Hard_Configurator - Windows Hardening Configurator

Sources (e.g. Microsoft Learn, others) that you used to determine the "What & How" to harden Windows and make Hard_Configurator make those hardening steps. (Not source code.)

Unfortunately, all official resources are related to SRP configuration via GPO.
H_C does not use GPO to apply SRP, so it is documented only in the H_C manual (based on my research).
The initial idea was mentioned on Wilderssecurity forum many years ago (on Windows XP).
Some SRP configurations are specific only to H_C.
That is why H_C will never be listed on the internal US DoD. :)
 
The DoD and other agencies do not have a 100% official Microsoft documented method requirement to obtain approval for use. They all use undocumented methods.

It is possible to obtain approval by supplying the information on how something was achieved by either adapting official, documented methods or via discovery that it works (e.g. research).

Never say "Never."
 
Reinstalling Windows is the last thing to do. Please do as follows:
  • Run the UserDiag and remember the time. Restart Windows. Run FirewallHardening and inspect the <Blocked events>. Deactivate the block rules for LOLBins blocked at that time.
or
  • Deactivate all rules in FirewallHardening. Restart Windows.

If UserDiag is still offline, then the issue is unrelated to FirewallHardening.

explorer.exe in LOLBins rules was the problem, I think.
I removed the rule, and now all I have to do is restart the computer and make sure that's what it is.

Many thanks again!

I'm starting to understand this tool a little bit thanks to you here...

 
If Office is on block with LOLBins or H_C Recommended, Excel or Word works fine or not?

It should work well, except if you use documents that want to auto-update the content using resources from the Internet or local Network.
Microsoft Office updates are not blocked.

Did you notice any issues?
 
Office doesn't seem to update with this:
To see which LOLBin is the issue you must use <Blocked Events> and see which LOLBins are in the LOG. Usually, there can be many events related to Explorer.exe and a few events of rundll32.exe (mainly Windows telemetry).

What exactly is the purpose of this Office block (I don't quite understand).

MS Office applications can be exploited and serve as a trojan. But, if you use Microsoft Office 365, such outbound connections are normal. You can use the DestAddress from the FirewallHardening Log to see where the outbound traffic goes:

Event[1]:
Local Time: 2024/10/04 11:36:45
ProcessID: 14868
Application: C:\windows\system32\rundll32.exe
Direction: Outbound
SourceAddress: 192.168.0.165
SourcePort: 54672
DestAddress: 51.124.78.146
DestPort: 443
Protocol: 6
.....

IP Whois Online, Whois Lookup Online | IPVoid


In this case the DestAddress is related to Microsoft.
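
The two pieces of advice above (note the time, then check <Blocked Events> for the LOLBins blocked at that time and where they were connecting) can be applied to a saved copy of the log. This is an added example, not from the original posts or from Hard_Configurator: it assumes the log text follows the layout of the event quoted above, and the function names are hypothetical.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
# Constructed sample: Event[1] is the event quoted in the thread (abbreviated);
# Event[2] and Event[3] are invented, with documentation-range addresses.
SAMPLE_LOG = r"""
Event[1]:
Local Time: 2024/10/04 11:36:45
Application: C:\windows\system32\rundll32.exe
DestAddress: 51.124.78.146
DestPort: 443
.....
Event[2]:
Local Time: 2024/10/04 11:37:10
Application: C:\Windows\explorer.exe
DestAddress: 203.0.113.10
DestPort: 443
Event[3]:
Local Time: 2024/10/04 09:02:00
Application: C:\Windows\explorer.exe
DestAddress: 203.0.113.10
DestPort: 80
"""

def parse_events(text):
    """Split the log into one dict per 'Event[n]:' block; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if re.fullmatch(r"Event\[\d+\]:", line):
            events.append({})
        elif events and ": " in line:
            key, value = line.split(": ", 1)
            events[-1][key] = value
    return events

def blocked_near(text, when, minutes=5):
    """Count (application, destination) pairs blocked within +/- minutes of `when`."""
    center = datetime.strptime(when, "%Y/%m/%d %H:%M:%S")
    hits = Counter()
    for ev in parse_events(text):
        try:
            ts = datetime.strptime(ev["Local Time"], "%Y/%m/%d %H:%M:%S")
        except (KeyError, ValueError):
            continue  # incomplete or truncated event
        if abs(ts - center) <= timedelta(minutes=minutes):
            app = ev.get("Application", "?").lower()  # Windows paths are case-insensitive
            hits[(app, f'{ev.get("DestAddress", "?")}:{ev.get("DestPort", "?")}')] += 1
    return hits
```

Calling `blocked_near(log_text, "2024/10/04 11:37:00")` returns only the rules that fired around the remembered time, so the candidates for deactivation and the destinations worth a Whois lookup are visible in one place.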
 
To sum up, I can block Office telemetry without any problem?

Thanks again!
 
ConfigureDefender like this, is OK for home usage?

I am not sure. You disabled the protection for MS Office. Many settings are set to Audit.
Audit will show an alert but will not stop the infection. The details are included in the help.