Hard_Configurator - Windows Hardening Configurator

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,491
@Andy Ful

I was reading Windows Ten Forums and I found a thread that was discussing the fact that MS is no longer developing SRP and at some point they are planning to remove those features entirely. I couldn't find any other info on the matter, but was wondering if you heard this as well? It looks like they want people to use Applocker and WDAC instead of the built in SRP. I guess if this is true, H_C may be limited down the road. I am sure you can still do an SRP via other 3rd party apps (granted not using built in settings), but it won't be the same as what H_C can do currently.
We discussed it in the middle of 2018. Microsoft officially announced that SRP will not be further developed. It means that there will be no new SRP improvements, and MS will focus on the new features like WD Application Control, WD Application Guard, etc. It does not mean that SRP will be thrown out from Windows (it still works in the upcoming Windows ver. 1903). There are some other features in Windows which have not been developed for years, like CMD and Windows Script Host, but are continued because of compatibility.
SRP has been used in organizations for years, so it will not be easy to remove it from Windows. Yet, Windows 10 is quickly evolving too, so you never know what will happen for sure. We will see.
 
ForgottenSeer 72227

We discussed it in the middle of 2018. Microsoft officially announced that SRP will not be further developed. It means that there will be no new SRP improvements, and MS will focus on the new features like WD Application Control, WD Application Guard, etc. It does not mean that SRP will be thrown out from Windows (it still works in the upcoming Windows ver. 1903). There are some other features in Windows which have not been developed for years, like CMD and Windows Script Host, but are continued because of compatibility.
SRP has been used in organizations for years, so it will not be easy to remove it from Windows. Yet, Windows 10 is quickly evolving too, so you never know what will happen for sure. We will see.

Thanks @Andy Ful

Ya I assumed that it would be hard for them to remove, but with all the things they are introducing (sandboxing, tamper protection, the new browser extension, etc...), you can see that they are slowly positioning themselves to pull the plug if you will. The question that remains is when?
 

Andy Ful

Thanks @Andy Ful

Ya I assumed that it would be hard for them to remove, but with all the things they are introducing (sandboxing, tamper protection, the new browser extension, etc...), you can see that they are slowly positioning themselves to pull the plug if you will. The question that remains is when?
Who knows?
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Thanks @Andy Ful

Ya I assumed that it would be hard for them to remove, but with all the things they are introducing (sandboxing, tamper protection, the new browser extension, etc...), you can see that they are slowly positioning themselves to pull the plug if you will. The question that remains is when?
As you mentioned, they are developing WD Application Control and WD Application Guard, and they are gradually making these features available on non-Enterprise editions of Windows. My crystal ball predicts that we will have a bigger and better SRP by the time that the old SRP is de-activated.
 

Andy Ful

As you mentioned, they are developing WD Application Control and WD Application Guard, and they are gradually making these features available on non-Enterprise editions of Windows. My crystal ball predicts that we will have a bigger and better SRP by the time that the old SRP is de-activated.
Yes, I am waiting...:giggle:
If this will not happen, then probably, I will use Excubits drivers with Admin Bypass:unsure:.
 

shmu26

Yes, I am waiting...:giggle:
If this will not happen, then probably, I will use Excubits drivers with Admin Bypass:unsure:.
After playing around with Excubits Bouncer for a few days, it seems to me that it has the same problem with whitelisting dll paths that SRP has. Specific paths often don't work. However, the log tells you faithfully when a dll is blocked, so you can widen out the path to make it work.

Bouncer seems to affect system performance a bit, maybe because of the dll monitoring.
 

Andy Ful

After playing around with Excubits Bouncer for a few days, it seems to me that it has the same problem with whitelisting dll paths that SRP has. Specific paths often don't work. However, the log tells you faithfully when a dll is blocked, so you can widen out the path to make it work.

Bouncer seems to affect system performance a bit, maybe because of the dll monitoring.
If I remember correctly, Bouncer (like SRP) cannot block .NET DLLs (Fides can).
 

shmu26

If I remember correctly, Bouncer (like SRP) cannot block .NET DLLs (Fides can).
Right. But when Fides blocks, it is absolute. So when you apply this to powershell, it means no powershell at all, even when the OS or trusted software wants to run it for maintenance purposes, even when run with system privileges.
 

SHvFl

Level 35
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Nov 19, 2014
2,350
... or will not leave Windows 7, which is not the purpose of MS.:unsure:
Nope, I think you are wrong there. MS wants those on 7 that are left behind because they are about to pay a huge amount for them to receive security updates. That amount is a lot more than the one for XP.
Windows 7 is not something we should discuss anymore. It's about to die and will stay on the ventilator for a few more years and then only crazy people will use it.
 

Andy Ful

Nope, I think you are wrong there. MS wants those on 7 that are left behind because they are about to pay a huge amount for them to receive security updates. That amount is a lot more than the one for XP.
Windows 7 is not something we should discuss anymore. It's about to die and will stay on the ventilator for a few more years and then only crazy people will use it.
We agree. I did not say that they will not leave Windows 7 after a few years, but rather in the period of about 3 years. MS will probably extend the Windows 7 support for Enterprises, but also wants them to use Windows 10 as soon as possible. Yet, I do not think that MS wants organizations to 'keep Windows 7 and pay forced tribute'. Organizations are known for not updating the systems even when they could do it for free.
Anyway, all of this is pure speculation. The most important thing will be, if SRP will not conflict with some new security features in the future Windows 10 versions. If not, then SRP can last for a long time (for compatibility), as CMD, Windows Script Host, WMI, SMB, etc.
The paradox could be when MS would remove SRP, which increases security, and would keep CMD, Windows Script Host, WMI, SMB which are used commonly by the malc0ders.:(
 

Andy Ful

For now, SRP is the optimal background for H_C settings. But, in the future, I could probably adopt Bouncer + Fides (demo) in H_C, and the users would not see any difference. I think that I could also use MemProtect to accomplish a kind of memory sandbox. But first, let's allow MS to improve Windows security, and we will see...
 

Andy Ful

Can you handle shortcuts that way?
AFAIK you can do powershell constricted language and documents anti-exploit without SRP support.
What features might be problematic?
Shortcuts and other dangerous file extensions can be blocked/whitelisted by using Fides via blocking read access. I do not know if Fides uses Admin Bypass feature, but this will not be an important difference. There should not be any serious problems with using Bouncer + Fides as a background for H_C.
 

shmu26

Shortcuts and other dangerous file extensions can be blocked/whitelisted by using Fides via blocking read access. I do not know if Fides uses Admin Bypass feature, but this will not be an important difference. There should not be any serious problems with using Bouncer + Fides as a background for H_C.
While we are on the subject of Bouncer, let's say you were a paranoid, and you wanted to add lol bins to the CMDBLACKLIST that are not on the sponsors list of H_C for whatever reason. Which ones would you add?
The only one that jumps to my mind is rundll32.
 

Freki123

Level 16
Verified
Top Poster
Aug 10, 2013
753
When I looked at the "Designated File Types" I got confused. The order is Z>A. No clue if there is a reason for that but as a novice user I was expecting A>Z and was confused when I was searching for stuff in that list. Like a telephone book suddenly starting with Z and now my alphabet is totally messed up :D
How about that the button called "Gui Skin" changes to "Gui Skin 2", "Gui Skin3" and so on when pressed? Since some look a bit alike it's easier to remember 5 and 8 look good than counting my keypresses for both.

What does the "*" mean in the blocked sponsors list? In the help file I found no mention of the "*" under "block sponsor" section. If some files are marked special through a "*" I'm curious and want to know why :D
 


Andy Ful

When I looked at the "Designated File Types" I got confused. The order is Z>A. No clue if there is a reason for that but as a novice user I was expecting A>Z and was confused when I was searching for stuff in that list. Like a telephone book suddenly starting with Z and now my alphabet is totally messed up :D
You were probably confused for 2 seconds. :giggle:
How about that the button called "Gui Skin" changes to "Gui Skin 2", "Gui Skin3" and so on when pressed? Since some look a bit alike it's easier to remember 5 and 8 look good than counting my keypresses for both.
It can be done in the future.
What does the "*" mean in the blocked sponsors list? In the help file I found no mention of the "*" under "block sponsor" section. If some files are marked special through a "*" I'm curious and want to know why :D
The asterisk is the usual wildcard (see the H_C FAQ).(y)
 

iTech

New Member
Mar 25, 2019
4
I have Hard_Configurator version 4.2 on Windows 10, but the 'Configure defender' and 'Run As Smartscreen' features are not applicable on the tool.
Is there any setting that I have to enable to turn on the feature?
 
