Andy Ful

I am confused about the exact definition of "H_C default deny setup". I remember a time when we were saying that "allow EXE and TMP" is a variation of default/deny. But it seems that now we are calling such a setup "default allow". Correct?
"Allow EXE and TMP" is neither default-deny nor default-allow. (y)
But, that is my point of view. I do not use default-allow for it because it still uses SRP "Default Security Level" = Disallowed.
SRP is a default-allow when SRP "Default Security Level" = Unrestricted.

"Allow EXE and TMP" is similar to default-allow because most applications and installers are allowed (except blocked Sponsors). So, it behaves as default-allow in typical user actions. It is similar to default-deny because many file types (including MSI installers and scripts) are blocked by default. Furthermore, the PowerShell on Windows 10 runs in Constrained Language mode.
I think that the below post (from a couple of months ago) was about it:
https://malwaretips.com/threads/shmu26-windows-config-in-2019.89148/post-819229
 

shmu26

"Allow EXE and TMP" is neither default-deny nor default-allow. (y)
But, that is my point of view. I do not use default-allow for it because it still uses SRP "Default Security Level" = Disallowed.
SRP is a default-allow when SRP "Default Security Level" = Unrestricted.

"Allow EXE and TMP" is similar to default-allow because most applications and installers are allowed (except blocked Sponsors). So, it behaves as default-allow in typical user actions. It is similar to default-deny because many file types (including MSI installers and scripts) are blocked by default. Furthermore, the PowerShell on Windows 10 runs in Constrained Language mode.
I think that the below post (from a couple of months ago) was about it:
https://malwaretips.com/threads/shmu26-windows-config-in-2019.89148/post-819229
Thanks Andy :)
 

Andy Ful

@Andy Ful I never really went deep into H_C specifics, but what benefits does it afford over Windows 10 Enterprise's SRP/AppLocker and the use of Group Policy tweaks?
It is simple.
You can go fishing to have the fish for dinner or just go to the restaurant. :giggle:
Most people do not know how to fish. Many know it, but they do not know how to cook the fish.:unsure:
Some people know both things, but prefer restaurants, anyway.:giggle:(y)
That is why people use Intune on Windows Enterprise and do not mess much with GP tweaks.

But seriously, if one knows how to use GPO properly, then he can read the H_C manual and apply all restrictions by himself. Many people think that they know how to apply SRP properly, but most of them are wrong and their setups have many holes (like allowing shortcuts).
Next, one can make custom Windows Event views to see what was blocked by WD, Windows Firewall, and SRP. Next, he can add all changed registry keys to the Favorites tab in RegEdit to have a quick view of them. But there will be many entries here, so it won't be quick, and he must also remember the proper registry values. Next, he can prepare the REG or XML files which can apply the chosen settings and can also revert them if required.
Finally, H_C uses forced SmartScreen that cannot be applied by any known Windows feature.

For example, ConfigureDefender tweaks are GP tweaks.
ConfigureDefender uses only a few Windows Policies. Most settings are applied by PowerShell cmdlets.
H_C uses Windows Policies, but these policies are applied directly in the Windows Registry without using GPO (Group Policy Object does not work on Windows Home). So, the policies configured by H_C are not group policies, even if both H_C and GPO use the same registry keys.

Edit.
If you use AppGuard, then you probably do not have the reason to use H_C, Windows built-in SRP, Applocker or Application Guard.:giggle:
My notes about H_C on Windows Enterprise editions are related to the home environment, and not to Enterprises. The dangers originating from enterprise networks require something other than H_C.
 
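The two posts above turn on the same facts: what SRP's "Default Security Level" is set to (Disallowed = default-deny, Unrestricted = default-allow), which path rules exist, and what the custom Event views for SRP would show. The script below is an added example for this thread, not Hard_Configurator's own code. It assumes the standard Safer\CodeIdentifiers registry layout and the Microsoft-Windows-SoftwareRestrictionPolicies provider in the Application log, and is meant to be run from an elevated PowerShell prompt.

```powershell
# Added example for this thread, not Hard_Configurator's own code.
# Reads the SRP "Default Security Level", lists the configured path rules so an
# over-broad Unrestricted rule (e.g. a user-writable folder) is visible, and
# pulls the SRP block events a custom Event Viewer view would show.
# Assumes the standard Safer\CodeIdentifiers layout and the SRP event provider.

$SaferKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Security level values as stored in DefaultLevel and used as level subkey names.
$LevelNames = @{
    0      = 'Disallowed'    # default-deny
    131072 = 'Basic User'    # 0x20000
    262144 = 'Unrestricted'  # 0x40000, default-allow
}

function Get-SrpState {
    if (-not (Test-Path $SaferKey)) {
        return [pscustomobject]@{ Configured = $false; DefaultLevel = 'Unrestricted (no SRP policy present)' }
    }
    $p = Get-ItemProperty -Path $SaferKey
    # A missing DefaultLevel behaves like Unrestricted.
    $level = if ($null -ne $p.DefaultLevel) { [int]$p.DefaultLevel } else { 262144 }
    $levelName = if ($LevelNames.ContainsKey($level)) { $LevelNames[$level] } else { "Unknown ($level)" }
    [pscustomobject]@{
        Configured      = $true
        DefaultLevel    = $levelName
        EnforceDlls     = ($p.TransparentEnabled -eq 2)   # 1 = all files except DLLs, 2 = all software files
        AppliesToAdmins = ($p.PolicyScope -ne 1)          # 1 = all users except local administrators
        ExecutableTypes = @($p.ExecutableTypes)           # designated file types (MSI, scripts, ...)
    }
}

function Get-SrpPathRules {
    # Path rules live under <CodeIdentifiers>\<level>\Paths\<GUID>; ItemData holds the path.
    foreach ($level in @($LevelNames.Keys)) {
        $pathsKey = Join-Path $SaferKey "$level\Paths"
        if (-not (Test-Path $pathsKey)) { continue }
        Get-ChildItem -Path $pathsKey | ForEach-Object {
            $rule = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{ Level = $LevelNames[$level]; Path = $rule.ItemData }
        }
    }
}

function Get-SrpBlockEvents {
    param([int]$Days = 1)
    # 865 = blocked by default level, 866 = path rule, 867 = certificate rule, 868 = zone rule
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-SoftwareRestrictionPolicies'
        Id           = 865, 866, 867, 868
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Get-SrpState | Format-List
Get-SrpPathRules | Sort-Object Level, Path | Format-Table -AutoSize
Get-SrpBlockEvents -Days 7 | Format-Table -AutoSize -Wrap
```

An "allow EXE and TMP" style setup shows up here as DefaultLevel = Disallowed with Unrestricted path rules for Program Files and Windows plus the extra allowed paths; a setup that is default-allow in the SRP sense shows DefaultLevel = Unrestricted. The path rule listing is where the "holes" mentioned above (an Unrestricted rule on a folder a standard user can write to) become obvious.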

Umbra

So, HC is like NVT SysHardener, a tool to simplify and automate the implementation of GP/SRP/AppLocker and add its own tweaks.

For Home version users it gave them what they couldn't have initially; and for Enterprise users, a faster way to implement some of the GP policies but using PoSh instead of GP?

Am I right?
 

Umbra

Yes, except H_C can apply stronger protection than SysHard.
Indeed, SH is just about LOLbins and UAC.

If you use AppGuard, then you probably do not have the reason to use H_C, Windows built-in SRP, Applocker or Application Guard.:giggle:
Sure, Windows 10 SRP/AppLocker and all other security components are now the bedrock of my security strategy. I use AppGuard or ReHIPS mostly for testing and as toys.
 

Andy Ful

So, HC is like NVT SysHardener, a tool to simplify and automatize the implementation of GP/SRP/Applocker and adding its own tweaks.
...
Yes and No.
H_C is a GUI to simplify and automatize the implementation and management of SRP and some other Windows Policies + its own tweaks and features.

SysHardener does not use Windows built-in SRP. It can use some other Windows Policies and REG tweaks to block/restrict scripts and apply some restrictions/hardening. It also does not have any diagnostic features.

For Home version users it gave them what they couldn't have initially; and for Enterprise users, a faster way to implement some of the GP policies but using PoSh instead of GP?
Yes, on Windows Home the GPO is not installed, and using H_C is far safer and more convenient than using REG tweaks, Event Viewer, etc. But, WD Application Control can be used (but not configured) also on Windows Home, especially in the enterprise environment.

The H_C can be used in the home environment on Windows Enterprise editions to quickly and safely configure SRP and some important Windows Policies. This will be much more convenient and safer for most of the home users than using GPO. For advanced users, it will be only a matter of knowledge and convenience.
The experts will probably use only a minority of SRP settings, and will rely on Applocker and WD Application Control. Such a setup is more appropriate when the computer (laptop) is used both in the home and enterprise environments.
 

tyreman

To run crap cleaner portable with Hard_Configurator on Windows 10, I have to add it to a whitelist, correct?
As it won't run with SmartScreen.
 

Umbra

SysHardener does not use Windows built-in SRP.
Yes I know that I was making a parallel.

The H_C can be used in the home environment on Windows Enterprise editions to quickly and safely configure SRP and some important Windows Policies.
What I wanted to know.

The experts will probably use only a minority of SRP settings, and will rely on Applocker and WD Application Control. Such a setup is more appropriate when the computer (laptop) is used both in the home and enterprise environments.
Exactly my case.

Last question: I already did quite a lot of modifications via GPO/SRP/AppLocker. Let's say now I want to use H_C on my system. You said it uses PoSh cmdlets, so will the H_C policies override those I made?
 

notabot

Yes I know that I was making a parallel.


What I wanted to know.


Exactly my case.

Last question: I already did quite a lot of modifications via GPO/SRP/AppLocker. Let's say now I want to use H_C on my system. You said it uses PoSh cmdlets, so will the H_C policies override those I made?
GPO > powershell cmdlets - but of course cmdlets which are not overridden by GPO will be enforced.
 

notabot

Thanks, wanted to be sure. I saw some weird things in the past. Lol
Re weird things: like everything else Microsoft, all statements are modulo bugs, i.e. I have a core WD component crashing over 200 entries in another thread here, which shouldn't be happening really -- but this is a bug I've never come across; Group Policy settings always had precedence over PowerShell cmdlets for me / it was working as intended. Also, Group Policy has precedence over registry edits.
 

Andy Ful

To run crap cleaner portable with Hard_Configurator on Windows 10, I have to add it to a whitelist, correct?
As it won't run with SmartScreen.
If the CCleaner portable executable is blocked by SmartScreen, then it means that this file has a low reputation so far. This should change after a few days because CCleaner executables are digitally signed.

If you do not want to wait for SmartScreen acceptance, then you have to find another way of checking if the file is clean. After this, you can simply copy the CCleaner folder to Program Files, which is whitelisted by default. If the file's execution is blocked by SmartScreen, then use right mouse click > file properties > Unblock, and SmartScreen will ignore the file.
If you need to run CCleaner from UserSpace then the executable has to be whitelisted in H_C.
 
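The "Unblock" checkbox above removes the Zone.Identifier stream that SmartScreen keys on, and "another way of checking if the file is clean" can at least include verifying the Authenticode signature the post mentions. The script below is an added example, not code from the thread or from Hard_Configurator: it shows what the stream contains, verifies the signature, and only calls Unblock-File when the signature is valid and comes from the publisher you name. The file path and the publisher pattern at the bottom are placeholders.

```powershell
# Added example, not from the thread. Inspects the mark-of-the-web on a downloaded
# file, verifies its Authenticode signature, and unblocks it only if both checks pass.
# The path and publisher pattern in the usage line are placeholders.

function Get-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)
    # Zone.Identifier is an alternate data stream; ZoneId=3 marks an Internet download.
    $stream = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }
    $info = @{}
    foreach ($line in $stream) {
        # Skip the "[ZoneTransfer]" header; keep key=value lines.
        if ($line -match '^(?<k>[^=\[]+)=(?<v>.*)$') { $info[$Matches.k] = $Matches.v }
    }
    [pscustomobject]@{
        ZoneId      = [int]$info['ZoneId']
        ReferrerUrl = $info['ReferrerUrl']
        HostUrl     = $info['HostUrl']
    }
}

function Test-TrustedSignature {
    param([Parameter(Mandatory)][string]$Path, [string]$ExpectedSubjectPattern)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Only a chain that validates counts; "NotSigned", "HashMismatch" etc. all fail here.
    if ($sig.Status -ne 'Valid') { return $false }
    if ($ExpectedSubjectPattern -and $sig.SignerCertificate.Subject -notmatch $ExpectedSubjectPattern) {
        return $false
    }
    return $true
}

function Unblock-IfSigned {
    param([Parameter(Mandatory)][string]$Path, [string]$ExpectedSubjectPattern)
    $motw = Get-MarkOfTheWeb -Path $Path
    if (-not $motw) {
        Write-Output "No Zone.Identifier on $Path; SmartScreen does not treat it as a download."
        return
    }
    Write-Output "ZoneId=$($motw.ZoneId) HostUrl=$($motw.HostUrl)"
    if (Test-TrustedSignature -Path $Path -ExpectedSubjectPattern $ExpectedSubjectPattern) {
        # Same effect as Properties > Unblock: the Zone.Identifier stream is removed.
        Unblock-File -Path $Path
        Write-Output "Signature valid and publisher matched; unblocked $Path"
    } else {
        Write-Output "Signature missing, invalid, or from an unexpected publisher; left blocked."
    }
}

# Placeholders: point this at the file you checked and the publisher you expect.
Unblock-IfSigned -Path "$env:USERPROFILE\Downloads\portable-tool\tool.exe" -ExpectedSubjectPattern 'CN=Example Publisher'
```

A valid signature says who built the file, not that it is harmless, so this complements rather than replaces a reputation or scan check; the point of gating Unblock-File on it is to avoid clearing the mark on an unsigned or tampered binary out of habit.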

Andy Ful

...
Last question: I already did quite a lot of modifications via GPO/SRP/AppLocker. Let's say now I want to use H_C on my system. You said it uses PoSh cmdlets, so will the H_C policies override those I made?
You have already a complex security setup. Adding H_C will make it even more complex and hard to understand, so I do not recommend it.

If you would like to do it anyway, then it would be necessary to remove SRP by using Gpedit, and then install and configure H_C.
The settings applied by H_C can probably overwrite some of your GPO settings, but the GPO refresh feature will recover them after some hours and wipe out the colliding H_C settings from the Registry. You can easily find out the colliding settings by making a screenshot of the H_C main window just after configuring H_C and comparing it with the H_C main window after a day.
The H_C settings will not overwrite Applocker policies.

But I do not think all of this is worth your time. The H_C settings can be so restrictive that adding AppLocker policies in the home environment only makes the setup more complex, without adding any important security.
 

Umbra

You have already a complex security setup. Adding H_C will make it even more complex and hard to understand, so I do not recommend it.
[...]
If you would like to do it anyway, then it would be necessary to remove SRP by using Gpedit, and then install and configure H_C.
thanks for the explanation and recommendations, indeed after reading them, it is not worth trying. ;)
 

Andy Ful

GPO > powershell cmdlets - but of course cmdlets which are not overridden by GPO will be enforced.
That can depend on the cmdlets. Some cmdlets can configure GPO.
But in H_C (ConfigureDefender), I use the cmdlets which do not use GPO. So, if some WD settings were applied by GPO then they will supersede (but not overwrite) the ConfigureDefender settings.
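Two things from the last few posts can be checked rather than inferred: whether a Defender policy value is superseding (without erasing) a setting made with the cmdlets ConfigureDefender uses, and which registry values under the Policies hive a Group Policy refresh has wiped since a tool wrote them. The script below is an added example and is not ConfigureDefender's or Hard_Configurator's code. It assumes the documented policy path HKLM\SOFTWARE\Policies\Microsoft\Windows Defender; the preference-to-policy map is a hand-picked subset chosen for this example, not an exhaustive table. Run it elevated.

```powershell
# Added example, not ConfigureDefender's or Hard_Configurator's code.
# Part 1: for a subset of Defender settings, show the local Set-MpPreference value
#         and whether a policy value exists that supersedes it.
# Part 2: snapshot HKLM\SOFTWARE\Policies and diff it later to list what a
#         Group Policy refresh removed or changed.
# The policy map below is this example's assumption, not a complete table.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'

# Get-MpPreference property -> @(policy subkey relative to $PolicyRoot, policy value name)
$PolicyMap = @{
    DisableRealtimeMonitoring = @('Real-Time Protection', 'DisableRealtimeMonitoring')
    DisableBehaviorMonitoring = @('Real-Time Protection', 'DisableBehaviorMonitoring')
    PUAProtection             = @('', 'PUAProtection')
    MAPSReporting             = @('Spynet', 'SpynetReporting')
    SubmitSamplesConsent      = @('Spynet', 'SubmitSamplesConsent')
    CloudBlockLevel           = @('MpEngine', 'MpCloudBlockLevel')
}

function Get-DefenderPolicyOverrides {
    $pref = Get-MpPreference
    foreach ($setting in @($PolicyMap.Keys)) {
        $subKey, $valueName = $PolicyMap[$setting]
        $key = if ($subKey) { Join-Path $PolicyRoot $subKey } else { $PolicyRoot }
        $policyValue = $null
        if (Test-Path $key) {
            $policyValue = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).$valueName
        }
        [pscustomobject]@{
            Setting         = $setting
            LocalPreference = $pref.$setting
            PolicyValue     = $policyValue
            Superseded      = ($null -ne $policyValue)   # policy wins, but the local value stays stored
        }
    }
}

function Get-PolicyValues {
    # Flatten every value under the Policies hive into "key\valueName" -> data (as text).
    $values = @{}
    Get-ChildItem -Path 'HKLM:\SOFTWARE\Policies' -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $key = $_
            foreach ($valueName in $key.GetValueNames()) {
                $values["$($key.Name)\$valueName"] = [string]$key.GetValue($valueName)
            }
        }
    return $values
}

function Save-PolicySnapshot {
    param([string]$Path = "$env:TEMP\policies-snapshot.json")
    Get-PolicyValues | ConvertTo-Json | Set-Content -Path $Path
    return $Path
}

function Compare-PolicySnapshot {
    param([string]$Path = "$env:TEMP\policies-snapshot.json")
    $old = @{}
    (Get-Content -Path $Path -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $old[$_.Name] = $_.Value }
    $now = Get-PolicyValues
    # Values present at snapshot time but gone now are what a GPO refresh removed.
    foreach ($name in $old.Keys) {
        if (-not $now.ContainsKey($name)) {
            [pscustomobject]@{ Change = 'Removed'; Value = $name; Was = $old[$name]; Now = $null }
        } elseif ($now[$name] -ne $old[$name]) {
            [pscustomobject]@{ Change = 'Changed'; Value = $name; Was = $old[$name]; Now = $now[$name] }
        }
    }
    foreach ($name in $now.Keys) {
        if (-not $old.ContainsKey($name)) {
            [pscustomobject]@{ Change = 'Added'; Value = $name; Was = $null; Now = $now[$name] }
        }
    }
}

# Usage: check overrides now, take a snapshot, and run Compare-PolicySnapshot again after a day.
Get-DefenderPolicyOverrides | Format-Table -AutoSize
$snapshot = Save-PolicySnapshot
Compare-PolicySnapshot -Path $snapshot | Format-Table -AutoSize   # empty right after the snapshot
```

"Superseded = True" with a non-empty LocalPreference is exactly the case described above: the cmdlet-written value is still there, but the policy value is the one Defender honours. Rows marked "Removed" in the comparison after a refresh are the colliding settings the screenshot method would have revealed.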
 

Andy Ful

OneDrive and whitelisting.

From March 2019 (maybe earlier) OneDrive can be installed system-wide, so any important binaries are located in "Program Files" (for 32-bit Windows) or "Program Files (x86)" (for 64-bit Windows). The system-wide (per-machine) version is also installed automatically when the user activates "Personal Vault" in OneDrive. If so, then OneDrive starts/updates from SystemSpace and the whitelist entries in H_C can be removed by using:
<Whitelist By Path> ---> OneDrive for Accounts ---> <Remove All>
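Whether those whitelist entries can go depends on where OneDrive actually runs from, which is easy to verify. The script below is an added example, not Hard_Configurator's code: it looks for the per-machine binaries under Program Files and Program Files (x86) (the locations the post names), the per-user binary under the profile, and the path of any running OneDrive process, then reports whether every running instance executes from SystemSpace. The candidate paths are assumptions of this example.

```powershell
# Added example, not Hard_Configurator's code. Determines whether OneDrive is the
# per-machine install (runs from Program Files, whitelist entries removable) or the
# per-user install (runs from the profile, whitelist entries still needed).
# Candidate paths are this example's assumptions.

function Test-InSystemSpace {
    param([string]$Path)
    # SystemSpace here means the folders SRP allows by default: Program Files and Windows.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) | Where-Object { $_ }
    foreach ($root in $roots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-OneDriveInstallKind {
    $candidates = @(
        "$env:ProgramFiles\Microsoft OneDrive\OneDrive.exe"
        "${env:ProgramFiles(x86)}\Microsoft OneDrive\OneDrive.exe"
        "$env:LOCALAPPDATA\Microsoft\OneDrive\OneDrive.exe"
    )
    $installed = @($candidates | Where-Object { Test-Path -LiteralPath $_ })
    $running = @(Get-Process -Name OneDrive -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Path } | Where-Object { $_ } | Sort-Object -Unique)

    $perMachine = @($installed | Where-Object { Test-InSystemSpace $_ })
    $perUser    = @($installed | Where-Object { -not (Test-InSystemSpace $_) })
    $userSpaceRunning = @($running | Where-Object { -not (Test-InSystemSpace $_) })

    [pscustomobject]@{
        PerMachineBinary   = $perMachine
        PerUserBinary      = $perUser
        RunningFrom        = $running
        # Only safe to drop the H_C whitelist entries when every running instance is in SystemSpace.
        WhitelistRemovable = ($running.Count -gt 0) -and ($userSpaceRunning.Count -eq 0)
    }
}

Get-OneDriveInstallKind | Format-List
```

If both a per-machine and a per-user binary are present, RunningFrom is the deciding column: a leftover per-user copy that still starts from the profile is the one the whitelist entries were covering.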
 

tyreman

If the CCleaner portable executable is blocked by SmartScreen, then it means that this file has a low reputation so far. This should change after a few days because CCleaner executables are digitally signed.

If you do not want to wait for SmartScreen acceptance, then you have to find another way of checking if the file is clean. After this, you can simply copy the CCleaner folder to Program Files, which is whitelisted by default. If the file's execution is blocked by SmartScreen, then use right mouse click > file properties > Unblock, and SmartScreen will ignore the file.
If you need to run CCleaner from UserSpace then the executable has to be whitelisted in H_C.

Thank You Very Much!!
Also works with SmartScreen now.
 