Hard_Configurator - Windows Hardening Configurator

[Andy Ful]

Andy, great work, bravo

Maybe a suggestion to add 'Signed' as option to both windows scripts and powerscripts?

Signed scripts
Signature Verification Policy
Microsoft Windows 2000 Scripting Guide - Enforcing the Use of Signed Scripts

AllSigned execution policy of PowerScript
Change Execution Policy in the Registry

Please add 16 bits hardening in this section for 32 bits systems
Prevent access to 16-bit applications | Windows security encyclopedia

I have done some research about signed scripts.

Windows Script Host JS,JSE,VBS,VBE,WSF,WSH scripts:
Registry settings for running only signed scripts (the second key is for 32Bit Windows Script Host in 64Bit system):
***********************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings]
"UseWINSAFER"="0"
"Enabled"=dword:00000001
"TrustPolicy"=dword:00000002

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Script Host\Settings
"UseWINSAFER"="0"
"Enabled"=dword:00000001
"TrustPolicy"=dword:00000002
***********************************************************************
In Windows 64Bit there are two Windows Script Hosts (32Bit and 64Bit).
If UseWINSAFER is set to 1 (default value), Windows will ignore the TrustPolicy setting.
If UseWINSAFER is set to 0 Windows Script Host will not call into Software Restriction Policies to apply software restriction policies to scripts that are being run. So, the above scripts can be blocked only by extension like for example PowerShell scripts (no big issue for home users).
All system 'Windows Script Host' scripts are not signed (gatherNetworkInfo.vbs , slmgr.vbs, SyncAppvPublishingServer.vbs, winrm.vbs, manage-bde.wsf).
Most scripts (maybe all) from Microsoft Script Center (Powershell, VB Script, SQL and JavaScript - TechNet IT Pro's and Scripting Guys) are not signed.
The local scripts can be signed by hash in SRP.
I think that an advantage of using signed scripts may be evident only in enterprises.

PowerShell Scripts.
Registry settings for running only signed scripts (the second key is for 32Bit Powershell in 64Bit system):
************************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]
"ExecutionPolicy"="AllSigned"

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]
"ExecutionPolicy"="AllSigned"
************************************************************************************
In Windows 64Bit there are two PowerShell Hosts (32Bit and 64Bit).
All numerous (c:\Windows\diagnostics\) system PowerShell scripts are signed.
Most scripts from Microsoft Script Center (Powershell, VB Script, SQL and JavaScript - TechNet IT Pro's and Scripting Guys) are not signed.
The local scripts can be signed by hash in SRP.
There's an advantage of using signed scripts, while doing system maintenance.
Which is better: RemoteSigned or AllSigned, that is the question.
RemoteSigned blocks only unsigned scripts downloaded from the Internet (added 'Mark of the Web'), and does not touch local scripts.

Any ideas would be welcomed.

@WindowsSecurity, thanks for pointing out the potential usability of signed scripts option.

 

[AtlBo]

I think that the problem with iseguard64.dll is similar to the problem with a2hooks64.dll from Emsisoft Antimalware. See Fabian Wosar answer:
Code Integrity is unable to verify the image integrity of the file a2hooks64.dll because the set of per-page image hashes could not be found on the sy

Yes, thanks. I read the thread. Seems Emsisoft employee was eventually convinced by one of the posters that the problem must be with Emsisoft. I am still considering reposting this on the Comodo forum. I have a post up already, but I have doubts they will pay any attention.

I like the idea you have in your concept. Anyway, I am not bound to Comodo firewall that's for sure. I have installed most of the versions since v3, and it still has a long way to go imo. They need to focus on the delivery and presentation on information I think. This way, I feel they will better be able to know what the bugs are. As it is, most users will never understand the configurability of the program, which means that probably 90% of their customers use the Firewall configuration. OK, but it should be much better and could be if many more users were able to adjust the configuration and then could comprehend the meaning of alerts better.

Not sure how to incorporate what you are doing into a full security scenario. I would like to have better internet security and, for example, alerts when someone is attempting to contact through a port. Many pro version firewalls (Emsisoft/Kaspersky/ESET does this too) have this, but CF doesn't mention this kind of thing. I focus on this element of security, but there doesn't seem to be much designed to collect data and oversee with alerts. Wireshark I may get into. Have it on another PC. As for Hard_Configurator, I think I would need a dedicated PC to attempt to build around and I guess some time too. Maybe your work will take you into interesting territory. Seems interesting already, and I wonder how IT types would respond if it were easily deployable. Just seems like you are on your way to something. Never know.

 

[Andy Ful]

Yes, thanks. I read the thread. Seems Emsisoft employee was eventually convinced by one of the posters that the problem must be with Emsisoft. I am still considering reposting this on the COMODO forum. I have a post up already, but I have doubts they will pay any attention.

I like the idea you have in your concept. Anyway, I am not bound to COMODO firewall that's for sure. I have installed most of the versions since v3, and it still has a long way to go imo. They need to focus on the delivery and presentation on information I think. This way, I feel they will better be able to know what the bugs are. As it is, most users will never understand the configurability of the program, which means that probably 90% of their customers use the Firewall configuration. OK, but it should be much better and could be if many more users were able to adjust the configuration and then could comprehend the meaning of alerts better.

Not sure how to incorporate what you are doing into a full security scenario. I would like to have better internet security and, for example, alerts when someone is attempting to contact through a port. Many pro version firewalls (Emsisoft/Kaspersky/ESET does this too) have this, but CF doesn't mention this kind of thing. I focus on this element of security, but there doesn't seem to be much designed to collect data and oversee with alerts. Wireshark I may get into. Have it on another PC. As for Hard_Configurator, I think I would need a dedicated PC to attempt to build around and I guess some time too. Maybe your work will take you into interesting territory. Seems interesting already, and I wonder how IT types would respond if it were easily deployable. Just seems like you are on your way to something. Never know.

I used many security programs in the past. My old laptop has still: CF + Sandboxie + ShadowDefender on board. On my new machines with Windows 10, I decided to maximally exploit Windows built-in security. Hard_Configurator + 'SmartScreen App on the Run' is in some way similar to 'CF + Cloud Lookup' (AutoSandbox set to block Untrusted, HIPS off). Both are based on default deny and App Reputation Cloud. I think that SmartScreen Reputation service is better than Comodo Cloud (less false positives). But, Comodo has decent firewall. There are of course so many differences, that further comparisons between them are useless. If Microsoft would integrate CF to Windows, that could be my favorite security setup.

 

[AtlBo]

If Microsoft would integrate CF to Windows, that could be my favorite security setup.

Interesting way to look at Windows security. Who can say? MS has been known to shell out for programming and ideas before that's for sure.

I was looking at Hard_Configurator as something you could develop might in part to sort of focus on the known bad practices that occur on office workstations, sort of like VoodooShield but a 100% under the hood UAC hardener. It is as the program name implies a full hardener against bad practices I guess.

I think I need to get a couple of new PCs. One I'd like to run to test and work with software and the other to test malware. With software, I prefer to use the PC and really work with the software and run it through a grinder of use rather than just install it and look it over.

 

[Handsome Recluse]

I used many security programs in the past. My old laptop has still: CF + Sandboxie + ShadowDefender on board. On my new machines with Windows 10, I decided to maximally exploit Windows built-in security. Hard_Configurator + 'SmartScreen App on the Run' is in some way similar to 'CF + Cloud Lookup' (AutoSandbox set to block Untrusted, HIPS off). Both are based on default deny and App Reputation Cloud. I think that SmartScreen Reputation service is better than COMODO Cloud (less false positives). But, COMODO has decent firewall. There are of course so many differences, that further comparisons between them are useless. If Microsoft would integrate CF to Windows, that could be my favorite security setup.

Don't you need to right click to run as smartscreen? Also, why would you want CF integrated if it was similar to the other one?

 

[Andy Ful]

Don't you need to right click to run as smartscreen? Also, why would you want CF integrated if it was similar to the other one?

You have pointed out one important reason of integration.
I would like to avoid right clicking. There are of course many other reasons : less bugs, stability, etc.
Also, I have the impression that Windows 10 is evolving too quickly for antivirus developers.
Hard_Configurator is slightly another case. I created it to quickly configure computers of inexperienced friends and relatives. It is not a bodyguard, but rather babysitter with some bodyguard skils.
On my computer I prefer minimalistic security setup (Windows 10 + Shadow Defender + backups).

 

[Andy Ful]

I was looking at Hard_Configurator as something you could develop might in part to sort of focus on the known bad practices that occur on office workstations, sort of like VoodooShield but a 100% under the hood UAC hardener.

I also like the idea of VS.
Hard_Configurator is only a handy tool to dig up the security already hidden in Windows. The problem is how to transfer some good security solutions from enterprises to home users. There are two different worlds.
The second problem is making this tool to be babysitter, but not OS killer.

 

[Andy Ful]

Windows Software Restriction Policies were not treated by Microsoft as security solution against external threats. Anyway, in default deny setup, this solution was very successful in enterprises, because stopped users to constantly infect computers. I call this 'Babysitter Security'. In home users world, it can be even more successful, because malware in the wild is not prepared to bypass such obstacles. The second element of 'Babysitter Security' is a good 'File Reputation Cloud'. If it gives too many false positives (like Virus Total), the users will soon ignore the alerts. It is possible to use Virus Total, but someone has to think out the smart algorithm to minimize false positives, and there is still the problem of true 0-day malware.

Default deny 'Babysitter Security' will work best in Windows 10 for several reasons:
1. There are useful Windows Store Apps that update in harmony with default deny restrictions, and run safely in AppContainer.
2. In the new Windows 10 version, developers have the tool that can transform programs to Windows Store Apps.
3. OS and Windows Defender gets stronger.
4. Windows SmartScreen gets better.
5. Edge gets more useful.
6. Less habits have to be changed to accept 'Babysitter'.
7. Home user can be pretty secure without third party real-time solutions.

'Babysitter' still requires the experienced user to solve some default deny configuration problems.

 

[Andy Ful]

But anyway, I like my simple setup: Windows 10 + Shadow Defender + backups.

 

[Handsome Recluse]

@Andy Ful Don't you need someone to manage Babysitter Security? What if you're a home user and you're on your own?
The problem I have with Windows Defender though is random slowdowns probably due to auto scanning.

 

[Andy Ful]

@Andy Ful Don't you need someone to manage Babysitter Security? What if you're a home user and you're on your own?
The problem I have with Windows Defender though is random slowdowns probably due to auto scanning.

There are so many answers : Emsisoft, Kaspersky, Eset, Bitdefender, Comodo, ....
Maybe Windows Defender for many users with Windows 10 ? It depends. I have a friend that has problem how to install a program, but she never been infected using Avast free with Firefox.
The slowdowns may occur for several reasons: silent updates, scheduled system maintenance, etc.
Some people experienced slowdowns due to Defender, when opening folders with many executables.

I think that your problem will be solved soon. MalwareTips make people wiser.

 

[Andy Ful]

Prevent access to 16-bit applications.

This option exists in most Windows versions, even in Windows 10 64Bit (at least Windows Server 2003).
GPEDIT: Administrative Templates-Windows Components-Application Compatibility-Prevent access to 16-bit applications.

Windows 64Bit has not got NTVDM subsystem, so 16Bit applications cannot run (yet, there are 64Bit NTVDM alternatives available on GitHub). Also, 32Bit applications that rely on 16Bit components will not run properly. In Windows 64Bit is possible to run 16Bit applications in 32Bit virtual machine or in DosBox (DOS emulator) - both works independently of VDMDisallowed settings made in Windows 64Bit.

Registry settings:
*********************************************************************************
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppCompat]
"VDMDisallowed"=dword:00000001
*********************************************************************************

There is also another registry key that can control 16Bits if the above key is absent.
HKLM\System\CurrentControlSet\Control\WOW\!DisallowedPolicyDefault

It is not easy to run 16Bit applications in Windows 10 32Bit
First, NTVDM subsystem must be installed:
Programs and Features -> Turn Windows Features on or off -> Legacy Components -> Enable NTVDM
Next, legacy console (old Command Prompt) have to be activated:
"Command prompt" > Right click over the title "Command prompt" > "Properties" > "Use legacy console (require relaunch)" > "Accept" > close and re-open "Command prompt".

Disable 16Bits option will be added soon to Hard_Configurator.

 

[Andy Ful]

Enable/disable SafeSearchDLL

Safe DLL search mode.
This setting is enabled by default starting with Windows XP with Service Pack 2 (SP2) and can be controlled by the registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\!SafeDllSearchMode

see also:
Dynamic-Link Library Security (Windows)

There's no need to add a special option to Hard_Configurator, yet maybe, this option and some other important options should be checked to inform the user about vulnerability. I will think about it. Thanks, for pointing out this.

 

[Andy Ful]

Apply Secure Shell extensions only
Enforce Shell Extension Security at Registry Guide for Windows
Only allow approved Shell extensions

Secure Shell extensions.

Registry settings:
*****************************************************************************************************************
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"EnforceShellExtensionSecurity"=dword:00000001
*****************************************************************************************************************

A shell extension only runs if there is an entry in at least one of the following locations in Registry:

Shell Extensions approved by Administrator for all users:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

Shell Extensions to run on a per-user basis:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

There were problems with this setting, even for Microsoft software (Internet Explorer, Microsoft Security Essentials), because developers sometimes forget to add shell integration registry value to one of the above Registry keys.
Securing Shell Extensions prevents well known path that malware can use for persistence. Anyway, it is worth to know that there is a trick that can bypass EnforceShellExtensionSecurity setting, to obtain persistence without Administrative Rights:
Malware Persistence: HKEY_CURRENT_USER Shell Extension Handlers

Secure Shell extensions option will be added soon in Hard_Configurator.

 

[Andy Ful]

Andy my last additional request (which I added manualy before you made this great tool)

Remote SHELL access:
See Policy to disable remote shell on win7
Disabled = 0

Remote REGISTRY access
Windows 7 - Disable Remote Registry Access (disable service)

Disable Remote Shell and Remote Registry access.

Disable Remote Shell Registry settings:
*****************************************************************************
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS]
"AllowRemoteShellAccess"=dword:00000000
*****************************************************************************

Disable Remote Registry settings:
*****************************************************************************
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]
"Start"=dword:00000004
*****************************************************************************

Those options will be added soon in Hard_Configurator. Thanks again @Windows_Security for all valuable insights.

 

[Andy Ful]

...
Maybe a suggestion to add 'Signed' as option to both windows scripts and powerscripts?
...

I decided to defer solving the case of signed scripts. I rarely use scripts, but it seems, that most scripts downloaded from the Internet are not signed. There are many signed PowerShell scripts in 'C:\Windows\diagnostics\' subfolders, but they can be run safely with Hard_Configurator 'OFF' setting. This setting means that scripts can run, restricted by the ExecutionPolicy value in the Registry (default value=Restricted):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]
"ExecutionPolicy"="Restricted"

Restricted - No scripts can be run. Windows PowerShell can be used only in interactive mode.
AllSigned - Only scripts signed by a trusted publisher can be run.
RemoteSigned - Downloaded scripts must be signed by a trusted publisher before they can be run.
Unrestricted - No restrictions; all Windows PowerShell scripts can be run.

Default value is 'Restricted' which is safer than 'AllSigned' or 'RemoteSigned', and all scripts can be 'Run with PowerShell' using Explorer context menu (even scripts invoked by other scripts).

I think that in enterprises the situation is different. Administrators can sign their scripts and set ExecutionPolicy to AllSigned, forcing others to use only signed scripts.

Anyway, I may be wrong.

 

[shmu26]

can you manage hard-configurator settings from a standard user account?

 

[Andy Ful]

Yes. But, most changes are in HKLM Registry key, so they restrict all accounts. Some SRP settings (<Deny Shortcuts>) are applied to %USERPROFILE% paths, and affect only Local Account.
There's a possibility to make SRP to restrict only Local Account (very simple), but it is not implemented in Hard_Configurator.

 

[shmu26]

Yes. But, most changes are in HKLM Registry key, so they restrict all accounts. Some SRP settings (<Deny Shortcuts>) are applied to %USERPROFILE% paths, and affect only Local Account.
There's a possibility to make SRP to restrict only Local Account (very simple), but it is not implemented in Hard_Configurator.

thanks. great tool!
please keep us posted here when your new version comes out. It will be interesting to see how you can make such a good thing even better.

 

[Andy Ful]

Yes. But, most changes are in HKLM Registry key, so they restrict all accounts. Some SRP settings (<Deny Shortcuts>) are applied to %USERPROFILE% paths, and affect only Local Account.
There's a possibility to make SRP to restrict only Local Account (very simple), but it is not implemented in Hard_Configurator.

One correction (I am sick, so sometimes my thinking is not clear). All changes are in HKLM Registry key. <Deny Shortcuts> uses paths with %USERPROFILE% environment variable, and this variable is translated to concrete path, after the user 'log on' to his account. So finally, all accounts are restricted by using Hard_Configurator from one of them.