Hard_Configurator - Windows Hardening Configurator

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,488
...
In fact, this setup is very similar to the idea I had before creating H_C based on SRP.
There are some differences as compared to the current version of H_C:
  1. No need to use the right-click Explorer context menu to check if the program is safe and next run the program.
  2. "Trust apps with good reputation" checks all applications (EXE, MSI) and loaded DLLs in the UserSpace, also those which were not downloaded from the Internet.
  3. "Trust apps with good reputation" is different from SmartScreen. Some applications can be accepted by SmartScreen but blocked by "Trust apps with good reputation", and vice versa.
  4. Windows Script Host scripting is restricted, as compared to SRP where it is blocked.
  5. The protection cannot be bypassed by the user when using "Run as administrator" or elevated shell (elevated CMD, elevated PowerShell, elevated Total Commander, etc.).
  6. The protection can be bypassed if the file triggered the SmartScreen check and was accepted by SmartScreen or the user bypassed the SmartScreen alert.
    It also means that the protection can be bypassed by the user when using RunBySmartScreen, while in SRP the "Run as administrator" or "Run As SmartScreen" must be used.
  7. Blocked programs and DLLs cannot be whitelisted in UserSpace.
...
I thought that the main issue of the setup based on WD Application Guard + the "Trust apps with good reputation" feature would be the lack of whitelisting in the UserSpace.
But it seems that after a few days of bypassing this protection via forced SmartScreen (see point 6 above), Windows Defender learns (locally) that the application is safe, and it can be run normally without being blocked by Application Guard. This is usually limited to a particular computer until the application gains sufficient reputation to be accepted as safe in the cloud.

Edit.
Applying the above WD Application Guard policies on Windows Home ver. 1903 is very simple. The predefined file SIPolicy.p7b has to be copied with admin rights into the folder C:\Windows\System32\CodeIntegrity, and the computer must be rebooted.
If the user wants to unload the policies, then the file SIPolicy.p7b can be simply renamed or removed and the computer rebooted. :giggle: (y)
 
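A way to confirm what the post above describes after the reboot, added here as an example and not taken from the thread or from Hard_Configurator: it checks whether the policy file is in place, reports the Code Integrity enforcement state and the PowerShell language mode, and lists recent Code Integrity block events. It assumes the single-file policy path given in the post and an elevated PowerShell session; the seven-day window is an arbitrary choice.

```powershell
# Added example: inspect a single-file WDAC policy and the blocks it produced.
# The path and file name are the ones given in the post above.
$policy = Join-Path $env:windir 'System32\CodeIntegrity\SIPolicy.p7b'

if (Test-Path -LiteralPath $policy) {
    $file = Get-Item -LiteralPath $policy
    "Policy file : $($file.FullName)"
    "Last written: $($file.LastWriteTime)"
    # Compare this hash with the hash of the policy file you intended to deploy.
    "SHA256      : $((Get-FileHash -LiteralPath $policy -Algorithm SHA256).Hash)"
} else {
    "No SIPolicy.p7b found: no single-file policy will load at the next boot."
}

# With script enforcement active, an interactive session reports ConstrainedLanguage.
"PowerShell language mode: $($ExecutionContext.SessionState.LanguageMode)"

# Enforcement state from the Device Guard WMI class (0 = off, 1 = audit, 2 = enforced).
# The class may be absent on some editions, so a failed query is not fatal.
$query = @{
    Namespace   = 'root\Microsoft\Windows\DeviceGuard'
    ClassName   = 'Win32_DeviceGuard'
    ErrorAction = 'SilentlyContinue'
}
$dg = Get-CimInstance @query
if ($dg) {
    "Kernel-mode CI policy status: $($dg.CodeIntegrityPolicyEnforcementStatus)"
    "User-mode CI policy status  : $($dg.UsermodeCodeIntegrityPolicyEnforcementStatus)"
} else {
    "Win32_DeviceGuard not available on this system."
}

# Code Integrity events: 3099 = policy loaded (on builds that log it),
# 3076 = would have been blocked (audit mode), 3077 = blocked (enforced mode).
$filter = @{
    LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id        = 3076, 3077, 3099
    StartTime = (Get-Date).AddDays(-7)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap
```

Running it again after renaming or removing the file and rebooting shows whether the policy was actually unloaded.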

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
I am trying to mimic the functionality of SRP + forced SmartScreen by using WD Application Control on Windows 10 Home ver. 1903. For now, I am using WDAC policies which work as follows:
  1. All drivers are allowed.
  2. All programs and DLLs are allowed in the SystemSpace (C:\Windows, C:\Program Files, C:\Program Files (x86) - except writable locations).
  3. All Windows Store Apps are allowed.
  4. All programs (EXE, MSI) and DLLs which are accepted by Microsoft as safe (Intelligent Security Graph Authorization) are allowed.
  5. All other programs (EXE, MSI) and DLLs are blocked (also .NET DLLs).
  6. PowerShell and Windows Script Host scripting is restricted.
  7. Whitelisting applications in UserSpace is not possible on Windows Home and Pro.
The points 3. and 4. are related to "Trust apps with good reputation" (Microsoft Intune option). It works similarly to Kaspersky's Trusted Application Mode.

PowerShell restrictions are similar to those in SRP (Constrained Language Mode).
Windows Script Host restrictions are similar to PowerShell restrictions, so the user can run VBS, JS, etc., scripts but the advanced functions and some COM objects are blocked.

In fact, this setup is very similar to the idea I had before creating H_C based on SRP.
There are some differences as compared to the current version of H_C:
  1. No need to use the right-click Explorer context menu to check if the program is safe and next run the program.
  2. "Trust apps with good reputation" checks all applications (EXE, MSI) and loaded DLLs in the UserSpace, also those which were not downloaded from the Internet.
  3. "Trust apps with good reputation" is different from SmartScreen. Some applications can be accepted by SmartScreen but blocked by "Trust apps with good reputation", and vice versa.
  4. Windows Script Host scripting is restricted, as compared to SRP where it is blocked.
  5. The protection cannot be bypassed by the user when using "Run as administrator" or elevated shell (elevated CMD, elevated PowerShell, elevated Total Commander, etc.).
  6. The protection can be bypassed if the file triggered the SmartScreen check and was accepted by SmartScreen or the user bypassed the SmartScreen alert.
    It also means that the protection can be bypassed by the user when using RunBySmartScreen, while in SRP the "Run as administrator" or "Run As SmartScreen" must be used.
  7. Blocked programs and DLLs cannot be whitelisted in UserSpace.
In fact, all the productivity applications I use are accepted in this setup, so I did not need to whitelist anything. ConfigureDefender and H_C installers are also accepted as safe (but not by SmartScreen).
This is a very interesting experiment indeed.
 

Andy Ful

...
The warning refers to the old GUI with the Recommended SRP and Recommended Restrictions where the user makes a previous selection in the wrong order. Because these two buttons no longer exist I suggest this issue be addressed as it can cause confusion.

Also, has the user guide been updated? I haven't read it.
Corrected in ver. 5.0.0.0.
The H_C manual can be accessed via <General Help> <DOCUMENTATION> (updated).
 

Andy Ful

Finally my Windows ver. 1809 decided to upgrade.
Before upgrading, I set H_C, ConfigureDefender, and FirewallHardening to max settings. Furthermore, I activated Windows Defender Application Control with "Trust apps with good reputation" feature and whitelisted folders: c:\Windows and c:\Program Files... .
I suspected that this could possibly break the upgrade, but everything went well. :giggle:

After the upgrade, all H_C, ConfigureDefender, and FirewallHardening settings survived, but I had to reactivate WDAC. After this most applications in UserSpace (but not all) were still remembered as safe by WDAC. Anyway, some applications installed in UserSpace were blocked after the upgrade (Grammarly desktop version and Privacy Eraser). I ran them via "Run By SmartScreen" and after that, they were accepted by WDAC.

From my WDAC tests on Windows ver. 1809 it follows that using "Run By SmartScreen" works well on simple applications, but may fail for the complex installations/updates. Such complex applications (like VirtualBox) must be installed in C:\Program Files... .
 

shmu26

@Andy Ful this issue is probably not because of Hard_Configurator but maybe you know the answer anyway.
Win 10 pro 1903, Admin account, I go to settings/advanced keyboard settings, click on input language hot keys, and I get the typical blue error window with the text:
Contact your system administrator for more info.
Sometimes instead of this I get an error message from control.exe:
Windows cannot access the specified device, path or file. You may not have the appropriate permissions.
I don't have control.exe blocked in sponsors, and this happens even with Switch OFF SRP and Switch OFF Restrictions, and after a reboot.

I don't have any 3rd party security software installed.

The specific issue I want to troubleshoot is the keyboard shortcut for switching between input languages, i.e., between keyboard layouts. I have a split space bar on my keyboard, and I am used to the shortcut of Win key + space bar to switch between languages. As of today, it only works with the right half of the space bar, not the left half. :unsure:

EDIT: Adding to my confusion, I switched SRP back on, and I rebooted, but it isn't blocking. Restrictions work, but SRP doesn't work. Something is weird here.
 
UPDATE: I solved the split space bar issue, it apparently was caused by the August Windows update, and now I got my keyboard back to default behavior. But I still have the other, more mysterious issues.
 

Andy Ful

@shmu26,
Did you install anything or change the security settings before having those mysterious issues?
It is hard to say what is happening in your system, but you can temporarily turn off H_C to see how the system will behave without it. Just load All_OFF profile and reboot the computer. Please, let me know if there is a difference. (y)
Did you check in the H_C log if something has been blocked?
 

shmu26

@shmu26,
Did you install anything or change the security settings before having those mysterious issues?
It is hard to say what is happening in your system, but you can temporarily turn off H_C to see how the system will behave without it. Just load All_OFF profile and reboot the computer. Please, let me know if there is a difference. (y)
Did you check in the H_C log if something has been blocked?
I checked the log immediately but there was nothing there related to the issue. Hmm... what did I install lately... not much besides Edge Chromium.

Interesting but unrelated: the LastPass universal installer uses the deprecated PowerShell that you enable or disable from Windows features. I discovered this today, but it was after the other issues I mentioned.

EDIT: I loaded the All_OFF profile and rebooted, but no difference. It seems the issue is not related to H_C.
 

Andy Ful

@Andy Ful
...
Windows 10 pro 1903, Admin account, I go to settings/advanced keyboard settings, click on input language hot keys, and I get the typical blue error window with the text:
Contact your system administrator for more info.
...
This option uses control.exe, which can be blocked by <Block Sponsors>. The block is somewhat strange because it is not logged in the Windows Event Log. Furthermore, if control.exe is then unblocked in H_C, restarting Windows is required (normally refreshing Explorer is sufficient).
So, it is probable that the keyboard settings issue was due to the blocked control.exe in H_C.

By the way, what mysterious issues do you have now?
 

shmu26

This option uses control.exe, which can be blocked by <Block Sponsors>. The block is somewhat strange because it is not logged in the Windows Event Log. Furthermore, if control.exe is then unblocked in H_C, restarting Windows is required (normally refreshing Explorer is sufficient).
So, it is probable that the keyboard settings issue was due to the blocked control.exe in H_C.

By the way, what mysterious issues do you have now?
I saw people saying that the split space bar on Microsoft keyboards was affected by the August update, so I would attribute it to that.
 

Andy Ful

I saw people saying that the split space bar on Microsoft keyboards was affected by the August update, so I would attribute it to that.
That is right. But if you block control.exe in H_C, you will get the same behavior (I tested it on my computer, Windows 10 Pro 64-bit 1903). :giggle: (y)
 

shmu26

So I needed to restore a system image of Windows 10 1809 in order to sort out the issue with control.exe.
However, I still can't get SRP to work. I downloaded and installed the latest and greatest H_C, I reinstalled SRP, I chose recommended settings, and I rebooted. But it doesn't block anything. @Andy Ful, maybe from the screenshot you can see what I am doing wrong? The screenshot shows my H_C settings and depicts that I can launch installers and blocked sponsors (without using elevated rights).
Sponsors are set to "Enhanced".

Annotation 2019-08-20 121217.png
 
