Hard_Configurator - Windows Hardening Configurator

[shmu26]

I have hard_configurator version 4.2 on Windows 10 but 'Configure defender' and 'Run As Smartscreen' feature is not applicable on the tool .
is there any setting that I have to enable to turn on the feature?

ConfigureDefender only will work if Windows Defender is your active AV. Are you using a 3rd party AV, or have you disabled Windows Defender somehow?

'Run As Smartscreen' feature is not applicable on the tool

Perhaps you have some other security software that is interfering? Try turning off other security, and see if it helps. If not, @Andy Ful to the rescue...

 

[iTech]

ConfigureDefender only will work if Windows Defender is your active AV. Are you using a 3rd party AV, or have you disabled Windows Defender somehow?

I am using Bitdefender , is it the reason?

 

[shmu26]

ConfigureDefender only will work if Windows Defender is your active AV. Are you using a 3rd party AV, or have you disabled Windows Defender somehow?

I am using Bitdefender , is it the reason?

Yes, that's the reason. ConfigureDefender is a dedicated tool for tweaking Windows Defender settings. It needs to communicate with Window Defender. Bitdefender, like most other anti-virus programs, disables Windows Defender. If you are using Bitdefender, you don't need ConfigureDefender; ConfigureDefender is irrelevant in your case.

Maybe Bitdefender is interfering also with the Smartscreen settings. You could try disabling Bitdefender temporarily, and see if you can access the Smartscreen settings.

 

[Andy Ful]

I have hard_configurator version 4.2 on Windows 10 but 'Configure defender' and 'Run As Smartscreen' feature is not applicable on the tool .
is there any setting that I have to enable to turn on the feature?

Is the <Run As SmartScreen> option in H_C grayed out? Can you change this option? It has 3 settings: Administrator, Standard User, OFF.

 

[iTech]

Is the <Run As SmartScreen> option in H_C grayed out? Can you change this option? It has 3 settings: Administrator, Standard User, OFF.

No i Can't, Although I'm using windows 10

 

[iTech]

I did the same, but nothing changed.

 

[Andy Ful]

No i Can't, Although I'm using windows 10

You have probably disabled SmartScreen for applications. Can you enable it in Windows Defender Security Center?

 

[Janl1992l]

Run As SmartScreen

Hey, sorry for the ignorant question. What does this function exctly do?

 

[shmu26]

Hey, sorry for the ignorant question. What does this function exctly do?

There is a feature built in to Windows 10 called SmartScreen, it examines new files that come on to your computer, and if they look too new and unfamiliar and kind of suspicious, it blocks them or warns you (depending on your settings).
But by default, Windows doesn't apply this feature to all files. H_C forces Windows to apply the feature wherever possible.
@Andy Ful can give you more details and/or corrections.

 

[Janl1992l]

There is a feature built in to Windows 10 called SmartScreen, it examines new files that come on to your computer, and if they look too new and unfamiliar and kind of suspicious, it blocks them or warns you (depending on your settings).
But by default, Windows doesn't apply this feature to all files. H_C forces Windows to apply the feature wherever possible.
@Andy Ful can give you more details and/or corrections.

Thanks mate. I understand it right? When i chose a file and than click "Run as SmartScreen" and when it does not match the rules like digitaly singd etc it get blocked?

 

[shmu26]

Thanks mate. I understand it right? When i chose a file and than click "Run as SmartScreen" and when it does not match the rules like digitaly singd etc it get blocked?

That's basically how it works, yes.

When you choose "Run as SmartScreen," it tells Windows to check for a digital signature, to check how new the file is, how many people have already run it on their computer, etc. If it doesn't pass the test, it is blocked.

But that doesn't mean it is malicious. It means there is an increased chance that it is malicious.
For instance, let's say Andy puts out a new version of Hard_Configurator, and you are the first person to download it and install it. SmartScreen might block it, because it looks very unfamiliar.

 

[Andy Ful]

Hey, sorry for the ignorant question. What does this function exctly do?

Run As SmartScreen just does what every popular web browsers can do. It adds Mark Of The Web (MOTW) before executing the file. Windows thinks that the file was downloaded from the Internet and triggers Windows SmartScreen to check the executable against the Application Reputation filter in the cloud. Additionally Run As SmartScreen executes the files (EXE, MSI) with Administrator rights to automatically bypass SRP protection.
When using Hard_Configurator, you can see 'Run As SmartScreen' entry in the right-click Explorer context menu.

... I understand it right? When i chose a file and than click "Run as SmartScreen" and when it does not match the rules like digitaly singd etc it get blocked?

Yes, you will see the SmartScreen prompt, even when normally the file would be ignored by SmartScreen (like files from pendrives, memory cards, and compressed archives). If you set SmartScreen to 'Block', then the SmartScreen prompt cannot be bypassed by the user.

 

[Janl1992l]

Thanks @shmu26 and @Andy Ful for the good explaining

 

[Andy Ful]

In May 2019, I plan to push the new H_C version 4.0.1.0.
1. Added new version of RunBySmartScreen (minor changes)
2. Added new version of ConfigureDefender (corrected the issue with closing the application)
3. Added more blocked Sponsors (total number 171, LOLBins included).
4. Added more blocked Sponsors to Enhanced profiles.
5. Added new icons for H_C executables.

The new Sponsors added in ver. 4.0.1.0:
AddInProcess.exe, AddInProcess32.exe, AddInUtil.exe, at.exe, dvpack.dll, appvlp.exe, atbroker.exe, certutil.exe, cmdkey.exe, cmstp.exe, control.exe, diskshadow.exe, dnscmd.exe, dxcap.exe, esentutl.exe, expand.exe, extexport.exe, extrac32.exe, findstr.exe, forfiles.exe, ftp.exe, gpscript.exe, ie4uinit.exe, ieadvpack.dll, ieaframe.dll, jscript*.dll*, kill.exe, lxrun.exe, makecab.exe, manage-bde.wsf*, mavinject.exe, mftrace.exe, Microsoft.Workflow.Compiler.exe, msconfig.exe, msdeploy.exe, msdt.exe, mshtml.dll, mspub.exe, msra.exe, msxsl.exe, pcalua.exe, pcwrun.exe, pcwutl.dll, pester.bat*, PowershellCustomHost.exe, print.exe, psr.exe, pubprn.vbs*, regedit.exe, Register-cimprovider.exe, replace.exe, robocopy.exe, rpcping.exe, sc.exe, scriptrunner.exe, setupapi.dll, shdocvw.dll, shell32.dll, slmgr.vbs*, sqldumper.exe, sqlps.exe, SQLToolsPS.exe, SyncAppvPublishingServer.exe, SyncAppvPublishingServer.vbs*, syssetup.dll, te.exe, TextTransform.exe, tracker.exe, url.dll, verclsid.exe, vsjitdebugger.exe, wab.exe, winrm.vbs, wfc.exe, wsl.exe, wslconfig.exe, wslhost.exe, wsreset.exe, xwizard.exe, zipfldr.dll

The DLLs are blocked only when <Enforcement> = 'All files'. This setting is not included in H_C Recommended Settings, because it requires advanced whitelisting for DLLs. But, it may be used by really advanced users.

I would like to underline that blocking Sponsors make sense on the vulnerable system, vulnerable environment (public network), or when using vulnerable (not patched) software.

 

[shmu26]

In May 2019, I plan to push the new H_C version 4.0.1.0.
1. Added new version of RunBySmartScreen (minor changes)
2. Added new version of ConfigureDefender (corrected the issue with closing the application)
3. Added more blocked Sponsors (total number 171, LOLBins included).
4. Added more blocked Sponsors to Enhanced profiles.
5. Added new icons for H_C executables.

The new Sponsors added in ver. 4.0.1.0:
AddInProcess.exe, AddInProcess32.exe, AddInUtil.exe, at.exe, dvpack.dll, appvlp.exe, atbroker.exe, certutil.exe, cmdkey.exe, cmstp.exe, control.exe, diskshadow.exe, dnscmd.exe, dxcap.exe, esentutl.exe, expand.exe, extexport.exe, extrac32.exe, findstr.exe, forfiles.exe, ftp.exe, gpscript.exe, ie4uinit.exe, ieadvpack.dll, ieaframe.dll, jscript*.dll*, kill.exe, lxrun.exe, makecab.exe, manage-bde.wsf*, mavinject.exe, mftrace.exe, Microsoft.Workflow.Compiler.exe, msconfig.exe, msdeploy.exe, msdt.exe, mshtml.dll, mspub.exe, msra.exe, msxsl.exe, pcalua.exe, pcwrun.exe, pcwutl.dll, pester.bat*, PowershellCustomHost.exe, print.exe, psr.exe, pubprn.vbs*, regedit.exe, Register-cimprovider.exe, replace.exe, robocopy.exe, rpcping.exe, sc.exe, scriptrunner.exe, setupapi.dll, shdocvw.dll, shell32.dll, slmgr.vbs*, sqldumper.exe, sqlps.exe, SQLToolsPS.exe, SyncAppvPublishingServer.exe, SyncAppvPublishingServer.vbs*, syssetup.dll, te.exe, TextTransform.exe, tracker.exe, url.dll, verclsid.exe, vsjitdebugger.exe, wab.exe, winrm.vbs, wfc.exe, wsl.exe, wslconfig.exe, wslhost.exe, wsreset.exe, xwizard.exe, zipfldr.dll

The DLLs are blocked only when <Enforcement> = 'All files'. This setting is not included in H_C Recommended Settings, because it requires advanced whitelisting for DLLs. But, it may be used by really advanced users.

I would like to underline that blocking Sponsors make sense on the vulnerable system, vulnerable environment (public network), or when using vulnerable (not patched) software.

Great news. Thanks, Andy!

 

[AlanOstaszewski]

Hello! the H_C page got its own download page. There you can also find the @Andy Ful message about the new version.

I formatted the FAQ a bit better, so that you can link certain sections now!

In the future I would like to integrate my test results with this website. Otherwise I am of course open for further suggestions. Thanks a lot!

Download site:

Hard_Configurator — Download

FAQ:

Hard_Configurator — FAQ

 

[oldschool]

@askalan @Andy Ful It's looking good and it has me thinking. Have you thought about incorporating separate pages or at least links for ConfigureDefender and RunBySmartscreen into the website? Maybe a short section on the Downloads page? This might be useful for those unwilling to take the plunge into the full H_C package?

 

[JamieLanger]

The dedicated website (thanks to @askalan):
Hard Configurator

Hard_Configurator was created after discussion on the below treads:

Secure Windows - Software restriction Policies to Windows Home
Windows Pro owner? Use Software Restriction Policies!
Poll - Do you use security reg tweaks?
Run by Smartscreen utility

Some useful information is also available here:
1. Download Hard_Configurator 4.0.0.2
2. GitHub - AndyFul/Hard_Configurator: GUI to Manage Software Restriction Policies and harden Windows Home OS


What it can do?

This program can configure Windows built-in security to harden the system. When you close Hard_Configurator it closes all its processes. The real-time protection comes from the reconfigured Windows settings. Hard_Configurator can be seen as a Medium Integrity Level smart default-deny setup, which is based on SRP + Application Reputation Service (forced SmartScreen) + Windows hardening settings (restricting vulnerable features).
Hard_Configurator makes changes in Windows Registry to accomplish the tasks enumerated below:

1. Enabling Software Restriction Policies (SRP) in Windows Home editions.
2. Changing SRP Security Levels, Enforcement options, and Designated File Types.
3. Whitelisting files in SRP by path (also with wildcards) and by hash.
4. Blocking vulnerable system executables via SRP (Bouncer black list).
5. Protecting (deny execution) writable subfolders in "C:\Windows" folder (via SRP).
6. Restricting shortcut execution to some folders only (via SRP).
7. Enabling Windows Defender advanced settings, like PUA protection, ASR rules, Network Protection etc.
8. Protecting against weaponized documents, when MS Office and Adobe Acrobat Reader XI/DC are used to open them.
9. Enabling "Run as administrator" for MSI files.
10. Disabling PowerShell script execution (Windows 7+).
11. Securing PowerShell by Constrained Language mode (SRP, PowerShell 5.0+)
12. Disabling execution of scripts managed by Windows Script Host.
13. Removing "Run As Administrator" option from the Explorer right-click context menu.
14. Forcing SmartScreen check for files without 'Mark Of The Web' (Windows 8+).
15. Disabling Remote Desktop, Remote Assistance, Remote Shell, and Remote Registry.
16. Disabling execution of 16-bit applications.
17. Securing Shell Extensions.
18. Disabling SMB protocols.
19. Disabling program elevation on Standard User Account.
20. Disabling Cached Logons.
21. Forcing Secure Attention Sequence before User Account Control prompt.
22. Filtering Windows Event Log for blocked file execution events (Nirsoft FullEventLogView).
23. Filtering autoruns from the User Space, and script autoruns from anywhere (Sysinternals Autorunsc).
24. Enabling&Filtering Advanced SRP logging.
25. Turning ON/OFF all above restrictions.
26. Restoring Windows Defaults.
27. Making System Restore Point.
28. Using predefined setting profiles for Windows 7, Windows 8, and Windows 10.
29. Saving the chosen restrictions as a profile, and restoring when needed.
30. Backup management for Profile Base (whitelist profiles and setting profiles).
31. Changing GUI skin.
32. Updating application.
33. Uninstalling application (Windows defaults restored).

All the above tasks (except forcing Smartscreen check) can be made by hand using Windows regedit. Anyway, with Hard_Configurator, it can be done more quickly and safely.
This program was created for advanced users to secure inexperienced users.

Great ffeatures :

1. Protecting (deny execution) writable subfolders in "C:\Windows" folder (via SRP).
2. Restricting shortcut execution to some folders only (via SRP).
3. Enabling Windows Defender advanced settings, like PUA protection, ASR rules, Network Protection etc.

 

[Andy Ful]

Hello! the H_C page got its own download page. There you can also find the @Andy Ful message about the new version.

I formatted the FAQ a bit better, so that you can link certain sections now!

In the future I would like to integrate my test results with this website. Otherwise I am of course open for further suggestions. Thanks a lot!

Download site:

Hard_Configurator — Download

FAQ:

Hard_Configurator — FAQ

Looks very good.:emoji_ok_hand:
I think that the "Spoiler Contents" may be expanded by default. This will save the reader one click.

 

[Andy Ful]

I noticed that people on other forums have a problem with understanding how SmartScreen works.
First, it is not generally true that if the archive has Mark OF The Web (MOTW) after downloading from the Internet, then the extracted EXE file will have MOTW too. This is not true, for example, when the file was extracted by 7-ZIP.

Furthermore, one member noticed that:

1. After running (from the Explorer) the downloaded file.exe, the Mark OF The Web is removed from the file by the SmartScreen.
2. When running the downloaded file.exe via the command prompt, the Mark OF The Web is not removed from the file by the SmartScreen.

The member's conclusion ---> "looks like a bug".

But, in fact it is not, because running the file.exe from the command prompt is equal to the command: cmd.exe /k file.exe. The file is run by cmd shell that does not trigger the SmartScreen. SmartScreen checks only cmd.exe and ignores file.exe. That is why the MOTW is not removed - simply the file is not checked by SmartScreen, so SmartScreen cannot remove MOTW.

If one uses the "start" command in the cmd console, then it is equal to:
cmd.exe /k start file.exe. The SmartScreen is now triggered (like from Explorer) by using the start command. In this case, the MOTW will be removed (if the file.exe is accepted by SmartScreen).