Hard_Configurator - Windows Hardening Configurator

[Andy Ful]

thanks. great tool!
please keep us posted here when your new version comes out. It will be interesting to see how you can make such a good thing even better.

Thanks. Your post just helped me to figure out how to improve one of new options (managing programs that autostart from the User Space).

 

[shmu26]

@Andy Ful, hi, I was wondering if you could give us some input on a different thread, where we were discussing powershell and Hard_Configurator, and trying to figure it out:
Security Report - Malware distributors are switching to less suspicious file types

 

[509322]

@Andy Ful, hi, I was wondering if you could give us some input on a different thread, where we were discussing powershell and Hard_Configurator, and trying to figure it out:
Security Report - Malware distributors are switching to less suspicious file types

7. Disabling/Enabling PowerShell script execution (Windows 7+).

By default, Windows has this registry policy set to disable powershell script execution. It can be trivially bypassed. That is what was explained in the linked article. It is a known issue.

He's providing you a convenient means of toggling that registry value for powershell script execution on-off instead of having to do it manually.

Windows doesn't provide robust protection against powershell abuse. If malware can get at it, then it is likely your goose is cooked.

 

[shmu26]

7. Disabling/Enabling PowerShell script execution (Windows 7+).

By default, Windows has this registry policy set to disable powershell script execution. It can be trivially bypassed. That is what was explained in the linked article. It is a known issue.

He's providing you a convenient means of toggling that registry value for powershell script execution on-off instead of having to do it manually.

Windows doesn't provide robust protection against powershell abuse. If malware can get at it, then it is likely your goose is cooked.

thanks, @Lockdown!

 

[509322]

@Andy Ful

Suggestion - add option to configure Powershell language modes: Full, Constrained, Restricted, NoLanguage

Someone suggested that NoLanguage will bork the system, but I am not convinced

 

[Andy Ful]

@Andy Ful

Suggestion - add option to configure Powershell language modes: Full, Constrained, Restricted, NoLanguage

Someone suggested that NoLanguage will bork the system, but I am not convinced

I am not sure if it is possible in PowerShell 2.0 and 1.0 in Windows Home. I'm also thinking about blacklisting the powershell.exe and powershell_ise.exe. Blacklisting in SRP has the advantage of much less impact on the system, because powershell scripts can be run elevated by the system processes.

 

[Andy Ful]

Hard_Configurator new version 2.0.1.0 has been uploaded to GitHub:
GitHub - AndyFul/Hard_Configurator: GUI to Manage Software Restriction Policies and harden Windows Home OS

Some notable changes:

1. New options in <SRP Extensions> window: Add/Remove script extensions, Save/Restore extensions, Restore default extensions.

2. New <Tools> button with troubleshooting options:
<Run SRP/Scripts EventLogView> - filters the output of NirSoft tool: FullEventLogView, to retrieve information about blocked events.
<Run Autoruns: Scripts/UserSpace> - filters out all numerous autoruns from the System Space leaving only a few entries from the User Space. They are automatically whitelisted.
<Turn ON Advanced SRP logging> - activates Verbose trace logging of SRP, and allows to view the log.
<Restore Windows Defaults> - replaces the registry changes made by Hard_Configurator with Windows default values.

3. <Block Remote Assistance> option has been renamed to <Block Remote Access> and extended to include Remote Shell and Remote Registry.

4. On the first run, Hard_Configurator makes System Restore point , performs autoruns checking and whitelisting User Space autoruns.

5. Updated manual with extended information about how SRP can control file execution/opening, using API functions: ShellExecute, CreateProcess, LoadLibrary, and about unusual shortcuts handling.

Other changes are planned in the next version:
1. Blocking sponsors (system executables that can run binary files).
2. Blocking 16Bit programs.
3. Blocking UnSecure Shell extensions.

 

[Av Gurus]

Review by gHacks:

Harden Windows with Hard Configurator - gHacks Tech News

 

[Andy Ful]

Review by gHacks:

Harden Windows with Hard Configurator - gHacks Tech News

Thanks for the info. Nice review. The problem with help files can occur, if Hard_Configurator folder was not copied to Windows directory. I put Installation info on GitHub webpage, but forgot to include it in Hard_Configurator_2.0.1.0.zip . Martin probably thought that Hard_Configurator is fully portable.

 

[Andy Ful]

Polish version of Hard_Configurator was released.
Hard_Configurator - polska wersja - SafeGroup
Windows 64-bit: Hard_Configurator_setup(x64).zip
Windows 32-bit: Hard_Configurator_setup(x86).zip

 

[Andy Ful]

Important info for users upgrading to Windows 10 Creators Update (compilation 15063.13).

Due to integration with Windows Defender, Microsoft made some important changes in the SmartScreen Application Reputation. So, the Hard_Configurator setting <Run As SmartScreen>='Administrator', fails to force SmartScreen for all files - it works just as the standard 'Run as administrator'.
I have to make some tests to figure out if the previous functionality of this setting could be recovered in the Windows 10 Creators version.
Until this will be done, here are the recommended Hard_Configurator settings:
<Run As SmartScreen> = 'Standard User'
<Hide 'Run As Administrator'> = 'OFF'

With the above settings, when SRP are activated, one can still use the SmartScreen when installing programs from User Space. But, both options: 'Run By SmartScreen' and 'Run as administrator', from Explorer context menu must be used:

1. After using 'Run By SmartScreen' the program is blocked by SRP, but 'Mark of the Web' is added and the program is checked by SmartScreen.
2. 'Run as administrator' allows to bypass SRP and install the file.

So SRP + 'Run By SmartScreen'', with the above settings, can be used as any other, second opinion anti-malware scanner.

 

[Andy Ful]

I must admit, that it is necessary to make Hard_Configurator installer. The last Hard_Configurator review in Computer Active (29.03.2017) has the same mistake as in the gHacks Tech News review. Autors assumed that the program is portable, and did not copy Hard_Configurator folder into Windows directory.
That is my fault to create semi-portable program.
By the way, the Computer Active review is very well organized, and the author knows how to write a good article with useful instructions.
The new program version is almost ready, and all final settings made from the above review, can be configured by two mouse clicks (<Recommended SRP> and <Recommended Restrictions>).
Some options suggested by @Windows_Security were added (Disable 16-bits, Shell Extension Security), and also some new: Disable Command Prompt, Disable Elevation on SUA, Block PowerShell Sponsors, MSI Elevation (Symantec Registry tweak).

 

[Av Gurus]

Will you make also and portable version (for others who know how to use it)?
Can you post a link to that review, please.

UPDATE:
This options "Run As SmartScreen" can't be turned ON?

 

[Andy Ful]

Will you make also and portable version (for others who know how to use it)?
Can you post a link to that review, please.

I can make semi-portable version for MalwareTips members, but one has to remember to copy the Hard_Configurator folder into 'C:\Windows' directory!
Computer Active is a printed magazine (one of the top 15 largest subscription titles in the UK).

 

[Av Gurus]

I don't know why people don't - RTFM!!!



Please, do that semi-portable version for us...thank you

EDIT:
Maybe you miss this question from privies post:
"This options "Run As SmartScreen" can't be turned ON?"

 

[Andy Ful]

...
Maybe you miss this question from privies post:
"This options "Run As SmartScreen" can't be turned ON?"

I can be turned on. Simply go to the Windows Defender settings, and change the 'Warn' to 'Block'. and next change 'Block' to 'Warn'. But, do not use 'Administrator' option after Windows Creators Update in Windows 10. Microsoft changed the way of SmartScreen working, so this option does not force SmartScreen check. Anyway, the <Run As Smartscreen> = 'Standard User' works well.
I solved this issue (related to Windows Creators Update) in the new Hard_Configurator version (coming soon).

 

[Av Gurus]

This:



Yeah, now it's working...

 

[HarborFront]

Hi @Andy Ful

I'm thinking of using the Hard Configurator to harden my Windows.

Just some questions.

Does it come with recommended settings or all settings already enabled without user intervention? If user intervention is needed is there an explanation if the feature is enabled(if it's disabled by default). O&O ShutUp is an interesting software that if you hover the mouse over a feature it gives a short explanation of the feature. Does your software works likewise?

After a Windows firmware update do I need re-enable the features again?

Does this software protects 3rd-party applications or solely protects Windows only?

Thanks

 

[HarborFront]

I can make semi-portable version for MalwareTips members, but one has to remember to copy the Hard_Configurator folder into 'C:\Windows' directory!
Computer Active is a printed magazine (one of the top 15 largest subscription titles in the UK).

Please make it for I'm using all portable software for my set up

Thanks

 

[Av Gurus]

Hi @Andy Ful

I'm thinking of using the Hard Configurator to harden my Windows.

Just some questions.

Does it come with recommended settings or all settings already enabled without user intervention? If user intervention is needed is there an explanation if the feature is enabled(if it's disabled by default). O&O ShutUp is an interesting software that if you hover the mouse over a feature it gives a short explanation of the feature. Does your software works likewise?

After a Windows firmware update do I need re-enable the features again?

Does this software protects 3rd-party applications or solely protects Windows only?

Thanks

You have HELP by every tweak which explain (very detail) what is that tweak doing (check my picture above) .
When you start it it will create Restore Points and check your PC for Autoruns program, then you can enable tweak (one by one or all together).
Just remember to first put Hard Configurator in C:Windows folder.