Hard_Configurator - Windows Hardening Configurator

[Andy Ful]

Why then did it show up in the log when I pressed Blocked Events? That's not only for your tool?

My tool blocks only the entries (by path) which are visible on the list. The <Blocked Events > option gives you a report from Windows Log for outbound blocked connections of all programs (event Id = 5152). So you can see there all applications that are blocked, not only those that you choose to block via my tool.
Do you use any DNS filtering program?

 

[Gandalf_The_Grey]

My tool blocks only the entries (by path) which are visible on the list. The <Blocked Events > option gives you a report from Windows Log for outbound blocked connections of all programs (event Id = 5152). So you can see there all applications that are blocked, not only those that you choose to block via my tool.

Thanks, I figured that out when I saw CCleaner blocks.
Had blocked them myself in Windows Firewall.
Now I have to find the reason for the other blocks..
O&O ShutUp 10 can be a reason.
Will see if there are no more blocks when resetting O&O ShutUp 10 to the default windows values.
Just wanted to say, great new tool and good info on the logs

 

[shmu26]

Thanks for the firewall tool, Andy!

 

[Andy Ful]

You're welcome.

 

[Gandalf_The_Grey]

Do you use any DNS filtering program?

No I only use Kasperky Free Antivirus, Hard Configurator and O&O Shut Up 10.

 

[Andy Ful]

I have blocked connections for all available LOLBins, and can see only a few blocked events daily for compattelrunner.exe and explorer.exe.

 

[shmu26]

I have blocked connections for all available LOLBins, and can see only a few blocked events daily for compattelrunner.exe and explorer.exe.

Is it recommended to block compattelrunner?
I read that it checks your specs to see if your system meets requirements for certain Windows updates. That sounds like a good thing to me.

 

[Andy Ful]

The program compattelrunner.exe is run by 2 Application Experience tasks:

1. Microsoft Compatibility Appraiser
2. ProgramDataUpdater

Both are for users who participate in the Windows Customer Experience Improvement Program. It collects the data about computer usage to help M$ improve Windows. Many users reported an extensive usage of resources when it is running. It is not for the users but for M$:

Turn off the Windows Customer Experience program - gHacks Tech News

Microsoft introduced the Windows Customer Experience Improvement Program in Windows Vista, and has made it a part of any version of Windows since.

www.ghacks.net

It is ticked by default on SysHardener list, but I do not think that it has to be blocked. Your choice.

 

[Andy Ful]

I edited the initial post about Firewall Hardening - the rules start working after restarting Windows!

 

[Windows_Security]

@Andy Ful

Thanks for the new tool.

Feature request, on Hard_Configurator:

a) Since powershell is also included in the block sponsors section, could you change that to running powerscripts RESTRICTED?

b) Could you replace the obselete option of "No removable disk execution" with "Disable CMD and scripts"?

Thanks

Kees

P.S. I changed default setting to Disallowed on my desktop and Asus Transformer. When that runs OK after May Update, I will change it on my Wife's laptop also.

 

[Gandalf_The_Grey]

Okay did a reset on my laptop and going for an almost all Microsoft config with Office 365 Home installed through the store and Edge Dev as daily browser on my laptop with windows 10 1903.
Removed Internet Explorer 11.
Hard_Configurator Beta 4.0.1.0 at recommended settings (asked on first start).
ConfigureDefender 2.0.0.1 at High protection level.
FirewallHardening 1.0.0.0 added Recommended H_C.
Anything I need to add or change for better protection?

 

[Andy Ful]

Okay did a reset on my laptop and going for an almost all Microsoft config with Office 365 Home installed through the store and Edge Dev as daily browser on my laptop with windows 10 1903.
Removed Internet Explorer 11.
Hard_Configurator Beta 4.0.1.0 at recommended settings (asked on first start).
ConfigureDefender 2.0.0.1 at High protection level.
FirewallHardening 1.0.0.0 added Recommended H_C.
Anything I need to add or change for better protection?

Add Firewall Rules (FirewallHardening) for MS Office and HIGH Protection Level for WD (ConfigureDefender). Some ASR rules introduced via HIGH Protection Level are important for MS Office. Stay a while on these settings to see if they work well for you.

 

[Gandalf_The_Grey]

Add Firewall Rules (FirewallHardening) for MS Office and HIGH Protection Level for WD (ConfigureDefender). Some ASR rules introduced via HIGH Protection Level are important for MS Office. Stay a while on these settings to see if they work well for you.

Sorry, forgot to mention that I already set the High protection level for WD (edited post).
The add firewall rules for MS Office doesn't seem to work on my system.
Maybe because I have Office 365 Home installed through the Microsoft Store.
Found that office trough the store had extra ASR rules rolled out recently:

Updates to attack surface reduction rules for Office apps

We’re extending attack surface reduction rules to include Office 365 desktop apps from the Microsoft Store (known as Office Centennial apps)

techcommunity.microsoft.com

So in theory more secure then the regular apps, but don't know if those rules are working on my system
EDIT: found the missing link

 

[Windows_Security]

Okay did a reset on my laptop and going for an almost all Microsoft config with Office 365 Home installed through the store and Edge Dev as daily browser on my laptop with windows 10 1903.

Anything I need to add or change for better protection?

When you don't use an Anti-Virus, Anti-Exploit or AdBlocker which injects its code (a DLL) into the browser, add this Exploit Protection (App & Browser Control of Windows Defender).

 

[shmu26]

Office 365 has a different path than the regular Office.

 

[Andy Ful]

Office 365 has a different path than the regular Office.

FirewallHardening reads the MS Office application path from the Registry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\excel.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\powerpnt.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\winword.exe

I am afraid that Office 365 may have different paths.

 

[shmu26]

FirewallHardening reads the MS Office application path from the Registry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\excel.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\powerpnt.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\winword.exe

I am afraid that Office 365 may have different paths.

I have Office 365 and I checked the reg key, and it shows the right path
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

 

[Andy Ful]

@Gandalf_The_Grey and @shmu26
Could you please check the registry key:
HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Office 365
Under the value: 'InstallLocation' should be the right installation path. If so, then I can add this into FirewallHardening tool.

 

[Andy Ful]

I have Office 365 and I checked the reg key, and it shows the right path
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

So in your case, adding the firewall block rules for Office 365 via FirewallHardening tool should work. The right application paths to excel.exe, powerpoint.exe and word.exe should be visible on the list.

 

[Gandalf_The_Grey]

@Gandalf_The_Grey and @shmu26
Could you please check the registry key:
HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Office 365
Under the value: 'InstallLocation' should be the right installation path. If so, then I can add this into FirewallHardening tool.

It's not there (in my case) because of the install from Microsoft Store:

Through the task manager I get these paths:
Access: C:\Program Files\WindowsApps\Microsoft.Office.Desktop.Access_16051.11601.20230.0_x86__8wekyb3d8bbwe\Office16
Excel: C:\Program Files\WindowsApps\Microsoft.Office.Desktop.Excel_16051.11601.20230.0_x86__8wekyb3d8bbwe\Office16
Outlook: C:\Program Files\WindowsApps\Microsoft.Office.Desktop.Outlook_16051.11601.20230.0_x86__8wekyb3d8bbwe\Office16
Powerpoint: C:\Program Files\WindowsApps\Microsoft.Office.Desktop.PowerPoint_16051.11601.20230.0_x86__8wekyb3d8bbwe\Office16
Publisher: C:\Program Files\WindowsApps\Microsoft.Office.Desktop.Publisher_16051.11601.20230.0_x86__8wekyb3d8bbwe\Office16
Word: C:\Program Files\WindowsApps\Microsoft.Office.Desktop.Word_16051.11601.20230.0_x86__8wekyb3d8bbwe\Office16

So they are in (access restricted) C:\Program Files\WindowsApps when installed from the store.