button. After reboots I then installed 4.0.0.2 on each machine and followed H_C screen prompts in each instance during the process. I am not sure as to why but I believe only one or perhaps two installs gave me a prompt to reboot the machines so that all the changes would take effect. I am certain one machine gave me no such prompt and I actually think it was two of them. I'm not sure of why there would be a different install experience BUT I am thinking I may have used an Admin account on the machine and prompted a reboot and standard accounts on the machines that did not prompt me to reboot. Does that make any sense to you? If so, is that the expected experience?

On the one machine that gave me the reboot prompt, after the reboot I got the normal Dell boot-up screen with the animated screen circle from Windows BUT instead of the Lock screen appearing next I got just a gray screen with no cursor and the keyboard did not respond, to get out of it I had to do a hard shutdown because the laptop was non-responsive. On the second reboot all was normal.
 

pcalvert

Hi Andy,

Thank you for creating this very useful security software. I'm going to use this as a replacement for SSRP on newer (post-XP) versions of Windows.

Is it normal for the Configure Defender button to be nonfunctional on Windows 8.1? Also, I've been unable to get Ninite working. If I open cmd.exe as an Administrator and launch Ninite that way, everything works fine.

Here's a little info from my troubleshooting efforts:
Code:
PROGRAMS AND SCRIPTS RUN WITH ADMINISTRATIVE RIGHTS
REPORT DATE (Y:M:D  H:M): 2018:11:21  04:33

@@@@@@   USER SPACE PATHS:

Ninite.exe (PID = 2600) identified C:\Users\Phil\AppData\Local\Temp\fcc1cf35-ed6c-11e8-9765-080027b68b15\Ninite.exe as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
Ninite.exe (PID = 2780) identified C:\Users\Phil\AppData\Local\Temp\f8878e53-ed6d-11e8-9765-080027b68b15\Ninite.exe as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}

Ninite2.exe (PID = 1512) identified C:\Users\Phil\AppData\Local\Temp\30c6d775-ed70-11e8-9765-080027b68b15\Ninite.exe as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
Ninite.exe (PID = 172) identified C:\Users\Phil\AppData\Local\Temp\353BDE~1\target.exe as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
Ninite.exe (PID = 172) identified C:\Users\Phil\AppData\Local\Temp\353BDE~2\target.exe as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}

Right now it's getting stuck at the first step in the process, so I tried whitelisting these paths:
Code:
C:\Users\Phil\AppData\Local\Temp\????????-ed??-11e8-9765-080027b68b15\Ninite.exe
C:\Users\Phil\AppData\Local\Temp\?????????????-11e8-9765-080027b68b15\Ninite.exe

Those are the two variations of the path that I tried, based on the example I found on page 52 of the manual. Unfortunately, neither one worked.

Phil
 

Andy Ful

...
A couple of observations from the install experience. On all three installs I first used H_C 4.0.0.0 to reset Windows to the default settings and then I uninstalled 4.0.0.0 using the tools uninstall button. After reboots I then installed 4.0.0.2 on each machine and followed H_C screen prompts in each instance during the process. I am not sure as to why but I believe only one or perhaps two installs gave me a prompt to reboot the machines so that all the changes would take effect.
You could install H_C 4.0.0.2 over 4.0.0.0. All required installation actions are explained in the Quick Configuration text, which is displayed after installation.:giggle:
The only H_C setting that requires rebooting is <Disable SMB>, if it has been changed to ON1 (or ON123). The fresh installations of Windows 10 ver. 1709 (and higher) have this setting disabled by default, so you will not see the reboot prompt from H_C. If the initial Windows 10 installation was older and the system was updated, then SMB remains enabled until you apply H_C settings. In this case you will see the reboot prompt from H_C.

On the one machine that gave me the reboot prompt, after the reboot I got the normal Dell boot-up screen with the animated screen circle from Windows BUT instead of the Lock screen appearing next I got just a gray screen with no cursor and the keyboard did not respond, to get out of it I had to do a hard shutdown because the laptop was non-responsive. On the second reboot all was normal.
I am not sure what happened - you are first to report this issue. There can be many different sources of such behavior. One of them can be related to the changed SMB setting. Is this issue persistent?
 

Andy Ful

...
Is it normal for the Configure Defender button to be nonfunctional on Windows 8.1?
Yes. It works only on Windows 10.

Also, I've been unable to get Ninite working.
...
Did you try to run ninite.exe (or a shortcut to it) via "Run As SmartScreen" option on the Explorer right-click context menu? This program is an installer/updater for other applications so it is recommended to run it as I explained.(y)
Your rules failed, because both ninite.exe and target.exe should be whitelisted. Anyway, I recommend avoiding whitelisting the executables in the temp folder.
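
Added example (not part of the original posts): a check of the two wildcard rules against the paths in the log posted earlier in the thread, showing which launched executables neither rule covers. The wildcard model ('?' is one character, '*' is any run, case-insensitive) is an assumption about SRP path matching, and the function names are illustrative.

```python
import re

# Log lines copied from the report posted in the thread.
LOG = r"""
Ninite.exe (PID = 2600) identified C:\Users\Phil\AppData\Local\Temp\fcc1cf35-ed6c-11e8-9765-080027b68b15\Ninite.exe as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
Ninite.exe (PID = 2780) identified C:\Users\Phil\AppData\Local\Temp\f8878e53-ed6d-11e8-9765-080027b68b15\Ninite.exe as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
Ninite2.exe (PID = 1512) identified C:\Users\Phil\AppData\Local\Temp\30c6d775-ed70-11e8-9765-080027b68b15\Ninite.exe as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
Ninite.exe (PID = 172) identified C:\Users\Phil\AppData\Local\Temp\353BDE~1\target.exe as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
Ninite.exe (PID = 172) identified C:\Users\Phil\AppData\Local\Temp\353BDE~2\target.exe as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
"""
# The two wildcard rules that were tried.
PATTERNS = [
    r"C:\Users\Phil\AppData\Local\Temp\????????-ed??-11e8-9765-080027b68b15\Ninite.exe",
    r"C:\Users\Phil\AppData\Local\Temp\?????????????-11e8-9765-080027b68b15\Ninite.exe",
]

LINE_RE = re.compile(
    r"^(?P<parent>\S+) \(PID = (?P<pid>\d+)\) identified (?P<path>.+?) "
    r"as (?P<level>\w+) using (?P<rule>.+?), Guid = (?P<guid>\{[0-9a-fA-F-]+\})$"
)

def wildcard_to_regex(pattern):
    """Assumed model: '?' = exactly one character, '*' = any run of characters."""
    parts = ["." if c == "?" else ".*" if c == "*" else re.escape(c) for c in pattern]
    return re.compile("".join(parts), re.IGNORECASE)

def parse_log(text):
    """Return one dict (parent, pid, path, level, rule, guid) per log line."""
    matches = (LINE_RE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]

def coverage(events, patterns):
    """Map each launched path to the patterns that match it (possibly none)."""
    compiled = [(p, wildcard_to_regex(p)) for p in patterns]
    return {e["path"]: [p for p, rx in compiled if rx.fullmatch(e["path"])]
            for e in events}

def uncovered(events, patterns):
    """Paths that were launched but that no pattern matches."""
    return sorted(p for p, hits in coverage(events, patterns).items() if not hits)

if __name__ == "__main__":
    events = parse_log(LOG)
    for path, hits in coverage(events, PATTERNS).items():
        print("covered" if hits else "MISSING", path)
```

The two target.exe paths come out as not covered, which is the gap named in the reply above.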

Reldel1

The only H_C setting that requires rebooting is <Disable SMB>, if it has been changed to ON1 (or ON123). The fresh installations of Windows 10 ver. 1709 (and higher) have this setting disabled by default, so you will not see the reboot prompt from H_C. If the initial Windows 10 installation was older and the system was updated, then SMB remains enabled until you apply H_C settings. In this case you will see the reboot prompt from H_C.

Okay, thanks.
I am not sure what happened - you are first to report this issue. There can be many different sources of such behavior. One of them can be related to the changed SMB setting. Is this issue persistent?
I only saw the incident on initial reboot. Just wanted to pass on the observation. Everything is good.
 

pcalvert

Hi Andy,
Did you try to run ninite.exe (or a shortcut to it) via "Run As SmartScreen" option on the Explorer right-click context menu? This program is an installer/updater for other applications so it is recommended to run it as I explained.(y)

Thank you for that suggestion. I tried that and Ninite works just fine when launched via "Run As SmartScreen". Problem solved. :giggle:

Phil
 
