Hard_Configurator - Windows Hardening Configurator

[Andy Ful]

Okay, after reviewing the basics of SRP, I see that my question is not so important after all. Because system-initiated processes run with elevated privileges, so SRP restrictions will not apply to them.
So if I understand right, you won't mess up your OS by blocking sponsors.

That is right. SRP can give strong protection only when set to default-deny, so the system is locked for unsafe files from the Userspace and malware cannot run, so cannot also bypass UAC.
Files from the Userspace are allowed to run by the user only via 'Run As SmartScreen' which is very safe and files can elevate after they pass SmartScreen reputation filter.

 

[shmu26]

I enabled blocking for all sponsors, to see what would happen, and the log registered 1 block for runonce.

 

[509322]

@shmu26

Instead of going crazy trying to harden Windows using all the specific tweaks, the best protection is simply not to use products such as Microsoft Office. Microsoft Office itself introduces a whole lot of vulnerabilities into an already vulnerable OS. Because sooner or later, the malc0ders are going to find a way to bypass those protection rules on Windows. They've been doing that successfully for decades.

SmartScreen has protection holes. There are parts of the world where those protection holes cause massive pandemic infections - where USB BYOD is stupidly and wildly popular - such as India and Southeast Asia.

Windows 10 security is not good enough for the typical user. And by typical user I mean "high-risk" user. We have no way of quantifying the risk level of the typical user - but I can tell you that Microsoft does NOT assume that the typical user is a high risk user. Just look at their default security. The user can do anything they want. The default account is an Admin account. You have to take reality for what it is... and the reality is that Windows was never created with security in mind; security was, always has been, and remains an afterthought. The typical user's priority is not security. The typical user's priority is everything except security. And Microsoft's priority is to cater to what the majority wants - which is predominantly entertainment with some productivity. Security is down in the basement standing in a pool of water.

We have to assume the typical user is a high risk user. For sure, the average household with children members, and no security soft geek knowledge or experience, tends to fall into the high risk category. All you have to do is ask such a family questions and that fact becomes clear very quickly.

When you talk about security, context matters. Who is using the system ? Average Joe or security soft geek ? Grandma Grayson or Keygen-Warez-Fake_KMSActivator User ? 99.99% of the stuff discussed on these forums doesn't apply to anyone who does not regularly visit these forums - and by "regularly visit" I mean visit at least weekly.

If you're a security soft geek, you can handle Windows. If you're not a security soft geek, then you cannot handle Windows.

Anyway, I wouldn't use Windows without default-deny such as Hard_Configurator.

 

[shmu26]

I enabled blocking for all sponsors, to see what would happen, and the log registered 1 block for runonce.

However, I see that the system tray icon did not start for Intel Graphics Settings (it starts up from a bat file).
The tray icon is totally unnecessary because the same menu is accessible from a right-click on desktop. But it's interesting that the block did not get logged.

So the weird thing is that after blocking all sponsors (except for runonce), my system is as fast as a demon. It behaves as if there is no AV (even though MsMpEng is running).
It must be that some system process did not start up.

 

[Andy Ful]

So the weird thing is that after blocking all sponsors (except for runonce), my system is as fast as a demon. It behaves as if there is no AV (even though MsMpEng is running).
It must be that some system process did not start up.

If something is blocked by SRP, it is also logged and can be recognized by the <Run SRP/Scripts EventLog View>. If there are no blocked entries in the log, that means another cause of the performance boost.
Could you post the info from the log about blocked runonce entry?

 

[Andy Ful]

The sad thing is MS Office popularity among home users. It is like using the chainsaw to slice bread. Even when configuring MS Office to block all active content in documents (macros, OLE, ActiveX, DDE, etc.), the user is still vulnerable, because malware can control Office executables programmatically via 'Application Objects' (Word.Application, Excel.Application, PowerPoint.Application). This can be used by malware in many creative ways, because MS Office executables are signed by Microsoft. Also using Adobe Acrobat (desktop application) is not recommended for viewing unsafe documents because of many vulnerabilities.
For viewing MS Office documents on Windows 10, I can recommend (free) Word Mobile, Excel Mobile and PowerPoint Mobile. Those are Universal Applications which run fully in App Container ignoring active content in documents.
There are also good & free Universal Applications for viewing PDF files: Foxit MobilePDF (viewing but no printing), Adobe Touch ( viewing and printing), Perfect PDF Reader (many functions, epub and mobi support).
Also, SumatrPDF (desktop application) can be a good solution because it supports many formats (PDF, DJVU, EPUB, MOBI, etc.), it is blazingly fast, and can be easily restricted via INI file and Exploit Guard. The INI file is accessible from:
sumatrapdfreader/sumatrapdf
The prerelease version is patched against MuPDF vulnerabilities and can be downloaded from:
https://www.sumatrapdfreader.org/prerelease.html

 

[509322]

The sad thing is MS Office popularity among home users.

They don't need it. They think they need it, but they don't need it. Universities, colleges and employers promote a lot of home Microsoft Office and Office365 use. It isn't a coincidence that Office and Office365 is a huge money-maker for Microsoft.

It is like using the chainsaw to slice bread.

Probably the best one-liner about Microsoft Office on the web of all time.

Microsoft Office, like much in Windows, is overkill - packed with many, many features that people just do not need. All that feature-rich "stuff" just introduces vulnerabilities to Windows.

One of the biggest mistakes people make is to add Adobe, Office, Flash, etc, etc...

The sad part is we can preach about this and give away gold to make people stop, and they still won't stop their bad habits. People don't change because they are not interested in changing. In fact, the typical user does not even know that they should change. I pretty much know from interactions with "normal people" that they do not want to be bothered with security stuff. They do not generally know what to make of any of this. And what they do think of it is mostly negative.

For viewing MS Office documents on Windows 10,... ]

There is Microsoft Office Online. I have the extension installed in Edge but never have the time to explore it.

 

[bribon77]

I like Windows for that. It looks like a game of chess. in the middle of the game, where you lose by a bad move.

 

[shmu26]

Could you post the info from the log about blocked runonce entry?

This is the log entry, but I can't figure out how to get more context on it.

Access to C:\WINDOWS\SysWOW64\runonce.exe has been restricted by your Administrator by location with policy rule {1016BBE0-A716-428B-822E-5E544B6A3143} placed on path Runonce.exe.

About the cmd block that I claimed was not logged: I was mistaken. tray icon was disabled from settings, not because of SRP.

 

[Andy Ful]

...
There is Microsoft Office Online. I have the extension installed in Edge but never have the time to explore it.

I use it sometimes for editing, and there is also Google Drive. They are the safest alternative for document editing, but they are not convenient for document viewing (no file extension association, require login to Microsoft or Google account). But, if the user uses Microsoft account and stores documents on OneDrive then Office Online will be both safe and convenient solution for everyone.

 

[Andy Ful]

This is the log entry, but I can't figure out how to get more context on it.

Access to C:\WINDOWS\SysWOW64\runonce.exe has been restricted by your Administrator by location with policy rule {1016BBE0-A716-428B-822E-5E544B6A3143} placed on path Runonce.exe.

About the cmd block that I claimed was not logged: I was mistaken. tray icon was disabled from settings, not because of SRP.

Yes, sometimes the info from the Windows EventLog is very informative. :notworthy:
Anyway, the above entry is from SRP for sure. The GUID:
{1016BBE0-A716-428B-822E-5E544B6A3143}
is added by Hard_Configurator and is related to the Disallowed rule for the Runonce.exe .

 

[shmu26]

Yes, sometimes the info from the Windows EventLog is very informative. :notworthy:
Anyway, the above entry is from SRP for sure. The GUID:
{1016BBE0-A716-428B-822E-5E544B6A3143}
is added by Hard_Configurator and is related to the Disallowed rule for the Runonce.exe .

So I checked an old log from NVT ProcLogger, and I saw that I have a few programs running at startup that use runonce. So I will leave that unticked. Nothing else is causing any problems that I can see.

 

[Andy Ful]

So I checked an old log from NVT ProcLogger, and I saw that I have a few programs running at startup that use runonce. So I will leave that unticked. Nothing else is causing any problems that I can see.

That will be also the case for many home user computers.
Using Hard_Configurator with recommended settings is not complicated, but the user needs some learning when using more advanced settings (like <Block Sponsors>).

 

[MeltdownEnemy]

Hard_Configurator vs NVT Syshardener?

 

[Andy Ful]

Hard_Configurator vs NVT Syshardener?

.
I wrote the below on another thread:
"NVT SysHardener and NVT OSArmor are very useful in the default-allow type security configuration applied by standard AntiVirus. But, the default-deny configuration, based on SRP, is much more restrictive, so most SysHardener & OSArmor features will be not triggered at all.
Anyway, Hard_Configurator + NVT SysHardener + NVT OSArmor can be used together (after adding some exclusions) when the user likes using default-allow configuration for a daily work and default-deny for some unsafe tasks."
.
default-allow = application is OK until it tries doing malicious/suspicious things.
.
default-deny = every application is blocked except Windows system programs or applications already installed in Program Files, or applications manually whitelisted by the User.
Some SRP applications may add more allowed locations.
.
Hard_Configurator uses smart default-deny configuration based on SmartScreen Application Reputation filter. The files (EXE and MSI) which are normally blocked by SRP can be run by the user if they pass SmartScreen filter via 'Run As SmartScreen' option in Explorer context menu.

 

[shmu26]

It depends.
If you are just going to use Hard_Configurator to make a few system tweaks, you will find more tweaks in SysHardener.
But if you are going to use Hard_Configurator for SRP, it's a whole different ballgame. It's real-time protection utilizing advanced Windows features.

 

[MeltdownEnemy]

Step by step I will have to learn how to use them, because my win7ultimate was damaged due by mix between the two products syshardener & os armour + additional hight risk rules with those two programs. Thank you for answer Andy ful & Shmu26.

 

[Andy Ful]

It depends.
If you are just going to use Hard_Configurator to make a few system tweaks, you will find more tweaks in SysHardener.
But if you are going to use Hard_Configurator for SRP, it's a whole different ballgame. It's real-time protection utilizing advanced Windows features.

Yes, you are right. Hard_Configurator uses only those hardening tweaks which can strengthen or support SRP default-deny. There are some tweaks that can be added in the next release, like hardening MS Office applications.

 

[Glynn]

One of the biggest mistakes people make is to add Adobe, Office, Flash, etc, etc...

I have to use adobe to open a certain document, no other pdf viewer\reader works, i tried sumatra/foxit/u name it, only adobe opens up the document fully other wise it looks like the attached thumbnail with sumatra/foxit/u name it. So now i am forced to use adobe reader and i do not want that nonsense on my pc.

 

[Andy Ful]

I have to use adobe to open a certain document, no other pdf viewer\reader works, i tried sumatra/foxit/u name it, only adobe opens up the document fully other wise it looks like the attached thumbnail with sumatra/foxit/u name it. So now i am forced to use adobe reader and i do not want that nonsense on my pc.

That is the problem for some users when using advanced PDF features. The partial solution is installing the latest Adobe Reader DC and tick the option 'Run in App Container'.
If you like, then you can also adjust Exploit Guard settings for Adobe Reader DC. I could do it by myself if you would send me the document that has the problem with opening in SumatraPdf.
.
Anyway, most people use PDF readers to view simple documents like books, magazines, articles, information about transactions from a bank account, e-mail attachments, etc. For such tasks, Adobe Reader is not required and many users can be easily infected when using it. For those who need sometimes Adobe Reader, it is recommended to use one of the secure PDF viewers in daily work (default viewer) and use Adobe Reader only for advanced tasks.