Hard_Configurator - Windows Hardening Configurator

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
I have to confess, I even have CFW (with CS settings) running on there - though I have disabled Auto-Containment now while playing with H_C.
Most likely will just keep H_C. Oh, and OSA (some overlap, I know). :rolleyes:
The danger is that overlapping configuration is inconvenient. So after some time, the users are irritated with such kind of setup, and they throw out default-deny protection.
With default-deny, is better to keep things as simple as possible and try to accustom to it, first. Even a very simple default-deny is very strong.
 

bribon77

Level 35
Verified
Top Poster
Well-known
Jul 6, 2017
2,392
On Windows 7, the recommended settings block Windows Script Host and PowerShell. You can use the predefined profile Windows_7_Recommended_Enhanced.hdc . If everything works well then you can add HH.exe and Mshta.exe . In this way you have blocked the most dangerous script interpreters. Keep an eye on blocked items, because some printers and other hardware, can sometimes use interpreters to configure settings.
Sorry for my clumsiness, but I can't find Enhanced.hdc. Where is it?:emoji_innocent:
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
I have to confess, I even have CFW (with CS settings) running on there - though I have disabled Auto-Containment now while playing with H_C.
Most likely will just keep H_C. Oh, and OSA (some overlap, I know). :rolleyes:
Also CFW is extremely light on the system, in my experience. But it does seem to me like you have a lot of overlap there. My "unsolicited advice" would be to run CFW + H_C at "Avast" settings. There is a special template for it. It basically means that .exe and .tmp files are not monitored by H_C, because they are instead monitored by Avast hardened/aggressive, or in your case, by CFW. Andy will please correct me if I am wrong.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Sorry for my clumsiness, but I can't find Enhanced.hdc. Where is it?:emoji_innocent:
H_C.png

LoadProfile.png


You have to install the version 4.0.0.0 at least.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Also CFW is extremely light on the system, in my experience. But it does seem to me like you have a lot of overlap there. My "unsolicited advice" would be to run CFW + H_C at "Avast" settings. There is a special template for it. It basically means that .exe and .tmp files are not monitored by H_C, because they are instead monitored by Avast hardened/aggressive, or in your case, by CFW. Andy will please correct me if I am wrong.
You are right.:giggle:
 

Windows_Security

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
@Andy Ful

Idea for a new product: Edge Configurator : here are Edge Policies mentioned, they also work when adding registry policies through registry: Group Policy and Mobile Device Management settings for Microsoft Edge (Microsoft Edge for IT Pros)

Here are mine for reference: (export of registry renamed to txt) on my Asus Transformer which I use for travel (hence passwords blocked etc) (Edge_policies.txt).

EDIT: I checked the policies on my Desktop (have a Win10 Pro) and noticed some differences (Edge_GPO.txt).
 

Attachments

  • Edge_Policies.txt
    4.7 KB · Views: 667
  • Edge_GPO.txt
    6 KB · Views: 721
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
@Andy Ful

Idea for a new product: Edge Configurator : here are Edge Policies mentioned, they also work when adding registry policies through registry: Group Policy and Mobile Device Management settings for Microsoft Edge (Microsoft Edge for IT Pros)

Here are mine for reference: (export of registry renamed to txt) on my Asus Transformer which I use for travel (hence passwords blocked etc).

I am busy now with Casual User Protection and researching WD Application Control for Windows Home. But I like that idea. If there would be an accepted Edge setting profile, I could add it to H_C.(y)
 

Windows_Security

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
@Andy Ful

There is a secure base line which works for average users, but there would be two optional settings which depend whether user wants a
A) Blank start screen or allowing users to set all startscreen/new tab related functionality through Edge GUI
B) Block passwords or allowing users to set all passwords/forms related functionality through Edge GUI

There are also some additional protections possible through WD exploit protection. That is why I thought you could make it a separate option (like you did with documents anti-exploit).

Send me a PM when you have the time to look at it.

Regards Kees
 

paulderdash

Level 6
Verified
Well-known
Apr 28, 2015
271
The danger is that overlapping configuration is inconvenient. So after some time, the users are irritated with such kind of setup, and they throw out default-deny protection.
With default-deny, is better to keep things as simple as possible and try to accustom to it, first. Even a very simple default-deny is very strong.
Thanks, this is pretty much an expendable computer, and just playing at the moment, but yes, will probably just keep H_C, for simplicity.
 
Last edited:

paulderdash

Level 6
Verified
Well-known
Apr 28, 2015
271
Also CFW is extremely light on the system, in my experience. But it does seem to me like you have a lot of overlap there. My "unsolicited advice" would be to run CFW + H_C at "Avast" settings. There is a special template for it. It basically means that .exe and .tmp files are not monitored by H_C, because they are instead monitored by Avast hardened/aggressive, or in your case, by CFW. Andy will please correct me if I am wrong.
You are right.:giggle:
Thanks guys! Will do, if I keep CFW!
 

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,506
It's almost time! The website of Hard_Configurator (hard-configurator.com) will start on 1.2.2019 or 2.2.2019! Final preparations have yet to be made. Be excited!

P.S.: before the start I will publish the latest screenshots, so that you can give one or the other tip!
Looking forward to it (y)
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
It's almost time! The website of Hard_Configurator (hard-configurator.com) will start on 1.2.2019 or 2.2.2019! Final preparations have yet to be made. Be excited!

P.S.: before the start I will publish the latest screenshots, so that you can give one or the other tip!
Excellent!:giggle:(y)
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top