Hard_Configurator - Windows Hardening Configurator

The version with WDAC is WHHLight (subproject of H_C).
Is it difficult to provide an H_C config including WDAC? I'm just asking for users like me who prefer using H_C. :)

Such blocking is possible both with H_C and WDAC, although the first is more preventive. Of course, the blocking level depends on the settings.
It was just for information. At a later stage, I meant WDAC blocks an installer, which I allow with "Run By SmartScreen"—WDAC might block the program or DLL file when I open the program?
 

Microsoft made WDAC ISG dependent on SmartScreen and AI. It is not well-documented how it exactly works. In most cases, the application's standalone installer (added MotW) is allowed after a positive SmartScreen check. Next, the components of the installation are also allowed (except for some complex installations with updates). However, this is true only for installers.
When the installed application wants to auto-update, the downloaded updater (no MotW) is not automatically allowed, even if it would be allowed as a standalone installer downloaded via a web browser (MotW added).
If the installed application creates temporary executables (like .tmp) to run, it can be blocked by WDAC ISG.
Similar problems can happen when using WHHLight with maximum WDAC restrictions (SUPERSAFE_SETUP).
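The MotW distinction in the post above can be checked directly on a system. The following PowerShell is an added example, not code from the thread or from H_C/WHHLight. It assumes the standard `Zone.Identifier` alternate data stream and the `Microsoft-Windows-CodeIntegrity/Operational` log (event IDs 3076 and 3077), and the folder path is a placeholder.

```powershell
# Added example (not from the thread): show which executables in a folder carry
# Mark-of-the-Web (MotW), then list recent WDAC/Code Integrity block events.
# $Folder is a placeholder; point it at a download or updater/temp folder.
param(
    [string]$Folder = "$env:USERPROFILE\Downloads",
    [int]$MaxEvents = 20
)

function Get-MotwZone {
    param([Parameter(Mandatory)][string]$Path)
    # MotW is stored in the NTFS alternate data stream "Zone.Identifier".
    $ads = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $ads) { return $null }   # no stream: the file has no MotW
    foreach ($line in $ads) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

$zoneNames = @{ 0 = 'Local machine'; 1 = 'Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }

Get-ChildItem -LiteralPath $Folder -File |
    Where-Object { $_.Extension -in '.exe', '.msi', '.dll', '.tmp' } |
    ForEach-Object {
        $zone = Get-MotwZone -Path $_.FullName
        [pscustomobject]@{
            File    = $_.Name
            HasMotW = $null -ne $zone
            Zone    = if ($null -ne $zone) { $zoneNames[$zone] } else { '(none)' }
        }
    } | Format-Table -AutoSize

# Code Integrity log: 3076 = would have been blocked (audit mode),
# 3077 = blocked (enforced mode). Get-WinEvent returns newest events first.
$filter = @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id      = 3076, 3077
}
Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List
```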
 
With SAC on, I have found some blocker exe and reg files to be allowed when MotW is removed (unblocked from properties), while other exe and cmd files remain blocked, even after removing MotW.
SAC works slightly differently from WDAC, even if it is based on WDAC. First, it can block .cmd and .reg files only when they have MotW. However, the actions of those files can be blocked when EXE or DLL files are involved. WDAC cannot block .cmd and .reg files.
SAC uses SmartScreen for EXE files without checking MotW. It is not needed because all new EXE files are automatically checked (on execution) in the cloud.
SAC also allows signed files if they are not detected as malicious in the cloud. WDAC ISG can block many such files and allow only those with sufficient reputation.
 
What additional protection would you expect in the H_C + WDAC? Is WHHLight not enough?
I believe H_C allows using any of your tools with no basic or default setup—there are no changes to the system if I don't apply the recommended settings.
If the above is true, I can use the H_C package for any standalone tools—I can use the tool I want with no other changes to the system.

It's not just about protection. I believe both the H_C and WHHLight packages provide more or less similar protection; the tools have adjusted recommended settings according to the involved features.

H_C is @Andy Ful's primary tool, includes all your tools, and provides extended configurations. It lacks only WDAC, the module or feature.

As a user who understands your tools or H_C well enough to use it efficiently, an H_C config/profile with WDAC would make H_C more complete or whole for me, allowing me to use any tool or switch to a setup including WDAC with no need to look for another package or uninstall/install, plus I can keep my preferred H_C interface.
 

H_C + WDAC would be like a family with two wives who want to rule your house. :)
You would spend most of the time on how to reconcile them to keep the peace at home.
 
But seriously, the main problem would be the complexity of such a setup. I think that H_C is already complex enough.
Even a partial combination, such as WHHLight, is not so easy to understand.
It would be easier to make the H_C_WDAC application than to explain how to effectively use it and avoid misconfigurations.
 
Okay, I appreciate the response, and I understand it. Thanks!
 
It would be easier to make the H_C_WDAC application than to explain how to effectively use it and avoid misconfigurations.
That's a people problem. Not a software problem.

Without knowledge, people remain in the Dark Ages. Any default deny security requires knowledge. The only "effective" dumbing down of any default deny solution is by making it much less secure in the name of "usability" - which is the code word for accommodating Hooman ignorance, lack of discipline, and laziness.

Keeping people from challenges, difficulties, and "saving" them from having to solve problems only makes people weak.

However, we live in an era where expecting people to effectively cope with technological challenges on their own is labeled "abuse of the user" and "terrible service/product design."

how to effectively use it and avoid misconfigurations.
That's one of the primary points of default deny in the first place. The knowledge required.
 
@Andy Ful, While you may not frequently reference "Advanced SRP Logging," would it be more effective, and is it practical, to display new events at the top, similar to other tools?

Probably yes. This log is created internally by Windows without execution time. Other Logs are filtered from system logs via the Wevtutil system tool or via FullEventLogView.

Post edited.
The events are sorted (the last event is the newest one).
 
Keeping people from challenges, difficulties, and "saving" them from having to solve problems only makes people weak.
Sorry for being overprotective. :)
It is too late to change my personality.
 
It was not meant as a personal criticism. It is just a statement of people and technology, among other things.

It is not as if you give people the capability of creating a block policy of C:\*.

Actually, you give the initiated enough. I've read your documentation which is good and thorough. For a person that is willing to read, knows at least the basics, your documentation combined with a bit of their common sense and observation, they can figure it out.

But you're correct. People are too ignorant and disinclined to take responsibility for their own security, welfare, and best interests. Most are not interested in knowledge.

I am confident that you could create an AI bot that would do a gosh darn good job of educating users on "how to effectively use it and avoid misconfigurations."
 
I attempted to run gpupdate /force using CMD as an administrator, but I received an error stating, "The application didn't start properly." I could successfully execute the refresh group policy command after disabling H_C protections.
I uninstalled H_C without disabling the protections, as the uninstallation process restores Windows defaults. After that, I restarted the system. However, I encountered the same error when attempting to run the refresh group policy command. I tried another system restart, ran chkdsk, executed sfc /scannow, and deleted the "registry.pol" file, but none of these actions resolved the issue. Restoring the system to the H_C image resolved the issue.
 
I retested the H_C deinstallation feature and got the same results. I then reinstalled H_C and configured it the same as before. After restarting the system, I disabled H_C protections and could successfully execute the refresh group policy command.
This time, I chose "Restore Windows Defaults" and closed the window. I then reopened H_C and clicked "No" for all configurations, deinstalled H_C, and restarted the system. I could successfully execute the refresh group policy command.
It appears the H_C deinstallation feature is corrupting group policy or not properly restoring Windows defaults.
 
Are your tools compatible with Administrative Templates for Windows 11 24H2? Just for a test, I replaced the "PolicyDefinitions" folder with the 24H2 one. I installed H_C, CD, and FH, and it appears the tools are functioning well.
 