Hard_Configurator - Windows Hardening Configurator

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
Let's suppose that one uses an MS Office version which is not supported by Microsoft (previous to MS Office 2010) and cannot fully apply ASR. In the home environment, the H_C default-deny (enhanced) settings + non-system-wide Documents Anti-Exploit will be required to stop the threats in the wild. But there is some additional danger if one is forced to frequently use documents from the Enterprise. For example, the Enterprise could be under a targeted attack via a specially crafted & weaponized document. In such a situation I can recommend the precautions below:
  1. Use <Block Sponsors> in H_C (like @shmu26 did).
  2. Block the Internet connection to MS Office applications.
  3. Block the Internet connection to: certutil.exe, cmstp.exe, control.exe, dnscmd.exe, explorer.exe, ie4uinit.exe, rundll32.exe.
The above sponsors can be used to run DLLs directly from a remote server or via other ways like .inf files. There are some others, but they are already included in the H_C sponsors lists. The same should be done if, for some reason, a sponsor from the H_C settings cannot be blocked directly.
 
Last edited:
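
Precautions 2 and 3 from the post above can be scripted with the built-in Windows Defender Firewall cmdlets. This is an added example, not part of the original post or of Hard_Configurator; the rule-name prefix, the Office folder (Office 2007 default on 64-bit Windows) and the list of Office applications are assumptions to adjust.

```powershell
#Requires -RunAsAdministrator
# Added example: outbound block rules for the sponsors listed in the post.

$sponsors = 'certutil.exe', 'cmstp.exe', 'control.exe', 'dnscmd.exe',
            'explorer.exe', 'ie4uinit.exe', 'rundll32.exe'

# 64-bit Windows keeps 32-bit copies in SysWOW64; explorer.exe sits in %SystemRoot%.
$folders = @(
    $env:SystemRoot
    (Join-Path $env:SystemRoot 'System32')
    (Join-Path $env:SystemRoot 'SysWOW64')
)

# Assumption: Office 2007 default folder and the usual three applications.
$officeDir  = 'C:\Program Files (x86)\Microsoft Office\Office12'
$officeApps = 'WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE'

$prefix = 'Example Block Out'   # made-up rule-name prefix for this example

function Get-BlockTarget {
    # Build every candidate path, then keep only files that exist
    # (dnscmd.exe, for instance, is only present when RSAT is installed).
    $candidates  = foreach ($f in $folders) { foreach ($s in $sponsors) { Join-Path $f $s } }
    $candidates += foreach ($a in $officeApps) { Join-Path $officeDir $a }
    $candidates | Where-Object { Test-Path -LiteralPath $_ -PathType Leaf }
}

foreach ($path in Get-BlockTarget) {
    $leaf   = Split-Path $path -Leaf
    $parent = Split-Path (Split-Path $path -Parent) -Leaf
    $name   = "$prefix - $leaf - $parent"

    # Idempotent: skip rules created by an earlier run.
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }

    New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Block `
        -Program $path -Profile Any | Out-Null
    Write-Output "Blocked outbound: $path"
}

# Review the programs covered by the rules that now exist.
Get-NetFirewallRule -DisplayName "$prefix*" |
    Get-NetFirewallApplicationFilter |
    Select-Object -ExpandProperty Program
```

To undo, run `Get-NetFirewallRule -DisplayName 'Example Block Out*' | Remove-NetFirewallRule` from an elevated prompt.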

Andy Ful

> ...
> And SRP doesn't offer protection for rundll32. :(
> ...

That is not quite true. You could set SRP to block DLLs in the UserSpace, by setting:
<Enforcement> = All Files
But this would make whitelisting more complicated, and .NET DLLs would not be blocked anyway.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
> Let's suppose that one uses an MS Office version which is not supported by Microsoft (previous to MS Office 2010) and cannot fully apply ASR. In the home environment, the H_C default-deny (enhanced) settings + non-system-wide Documents Anti-Exploit will be required to stop the threats in the wild. But there is some additional danger if one is forced to frequently use documents from the Enterprise. For example, the Enterprise could be under a targeted attack via a specially crafted & weaponized document. In such a situation I can recommend the precautions below:
>   1. Use <Block Sponsors> in H_C (like @shmu26 did).
>   2. Block the Internet connection to MS Office applications.
>   3. Block the Internet connection to: certutil.exe, cmstp.exe, control.exe, dnscmd.exe, explorer.exe, getobject.exe, ie4uinit.exe, rundll32.exe.
> The above sponsors can be used to run DLLs directly from a remote server or via other ways like .inf files. There are some others, but they are already included in the H_C sponsors lists. The same should be done if, for some reason, a sponsor from the H_C settings cannot be blocked directly.

Thanks, Andy. Great post.

It seems that getobject.exe and dnscmd.exe are not installed by default in the Windows directory. A search on my win10 x64 1809 system finds only the flat version of them.
 

Andy Ful

> Thanks, Andy. Great post.
>
> It seems that getobject.exe and dnscmd.exe are not installed by default in the Windows directory. A search on my win10 x64 1809 system finds only the flat version of them.

Yes, the executable dnscmd.exe is included in Remote Server Administration Tools, which can be installed as an additional Windows feature in Windows Pro, Education or Enterprise editions.
I have edited my previous post - getobject.exe can be skipped.
 

Moonhorse

Level 38
Verified
Top Poster
Content Creator
Well-known
May 29, 2018
2,728
Because of the activity in this thread I'm gonna give H_C another go, over Avast. Did a clean install overnight while sleeping, and now getting to the installation part. The main goal is just using WD, because it's integrated in Windows. My first option was to just use Firefox and ReHIPS, but since it can't isolate Chrome on the free version I'd rather just use H_C.
 

Andy Ful

> Because of the activity in this thread I'm gonna give H_C another go, over Avast. Did a clean install overnight while sleeping, and now getting to the installation part. The main goal is just using WD, because it's integrated in Windows. My first option was to just use Firefox and ReHIPS, but since it can't isolate Chrome on the free version I'd rather just use H_C.

Did you have any problems with Avast? H_C + Avast Hardened Aggressive mode is usually easier for users, while still a default-deny protection.
But, H_C + WD is the kind of setup, which is most compatible with Windows.
 

shmu26

H_C + WD is also more reliable than Avast Hardened mode, because Avast needs internet to work. If you download something, and then your internet connection goes flaky when you want to run it, Avast Hardened won't protect you. Also, Avast Hardened only warns you once, it is hard to block it afterward, if you regret your decision to allow it. That's how I remember it, anyway.
 

Moonhorse

> Did you have any problems with Avast? H_C + Avast Hardened Aggressive mode is usually easier for users, while still a default-deny protection.
> But, H_C + WD is the kind of setup, which is most compatible with Windows.

I had no problems with Avast, only the privacy issues in my mind.
I have everything working fine except the game client I play on. I have whitelisted everything correctly, but when I run the client and try to turn the GPU plugin on I just run into an endless jogamp_exe train. I add pat*wildcards x2 jogamp_exe, but even if I whitelist those 2 new jogamp urls and restart the client, it will give me another 2 jogamp_exe to whitelist :unsure: I don't really bother with this issue anymore; I have just set the game client so it will always run as admin, and the GPU plugin will stay enabled. Below: red = correct whitelist, green = endless jogamp_exe when I turn the GPU plugin on without running the client with admin rights.

hcproblem.png



The WhatsApp problem I fixed by using the WhatsApp app from the Windows Store; I also installed Spotify from the Windows Store.

TLDR: everything is working fine; the issue with the game client exists, but is fixed by running it as administrator.
 

Andy Ful

> I had no problems with Avast, only the privacy issues in my mind.
> I have everything working fine except the game client I play on. I have whitelisted everything correctly, but when I run the client and try to turn the GPU plugin on I just run into an endless jogamp_exe train. I add pat*wildcards x2 jogamp_exe, but even if I whitelist those 2 new jogamp urls and restart the client, it will give me another 2 jogamp_exe to whitelist :unsure: I don't really bother with this issue anymore; I have just set the game client so it will always run as admin, and the GPU plugin will stay enabled. Below: red = correct whitelist, green = endless jogamp_exe when I turn the GPU plugin on without running the client with admin rights.
>
> The WhatsApp problem I fixed by using the WhatsApp app from the Windows Store; I also installed Spotify from the Windows Store.
>
> TLDR: everything is working fine; the issue with the game client exists, but is fixed by running it as administrator.

Your rules for the executable jogamp_exe are ineffective, because the plugin runs it with random numbers, so the name of the file changes constantly. You have to use something like the below:
  1. c:\users\Joni\jogamp_exe_tst???????????????????.exe
  2. c:\users\Joni\jogamp_exe_tst*.exe
In the first example, every question mark replaces the digit in the random number, so 19 question marks should be used.
In the second example the whole random number is replaced by the asterisk.(y)
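
The two rule shapes from the post above, compared against a handful of file names. This is an added example, not part of the original post: the sample paths are constructed, and PowerShell's `-like` operator is used as a stand-in for wildcard matching (an assumption; it does not call the SRP engine).

```powershell
# Constructed sample paths; the suffixes are made up for this example.
$samples = @(
    'c:\users\Joni\jogamp_exe_tst1234567890123456789.exe'   # 19 digits
    'c:\users\Joni\jogamp_exe_tst12345.exe'                 # 5 digits
    'c:\users\Joni\jogamp_exe_tstABCDEFGHIJKLMNOPQRS.exe'   # 19 letters
    'c:\users\Joni\jogamp_exe_tst.exe'                      # empty suffix
    'c:\users\Joni\other.exe'                               # unrelated file
)

# The two whitelist patterns from the post.
$rules = [ordered]@{
    'Rule 1 (19 x ?)' = 'c:\users\Joni\jogamp_exe_tst' + ('?' * 19) + '.exe'
    'Rule 2 (*)'      = 'c:\users\Joni\jogamp_exe_tst*.exe'
}

function Get-RuleCoverage {
    param([string]$Pattern, [string[]]$Path)
    # '?' matches exactly one character of any kind, '*' matches any run of characters.
    $Path | Where-Object { $_ -like $Pattern }
}

foreach ($rule in $rules.GetEnumerator()) {
    '{0}: {1}' -f $rule.Key, $rule.Value
    Get-RuleCoverage -Pattern $rule.Value -Path $samples |
        ForEach-Object { "    allows $_" }
}

# Stricter audit check: which samples do NOT have the plugin's shape
# (prefix + exactly 19 digits)? Useful when reviewing what a rule lets through.
$strict = '^jogamp_exe_tst\d{19}\.exe$'
'Not matching the 19-digit shape:'
$samples |
    Where-Object { (Split-Path $_ -Leaf) -notmatch $strict } |
    ForEach-Object { "    $_" }
```

Under `-like`, rule 1 admits any 19 characters in the suffix, not only digits, and rule 2 admits a suffix of any length, including none.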
 

Moonhorse

> Your rules for the executable jogamp_exe are ineffective, because the plugin runs it with random numbers, so the name of the file changes constantly. You have to use something like the below:
>   1. c:\users\Joni\jogamp_exe_tst???????????????????.exe
>   2. c:\users\Joni\jogamp_exe_tst*.exe
> In the first example, every question mark replaces the digit in the random number, so 19 question marks should be used.
> In the second example the whole random number is replaced by the asterisk.(y)

Well, that makes sense, thanks. It's a 3rd party client, not the official one, and the developer has posted a recommendation to just run it as administrator, since the problem exists for many others, so I'd rather just run it as admin now anyway since it works.
 

shmu26

> My first option was to just use Firefox and ReHIPS, but since it can't isolate Chrome on the free version I'd rather just use H_C.

Even with Firefox, you will be close to the demo limit, if you use the modern, multi-process Firefox, and you will soon go over the limit.
But IMHO, a secure browser like Chrome doesn't need isolation. It's overkill. You can run ReHIPS demo, and configure Chrome to run out of isolation.
Off-topic!
 

Andy Ful

> Well, that makes sense, thanks. It's a 3rd party client, not the official one, and the developer has posted a recommendation to just run it as administrator, since the problem exists for many others, so I'd rather just run it as admin now anyway since it works.

It is not recommended to run applications as administrator, except when the administrator rights are required (like in the case of most installers). It seems to me that the plugin can be run without admin rights, so whitelisting it would be the right thing.(y)
 

Moonhorse

I did the above; when I run the client it takes around 30 secs (?) to fully run, but then it works normally, without having to run it with administrator rights. Should I still be worried about the spam it makes in the logs?

log123.png


Btw, as stupid as it sounds, I also whitelisted: C:\Users\Joni\.jogamp_????\jogamp_exe_tst???????????????????.exe


Edit: I read earlier in this thread that sometimes it's required to restart the computer for changes to turn on. I just did that and now the client works as it should :unsure:(y)
 