Hard_Configurator - Windows Hardening Configurator

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
The real problem for the whitelisting setup is not with MS Office and Defender ASR mitigations, because the same can be accomplished much easier without MS Office, at all. As I wrote in my previous post, SETTINGCONTENT-MS files can run cmd.exe (in fact any executable) similarly to LNK files.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
How does the ASR rule "Block executable files from running unless they meet a prevalence, age, or trusted list criteria" compare to Avast Hardened/Aggressive? Which is better?
 
  • Like
Reactions: oldschool

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
MIcrosoft says they are stopping development on SRP:

Features we’re no longer developing

Instead of using the Software Restriction Policies through Group Policy, you can use AppLocker or Windows Defender Application Control to control which apps users can access and what code can run in the kernel
Windows 10, version 1803 - Features that have been removed
In fact, they stopped to develop SRP a few years ago, but it is still useful. We cannot expect to see the new SRP features. The problem will be when Microsoft will remove SRP.
I hope that we have some years ahead, because SRP is used in some Enterprises.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
In fact, they stopped to develop SRP a few years ago, but it is still useful. We cannot expect to see the new SRP features. The problem will be when Microsoft will remove SRP.
I hope that we have some years ahead, because SRP is used in some Enterprises.
I see. So maybe we should interpret their solemn "announcement" as an ad for their paid business solutions...
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
How does the ASR rule "Block executable files from running unless they meet a prevalence, age, or trusted list criteria" compare to Avast Hardened/Aggressive? Which is better?
We must wait until Microsoft will push some info about how to configure this rule.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Hard_Configurator in the present form (ver. 4.0.0.0), works well as an admin tool when started from the Administrator type of account.
Furthermore, all Hard_Configurator settings required to configure any Standard User Account, can be set from Administrator Account (except OneDrive issue).
It is possible to start Hard_Configurator from SUA, but then some issues are visible (reported by the testers):
1. Whitelisting OneDrive on SUA is possible via <Add File>, <Add Folder>, <Add Path *Wildcards> buttons, but is not possible via OneDrive <Add> button.
2. The option <Refresh Explorer> available for Windows 10, does not work properly on SUA. After killing all instances of Explorer, the refreshed Explorer process is running on Admin Account instead of SUA. So, the user on SUA cannot access the Explorer shell (Desktop is not visible), and has to run Explorer manually via Task Manager.
.
The above issues are related to the fact that any application started from SUA with Administrative Rights, is running on Administrator Account. It is not obvious to the user because Windows makes some magic with shared Desktop and the application window is available on SUA while application processes are running on Administrator Account. The magic works for most programs, but not for the Explorer shell.
.
The OneDrive issue can be easily fixed, because the whitelisted path is written to HKLM registry hive (system-wide).
The <Refresh Explorer> issue could be also solved by asking the user for the SUA password. But, I do not like this solution for the privacy reasons. Personally, I do not like applications which are asking for account credentials. I am thinking about keeping <Refresh Explorer> option when only one user is logged to the system (Administrator type of account). In other cases, the <Refresh Explorer> option will be skipped.
It is also possible, to move the <Refresh Explorer> option to SwitchDefaultDeny tool.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
Hard_Configurator in the present form (ver. 4.0.0.0), works well as an admin tool when started from the Administrator type of account.
Furthermore, all Hard_Configurator settings required to configure any Standard User Account, can be set from Administrator Account (except OneDrive issue).
It is possible to start Hard_Configurator from SUA, but then some issues are visible (reported by the testers):
1. Whitelisting OneDrive on SUA is possible via <Add File>, <Add Folder>, <Add Path *Wildcards> buttons, but is not possible via OneDrive <Add> button.
2. The option <Refresh Explorer> available for Windows 10, does not work properly on SUA. After killing all instances of Explorer, the refreshed Explorer process is running on Admin Account instead of SUA. So, the user on SUA cannot access the Explorer shell (Desktop is not visible), and has to run Explorer manually via Task Manager.
.
The above issues are related to the fact that any application started from SUA with Administrative Rights, is running on Administrator Account. It is not obvious to the user because Windows makes some magic with shared Desktop and the application window is available on SUA while application processes are running on Administrator Account. The magic works for most programs, but not for the Explorer shell.
.
The OneDrive issue can be easily fixed, because the whitelisted path is written to HKLM registry hive (system-wide).
The <Refresh Explorer> issue could be also solved by asking the user for the SUA password. But, I do not like this solution for the privacy reasons. Personally, I do not like applications which are asking for account credentials. I am thinking about keeping <Refresh Explorer> option when only one user is logged to the system (Administrator type of account). In other cases, the <Refresh Explorer> option will be skipped.
It is also possible, to move the <Refresh Explorer> option to SwitchDefaultDeny tool.
Thanks. That explains some issues I had on SUA. Especially interesting is "any application started from SUA with Administrative Rights, is running on Administrator Account "
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Thanks. That explains some issues I had on SUA. Especially interesting is "any application started from SUA with Administrative Rights, is running on Administrator Account "
That is why SUA is more secure than Admin Account (SPLIT-TOKEN ADMINISTRATOR).
On SUA, the process elevation (Over-The-Shoulder elevation) requires logging on to another account (Admin Account), so the user is prompted by UAC to write the admin password. If the user does not write the password the elevation fails. Furthermore, the UAC can be set to block elevation of unsigned programs (forced on all accounts) or block elevation of all programs on SUA (<Disable Elevation on SUA > in Hard_Configurator).
On Admin Account, the process elevation does not require another account, so normally the user can see the UAC prompt, but the password is not required. Furthermore, the programs signed by Microsoft can silently auto-elevate on Admin Account (no UAC prompt). This is not possible on SUA.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
If the user (like @shmu26) has to use the vulnerable applications (like MS Office with allowed macros), then the best practice is using the custom restricted SUA for those applications. This can be made by using the Hard_Configurator profiles: Windows_10_NoElevationSUA_Enhanced, Windows_8_NoElevationSUA_Enhanced or Windows_7_NoElevationSUA_Enhanced.
The above is especially convenient when those applications are updated via Windows Updates or via Task Scheduler (as Administrator). This is also a limitation for such SUA, because there are not many applications which can update is such way. Sometimes it is possible to force an application to update via Task Scheduler by adding the custom task. Alternatively, the user can make updates manually on Admin Account.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
There is only a limited number of processes that can auto-elevate, correct? I saw that at least some of them are in the list of sponsors. Are they all there?
No, some should not be blacklisted if the system is going to be usable. The Bouncer blacklist has all programs which are relatively safe to block. A few programs will be probably added in the future.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
Can't decide whether to use Hard Configurator or Manually configure the Windows built-in security to harden the system? :unsure:
Install HC to easily see what your options are. If you then prefer to manually configure, go right ahead.
AFAIK if you configure by powershell, it really makes no difference at all if you do it by HC or manually, the result is the same.
But if you configure by Group Policy, that is different. HC doesn't touch GP.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Can't decide whether to use Hard Configurator or Manually configure the Windows built-in security to harden my system? :unsure:
If you have the time and motivation, then do it by manually configuring SRP and Windows policies. This also requires some learning. If you are not an SRP expert, then the below links may be helpful:
Using Software Restriction Policies to Protect Against Unauthorized Software
Stop mal(icious soft)ware with Software Restriction Policies alias SAFER
Tutorial - How do Software Restriction Policies work (part 1) ?
Tutorial - How do Software Restriction Policies work (part 2) ?
Tutorial - How do Software Restriction Policies work (part 3) ?
Tutorial - Windows Pro owner? Use Software Restriction Policies!
SRP: Protecting Windows Folder in Win 10
Furthermore, the Hard_Configurator manual includes many useful pieces of information which are hard to find elsewhere.
 
Last edited:

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
I just tested a cracked software against Windows smartscreen. It was allowed to run, even though on VT it has 12 detections (microsoft is not one of them).
It was extracted from a zipped file. I did right-click on installer, and chose "run as smartscreen."

So I guess smartscreen is mainly effective against unknowns.


VirusTotal
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
I just tested a cracked software against Windows smartscreen. It was allowed to run, even though on VT it has 12 detections (microsoft is not one of them).
It was extracted from a zipped file. I did right-click on installer, and chose "run as smartscreen."

So I guess smartscreen is mainly effective against unknowns.


VirusTotal
SmartScreen is a very good reputation service (maybe the best available). So, if the file is not malicious and many people choose to install it, then it will be allowed (even when includes adware like in VirusTotal example).
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top