Hard_Configurator - Windows Hardening Configurator

Andy Ful

From Hard_Configurator Tools
Thread author
Dec 23, 2014
... When I created SUA approx. a year ago I neglected to move those to SUA and it made H_C more complicated than need be. I solved this not long ago simply by moving everything to SUA. Voila! Problem solved.

I am now using Windows10_Recommended_Enhanced Profile as well.
The other solution is creating a new Admin account (at least one Admin account is required) and changing the type of the old Admin account to SUA. That can often be a more precise and quick way.
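The "create a new Admin, then demote the old one" route described above, as an added example that is not part of the post or of Hard_Configurator. Account names are placeholders; it assumes an elevated PowerShell session on Windows 10 and refuses to demote the old account while it is the only enabled administrator left.

```powershell
# Added example (not from Hard_Configurator or the thread): demote an existing
# admin account to a Standard User Account (SUA) only after a second admin exists.
# Account names below are placeholders; run from an elevated PowerShell session.
$NewAdmin = 'HouseAdmin'      # placeholder: new maintenance-only admin account
$OldAdmin = $env:USERNAME     # the account being demoted to SUA

# 1. Create the new admin account if it does not exist yet and put it in Administrators.
if (-not (Get-LocalUser -Name $NewAdmin -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString "Password for $NewAdmin"
    New-LocalUser -Name $NewAdmin -Password $pw -PasswordNeverExpires | Out-Null
}
if (-not (Get-LocalGroupMember -Group 'Administrators' -Member $NewAdmin -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group 'Administrators' -Member $NewAdmin
}

# 2. Safety check: count *enabled* local admins other than the one being demoted.
#    Windows needs at least one enabled Administrator, so never demote the last one.
$otherAdmins = @(
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.ObjectClass -eq 'User' } |
        ForEach-Object { Get-LocalUser -SID $_.SID -ErrorAction SilentlyContinue } |
        Where-Object { $_.Enabled -and $_.Name -ne $OldAdmin }
)
if ($otherAdmins.Count -lt 1) {
    throw "Refusing to demote $OldAdmin: no other enabled admin account exists."
}

# 3. Demote: leaving Administrators and staying in Users turns the account into an SUA.
Remove-LocalGroupMember -Group 'Administrators' -Member $OldAdmin
if (-not (Get-LocalGroupMember -Group 'Users' -Member $OldAdmin -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group 'Users' -Member $OldAdmin
}
Get-LocalGroupMember -Group 'Administrators'   # verify the result before logging off
```

Log on as the new admin once before signing out of the old session, so a mistyped password does not leave you without a working administrator.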
 

bribon77

Jul 6, 2017
The other solution is creating a new Admin account (at least one Admin account is required) and changing the type of the old Admin account to SUA. That can often be a more precise and quick way.
Let me get this straight. Apart from the administrator account I have.
I have to create another administrator account and then change it to SUA?:giggle:
 

Deleted member 178

Best practice "a la Umbra":

1- local admin account (for the "admin" of the house) for maintenance tasks.
2- SUA (with MS account or not) for all the house members including the admin; made for daily usage.
3- Guest account for friends passing by.
 

oldschool

Mar 29, 2018
@Andy Ful - Can you explain this for me please? Is this going to interfere with Windows updates?

I get the feeling sometimes that while EV shows various WD blocks, the operations actually proceed. :unsure:
 

Attachments: Event view.PNG (36.5 KB)

Andy Ful

From Hard_Configurator Tools
Thread author
Dec 23, 2014
@Andy Ful - Can you explain this for me please? Is this going to interfere with Windows updates?

I get the feeling sometimes that while EV shows various WD blocks, the operations actually proceed. :unsure:
You activated the ASR rule "Block credential stealing from the Windows local security authority subsystem (lsass.exe)" (it is not enabled in Defender High settings). This rule does not block the process, but only forbids access to lsass.exe. From your post I can see that such access is forbidden for the Windows Setup Remediations Service in Windows 10:
https://support.microsoft.com/en-us...ions-1507-1511-1607-1703-1709-and-1803-for-up
What are Sedsvc.exe, Sedlauncher.exe Files and REMPL Folder in Windows 10? - AskVG
This is the legal M$ soft, which includes reliability improvements to Windows Update Service components in Windows 10, for versions up to 1803 (it is absent on ver. 1809).
If you have any problem with Windows Updates, then disable that ASR rule.
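How to see for yourself what the lsass ASR rule has hit, as an added example that is not part of the post or of Hard_Configurator. It assumes an elevated PowerShell session with Microsoft Defender on Windows 10, reads the rule state from Get-MpPreference, lists the processes named in ASR events 1121 (blocked) and 1122 (audited), and shows audit mode as a smaller step than disabling the rule outright; the parsing of the event message assumes the "Process Name:" field layout of those events.

```powershell
# Added example (not from the thread or Hard_Configurator): inspect the lsass ASR
# rule, list what it has blocked, and switch it to audit mode instead of disabling.
# Run from an elevated PowerShell session on Windows 10 with Microsoft Defender.
$LsassRule = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'   # "Block credential stealing from lsass.exe"

# 1. Current state of the rule: 0 = Disabled, 1 = Block, 2 = Audit (6 = Warn on newer builds).
$pref  = Get-MpPreference
$ids   = [string[]](@($pref.AttackSurfaceReductionRules_Ids) | ForEach-Object { $_.ToLower() })
$index = [array]::IndexOf($ids, $LsassRule)
$state = if ($index -ge 0) { $pref.AttackSurfaceReductionRules_Actions[$index] } else { 'not configured' }
"lsass ASR rule state: $state"

# 2. What did the rule hit? Event 1121 = blocked, 1122 = audited (would have blocked).
#    The rule only denies the handle to lsass.exe; the calling process keeps running,
#    which is why "blocked" entries can coexist with updates that still complete.
$hits = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $LsassRule } |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
            # Assumes the event text carries a "Process Name: <path>" line.
            Process = ([regex]::Match($_.Message, 'Process Name:\s*(.+)')).Groups[1].Value.Trim()
        }
    }
$hits | Group-Object Process | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

# 3. If a legitimate component (such as the Setup Remediations service from the post)
#    keeps tripping the rule, audit mode keeps the event telemetry without the block,
#    which is a smaller change than disabling the rule outright.
Add-MpPreference -AttackSurfaceReductionRules_Ids $LsassRule -AttackSurfaceReductionRules_Actions AuditMode
```

Re-run step 1 afterwards to confirm the state reads 2 (Audit); a later Hard_Configurator profile switch may set the rule back, so check again after changing profiles.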
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,483
Generally, disabling that rule is not recommended. It can be especially important in organizations and businesses, where the malware can attack the user from the local network with administrative rights. Next, it can attack lsass.exe to steal credentials, admin passwords, etc.
With H_C settings, malware originating from user actions can hardly elevate, because it will first be blocked by H_C settings (default-deny). So, in this special configuration in the home environment, disabling that ASR rule can be more beneficial than the danger of broken updates.
 

oldschool

Mar 29, 2018
You activated the ASR rule "Block credential stealing from the Windows local security authority subsystem (lsass.exe)" (it is not enabled in Defender High settings). This rule does not block the process, but only forbids access to lsass.exe. From your post I can see that such access is forbidden for the Windows Setup Remediations Service in Windows 10:
https://support.microsoft.com/en-us...ions-1507-1511-1607-1703-1709-and-1803-for-up
What are Sedsvc.exe, Sedlauncher.exe Files and REMPL Folder in Windows 10? - AskVG
This is the legal M$ soft, which includes reliability improvements to Windows Update Service components in Windows 10, for versions up to 1803 (it is absent on ver. 1809).
If you have any problem with Windows Updates, then disable that ASR rule.

This helps to expand my understanding. I am still on 1803 and have not been offered the latest feature update. If it is offered and I encounter problems then I will disable. Thanks!

@Umbra - I keep it enabled until I can verify it is blocking a feature update.
 

shmu26

Jul 3, 2015
You activated the ASR rule "Block credential stealing from the Windows local security authority subsystem (lsass.exe)" (it is not enabled in Defender High settings). This rule does not block the process, but only forbids access to lsass.exe. From your post I can see that such access is forbidden for the Windows Setup Remediations Service in Windows 10:
https://support.microsoft.com/en-us...ions-1507-1511-1607-1703-1709-and-1803-for-up
What are Sedsvc.exe, Sedlauncher.exe Files and REMPL Folder in Windows 10? - AskVG
This is the legal M$ soft, which includes reliability improvements to Windows Update Service components in Windows 10, for versions up to 1803 (it is absent on ver. 1809).
If you have any problem with Windows Updates, then disable that ASR rule.
I found the lsass rule to be the most problematic of all the ASR rules. It conflicted with some of my software.
 
