Andy Ful

Level 48
Verified
Trusted
Content Creator
I have to confess, I even have CFW (with CS settings) running on there - though I have disabled Auto-Containment now while playing with H_C.
Most likely will just keep H_C. Oh, and OSA (some overlap, I know). :rolleyes:
The danger is that overlapping configuration is inconvenient. So after some time, the users are irritated with such kind of setup, and they throw out default-deny protection.
With default-deny, is better to keep things as simple as possible and try to accustom to it, first. Even a very simple default-deny is very strong.
 

bribon77

Level 28
Verified
On Windows 7, the recommended settings block Windows Script Host and PowerShell. You can use the predefined profile Windows_7_Recommended_Enhanced.hdc . If everything works well then you can add HH.exe and Mshta.exe . In this way you have blocked the most dangerous script interpreters. Keep an eye on blocked items, because some printers and other hardware, can sometimes use interpreters to configure settings.
Sorry for my clumsiness, but I can't find Enhanced.hdc. Where is it?:emoji_innocent:
 

shmu26

Level 83
Verified
Trusted
Content Creator
I have to confess, I even have CFW (with CS settings) running on there - though I have disabled Auto-Containment now while playing with H_C.
Most likely will just keep H_C. Oh, and OSA (some overlap, I know). :rolleyes:
Also CFW is extremely light on the system, in my experience. But it does seem to me like you have a lot of overlap there. My "unsolicited advice" would be to run CFW + H_C at "Avast" settings. There is a special template for it. It basically means that .exe and .tmp files are not monitored by H_C, because they are instead monitored by Avast hardened/aggressive, or in your case, by CFW. Andy will please correct me if I am wrong.
 

Andy Ful

Level 48
Verified
Trusted
Content Creator
Also CFW is extremely light on the system, in my experience. But it does seem to me like you have a lot of overlap there. My "unsolicited advice" would be to run CFW + H_C at "Avast" settings. There is a special template for it. It basically means that .exe and .tmp files are not monitored by H_C, because they are instead monitored by Avast hardened/aggressive, or in your case, by CFW. Andy will please correct me if I am wrong.
You are right.:giggle:
 

Windows_Security

Level 23
Verified
Trusted
Content Creator
@Andy Ful

Idea for a new product: Edge Configurator : here are Edge Policies mentioned, they also work when adding registry policies through registry: Group Policy and Mobile Device Management settings for Microsoft Edge (Microsoft Edge for IT Pros)

Here are mine for reference: (export of registry renamed to txt) on my Asus Transformer which I use for travel (hence passwords blocked etc) (Edge_policies.txt).

EDIT: I checked the policies on my Desktop (have a Windows 10 Pro) and noticed some differences (Edge_GPO.txt).
 

Attachments

Last edited:

Andy Ful

Level 48
Verified
Trusted
Content Creator
@Andy Ful

Idea for a new product: Edge Configurator : here are Edge Policies mentioned, they also work when adding registry policies through registry: Group Policy and Mobile Device Management settings for Microsoft Edge (Microsoft Edge for IT Pros)

Here are mine for reference: (export of registry renamed to txt) on my Asus Transformer which I use for travel (hence passwords blocked etc).
I am busy now with Casual User Protection and researching WD Application Control for Windows Home. But I like that idea. If there would be an accepted Edge setting profile, I could add it to H_C.(y)
 

Windows_Security

Level 23
Verified
Trusted
Content Creator
@Andy Ful

There is a secure base line which works for average users, but there would be two optional settings which depend whether user wants a
A) Blank start screen or allowing users to set all startscreen/new tab related functionality through Edge GUI
B) Block passwords or allowing users to set all passwords/forms related functionality through Edge GUI

There are also some additional protections possible through WD exploit protection. That is why I thought you could make it a separate option (like you did with documents anti-exploit).

Send me a PM when you have the time to look at it.

Regards Kees
 

paulderdash

Level 4
The danger is that overlapping configuration is inconvenient. So after some time, the users are irritated with such kind of setup, and they throw out default-deny protection.
With default-deny, is better to keep things as simple as possible and try to accustom to it, first. Even a very simple default-deny is very strong.
Thanks, this is pretty much an expendable computer, and just playing at the moment, but yes, will probably just keep H_C, for simplicity.
 
Last edited:

paulderdash

Level 4
Also CFW is extremely light on the system, in my experience. But it does seem to me like you have a lot of overlap there. My "unsolicited advice" would be to run CFW + H_C at "Avast" settings. There is a special template for it. It basically means that .exe and .tmp files are not monitored by H_C, because they are instead monitored by Avast hardened/aggressive, or in your case, by CFW. Andy will please correct me if I am wrong.
You are right.:giggle:
Thanks guys! Will do, if I keep CFW!
 

askalan

Level 16
Verified
Malware Hunter
It's almost time! The website of Hard_Configurator (hard-configurator.com) will start on 1.2.2019 or 2.2.2019! Final preparations have yet to be made. Be excited!

P.S.: before the start I will publish the latest screenshots, so that you can give one or the other tip!