Hard_Configurator - Windows Hardening Configurator

Freki123

Level 16
Verified
Top Poster
Aug 10, 2013
753
I realy like the work the dev and you all put in it :) What i found is that you change from Hard_Configurator to Hard Configurator throughout the website. So sometimes with _ and sometimes without.
For me the "windows vista at least" confused me more than win7,win 8,win 10( like on softpedia) but im not native so take all i say with a grain of salt pls.
 

AlanOstaszewski

Level 16
Verified
Top Poster
Malware Hunter
Jul 27, 2017
775
I realy like the work the dev and you all put in it :) What i found is that you change from Hard_Configurator to Hard Configurator throughout the website. So sometimes with _ and sometimes without.
For me the "windows vista at least" confused me more than win7,win 8,win 10( like on softpedia) but im not native so take all i say with a grain of salt pls.

You're right, oops. I think that I will use on the site "Hard Configurator". I will correct it in the near future.
 

SHvFl

Level 35
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Nov 19, 2014
2,350
@askalan It's a cute website and looks clean so I must give you that. Consider allowing me to open images in spoiler in full size with a click so I can clearly see the gui which may lead to more downloads. Sure i can right click open image in a new tab which is fine for me but still less convenient.
The website also needs a link to a manual of some sort explaining each function. Probably a faq will work with explaining stuff.
@Andy Ful I know this tool might not be for the average user but you made it easy enough that if they understand what to press and why they might use it. You used all your time to build it so a few more hours for a proper faq is maybe worth it. It doesn't need to get technical so yeah. Maybe explaining only the default profiles you made is easier and sufficient. Can't be sure if i don't see it.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
...
@Andy Ful I know this tool might not be for the average user but you made it easy enough that if they understand what to press and why they might use it. You used all your time to build it so a few more hours for a proper faq is maybe worth it. It doesn't need to get technical so yeah. Maybe explaining only the default profiles you made is easier and sufficient. Can't be sure if i don't see it.
Thanks. I think that adding manual, F.A.Q., and maybe a short video clip about installing/configuring H_C would be a good idea. I will work on it, If @askalan agree.
 

paulderdash

Level 6
Verified
Well-known
Apr 28, 2015
271
Apologies, I haven't read through this whole thread but after installing I do have 'Hard_Configurator' and 'Switch Default Deny' shortcuts on desktop, but without customised icons ... is that for the new version, or did I mess up during installation?
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
Apologies, I haven't read through this whole thread but after installing I do have 'Hard_Configurator' and 'Switch Default Deny' shortcuts on desktop, but without customised icons ... is that for the new version, or did I mess up during installation?
Will be added in the new version. You can add some icons manually, from the folder:
C:\Windows\Hard_Configurator\Skins\Icons
 

Windows_Security

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
@Andy Ful (another feature request :) )

After recent Christmas, I helped a few family members moving the 2-3 year old PC's of the kids of wealthy family members to the kids of less fortunate family members. An easy trick of making those PC's fly again was by adding an SSD. In the spirit of Christmas I paid the SSD of the first family member (luckily it stopped after four PC's, so It stayed within limits cost wise). Installing Windows 1809 from scratch turned out the easiest way (less time spend) of accomplishing this. I also installed free-office (of softmaker)*

Using Hard_Configurator and Defender_Configurator (I always add folder of D partition where I put their data but did not enable Protected Folders).Because I don't want to get called every time, I removed H_C and D_C after the job and manualy changed SRP (Safer) registry settings making sure the SRP:
- is valid for all executables except DLL's
- is valid for all users except Administrators
- removed the values EXE, MSI, MSU, LNK from Executables from registry Multi-MZ field

I manually add a "DENY TRAVERSE FOLDER/EXECUTE FILE" for EVERYONE to their Downloads/Documents/Movies/Pictures/Videos user folders (on data partition D) and on root folder of Public user. I also have two reg-files which lock some settings of Chrome and Edge by manually setting the registry keys of corresponding Edge/Chrome group policies (and set some Chrome flags increasing security).
Finally I disable IE11 and WMP and install VLC from Windows Store and set Edge as default for PDF.

Although not as strong as a default deny. This zero config/zero really is a great addition to any average JOE/JANE home user pc setup. Under normal usage this does not put any functional restriction on the usability of their PC, but reduces the attack surface substantially. Best of all IMO that it uses Windows internal mechanisms (spend no cpu cycles or money on extra software).

Any chance of inspiring you to make it a special version of Hard_Configurator, called ZERO_configurator?

Regards Kees

P.S. *
Another reason to use it this way is that FREE OFFICE does not run nicely in a default deny SRP. On internet revews still mention that free-office does not allow you to save files in M$Office formats, just go into FILES section in OPTIONS for each application and set it default save format as DOCX (in Textmaker), XLSS (in Planmager), etc. Also you can download free Hunspell spellingcheck in free version Softmaker website.
 
Last edited:

Gandalf_The_Grey

Level 84
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,415
@SHvFl Adding a FAQ would be a great idea (y)
You could start with the best way to install windows according to you @Andy Ful
Then cover for example the setup discussed by @Windows_Security and @Andy Ful using the Windows 10 Recommended Enhanced profile.
And of couse the profile with Avast in hardened mode.
End with some troubleshooting like white list by path or hash.
 

Freki123

Level 16
Verified
Top Poster
Aug 10, 2013
753
Any chance to put sha256 checksum (or so) on the website?
When i remember correct when i first tried the software i just clicked activate right side stuff first did apply and after that the left side stuff.
Pc got messed up :D
So any chance to get a big safty warning of any kind for activating stuff in the right order. I don't think i'm the only one who will just
activate stuff and after that read a manual and look for tweaks. (Before you get post and emails like: ahhh you broke my pc)
Since i got a backup and it was my fault no harm done but some may got no backup ;)
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
Any chance to put sha256 checksum (or so) on the website?
When i remember correct when i first tried the software i just clicked activate right side stuff first did apply and after that the left side stuff.
Pc got messed up :D
So any chance to get a big safty warning of any kind for activating stuff in the right order. I don't think i'm the only one who will just
activate stuff and after that read a manual and look for tweaks. (Before you get post and emails like: ahhh you broke my pc)
Since i got a backup and it was my fault no harm done but some may got no backup ;)
The info about quick configuration is displayed after installing H_C. It contains the clear instruction:
-----------------------------------------------------------------------------------------------------------------------------------------------------
QUICK CONFIGURATION (after the fresh installation).

  1. On the first run, let Hard_Configurator make System Restore Point and check/whitelist autoruns - it costs nothing, and can save you a lot of time when in trouble.
  2. When the above job is done, the Tools window may be closed, and the main Hard_Configurator window should appear.
  3. Press first <Recommended SRP> button, and next <Recommended Restrictions> button to make a quick configuration (the order of pressing the buttons does matter!).
  4. Use <ConfigureDefender> button to configure advanced Windows Defender settings (if required).
  5. The changes are applied, when pressing <APPLY CHANGES> button.
  6. Read the help files to get info about Hard_Configurator options.
  7. Full information about a program and SRP can be accessed using <Documentation> button, available after pressing <General Help> button.
-----------------------------------------------------------------------------------------------------------------------------------------------------
If you press first <Recommended Restrictions> and next <Recommended SRP> then "Run By SmartScreen" option in the Explorer context menu will be available, which cannot bypass SRP. So, the user cannot run applications in the UserSpace. Such setup is good for children or computer illiterate users. The computer is still functional because H_C and applications already installed in 'c:\Program Files' can be run as usual.
Of course, after wrongly pressed buttons, the user can simply press them in the right order to get the recommended settings.
The info about the order of pressing those buttons is repeated in the General Help (point 4.).

But, it would not probably hurt, If the quick configuration info could be easily available on the website.:giggle:(y)
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
@Andy Ful (another feature request :) )

After recent Christmas, I helped a few family members moving the 2-3 year old PC's of the kids of wealthy family members to the kids of less fortunate family members. An easy trick of making those PC's fly again was by adding an SSD. In the spirit of Christmas I paid the SSD of the first family member (luckily it stopped after four PC's, so It stayed within limits cost wise). Installing Windows 1809 from scratch turned out the easiest way (less time spend) of accomplishing this. I also installed free-office (of softmaker)*

Using Hard_Configurator and Defender_Configurator (I always add folder of D partition where I put their data but did not enable Protected Folders).Because I don't want to get called every time, I removed H_C and D_C after the job and manualy changed SRP (Safer) registry settings making sure the SRP:
- is valid for all executables except DLL's
- is valid for all users except Administrators
- removed the values EXE, MSI, MSU, LNK from Executables from registry Multi-MZ field

I manually add a "DENY TRAVERSE FOLDER/EXECUTE FILE" for EVERYONE to their Downloads/Documents/Movies/Pictures/Videos user folders (on data partition D) and on root folder of Public user. I also have two reg-files which lock some settings of Chrome and Edge by manually setting the registry keys of corresponding Edge/Chrome group policies (and set some Chrome flags increasing security).
Finally I disable IE11 and WMP and install VLC from Windows Store and set Edge as default for PDF.

Although not as strong as a default deny. This zero config/zero really is a great addition to any average JOE/JANE home user pc setup. Under normal usage this does not put any functional restriction on the usability of their PC, but reduces the attack surface substantially. Best of all IMO that it uses Windows internal mechanisms (spend no cpu cycles or money on extra software).

Any chance of inspiring you to make it a special version of Hard_Configurator, called ZERO_configurator?

Regards Kees

P.S. *
Another reason to use it this way is that FREE OFFICE does not run nicely in a default deny SRP. On internet revews still mention that free-office does not allow you to save files in M$Office formats, just go into FILES section in OPTIONS for each application and set it default save format as DOCX (in Textmaker), XLSS (in Planmager), etc. Also you can download free Hunspell spellingcheck in free version Softmaker website.
Almost all of the above can be accomplished by applying Avast profile in H_C:
  1. The DLL and EXE files are allowed (MSU also because it is not blocked by H_C file extension list).
  2. The shortcuts (LNK files) are allowed on the Desktop and Start Menu, but blocked in the UserSpace (can be bypassed by administrator).
  3. You can use "Run as administrator" to run MSI installers (and bypass SRP) - that will be rarely used, because most installers are just EXE files.
  4. VBScript and JScript scripts are blocked in the UserSpace (can be whitelisted or bypassed by administrator).
  5. PowerShell scripts are blocked (also as administrator), and PowerShell commands are restricted by Constrained Language mode (can be bypassed by administrator).
Other settings for web browsers and media players are not available in H_C, because people use several applications for that. This would require another application.
The only problem will be when applying 'UAC deny elevation of unsigned' (ValidateAdminCodeSignatures) which will block RunAsSmartScreen. In this case, two options must be reconfigured:
<Run As SmartScreen> = OFF
<Hide 'Run as administrator> = OFF


By, the way - what problems did you have with Free Office? I am using Softmaker Office Standard without issues - even H_C manual is an exported DOCX file to PDF, all made in Softmaker Office.

Edit.
I checked the Avast profile and it applies the reconfigured options already.
 
Last edited:

Windows_Security

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
@Andy Ful

Free office would start with an error when clicking on a document. It woud open (e.g.) Textmaker but with a blank document in stead of the document clicked on. It ran normally when starting the executables via shortcut from taskbar. I will use your tip next time and see whether free-office works okay (also a good reason to stop using my tweaks through reg-files).

Regards Kees
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
I am beginning to think all I probably really need is HC (and uBO in medium mode?).

After all, I am not Julian Assange or El Chapo :whistle: ... or @Umbra :D.
There are some people who probably would agree with you, but most people will advise you to keep the light AV or at least a good driver/process monitoring tool.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,593
And your personal recommendation in each case would be?
The cautious user on Windows 10, can probably use no-AV + H_C default-deny + tool for monitoring drivers/software. From time to time the full scan by Windows Defender in passive mode.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top