Update Hard_Configurator - Windows Hardening Configurator

Raiden
Content Creator
May 7, 2018
The firewall rules for Sponsors are used in SysHardener, because it cannot block the execution of Sponsors via shortcuts, CHM files and some other files with dangerous extensions. Those vectors of attack are covered by H_C default-deny settings even without blocking Sponsors.
There is no need to use firewall rules or block Sponsors in H_C default-deny settings, when using Windows 10 with updated system/software. Simply, access to the command line will be blocked, and the Sponsor will not be executed. You can see that also from Malware Hub tests. See the sample in the wild:

I tried to explain in the FAQ when the user should block Sponsors, especially Interpreters. In rare situations, the user could also use firewall rules instead, when some special software cannot work with a blocked Sponsor. This would not be especially effective, but better than nothing. A similar idea would be blocking some special executables by the firewall (like rundll32.exe), which cannot be blocked in H_C, because they are often used in Windows. I am not sure if this helps much, but it can be done.


Thanks for the clarification. I didn't understand it fully and assumed that the firewall rules were needed as well. In that case I will remove SysHardener as it's already covered in H_C via another method. :)

Thanks for clarifying it! (y)
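An added example of the firewall fallback discussed above (outbound-block rules for Sponsor executables such as rundll32.exe); it is not code from Hard_Configurator, SysHardener or the thread's authors. The executable list and rule names are assumptions, and it must run in an elevated PowerShell prompt on Windows 10.

```powershell
# Added example: firewall fallback for Sponsors that H_C cannot block (e.g. rundll32.exe).
# Requires an elevated prompt. The executable list and rule names are assumptions.
$sponsors = @('rundll32.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe')
$dirs     = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

foreach ($exe in $sponsors) {
    foreach ($dir in $dirs) {
        $path = Join-Path $dir $exe
        # Skip binaries that do not exist on this build (e.g. no SysWOW64 on 32-bit Windows)
        if (-not (Test-Path $path)) { continue }
        $name = "H_C fallback - block outbound $exe ($(Split-Path $dir -Leaf))"
        # Keep the script re-runnable: do not create duplicate rules
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Program $path `
            -Action Block -Profile Any -Enabled True | Out-Null
    }
}

# Review what was created: rule name plus the program each rule is bound to
Get-NetFirewallRule -DisplayName 'H_C fallback - *' |
    ForEach-Object {
        [pscustomobject]@{
            Rule    = $_.DisplayName
            Program = ($_ | Get-NetFirewallApplicationFilter).Program
        }
    }
```

As the post notes, this only stops the Sponsor from reaching the network; it does not stop it from running. Remove-NetFirewallRule -DisplayName 'H_C fallback - *' undoes all of it.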
 

Andy Ful
Developer
Dec 23, 2014
I'm tempted to try Hard Configurator again. What type of software would be good to add? (If any is needed).
I think about HardConfigurator + Sandboxie (mandatory for me :D) + X. What should X be? System Hardener, Voodoo Shield or...
Would be glad for any helpful input :)
If you are a big fan of Sandboxie (paid version), then you do not need H_C. Just use two Explorer instances. One standard Explorer, and the second Sandboxed Explorer. The Sandboxed Explorer should be run via the special shortcut.
The daily work can be done in Sandboxed Explorer. Administrator work, installing applications, and updating, via standard Explorer. Unsafe tasks can be run from the standard Explorer right-click menu in the restricted sandbox. You can also block Interpreters by preparing another total-block sandbox, that can run only notepad + disabled Internet connection + disabled read/write access to all drives.
If you want to use Forced SmartScreen for installing applications, then use my Run By SmartScreen tool.

Andy Ful
Developer
Dec 23, 2014
@Andy Ful Guilty as charged, I really like Sandboxie (paid). Thanks for your helpful suggestion to use a sandboxed Explorer.
I sandboxed browsers, PDF reader, media player... but never really thought about the Explorer :D
Be careful! Do not choose to automatically sandbox the executable explorer.exe, because Sandboxie will sandbox all instances of Windows Explorer. Just make a shortcut that can run Explorer in the sandbox, then you can manually run one instance of explorer.exe in the sandbox.
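An added example of the shortcut approach described above, not code from Sandboxie or the thread's authors: it creates a desktop shortcut that launches a single Explorer instance through Sandboxie's Start.exe, so explorer.exe itself is never forced into the sandbox. The Start.exe path and the box name are assumptions.

```powershell
# Added example: a desktop shortcut that runs one Explorer instance inside a Sandboxie box.
# The Start.exe path and the box name are assumptions; adjust them to your install.
$start = 'C:\Program Files\Sandboxie\Start.exe'   # Sandboxie launcher (assumed location)
$box   = 'DefaultBox'                              # sandbox to use (assumed name)
$lnk   = Join-Path ([Environment]::GetFolderPath('Desktop')) 'Sandboxed Explorer.lnk'

if (-not (Test-Path $start)) { throw "Sandboxie Start.exe not found at $start" }

# Start.exe /box:<name> <program> sandboxes only that one program launch;
# nothing here adds explorer.exe to the box's forced-program list, so the
# regular Explorer (used for admin work and installs) stays unsandboxed.
$shell = New-Object -ComObject WScript.Shell
$sc    = $shell.CreateShortcut($lnk)
$sc.TargetPath   = $start
$sc.Arguments    = "/box:$box explorer.exe"
$sc.IconLocation = "$env:SystemRoot\explorer.exe,0"
$sc.Description  = "Run a single Windows Explorer instance in the $box sandbox"
$sc.Save()
Write-Host "Shortcut created: $lnk"
```

The sandboxed window carries Sandboxie's [#] title markers, which is the quickest way to tell the two Explorer instances apart.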

shmu26
Content Creator
Jul 3, 2015
Like Andy said, if you use Sandboxie paid, and you know what you are doing, and you are disciplined, it can really do a lot.
The guru of sandboxing is Bo Elam. You can find him at Wilders Security and at the official SBIE support forum.
But it isn't easy to build security on Sandboxie alone. There are easier and less frustrating ways of doing it.
 

Freki123
Aug 10, 2013
@shmu26 Sadly I don't think my knowledge is good enough to use Sandboxie alone. That's why I wanted to use it in a layered approach.
Testing Hard Configurator and Sandboxie on my old laptop. On my main PC I try SUA to see if SUA and I can work together :D (tried it years ago and I have bad memories of it). If all goes well I will think about a clean install (which I hate) and using Sandboxie and Hard Configurator also on the main PC.
 

Andy Ful
Developer
Dec 23, 2014
H_C on SUA is
...
I would advise you to first use H_C (Recommended settings) on an Admin account with Windows 10. You will have fewer problems with installing/updating applications. I assume that you have read the H_C FAQs related to installing and updating applications on SUA.

If you want to use an old laptop with Windows 7 or Vista, then you cannot use SmartScreen. Furthermore, those Windows versions are easier to exploit. The good setup would be:
  1. Apply the AV + H_C on SUA.
  2. Use applications which are installed in c:\Program Files or c:\ProgramData (fewer problems with installations/updates).
  3. Do not use applications which install in the user profile (subfolder of c:\Users).
  4. Avoid installing applications in a Sandboxie sandbox (sandboxes are located in the UserSpace). But, you can use most applications installed in c:\Program Files and run them sandboxed.

shmu26
Content Creator
Jul 3, 2015
Hi @Andy Ful
here is a link to my edit of the FAQ
It is a MS Word doc with lots of tracked changes and very little embedded malware :)
All changes should be treated as mere suggestions. I changed the font size just to make it easier to read on my computer screen.
Enjoy.
 

Andy Ful
Developer
Dec 23, 2014
Thanks shmu26. It looks very interesting. I will try to integrate some of your important suggestions into the current version of the FAQ. :giggle: (y)
 

Gandalf_The_Grey
Content Creator
Apr 24, 2016
When I open a new blank page in Word I always get a warning about macros being disabled. How do I remove that warning?

I'm using the Windows 10 Recommended Enhanced profile with Office 365.
 

Andy Ful
Developer
Dec 23, 2014
Have you got this alert before, or is this a new alert?
This alert is a sign that something in your Word tries to run VBA code (Word template, VBA Add-in, etc.). The alert can be avoided by changing H_C settings, but it would be better to find out why Word tries to run VBA code (probably a macro).
@shmu26 had a similar problem. If I remember correctly, he used a Word template with a macro.
 

shmu26
Content Creator
Jul 3, 2015
Yup, if I use Word add-ons, I get various warnings.
I can get them from ASR, and they are usually harmless, they don't affect functionality.
And I can get them from system-wide document anti-exploit. Those warnings are more debilitating. They don't let you carry on with your work. My solution is to use document anti-exploit for specific user accounts, but not system-wide.
 

Andy Ful
Developer
Dec 23, 2014
The system-wide H_C option <Documents Anti-Exploit> set to 'Adobe + VBA' is a very strong mitigation, and it will block any attempt to use VBA code in MS Office applications. It is much stronger than blocking macros in MS Office documents. Usually, users do not need VBA in MS Office, unless they need the automation macros in templates, Add-ins, etc. In such a case, the system-wide H_C option <Documents Anti-Exploit> should be set to 'Adobe'. Next, MS Office hardening can be done via Switch Default-Deny >> Documents Anti-Exploit. This hardening is valid only for the current account, so it should be done on all user accounts that use MS Office.