Hard_Configurator - Windows Hardening Configurator

[Andy Ful]

I am confused about the exact definition of "H_C default deny setup". I remember a time when we were saying that "allow EXE and TMP" is a variation of default/deny. But it seems that now we are calling such a setup "default allow". Correct?

"Allow EXE and TMP" is neither default-deny nor default-allow.
But, that is my point of view. I do not use default-allow for it because it still uses SRP "Default Security Level" = Disallowed.
SRP is a default-allow when SRP "Default Security Level" = Unrestricted.

"Allow EXE and TMP" is similar to default-allow because most applications and installers are allowed (except blocked Sponsors). So, it behaves as default-allow in typical user actions. It is similar to default-deny because many file types (including MSI installers and scripts) are blocked by default. Furthermore, the PowerShell on Windows 10 runs in Constrained Language mode.
I think that the below post (from a couple of months ago) was about it:
https://malwaretips.com/threads/shmu26-windows-config-in-2019.89148/post-819229

 

[shmu26]

"Allow EXE and TMP" is neither default-deny nor default-allow.
But, that is my point of view. I do not use default-allow for it because it still uses SRP "Default Security Level" = Disallowed.
SRP is a default-allow when SRP "Default Security Level" = Unrestricted.

"Allow EXE and TMP" is similar to default-allow because most applications and installers are allowed (except blocked Sponsors). So, it behaves as default-allow in typical user actions. It is similar to default-deny because many file types (including MSI installers and scripts) are blocked by default. Furthermore, the PowerShell on Windows 10 runs in Constrained Language mode.
I think that the below post (from a couple of months ago) was about it:
https://malwaretips.com/threads/shmu26-windows-config-in-2019.89148/post-819229

Thanks Andy

 

[Andy Ful]

Thanks Andy

You are welcome. Thanks again for your help with developing H_C and @askalan's website dedicated to H_C.

 

[ForgottenSeer 823865]

@Andy Ful I never really went deep in H_C specifics, but what benefits it affords over Win10 Enterprise's SRP/applocker and the use of Group Policy tweaks. For example, ConfigureDefender tweaks are GP tweaks.

 

[Andy Ful]

@Andy Ful I never really went deep in H_C specifics, but what benefits it affords over Windows 10 Enterprise's SRP/applocker and the use of Group Policy tweaks.

It is simple.
You can go fishing to have the fish for dinner or just go to the restaurant.
Most people do not know how to fish. Many know it, but they do not know how to cook the fish.
Some people know both things, but prefer restaurants, anyway.
That is why people use Intune on Windows Enterprise and do not mess much with GP tweaks.

But seriously, if one knows how to use GPO properly, then he can read the H_C manual and apply all restrictions by himself. Many people think that they know how to apply SRP properly, but most of them are wrong and their setups have many holes (like allowing shortcuts).
Next, one can make the custom Windows Event views to see what was blocked by WD, Windows Firewall, and SRP. Next, he can add all changed registry keys to the favorite tab in RegEdit to have a quick view of them. But there will be many entries here, so it won't be quick and he must also remember the proper registry values. Next, he can prepare the REG or XML files which can apply the chosen settings and can also revert them if this will be required.
Finally, H_C uses forced SmartScreen that cannot be applied by any known Windows feature.

For example, ConfigureDefender tweaks are GP tweaks.

ConfigureDefender uses only a few Windows Policies. Most settings are applied by PowerShell cmdlets.
H_C uses Windows Policies, but these policies are applied directly in the Windows Registry without using GPO (Group Policy Object does not work on Windows Home). So, the policies configured by H_C are not group policies, even if both H_C and GPO use the same registry keys.

Edit.
If you use AppGuard, then you probably do not have the reason to use H_C, Windows built-in SRP, Applocker or Application Guard.
My notes about H_C on Windows Enterprise editions are related to the home environment, and not to Enterprises. The dangers originated from enterprise networks require something else than H_C.

 

[ForgottenSeer 823865]

So, HC is like NVT SysHardener, a tool to simplify and automatize the implementation of GP/SRP/Applocker and adding its own tweaks.

For Home Version users it gave them what they couldn't have initially; and for Enterprise users, a fastest way to implement some of the GP policies but using PoSh instead of GP.?

I'm I right?

 

[oldschool]

For Home Version users it gave them what they couldn't have initially; and for Enterprise users, a fastest way to implement some of the GP policies but using PoSh instead of GP.?

I'm I right?

Yes, except H_C can apply stronger protection than SysHard.

 

[ForgottenSeer 823865]

Yes, except H_C can apply stronger protection than SysHard.

Indeed, SH is just about LOLbins and UAC.

If you use AppGuard, then you probably do not have the reason to use H_C, Windows built-in SRP, Applocker or Application Guard.

Sure, Win10 SRP/Applocker and all others security components are now the bedrock of my security strategy. I use AppGuard or REHIPS mostly as for testing and as toys.

 

[Andy Ful]

So, HC is like NVT SysHardener, a tool to simplify and automatize the implementation of GP/SRP/Applocker and adding its own tweaks.
...

Yes and No.
H_C is a GUI to simplify and automatize the implementation and management of SRP and some other Windows Policies + its own tweaks and features.

SysHardener does not use Windows built-in SRP. It can use some other Windows Policies and REG tweaks to block/restrict scripts and apply some restrictions/hardening. It also does not have any diagnostic features.

For Home Version users it gave them what they couldn't have initially; and for Enterprise users, a fastest way to implement some of the GP policies but using PoSh instead of GP.?

Yes, on Windows Home the GPO is not installed, and using H_C is far safer and convenient than using REG tweaks, Event Viewer, etc. But, WD Application Control can be used (but not configured) also on Windows Home, especially in the enterprise environment.

The H_C can be used in the home environment on Windows Enterprise editions to quickly and safely configure SRP and some important Windows Policies. This will be much more convenient and safer for most of the home users than using GPO. For advanced users, it will be only a matter of knowledge and convenience.
The experts will probably use only a minority of SRP settings, and will rely on Applocker and WD Application Control. Such a setup is more appropriate when the computer (laptop) is used both in the home and enterprise environments.

 

[tyreman]

To run crap cleaner portable with Hardware_Configurator on win 10 I have to add it to a whitelist correct?
as it wont run with smartscreen

 

[ForgottenSeer 823865]

SysHardener does not use Windows built-in SRP.

Yes I know that I was making a parallel.

The H_C can be used in the home environment on Windows Enterprise editions to quickly and safely configure SRP and some important Windows Policies.

What I wanted to know.

The experts will probably use only a minority of SRP settings, and will rely on Applocker and WD Application Control. Such a setup is more appropriate when the computer (laptop) is used both in the home and enterprise environments.

Exactly my case.

Last question, I already did quite a lot of modifications via GPO/SRP /Applocker , let say now i want to use H_C on my system, you said it uses PoSh cmdlets, so does H_C policies will overide those i made ?

 

[notabot]

Yes I know that I was making a parallel.


What I wanted to know.


Exactly my case.

Last question, I already did quite a lot of modifications via GPO/SRP /Applocker , let say now i want to use H_C on my system, you said it uses PoSh cmdlets, so does H_C policies will overide those i made ?

GPO > powershell cmdlets - but of course cmdlets which are not overridden by GPO will be enforced.

 

[ForgottenSeer 823865]

GPO > powershell cmdlets - but of course cmdlets which are not overridden by GPO will be enforced.

Thanks, wanted to be sure. I saw some weird things in the past. Lol

 

[notabot]

Thanks, wanted to be sure. I saw some weird things in the past. Lol

re weird things, like everything else Microsoft, all statements are modulo bugs, ie I have a core WD component crashing over a 200 entries in another thread here, which shouldn't be happening really -- but this is a bug I've never come across, Group Policy settings always had precedence over powershell cmdlets for me/was working as intended. Also, Group Policy has precedence over registry edits.

 

[Andy Ful]

To run crap cleaner portable with Hardware_Configurator on Windows 10 I have to add it to a whitelist correct?
as it wont run with smartscreen

If CCleaner portable executable is blocked by SmartScreen then it means that this file has a low reputation, so far. This should change after a few days because CCleaner executables are digitally signed.

If you do not want to wait for SmartScreen acceptation, then you have to find another way of checking if the file is clean. After this, you can simply copy the folder of CCleaner to Program Files, which is whitelisted by default. If the file execution will be blocked by SmartScreen, then use right mouse click > file properties > Unblock, and SmartScreen will ignore the file.
If you need to run CCleaner from UserSpace then the executable has to be whitelisted in H_C.

 

[Andy Ful]

...
Last question, I already did quite a lot of modifications via GPO/SRP /Applocker , let say now i want to use H_C on my system, you said it uses PoSh cmdlets, so does H_C policies will overide those i made ?

You have already a complex security setup. Adding H_C will make it even more complex and hard to understand, so I do not recommend it.

If you would like to do it anyway, then it would be necessary to remove SRP by using Gpedit, and then install and configure H_C.
The settings applied by H_C can probably overwrite some of your GPO settings, but the GPO refresh feature will recover them after some hours and wipe out the colliding H_C settings from the Registry. You can easily find out the colliding settings by making a screenshot of H_C main window, just after configuring H_C and comparing it with H_C main window after a day.
The H_C settings will not overwrite Applocker policies.

But, I do not think if all of this is worth your time. The H_C settings can be so restrictive, that adding Applocker policies in the home environment only makes the setup more complex, without adding any important security.

 

[ForgottenSeer 823865]

You have already a complex security setup. Adding H_C will make it even more complex and hard to understand, so I do not recommend it.
[...]
If you would like to do it anyway, then it would be necessary to remove SRP by using Gpedit, and then install and configure H_C.

thanks for the explanation and recommendations, indeed after reading them, it is not worth trying.

 

[Andy Ful]

GPO > powershell cmdlets - but of course cmdlets which are not overridden by GPO will be enforced.

That can depend on the cmdlets. Some cmdlets can configure GPO.
But in H_C (ConfigureDefender), I use the cmdlets which do not use GPO. So, if some WD settings were applied by GPO then they will supersede (but not overwrite) the ConfigureDefender settings.

 

[Andy Ful]

OneDrive and whitelisting.

From March 2019 (maybe earlier) OneDrive can be installed system-wide, so any important binaries are located in "Program Files" (for 32-bit Windows) or "Program Files (x86)" (for 64-bit Windows). The system-wide (per-machine) version is also installed automatically when the user activates "Personal Vault" in OneDrive. If so, then OneDrive starts/updates from SystemSpace and the whitelist entries in H_C can be removed by using:
<Whitelist By Path> ---> OneDrive for Accounts ---> <Remove All>

 

[tyreman]

If CCleaner portable executable is blocked by SmartScreen then it means that this file has a low reputation, so far. This should change after a few days because CCleaner executables are digitally signed.

If you do not want to wait for SmartScreen acceptation, then you have to find another way of checking if the file is clean. After this, you can simply copy the folder of CCleaner to Program Files, which is whitelisted by default. If the file execution will be blocked by SmartScreen, then use right mouse click > file properties > Unblock, and SmartScreen will ignore the file.
If you need to run CCleaner from UserSpace then the executable has to be whitelisted in H_C.

Thank You Very Much!!
Also works with smart screen now