Hard_Configurator - Windows Hardening Configurator

oldschool

Level 81
Verified
Top Poster
Well-known
Mar 29, 2018
7,044
I prepared a simple Help for Firewall Hardening tool. If someone would like to add/change something, then let me know, please.

***************************************
Firewall Hardening tool can apply and manage Outbound Block Rules in Windows Firewall by using Windows policies. The restart of Windows is required to apply the configuration changes.
The paths of blocked executables are displayed as a list. Each entry can be managed by using the buttons located on the bottom of the application GUI.
<Add Rule> button allows adding the rule for any executable.
<Deactivate Rule> button makes the highlighted rules inactive, but does not remove rules.
<Block Rule> button changes highlighted inactive rules to blocked.
<Remove Rule> button removes highlighted rules from the list (and Windows Firewall settings).

The user can add/remove some predefined rules by using the options visible on the right of application GUI.
<LOLBins> button allows adding the rules for many executables from system folders, which are known to be commonly abused by malc0ders.
<MS Office> button allows adding rules for MS Office executables (Word, Excel, PowerPoint, and Equation Editor).
<Adobe Acrobat Reader> button allows adding rules for Adobe Acrobat Reader application.
<Recommended H_C> button allows adding some rules suited for users who applied Hard_Configurator Recommended settings.

The applied rules may be also viewed when using Windows Firewall Advanced settings, but can be managed only by Firewall Hardening tool, or by editing the Registry under the key: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules.

The user can enable auditing Windows Firewall with Advanced Security in category "Object Access" and subcategory "Audit Filtering Platform Packet Drop". This can be done by choosing the radio button 'ON', under "Start logging events".
If auditing is enabled, then the blocked events can be filtered from Windows Event Log by 5152 Event Id. This can be done when pressing <Blocked Events> button, visible under the OFF/ON radio buttons. The Event Log file can store the entries from several hours (usually 12 hours).
**************************************

Maybe include some short instruction for users who do not use Hard_Configurator? :unsure:
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Maybe include some short instruction for users who do not use Hard_Configurator? :unsure:
The Help is independent of H_C, except the info about <Recommended H_C> button.:giggle:
I can change it a little:
<Recommended H_C> button allows adding some rules suited for users who installed Firewall Hardening tool as a part of Hard_Configurator Windows hardening application and applied the Recommended settings.
 

oldschool

Level 81
Verified
Top Poster
Well-known
Mar 29, 2018
7,044
The Help is independent of H_C, except the info about <Recommended H_C> button.:giggle:
I can change it a little:
<Recommended H_C> button allows adding some rules suited for users who installed Firewall Hardening tool as a part of Hard_Configurator Windows hardening application and applied the Recommended settings.

What I was wondering is what rules might be recommended for those who don't use H_C. I've enabled everything in FHT but I'm not currently using H_C.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
In the next version of H_C I plan to modify the SwitchDefaultDeny feature. When the user will switch <Default Deny Protection> to OFF, it will automatically add "Run By SmartScreen" option to the Explorer context menu. This will unify the procedure of installation of any application both on Administrator and Standard User type of account:
  1. Use SwitchDefaultDeny to turn OFF the protection.
  2. Install safely the application by using "Run By SmartScreen" from the right-click Explorer context menu.
  3. Use SwitchDefaultDeny to restore the protection.
Edit.
Still, on Administrator type of account, the user can use "Run As SmartScreen" from the Explorer context menu (without switching off the protection) to install 99% of applications.
 
Last edited:

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
Today I got a SRP block but Windows thought it was from group policy:

Annotation 2019-06-10 174648.png


H_C log said:
Access to C:\Users\Shmu\AppData\Local\TogglDesktop\updates\TogglDesktopInstaller-7.4.422.exe has been restricted by your Administrator by the default software restriction policy level.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Today I got a SRP block but Windows thought it was from group policy:

View attachment 214803

H_C log said:
Access to C:\Users\Shmu\AppData\Local\TogglDesktop\updates\TogglDesktopInstaller-7.4.422.exe has been restricted by your Administrator by the default software restriction policy level.
SRP is a feature based on Windows policies. But, this alert is somewhat misguiding, because H_C does not use Group Policy Object.
 

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,506
Installed Kaspersky Free and i have some blocks from FirewallHardening.
One example:
Local Time: 2019/06/11 18:07:33
ProcessId: 3872
Application: C:\program files (x86)\kaspersky lab\kaspersky free 19.0.0\avp.exe
Direction: Outbound
SourceAddress: 192.168.178.171
SourcePort: 49764
DestAddress: 88.221.144.49
DestPort: 80
Protocol: 6
FilterRTID: 68344
LayerName: %%14611
LayerRTID: 48
What should I do with this block?
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Installed Kaspersky Free and i have some blocks from FirewallHardening.
One example:
Local Time: 2019/06/11 18:07:33
ProcessId: 3872
Application: C:\program files (x86)\kaspersky lab\kaspersky free 19.0.0\avp.exe
Direction: Outbound
SourceAddress: 192.168.178.171
SourcePort: 49764
DestAddress: 88.221.144.49
DestPort: 80
Protocol: 6
FilterRTID: 68344
LayerName: %%14611
LayerRTID: 48
What should I do with this block?
Isn't it the same event we talk about in May?:giggle:
https://malwaretips.com/threads/hard_configurator-windows-hardening-configurator.66416/post-816321
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
If someone wants Firewall Hardening tool to log the events from about 24 hours (on Windows 10) then it is included in these executables:
For Windows 64-bit: AndyFul/Hard_Configurator
For Windows 32-bit: AndyFul/Hard_Configurator

To apply the extended Log, the user must reset "Start logging events" by pressing "OFF" and next "ON" radio buttons.

In Windows default settings, the security event log maximum file size is 20MB, and once it reaches the maximum size, old events are overwritten by new events. The events related to 5152 Event Id are only a very small fraction of all logged events, and events related to blocking the outbound connection of applications are only a small fraction of 5152 events.
On Windows 7 the default log can keep the blocked outbound connection events for several days, but on Windows 10 (on my computer) those events are kept only about 12 hours. I think that 24 hours will be more useful. So, I decided to extend the maximum log size to 40 MB.(y)
 
Last edited:

paulderdash

Level 6
Verified
Well-known
Apr 28, 2015
271
I have AppGuard SOLO license but do not plan on renewing, but use H_C instead ... I also have licenses for EAM and HmP.A.

Just done a clean install of W10 Home v1903 and I like to play .. would a combination of EAM , HmP.A and H_C be an outrageous combination? :eek: (ducks) :D

Edit: Or H_C and OSA, too much overlap?
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
I have AppGuard SOLO license but do not plan on renewing, but use H_C instead ... I also have licenses for EAM and HmP.A.

Just done a clean install of W10 Home v1903 and I like to play .. would a combination of EAM , HmP.A and H_C be an outrageous combination? :eek: (ducks) :D

Edit: Or H_C and OSA, too much overlap?
EAM + H_C or HmP.A + H_C, would be fine.
H_C + OSA would not be a good idea.(y)
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
Yes I was given a special rate, for a year only ...

And I am just a casual user, would prefer to stick with consumer-targeted offerings. :)
Before you uninstall AppGuard, copy your UserSpace exceptions to a text file or something, because you will probably want to use them in Hard_Configurator. Just makes your life easier that way...
 

Freki123

Level 15
Verified
Top Poster
Aug 10, 2013
737
Would it be a good Idea to add two new lolbins: update.exe and squirrel.exe ?

Edit: My guess is Discordapp.com (desktop version) also use them. Atleast there is an squirrel.exe and update.exe in the folder.
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top