Hard_Configurator - Windows Hardening Configurator

[blackice]

Yes, it is a nice tool if you cannot block/restrict something by H_C. Did you see it working when using H_C in default-deny setup?

Edit.
Nobody can deny that the life ring (OSA) is a great thing on the boat (AV). But, is it really necessary on the boat in the desert (AV + H_C)? You will probably never see it working (the Noah case can be an exception).

To be fair I never see it, or my AV for that matter, working. With the exception of when I try to open CMD and forget to disable OSA.

 

[Andy Ful]

To be fair I never see it, or my AV for that matter, working. With the exception of when I try to open CMD and forget to disable OSA.

You can even block CMD in H_C, and open it elevated via "open file location" + "Run As SmartScreen" when you want to execute CMD command lines.
Many users do not need CMD, but some still do. After blocking CMD, the advanced user can easily recognize if something needs it by looking at the H_C blocked events. The CMD scripts (*.bat, *.cmd) can be also whitelisted by path or (better) by hash.
CMD is used mostly to run obfuscated scripts and these scripts (also CMD scripts *.bat, *.cmd) are blocked by SRP (except when initiated from the elevated shell).

 

[RoboMan]

Hello @Andy Ful. Exactly what locations does H_C whitelist automatically?

 

[Andy Ful]

Hello @Andy Ful. Exactly what locations does H_C whitelist automatically?

Most locations in C:\Windows, all locations in C:\Program Files, C:\Program Files (x86) - for Windows 64-bit, and Windows Defender application folder.

 

[Marana]

Yes, it is a nice tool if you cannot block/restrict something by H_C. Did you see it working when using H_C in default-deny setup?

Edit.
Nobody can deny that the life ring (OSA) is a great thing on the boat (AV). But, is it really necessary on the boat in the desert (AV + H_C)? You will probably never see it working (the Noah case can be an exception).

I'm still using SSRP default-deny setup in my main computer, and when I started using OSA I saw it working. Luckily for me - as I mentioned - I found the Exclusion rules to fulfill my needs, so after some tweaking OSA has been silent.

I'm currently building a new Windows 10 golden image using 1809 LTSC, and I have replaced SSRP with H_C there. So I don't have yet much experience with H_C, but I have played around with it a little in VirtualBox while hardening the golden image. So far H_C is looking quite promising, and I might very well drop SSRP. My plans are to upgrade from 1607 to 1809 maybe somewhere in August, so in the fall I'll expect to have obtained some real experience with H_C.

(I think that I may be missing one thing in SSRP. It was written in AutoIT and the source code was included, so I was able to integrate MemProtect with it: When I unlocked the policy to e.g. install some software, MemProtect automatically turned itself into install mode, too. I was actually just about to integrate also Windows Firewall Control with SSRP, but then I happened to download the current H_C version and got stuck in it. However, I guess that I'd better not dream of some kind of interface in H_C which could allow one to run some commands when switching on/off SRP...)

About Noah, I think that all he needed was the boat because he had the best "AEW&C" one could imagine to alert him about the time to climb in :emoji_pray:. Since that's not available to us nowadays, I find it good to have both the boat and life ring at hand (at least so far as neither of them cause me headache).

 

[Andy Ful]

I'm still using SSRP default-deny setup in my main computer, and when I started using OSA I saw it working. Luckily for me - as I mentioned - I found the Exclusion rules to fulfill my needs, so after some tweaking OSA has been silent.

Did you saw the same with H_C? the H_C setup can be much stronger than the common setups made by SSRP.

(I think that I may be missing one thing in SSRP. It was written in AutoIT and the source code was included, so I was able to integrate MemProtect with it: When I unlocked the policy to e.g. install some software, MemProtect automatically turned itself into install mode, too. I was actually just about to integrate also Windows Firewall Control with SSRP, but then I happened to download the current H_C version and got stuck in it. However, I guess that I'd better not dream of some kind of interface in H_C which could allow one to run some commands when switching on/off SRP...)
...

You can still do it via a simple script, or a simple AutoIt program that first turns off MemProtect driver to install mode and next runs SwitchDefaultDeny tool. If you want to restore the protection then the AutoIt program first turns MemProtect on and next runs SwitchDefaultDeny tool.

 

[Marana]

Did you saw the same with H_C? the H_C setup can be much stronger than the common setups made by SSRP.

Well, I think that my "problem" was in the opposite direction, so to say.

For example, at default settings OSA apparently denies svchost.exe launching PowerShell, ("Block suspicious Svchost.exe process behaviours"?). Generally that's what I want, but with one exception: I want svchost.exe to be able to launch my daily backup. So I created an exception rule for OSA to allow svchost.exe to run my backup.

Or actually I use Macrium for backups, but I use a powershell script to name the backup files, and Macrium seems to utlize svchost.exe in launching the backup job via Powershell.

After a quick look to H_C I have not found a way to limit running powershell with as fine granularity as I have been able to do using OSA. Can you see a way to do this using only H_C?

You can still do it via a simple script, or a simple AutoIt program that first turns off MemProtect driver to install mode and next runs SwitchDefaultDeny tool. If you want to restore the protection then the AutoIt program first turns MemProtect on and next runs SwitchDefaultDeny tool.

I think that if there were a command line interface to SwitchDefaultDeny (e.g. "-on" and "-off") to switch the setting accordingly, that would be a workable solution. I wonder if there is a way to append this into the wish list...?

 

[shmu26]

I want svchost.exe to be able to launch my daily backup.

What about setting it as a scheduled task with elevated privileges? Won't that bypass SRP restrictions?

 

[Marana]

What about setting it as a scheduled task with elevated privileges? Won't that bypass SRP restrictions?

I have no need to change my current setup; everything works well and smoothly.

I can use the native Macrium Reflect user interface to manage my backup jobs; I can use OSA to block uncontrolled Powershell launches; and the OSA exception rules allow me to tweak Macrium with Powershell scripts. Everything also works well together with my default-deny SRP, and now it seems to me that the configuration should also be compatible with the "ComodoFix" configuration.

Or to be exact, I think that quite likely I will swap SSRP to H_C as my future default-deny SRP tool. But I consider that to be a piece of so called continual improvement.

 

[Andy Ful]

Well, I think that my "problem" was in the opposite direction, so to say.

For example, at default settings OSA apparently denies svchost.exe launching PowerShell, ("Block suspicious Svchost.exe process behaviours"?). Generally that's what I want, but with one exception: I want svchost.exe to be able to launch my daily backup. So I created an exception rule for OSA to allow svchost.exe to run my backup.

It is much safer set H_C to allow PowerShell scripts and block PowerShell executables via <Block Sponsors>. With these settings, you can use PowerShell as Administrator (elevated) without restrictions from H_C. PowerShell scripting will be still blocked for malware. The H_C default-deny will prevent malware to elevate.

I think that if there were a command line interface to SwitchDefaultDeny (e.g. "-on" and "-off") to switch the setting accordingly, that would be a workable solution. I wonder if there is a way to append this into the wish list...?

I do not plan to add the command line interface. It is very easy to set SRP Default Security Level to Unrestricted/Disallowed via reg tweaks. You can simply add a few command lines to your PowerShell or CMD script and run it with elevation via shortcut. You can do a similar thing in Autoit.

If you want, here is the source code of H_C:

AndyFul/Hard_Configurator---old-versions

Contribute to AndyFul/Hard_Configurator---old-versions development by creating an account on GitHub.

github.com

You can use it to make a custom AutoIt scripts for your personal use. I should warn you that the code is rather "dirty" and not well annotated.

 

[shmu26]

It is much safer set H_C to allow PowerShell scripts and block PowerShell executables via <Block Sposors>. With these settings, you can use PowerShell as Administrator (elevated) without restrictions from H_C. PowerShell scripting will be still blocked for malware. The H_C default-deny will prevent malware to elevate.

@Marana this is what I was talking about when I suggested the elevated startup entry. I understand you have everything set up just the way you like it, I was just talking about the future switch to H_C

 

[Andy Ful]

Some changes in SwitchDefaultDeny tool (planned in the next beta of H_C):

All H_C executables will be signed, so they will work well with <Validate Admin Code Signatures>.

 

[Gandalf_The_Grey]

Some changes in SwitchDefaultDeny tool (planned in the next beta of H_C):

View attachment 216233

View attachment 216234

All H_C executables will be signed, so they will work well with <Validate Admin Code Signatures>.

Will be interesting to see what apps are not properly signed and mabe time to search for alternatives.
Is there a warning in the logs?

 

[Andy Ful]

Will be interesting to see what apps are not properly signed and mabe time to search for alternatives.
Is there a warning in the logs?

You get the Windows error alerts, like:

1. "c:\Program Files\MyProg\myprog.exe
   A referral was returned from the server."
2. "ShellExecuteEx failed; code 8235.
   A referral was returned from the server."

 

[Windows_Security]

@Andy Ful

Great news that H_C will be signed. Inevitable question which follows, could you add it as an option in H_C and add it as a setting in Windows_Security configuration? :emoji_clap:

Offer stands to support you when you decide to start a crowd funding action.

Regards Kees

 

[blueblackwow65]

Just wodering for a newbie wher do I start with windows hardening app? Thks
wow I can't spell... wondering where

 

[Andy Ful]

@Andy Ful

Great news that H_C will be signed. Inevitable question which follows, could you add it as an option in H_C and add it as a setting in Windows_Security configuration? :emoji_clap:

Offer stands to support you when you decide to start a crowd funding action.

Regards Kees

Yes, after publishing the upcoming beta version, I will work on adding this option also to the main H_C panel and will include Windows_Security profile in H_C profiles.
Thanks for the support.

 

[Andy Ful]

It should be mentioned that <Validate Admin Code Signatures> can be useful in the below configurations:

1. Windows Vista or Windows 7.
2. Windows 8+ with Allow EXE setup.

This setting is also stronger on SUA than on Admin account. It is a good solution for casual users who use only digitally signed software and are not cautious enough to use RunBySmartScreen (on Windows 8+).

It is also not recommended on Windows 8+ with default-deny setup. The reason for it follows from forced SmartScreen (via RunAsSmartScreen) which is much safer and does not benefit from using <Validate Admin Code Signatures>. Furthermore, this setting prevents installing unsigned applications via "Run As SmartScreen".

 

[Windows_Security]

Just wodering for a newbie wher do I start with windows hardening app? Thks
wow I can't spell... wondering where

When you are using your PC as Admin (not a seperate basic user account) and use Windows Defender as antivirus, simple use this profile and you are good to go. It is not a Default Deny (it has a hole in it, but uses the whitelist of WD to protect this hole). You probably end up using a full default deny policy, but this is a good first step in using a whitelist in stead of blacklist approach.

Using Hard_Configurator in HARDENEDmode with ConfigureDefender in HIGHEST protection on Windows10

I do not think this UAC setting useful with H_C Recommended settings. This profile does not require whitelisting applications in UserSpace, so it is easier to manage. It is worth to remember that the UAC setting 'Only elevate executables that are signed and validated', will block application...

malwaretips.com

 

[Andy Ful]

I have just finished the tests of the new feature on Windows Vista and Windows 7.

Windows Vista did not recognize my digitally signed executables. It did not recognize also the Firefox installer signed with SHA1 certificate and AppGuard installer (signed with SHA1 and SHA256 certificates). I read that there is a Windows Update for Vista to accept SHA256 certificates. On Windows 7 the situation is similar. Without the proper updates, applying <Validate Admin Code Signatures> would block all H_C executables, which would be also a very unpleasant situation for the user.

So, I decided to allow <Validate Admin Code Signatures> only for Windows 8+ versions which have built-in support for SHA256 certificates.