Hard_Configurator - Windows Hardening Configurator

Evjl's Rain

Level 47
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Apr 18, 2016
3,684
Regarding Bitsadmin.exe
Firewall can't block it effectively, because the actual connection is made by BITS, which can't be blocked (as far as I know). The only thing you can do is block Bitsadmin.exe from executing, but once it executes, you can't block the firewall access.
I think blocking is still better than not blocking. Perhaps it can prevent hackers from doing something bad but doesn't break what bitsadmin is doing normally.
Or maybe bitsadmin uses inbound connections, not outbound. I don't know.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,177
Hi, Andy,
I appreciate your effort to make the Firewall Hardening tool.
After comparing it vs. SysHardener's firewall rules, I saw that:
- Firewall Hardening tool has many more rules
- SysHardener only has 4 more rules (or 6 if the SysWOW64 rules are also counted):
Bitsadmin.exe (+syswow64)
Csrss.exe
Dwm.exe
Eventvwr.exe (+syswow64)


If you can add the following processes to your tool, I'll be very happy to delete all of SysHardener's firewall rules :)

By the way, do you consider blocking all of them with inbound connection rules? Hackers can abuse inbound connections to access the victim's PC.
Thank you
Hi,
You can easily add any executable you want when using the Firewall Hardening tool. :giggle:
Please consider the remarks below:
  1. Dwm and Eventvwr are already included, although Eventvwr with a mistake (Evntvwr), which I will correct.
  2. Csrss is a system process that is specially protected by PPL (Protected Process Light) in Windows 8.1+. This is very strong protection, which is also used to protect AV modules (for example in Kaspersky products). On Windows 7 it can be abused, but only with admin rights. I do not know for sure why this file is included in SysHardener. There were malware samples that used the name csrss.exe and were located somewhere else (not in the Windows subfolder), but this cannot be blocked by a firewall rule for the native system Csrss.exe. Are you sure that blocking this would be necessary?
  3. Protecting Bitsadmin.exe with firewall rules is useless because it only triggers svchost, and it is svchost that downloads the files.
 

Andy Ful

That's interesting. I admit that I didn't go back after a day to check the log, everything seemed to be working so well I just forgot about it. But I am curious why the daily blocks from Explorer?
Probably nothing special
...
If the user so wishes, he could rely on the Comodo default/deny, and allow EXE and TMP files in H_C.
...
Yes, that could work for some users.(y)
 

Evjl's Rain

Hi,
You can easily add any executable you want when using the Firewall Hardening tool. :giggle:
Please consider the remarks below:
  1. Dwm and Eventvwr are already included, although Eventvwr with a mistake (Evntvwr), which I will correct.
  2. Csrss is a system process that is specially protected by PPL (Protected Process Light) in Windows 8.1+. This is very strong protection, which is also used to protect AV modules (for example in Kaspersky products). On Windows 7 it can be abused, but only with admin rights. I do not know for sure why this file is included in SysHardener. There were malware samples that used the name csrss.exe and were located somewhere else (not in the Windows subfolder), but this cannot be blocked by a firewall rule for the native system Csrss.exe. Are you sure that blocking this would be necessary?
  3. Protecting Bitsadmin.exe with firewall rules is useless because it only triggers svchost, and it is svchost that downloads the files.
I don't know what these processes can do, but if they normally don't require internet (so blocking doesn't break anything) and only require internet when manipulated by malware, I feel it's safer to block them using the firewall.

If I'm not mistaken, I saw bitsadmin.exe connecting to remote addresses and downloading stuff during my time in the hub.
I have never had any problem blocking everything with SysHardener.
 

Andy Ful

I think blocking is still better than not blocking. Perhaps it can prevent hackers from doing something bad but doesn't break what bitsadmin is doing normally.
Or maybe bitsadmin uses inbound connections, not outbound. I don't know.
...
I don't know what these processes can do, but if they normally don't require internet (so blocking doesn't break anything) and only require internet when manipulated by malware, I feel it's safer to block them using the firewall.
Although the idea is interesting for some other files (like notepad.exe), bitsadmin.exe would probably be the last one to block. The logic is simple. Bitsadmin.exe is commonly used by malc0ders to download payloads. So, it is usually monitored by administrators as a very suspicious process. Why would someone want to hide something under a known suspicious process? There are so many innocent processes (like notepad, OneDrive, web browsers, etc.). But you are probably right that blocking it will not hurt :unsure:
If I'm not mistaken, I saw bitsadmin.exe connecting to remote addresses and downloading stuff during my time in the hub.
I have never had any problem blocking everything with SysHardener.
You can use the Firewall Hardening tool or SysHardener to check that blocking bitsadmin.exe does not prevent downloading files. Just use the command line below:
Code:
bitsadmin.exe /transfer "JobName" https://kcsoftwares.com/files/sumo_lite.exe C:\Users\Admin\Downloads\sumo_lite.exe
It will download the legitimate (and good) SUMo update application from the developer's site.

Anyway, if my arguments do not convince someone, the Firewall Hardening tool allows creating a firewall block rule for any program. :giggle:
I can add some other programs to the predefined list, but the FH tool is already paranoid on max settings.
 
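The point made in both of Andy Ful's replies above (a firewall rule keyed on bitsadmin.exe does not stop the download, because the transfer is carried out by the svchost.exe that hosts the BITS service) can be reproduced with the script below. This is an added example, not Hard_Configurator code and not something posted in the thread. The URL and job name are the ones from the post; the firewall rule name is made up for the test; it assumes an elevated PowerShell 5.1+ session on Windows 8.1 or later with the NetSecurity module.

```powershell
# Added example: demonstrate that a per-executable outbound block on bitsadmin.exe
# does not prevent a BITS download, and show which process really does the transfer.
# Assumptions: run as administrator; rule name below is invented for this test.

$Target   = "$env:SystemRoot\System32\bitsadmin.exe"
$RuleName = 'Test - Block bitsadmin.exe outbound'        # made-up rule name
$Url      = 'https://kcsoftwares.com/files/sumo_lite.exe'   # URL from the post
$Dest     = Join-Path $env:USERPROFILE 'Downloads\sumo_lite.exe'

# 1. Which process hosts BITS? A shared svchost.exe (-k netsvcs), not bitsadmin.exe.
$bits = Get-CimInstance Win32_Service -Filter "Name='BITS'"
"BITS service host: $($bits.PathName) (PID $($bits.ProcessId), state $($bits.State))"

# 2. Block bitsadmin.exe outbound by path, which is what the SysHardener rule does.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Action Block `
        -Program $Target -Profile Any | Out-Null
}

# 3. Request the download anyway. bitsadmin.exe only creates and monitors the job;
#    the svchost process identified above opens the network connection.
& $Target /transfer 'JobName' /download /priority foreground $Url $Dest
if (Test-Path $Dest) {
    "Downloaded $((Get-Item $Dest).Length) bytes despite the block rule on bitsadmin.exe"
}

# The same holds for PowerShell's own BITS cmdlet, which is served by the same service:
#   Start-BitsTransfer -Source $Url -Destination $Dest

# 4. A rule that actually stops BITS traffic has to be scoped to the service, not the exe.
#    CAVEAT: this also blocks Windows Update and every other component that relies on
#    BITS, so it is shown only to illustrate where the traffic originates, not as advice.
#   New-NetFirewallRule -DisplayName 'Block BITS service outbound' -Direction Outbound `
#       -Action Block -Service BITS

# 5. Remove the test rule.
Remove-NetFirewallRule -DisplayName $RuleName
```

Step 1 is the check worth keeping: if the service's PathName points at svchost.exe, then any path-based rule for a client such as bitsadmin.exe (or for PowerShell running Start-BitsTransfer) can only ever block the client from starting, never the transfer itself.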

Andy Ful

It is worth remembering that firewall hardening and blocking Sponsors by path can be easily bypassed in targeted attacks when the user has applied a default-allow setup. The attacker can simply copy the blocked executable to another location, and then it will not be blocked anymore. This is not possible in a properly configured default-deny setup.
 
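The caveat in the post above (a path-based firewall rule says nothing about a copy of the same file in another folder, so it only holds up when an execution-control layer stops the copy from running) can be turned into a quick audit. The script below is an added example, not Hard_Configurator code and not something from the thread. It lists the enabled block rules that are scoped to a program path, then reports whether Software Restriction Policies (the mechanism Hard_Configurator configures) or AppLocker enforce default-deny for executables on this machine. The registry key and DefaultLevel values are the documented SRP ones; it assumes an elevated PowerShell 5.1+ session on Windows 8.1 or later.

```powershell
# Added example: are this machine's path-based firewall block rules backed by a
# default-deny execution policy? If not, copying the blocked exe elsewhere bypasses them.
# Assumption: run as administrator; Get-AppLockerPolicy may be absent on some SKUs.

function Get-PathBasedBlockRules {
    # Enabled block rules that apply to one specific program path (not 'Any').
    Get-NetFirewallRule -Enabled True -Action Block | ForEach-Object {
        $app = $_ | Get-NetFirewallApplicationFilter
        if ($app.Program -and $app.Program -ne 'Any') {
            [pscustomobject]@{
                Rule      = $_.DisplayName
                Direction = $_.Direction
                Program   = [Environment]::ExpandEnvironmentVariables($app.Program)
            }
        }
    }
}

function Get-ExecutionControlStatus {
    # SRP policy lives under Safer\CodeIdentifiers. DefaultLevel 0 = Disallowed
    # (default-deny), 0x20000 = Basic User, 0x40000 = Unrestricted (default-allow).
    $srp = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers' `
               -ErrorAction SilentlyContinue
    $srpMode = if ($null -eq $srp)             { 'not configured' }
               elseif ($srp.DefaultLevel -eq 0) { 'default-deny' }
               else                             { 'default-allow (0x{0:X})' -f $srp.DefaultLevel }

    # AppLocker: an enforced Exe rule collection also means default-deny for executables.
    $exeEnforced = $false
    try {
        [xml]$pol = Get-AppLockerPolicy -Effective -Xml
        $exe = $pol.AppLockerPolicy.RuleCollection | Where-Object Type -eq 'Exe'
        $exeEnforced = ($exe.EnforcementMode -eq 'Enabled')
    } catch { }   # cmdlet missing or no policy: treat as not enforced

    [pscustomobject]@{ SRP = $srpMode; AppLockerExeEnforced = $exeEnforced }
}

$status = Get-ExecutionControlStatus
$status

# A relocated copy is only stopped if something prevents it from executing at all;
# the firewall rule itself never matches the new path.
$covered = ($status.SRP -eq 'default-deny') -or $status.AppLockerExeEnforced

Get-PathBasedBlockRules | ForEach-Object {
    [pscustomobject]@{
        Rule         = $_.Rule
        Direction    = $_.Direction
        Program      = $_.Program
        BypassByCopy = -not $covered   # True on a default-allow machine
    }
} | Format-Table -AutoSize
```

On a machine hardened with Hard_Configurator's default-deny SRP, SRP reports default-deny and every rule shows BypassByCopy = False; on a stock default-allow install the same rules show True, which is exactly the limitation the post describes.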

Freki123

Level 16
Verified
Top Poster
Aug 10, 2013
759
I do not think it could be much easier.
Sorry, I didn't mean it was complicated. If I take your new GUI idea as an example: the left side has no "yellow" spaces; instead it is a "grey block". The right side has some small "yellow" space between each grey button, which I find a lot easier to read. It separates each option more clearly.
So for me, sometimes my eyes slip down and instead of 1>1 I read 1>2 (meaning I dropped a line while reading). Like it would be easier to read on squared paper than on paper without squares.
Untitled2 - Copy.png
Anyway, I like the new GUI. Hope the picture helps to understand what I mean.
 

Andy Ful

I totally agree.
And it is especially hard to line everything up right if you increased the font size in Windows.
I am not sure what the problem is, so I posted below how the GUI looks on my computer with screen resolution 1680x1050 rescaled to 175% (the graphic is slightly blurred):
View attachment 214457


and 1024x768 with rescaling 100%:
View attachment 214460


I know that on some machines the buttons and labels are not rescaled properly with the fonts.
But this is related to AutoIt graphics. By the way, do you have similar problems with SwitchDefaultDeny or the user-dependent DocumentsAntiExploit tool?
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
I am not sure what the problem is, so I posted below how the GUI looks on my computer with screen resolution 1680x1050 rescaled to 175%:
View attachment 214457

and 1024x768 with rescaling 100%:
View attachment 214460

I know that on some machines the buttons and labels are not rescaled properly with the fonts.
But this is related to AutoIt graphic capabilities. By the way, do you have similar problems with SwitchDefaultDeny or the user-dependent DocumentsAntiExploit tool?
In your screenshots, the columns line up correctly. I wish mine would do the same. On my machine, if I change the font size, the values don't line up with the names they relate to.
I am not talking about screen resolution, I am talking about "change the size of text".
 

oldschool

Level 82
Verified
Top Poster
Well-known
Mar 29, 2018
7,146
I'm sorry, but how many demands can one make on the developer of a free tool? How big a deal is this anyway? Does it impact performance or function? I think not. Please learn to live with it as is ... and feel grateful to be able to unlock the full potential of Windows! :)
 

shmu26

I'm sorry, but how many demands can one make on the developer of a free tool? How big a deal is this anyway? Does it impact performance or function? I think not. Please learn to live with it as is ... and feel grateful to be able to unlock the full potential of Windows! :)
Demands are surely out of place. But if a dev is interested in knowing what he can improve, then users can give input.
 

Andy Ful

In your screenshots, the columns line up correctly. I wish mine would do the same. On my machine, if I change the font size, the values don't line up with the names they relate to.
I am not talking about screen resolution, I am talking about "change the size of text".
I know. I rescaled the fonts to 175% in the first screenshot; the only difference is a slightly blurred graphic. The standard rescaling can be changed in multiples of 25%. Nonstandard rescaling is also possible (as seen in Gandalf_The_Grey's screenshot, 110% in his case). I tried this too and everything is rescaled properly on my computer. I think that AutoIt graphics are not fully compatible with some drivers, especially on laptops.
 

shmu26

I know. I rescaled the fonts to 175% in the first screenshot; the only difference is a slightly blurred graphic. The standard rescaling can be changed in multiples of 25%. Nonstandard rescaling is also possible (as seen in Gandalf_The_Grey's screenshot, 110% in his case). I tried this too and everything is rescaled properly on my computer. I think that AutoIt graphics are not fully compatible with some drivers, especially on laptops.
It's no big deal. The kind of people who rescale fonts are usually old enough and patient enough to work out what corresponds to what.
 

Andy Ful

Demands are surely out of place. But if a dev is interested in knowing what he can improve, then users can give input.
Do you remember my question about SwitchDefaultDeny and the user-dependent DocumentsAntiExploit? :giggle:
I adopted another AutoIt GUI in these applications.
 

shmu26

Do you remember my question about SwitchDefaultDeny and the user-dependent DocumentsAntiExploit? :giggle:
I adopted another AutoIt GUI in these applications.
Let me check it out, I need to resize my fonts. I put everything back to default because of other issues; for instance, it makes the top bar in MS Word giant, which takes up too much screen real estate...
 
