Hard_Configurator - Windows Hardening Configurator

[oldschool]

I prepared a simple Help for Firewall Hardening tool. If someone would like to add/change something, then let me know, please.

***************************************
Firewall Hardening tool can apply and manage Outbound Block Rules in Windows Firewall by using Windows policies. The restart of Windows is required to apply the configuration changes.
The paths of blocked executables are displayed as a list. Each entry can be managed by using the buttons located on the bottom of the application GUI.
<Add Rule> button allows adding the rule for any executable.
<Deactivate Rule> button makes the highlighted rules inactive, but does not remove rules.
<Block Rule> button changes highlighted inactive rules to blocked.
<Remove Rule> button removes highlighted rules from the list (and Windows Firewall settings).

The user can add/remove some predefined rules by using the options visible on the right of application GUI.
<LOLBins> button allows adding the rules for many executables from system folders, which are known to be commonly abused by malc0ders.
<MS Office> button allows adding rules for MS Office executables (Word, Excel, PowerPoint, and Equation Editor).
<Adobe Acrobat Reader> button allows adding rules for Adobe Acrobat Reader application.
<Recommended H_C> button allows adding some rules suited for users who applied Hard_Configurator Recommended settings.

The applied rules may be also viewed when using Windows Firewall Advanced settings, but can be managed only by Firewall Hardening tool, or by editing the Registry under the key: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules.

The user can enable auditing Windows Firewall with Advanced Security in category "Object Access" and subcategory "Audit Filtering Platform Packet Drop". This can be done by choosing the radio button 'ON', under "Start logging events".
If auditing is enabled, then the blocked events can be filtered from Windows Event Log by 5152 Event Id. This can be done when pressing <Blocked Events> button, visible under the OFF/ON radio buttons. The Event Log file can store the entries from several hours (usually 12 hours).
**************************************

Maybe include some short instruction for users who do not use Hard_Configurator?

 

[Andy Ful]

Maybe include some short instruction for users who do not use Hard_Configurator?

The Help is independent of H_C, except the info about <Recommended H_C> button.
I can change it a little:
<Recommended H_C> button allows adding some rules suited for users who installed Firewall Hardening tool as a part of Hard_Configurator Windows hardening application and applied the Recommended settings.

 

[oldschool]

The Help is independent of H_C, except the info about <Recommended H_C> button.
I can change it a little:
<Recommended H_C> button allows adding some rules suited for users who installed Firewall Hardening tool as a part of Hard_Configurator Windows hardening application and applied the Recommended settings.

What I was wondering is what rules might be recommended for those who don't use H_C. I've enabled everything in FHT but I'm not currently using H_C.

 

[Andy Ful]

What I was wondering is what rules might be recommended for those who don't use H_C. I've enabled everything in FHT but I'm not currently using H_C.

The recommended is as much as possible.

 

[Andy Ful]

In the next version of H_C I plan to modify the SwitchDefaultDeny feature. When the user will switch <Default Deny Protection> to OFF, it will automatically add "Run By SmartScreen" option to the Explorer context menu. This will unify the procedure of installation of any application both on Administrator and Standard User type of account:

1. Use SwitchDefaultDeny to turn OFF the protection.
2. Install safely the application by using "Run By SmartScreen" from the right-click Explorer context menu.
3. Use SwitchDefaultDeny to restore the protection.

Edit.
Still, on Administrator type of account, the user can use "Run As SmartScreen" from the Explorer context menu (without switching off the protection) to install 99% of applications.

 

[shmu26]

Today I got a SRP block but Windows thought it was from group policy:

H_C log said:
Access to C:\Users\Shmu\AppData\Local\TogglDesktop\updates\TogglDesktopInstaller-7.4.422.exe has been restricted by your Administrator by the default software restriction policy level.

 

[Andy Ful]

Today I got a SRP block but Windows thought it was from group policy:

View attachment 214803

H_C log said:
Access to C:\Users\Shmu\AppData\Local\TogglDesktop\updates\TogglDesktopInstaller-7.4.422.exe has been restricted by your Administrator by the default software restriction policy level.

SRP is a feature based on Windows policies. But, this alert is somewhat misguiding, because H_C does not use Group Policy Object.

 

[Gandalf_The_Grey]

Installed Kaspersky Free and i have some blocks from FirewallHardening.
One example:
Local Time: 2019/06/11 18:07:33
ProcessId: 3872
Application: C:\program files (x86)\kaspersky lab\kaspersky free 19.0.0\avp.exe
Direction: Outbound
SourceAddress: 192.168.178.171
SourcePort: 49764
DestAddress: 88.221.144.49
DestPort: 80
Protocol: 6
FilterRTID: 68344
LayerName: %%14611
LayerRTID: 48
What should I do with this block?

 

[Andy Ful]

Installed Kaspersky Free and i have some blocks from FirewallHardening.
One example:
Local Time: 2019/06/11 18:07:33
ProcessId: 3872
Application: C:\program files (x86)\kaspersky lab\kaspersky free 19.0.0\avp.exe
Direction: Outbound
SourceAddress: 192.168.178.171
SourcePort: 49764
DestAddress: 88.221.144.49
DestPort: 80
Protocol: 6
FilterRTID: 68344
LayerName: %%14611
LayerRTID: 48
What should I do with this block?

Isn't it the same event we talk about in May?
https://malwaretips.com/threads/hard_configurator-windows-hardening-configurator.66416/post-816321

 

[Gandalf_The_Grey]

Isn't it the same event we talk about in May?
https://malwaretips.com/threads/hard_configurator-windows-hardening-configurator.66416/post-816321

Sorry. I forgot that and I think it's the same. Will investigate further. Thanks for your reply.

 

[Andy Ful]

I pushed to GitHub the stable version of Firewall Hardening tool:
For Windows 64-bit: AndyFul/Hard_Configurator
For Windows 32-bit: AndyFul/Hard_Configurator

Added help and corrected the evntvr.exe name.

 

[shmu26]

I pushed to GitHub the stable version of Firewall Hardening tool:
For Windows 64-bit: AndyFul/Hard_Configurator
For Windows 32-bit: AndyFul/Hard_Configurator

It's the same as the beta?

 

[Andy Ful]

It's the same as the beta?

Added help and corrected the evntvwr.exe name.

 

[Andy Ful]

If someone wants Firewall Hardening tool to log the events from about 24 hours (on Windows 10) then it is included in these executables:
For Windows 64-bit: AndyFul/Hard_Configurator
For Windows 32-bit: AndyFul/Hard_Configurator

To apply the extended Log, the user must reset "Start logging events" by pressing "OFF" and next "ON" radio buttons.

In Windows default settings, the security event log maximum file size is 20MB, and once it reaches the maximum size, old events are overwritten by new events. The events related to 5152 Event Id are only a very small fraction of all logged events, and events related to blocking the outbound connection of applications are only a small fraction of 5152 events.
On Windows 7 the default log can keep the blocked outbound connection events for several days, but on Windows 10 (on my computer) those events are kept only about 12 hours. I think that 24 hours will be more useful. So, I decided to extend the maximum log size to 40 MB.

 

[paulderdash]

I have AppGuard SOLO license but do not plan on renewing, but use H_C instead ... I also have licenses for EAM and HmP.A.

Just done a clean install of W10 Home v1903 and I like to play .. would a combination of EAM , HmP.A and H_C be an outrageous combination? (ducks)

Edit: Or H_C and OSA, too much overlap?

 

[Andy Ful]

I have AppGuard SOLO license but do not plan on renewing, but use H_C instead ... I also have licenses for EAM and HmP.A.

Just done a clean install of W10 Home v1903 and I like to play .. would a combination of EAM , HmP.A and H_C be an outrageous combination? (ducks)

Edit: Or H_C and OSA, too much overlap?

EAM + H_C or HmP.A + H_C, would be fine.
H_C + OSA would not be a good idea.

 

[shmu26]

I have AppGuard SOLO license but do not plan on renewing

Just curious why you are not planning on renewing? Financial considerations?

 

[paulderdash]

Just curious why you are not planning on renewing? Financial considerations?

Yes I was given a special rate, for a year only ...

And I am just a casual user, would prefer to stick with consumer-targeted offerings.

 

[shmu26]

Yes I was given a special rate, for a year only ...

And I am just a casual user, would prefer to stick with consumer-targeted offerings.

Before you uninstall AppGuard, copy your UserSpace exceptions to a text file or something, because you will probably want to use them in Hard_Configurator. Just makes your life easier that way...

 

[Freki123]

Would it be a good Idea to add two new lolbins: update.exe and squirrel.exe ?

Microsoft Teams Can Be Used to Download and Run Malicious Packages

The update mechanism as it is currently implemented in Microsoft Teams desktop app allows downloading and executing arbitrary files on the system.

www.bleepingcomputer.com

Edit: My guess is Discordapp.com (desktop version) also use them. Atleast there is an squirrel.exe and update.exe in the folder.