Hard_Configurator - Windows Hardening Configurator

Freki123

Level 16
Verified
Top Poster
Aug 10, 2013
753
I really like the work the dev and you all put in it :) What I found is that you change from Hard_Configurator to Hard Configurator throughout the website. So sometimes with _ and sometimes without.
For me the "windows vista at least" confused me more than win7, win 8, win 10 (like on softpedia) but I'm not native so take all I say with a grain of salt pls.
 

AlanOstaszewski

Level 16
Verified
Top Poster
Malware Hunter
Jul 27, 2017
775
> I really like the work the dev and you all put in it :) What I found is that you change from Hard_Configurator to Hard Configurator throughout the website. So sometimes with _ and sometimes without.
> For me the "windows vista at least" confused me more than win7, win 8, win 10 (like on softpedia) but I'm not native so take all I say with a grain of salt pls.

You're right, oops. I think that I will use on the site "Hard Configurator". I will correct it in the near future.
 

SHvFl

Level 35
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Nov 19, 2014
2,350
@askalan It's a cute website and looks clean so I must give you that. Consider allowing me to open images in spoiler in full size with a click so I can clearly see the GUI which may lead to more downloads. Sure I can right click open image in a new tab which is fine for me but still less convenient.
The website also needs a link to a manual of some sort explaining each function. Probably a FAQ will work with explaining stuff.
@Andy Ful I know this tool might not be for the average user but you made it easy enough that if they understand what to press and why they might use it. You used all your time to build it so a few more hours for a proper FAQ is maybe worth it. It doesn't need to get technical so yeah. Maybe explaining only the default profiles you made is easier and sufficient. Can't be sure if I don't see it.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
> ...
> @Andy Ful I know this tool might not be for the average user but you made it easy enough that if they understand what to press and why they might use it. You used all your time to build it so a few more hours for a proper FAQ is maybe worth it. It doesn't need to get technical so yeah. Maybe explaining only the default profiles you made is easier and sufficient. Can't be sure if I don't see it.

Thanks. I think that adding a manual, F.A.Q., and maybe a short video clip about installing/configuring H_C would be a good idea. I will work on it, if @askalan agrees.
 

paulderdash

Level 6
Verified
Well-known
Apr 28, 2015
271
Apologies, I haven't read through this whole thread but after installing I do have 'Hard_Configurator' and 'Switch Default Deny' shortcuts on desktop, but without customised icons ... is that for the new version, or did I mess up during installation?
 

Andy Ful

> Apologies, I haven't read through this whole thread but after installing I do have 'Hard_Configurator' and 'Switch Default Deny' shortcuts on desktop, but without customised icons ... is that for the new version, or did I mess up during installation?

Will be added in the new version. You can add some icons manually, from the folder:
C:\Windows\Hard_Configurator\Skins\Icons
 

Windows_Security

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
@Andy Ful (another feature request :) )

After recent Christmas, I helped a few family members moving the 2-3 year old PC's of the kids of wealthy family members to the kids of less fortunate family members. An easy trick of making those PC's fly again was by adding an SSD. In the spirit of Christmas I paid the SSD of the first family member (luckily it stopped after four PC's, so it stayed within limits cost wise). Installing Windows 1809 from scratch turned out the easiest way (less time spent) of accomplishing this. I also installed free-office (of softmaker)*

Using Hard_Configurator and Defender_Configurator (I always add folder of D partition where I put their data but did not enable Protected Folders). Because I don't want to get called every time, I removed H_C and D_C after the job and manually changed SRP (Safer) registry settings making sure the SRP:
- is valid for all executables except DLL's
- is valid for all users except Administrators
- removed the values EXE, MSI, MSU, LNK from Executables from registry Multi-MZ field

I manually add a "DENY TRAVERSE FOLDER/EXECUTE FILE" for EVERYONE to their Downloads/Documents/Movies/Pictures/Videos user folders (on data partition D) and on root folder of Public user. I also have two reg-files which lock some settings of Chrome and Edge by manually setting the registry keys of corresponding Edge/Chrome group policies (and set some Chrome flags increasing security).
Finally I disable IE11 and WMP and install VLC from Windows Store and set Edge as default for PDF.

Although not as strong as a default deny. This zero config/zero really is a great addition to any average JOE/JANE home user pc setup. Under normal usage this does not put any functional restriction on the usability of their PC, but reduces the attack surface substantially. Best of all IMO that it uses Windows internal mechanisms (spend no cpu cycles or money on extra software).

Any chance of inspiring you to make it a special version of Hard_Configurator, called ZERO_configurator?

Regards Kees

P.S. *
Another reason to use it this way is that FREE OFFICE does not run nicely in a default deny SRP. On internet reviews still mention that free-office does not allow you to save files in M$Office formats, just go into FILES section in OPTIONS for each application and set it default save format as DOCX (in TextMaker), XLSX (in PlanMaker), etc. Also you can download free Hunspell spelling check in free version Softmaker website.
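
A read-only check of the three SRP settings listed in the post above, as an added example that is not part of the original thread or of Hard_Configurator. The key path and value names are the standard Windows SRP policy ones; the function name `Test-SrpSettings` and the sample values are constructed for illustration.

```powershell
# Added example: audits SRP (Safer) policy values against the three bullet
# points in the post. It only reads the registry, it never writes to it.
$SrpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Test-SrpSettings {
    param(
        # Hashtable or registry object exposing TransparentEnabled,
        # PolicyScope and ExecutableTypes
        [Parameter(Mandatory)] $Policy,
        # Extensions the post says were removed from the file type list
        [string[]] $MustBeAbsent = @('EXE', 'MSI', 'MSU', 'LNK')
    )
    # ExecutableTypes is a REG_MULTI_SZ; @() also copes with a missing value
    $listed = @($Policy.ExecutableTypes)
    [pscustomobject]@{
        # 0 = not enforced, 1 = all files except DLLs, 2 = all files incl. DLLs
        AllExecutablesExceptDll = ($Policy.TransparentEnabled -eq 1)
        # 0 = all users, 1 = all users except local Administrators
        AllUsersExceptAdmins    = ($Policy.PolicyScope -eq 1)
        # Extensions that are still listed (-contains is case-insensitive)
        StillListed             = @($MustBeAbsent | Where-Object { $listed -contains $_ })
    }
}

# Constructed sample policy (not taken from any real machine): LNK was left
# in the list, so the audit reports it in StillListed.
$sample = @{
    TransparentEnabled = 1
    PolicyScope        = 1
    ExecutableTypes    = @('BAT', 'CMD', 'LNK', 'VBS')
}
Test-SrpSettings -Policy $sample

# Same check against the live policy, if SRP is configured on this machine.
if (Test-Path $SrpKey) {
    Test-SrpSettings -Policy (Get-ItemProperty -Path $SrpKey)
}
```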
 

Gandalf_The_Grey

Level 83
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,233
@SHvFl Adding a FAQ would be a great idea (y)
You could start with the best way to install Windows according to you @Andy Ful
Then cover for example the setup discussed by @Windows_Security and @Andy Ful using the Windows 10 Recommended Enhanced profile.
And of course the profile with Avast in hardened mode.
End with some troubleshooting like white list by path or hash.
 

Freki123

Any chance to put sha256 checksum (or so) on the website?
If I remember correctly, when I first tried the software I just clicked activate on the right side stuff first, did apply, and after that the left side stuff.
PC got messed up :D
So any chance to get a big safety warning of any kind for activating stuff in the right order? I don't think I'm the only one who will just activate stuff and after that read a manual and look for tweaks. (Before you get posts and emails like: ahhh you broke my pc)
Since I got a backup and it was my fault no harm done, but some may have no backup ;)
 

Andy Ful

> Any chance to put sha256 checksum (or so) on the website?
> If I remember correctly, when I first tried the software I just clicked activate on the right side stuff first, did apply, and after that the left side stuff.
> PC got messed up :D
> So any chance to get a big safety warning of any kind for activating stuff in the right order? I don't think I'm the only one who will just activate stuff and after that read a manual and look for tweaks. (Before you get posts and emails like: ahhh you broke my pc)
> Since I got a backup and it was my fault no harm done, but some may have no backup ;)

The info about quick configuration is displayed after installing H_C. It contains the clear instruction:
-----------------------------------------------------------------------------------------------------------------------------------------------------
QUICK CONFIGURATION (after the fresh installation).

  1. On the first run, let Hard_Configurator make System Restore Point and check/whitelist autoruns - it costs nothing, and can save you a lot of time when in trouble.
  2. When the above job is done, the Tools window may be closed, and the main Hard_Configurator window should appear.
  3. Press first <Recommended SRP> button, and next <Recommended Restrictions> button to make a quick configuration (the order of pressing the buttons does matter!).
  4. Use <ConfigureDefender> button to configure advanced Windows Defender settings (if required).
  5. The changes are applied, when pressing <APPLY CHANGES> button.
  6. Read the help files to get info about Hard_Configurator options.
  7. Full information about a program and SRP can be accessed using <Documentation> button, available after pressing <General Help> button.
-----------------------------------------------------------------------------------------------------------------------------------------------------
If you press first <Recommended Restrictions> and next <Recommended SRP> then "Run By SmartScreen" option in the Explorer context menu will be available, which cannot bypass SRP. So, the user cannot run applications in the UserSpace. Such setup is good for children or computer illiterate users. The computer is still functional because H_C and applications already installed in 'c:\Program Files' can be run as usual.
Of course, after wrongly pressed buttons, the user can simply press them in the right order to get the recommended settings.
The info about the order of pressing those buttons is repeated in the General Help (point 4.).

But it probably would not hurt if the quick configuration info were easily available on the website. :giggle: (y)
 

Andy Ful

> @Andy Ful (another feature request :) )
>
> After recent Christmas, I helped a few family members moving the 2-3 year old PC's of the kids of wealthy family members to the kids of less fortunate family members. An easy trick of making those PC's fly again was by adding an SSD. In the spirit of Christmas I paid the SSD of the first family member (luckily it stopped after four PC's, so it stayed within limits cost wise). Installing Windows 1809 from scratch turned out the easiest way (less time spent) of accomplishing this. I also installed free-office (of softmaker)*
>
> Using Hard_Configurator and Defender_Configurator (I always add folder of D partition where I put their data but did not enable Protected Folders). Because I don't want to get called every time, I removed H_C and D_C after the job and manually changed SRP (Safer) registry settings making sure the SRP:
> - is valid for all executables except DLL's
> - is valid for all users except Administrators
> - removed the values EXE, MSI, MSU, LNK from Executables from registry Multi-MZ field
>
> I manually add a "DENY TRAVERSE FOLDER/EXECUTE FILE" for EVERYONE to their Downloads/Documents/Movies/Pictures/Videos user folders (on data partition D) and on root folder of Public user. I also have two reg-files which lock some settings of Chrome and Edge by manually setting the registry keys of corresponding Edge/Chrome group policies (and set some Chrome flags increasing security).
> Finally I disable IE11 and WMP and install VLC from Windows Store and set Edge as default for PDF.
>
> Although not as strong as a default deny. This zero config/zero really is a great addition to any average JOE/JANE home user pc setup. Under normal usage this does not put any functional restriction on the usability of their PC, but reduces the attack surface substantially. Best of all IMO that it uses Windows internal mechanisms (spend no cpu cycles or money on extra software).
>
> Any chance of inspiring you to make it a special version of Hard_Configurator, called ZERO_configurator?
>
> Regards Kees
>
> P.S. *
> Another reason to use it this way is that FREE OFFICE does not run nicely in a default deny SRP. On internet reviews still mention that free-office does not allow you to save files in M$Office formats, just go into FILES section in OPTIONS for each application and set it default save format as DOCX (in TextMaker), XLSX (in PlanMaker), etc. Also you can download free Hunspell spelling check in free version Softmaker website.

Almost all of the above can be accomplished by applying Avast profile in H_C:
  1. The DLL and EXE files are allowed (MSU also because it is not blocked by H_C file extension list).
  2. The shortcuts (LNK files) are allowed on the Desktop and Start Menu, but blocked in the UserSpace (can be bypassed by administrator).
  3. You can use "Run as administrator" to run MSI installers (and bypass SRP) - that will be rarely used, because most installers are just EXE files.
  4. VBScript and JScript scripts are blocked in the UserSpace (can be whitelisted or bypassed by administrator).
  5. PowerShell scripts are blocked (also as administrator), and PowerShell commands are restricted by Constrained Language mode (can be bypassed by administrator).
Other settings for web browsers and media players are not available in H_C, because people use several applications for that. This would require another application.
The only problem will be when applying 'UAC deny elevation of unsigned' (ValidateAdminCodeSignatures) which will block RunAsSmartScreen. In this case, two options must be reconfigured:
<Run As SmartScreen> = OFF
<Hide 'Run as administrator'> = OFF


By the way - what problems did you have with Free Office? I am using Softmaker Office Standard without issues - even H_C manual is an exported DOCX file to PDF, all made in Softmaker Office.

Edit.
I checked the Avast profile and it applies the reconfigured options already.
 

Windows_Security

@Andy Ful

Free office would start with an error when clicking on a document. It would open (e.g.) TextMaker but with a blank document instead of the document clicked on. It ran normally when starting the executables via shortcut from taskbar. I will use your tip next time and see whether free-office works okay (also a good reason to stop using my tweaks through reg-files).

Regards Kees
 

Andy Ful

> I am beginning to think all I probably really need is HC (and uBO in medium mode?).
>
> After all, I am not Julian Assange or El Chapo :whistle: ... or @Umbra :D.

There are some people who probably would agree with you, but most people will advise you to keep the light AV or at least a good driver/process monitoring tool.
 

Andy Ful

> And your personal recommendation in each case would be?

The cautious user on Windows 10, can probably use no-AV + H_C default-deny + tool for monitoring drivers/software. From time to time the full scan by Windows Defender in passive mode.
 
