Hard_Configurator - Windows Hardening Configurator

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
Sounds a little bit like an amalgam of sites I visit and services I use. netfree is my content filter service, matzav is a news site I visit, bezeq is an Israeli phone service, etc.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Sounds a little bit like an amalgam of sites I visit and services I use. netfree is my content filter service, matzav is a news site I visit, bezeq is an Israeli phone service, etc.
Why do some of them use explorer.exe (like matzav)? Are they installed in the system (outside the browser)?
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
Why do some of them use explorer.exe (like matzav)? Are they installed in the system (outside the browser)?
No, matzav is not installed. I asked Netfree for an explanation, but they don't seem to understand what I want. I sent them the log, and they replied that they need to see a screenshot of the "problem". I don't know what to send them. :unsure:
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
No, matzav is not installed. I asked Netfree for an explanation, but they don't seem to understand what I want. I sent them the log, and they replied that they need to see a screenshot of the "problem". I don't know what to send them. :unsure:
Just now someone higher up answered me and says it has nothing to do with Netfree. :(
In any case, I don't experience any difference whether I block explorer.exe or allow explorer.exe. Either way, everything works.
 

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,506
I see a new beta of Hard_Configurator: beta ver. 4.1.1.1:
What is the recommended way to install this version and get all the recommended settings?
For now I just installed over the existing version and clicked "Recommended Settings", ConfigureDefender on High and Firewall hardening at Recommended H_C. After that "Apply changes" and logoff.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Hard_Configurator beta ver. 4.1.1.1

For Windows 64-bit: AndyFul/Hard_Configurator
For Windows 32-bit: AndyFul/Hard_Configurator

This beta version was created to strengthen the Allow-Exe setup. I added three security features:

  1. FirewallHardening tool.
  2. <ValidateAdminCodeSignatures> option (available on Windows 8+).
  3. <Paranoid Extensions> option (over 250 protected file extensions).
Hard_Configurator's Allow-Exe setup is functionally similar to SysHardener settings but more comprehensive and more configurable because it allows whitelisting the blocked entries, which is impossible in SysHardener. The user can also check if the restrictions do not block silently something important. Still, the SysHardener application will be OK for many users, because its default settings usually do not require user attention.
The example of the Allow-Exe profile is WIndows_10_MT_Windows_Security_hardening, which was discussed here: Windows Defender - Using Hard_Configurator in HARDENEDmode with ConfigureDefender in HIGHEST protection on Windows10

The full changelog:
Version 4.1.1.1
  1. Added, "Paranoid Extensions" (259 potentially dangerous file type extensions).
  2. Added FirewallHardening tool, which blocks by Windows Firewall many LOLBins and allows the user to block any application.
  3. Removed explorer.exe paths from FirewallHardening LOLBins on Windows 8 and 8.1., for compatibility with SmartScreen.
  4. Two buttons <Recommended SRP> and <Recommended Restrictions> are replaced by one green button <Recommended Settings>.
  5. Reorganization of buttons: the violet buttons <Firewall Hardening> and <ConfigureDefender> are now located in the upper part of the main window.
    The button <No Removable Disks Exec.> was replaced by the new option button <Validate Admin Code Signatures> (see point 7).
  6. If Default Deny Protection is turned OFF by 'Switch Default Deny' tool, then "Run By SmartScreen" option is automatically enabled in Explorer context menu. It can be used for installing safely the applications both on Administrator and Standard User type of accounts.
  7. Added the option <Validate Admin Code Signatures> which changes the UAC settings to enforce cryptographic signatures on any interactive application that requests elevation of privilege. This setting will prevent the user to run from Explorer the applications which require Administrative rights but are not digitally signed.
  8. Added the profile "Windows_10_MT_Windows_Security_hardening.hdc" which uses the new option <Validate Admin Code Signatures>.
  9. The option <Restore Windows Defaults> does restore also Windows Defender defaults and removes FirewallHardening Outbound block rules.
  10. All Hard-Configurator native executables are digitally signed by SHA256 certificate (Certum Code Signing CA SHA2).
 
Last edited:

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
Hard_Configurator beta ver. 4.1.1.1

For Windows 64-bit: AndyFul/Hard_Configurator
For Windows 32-bit: AndyFul/Hard_Configurator

This beta version was created to strengthen the Allow-Exe setup. I added three security features:

  1. FirewallHardening tool.
  2. <ValidateAdminCodeSignatures> option (available on Windows 8+).
  3. <Paranoid Extensions> option (over 250 protected file extensions).
Hard_Configurator's Allow-Exe setup is functionally similar to SysHardener settings but more comprehensive and more configurable because it allows whitelisting the blocked entries, which is impossible in SysHardener. The user can also check if the restrictions do not block silently something important. Still, the SysHardener application will be OK for many users, because its default settings usually do not require user attention.

The full changelog:
Version 4.1.1.1
  1. Added, "Paranoid Extensions" (259 potentially dangerous file type extensions).
  2. Added FirewallHardening tool, which blocks by Windows Firewall many LOLBins and allows the user to block any application.
  3. Removed explorer.exe paths from FirewallHardening LOLBins on Windows 8 and 8.1., for compatibility with SmartScreen.
  4. Two buttons <Recommended SRP> and <Recommended Restrictions> are replaced by one green button <Recommended Settings>.
  5. Reorganization of buttons: the violet buttons <Firewall Hardening> and <ConfigureDefender> are now located in the upper part of the main window.
    The button <No Removable Disks Exec.> was replaced by the new option button <Validate Admin Code Signatures> (see point 7).
  6. If Default Deny Protection is turned OFF by 'Switch Default Deny' tool, then "Run By SmartScreen" option is automatically enabled in Explorer context menu. It can be used for installing safely the applications both on Administrator and Standard User type of accounts.
  7. Added the option <Validate Admin Code Signatures> which changes the UAC settings to enforce cryptographic signatures on any interactive application that requests elevation of privilege. This setting will prevent the user to run from Explorer the applications which require Administrative rights but are not digitally signed.
  8. Added the profile "Windows_10_MT_Windows_Security_hardening.hdc" which uses the new option <Validate Admin Code Signatures>.
  9. The option <Restore Windows Defaults> does restore also Windows Defender defaults and removes FirewallHardening Outbound block rules.
  10. All Hard-Configurator native executables are digitally signed by SHA256 certificate (Certum Code Signing CA SHA2).
Already installed. Thanks, Andy, for the hard work and the great product!
I really like the ability to toggle ValidateAdminCodeSignatures with a mouse click. That makes it much more practical.
 

silversurfer

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,057
The full changelog:
Version 4.1.1.1
  1. Added, "Paranoid Extensions" (259 potentially dangerous file type extensions).
  2. Added FirewallHardening tool, which blocks by Windows Firewall many LOLBins and allows the user to block any application.
  3. Removed explorer.exe paths from FirewallHardening LOLBins on Windows 8 and 8.1., for compatibility with SmartScreen.
  4. Two buttons <Recommended SRP> and <Recommended Restrictions> are replaced by one green button <Recommended Settings>.
  5. Reorganization of buttons: the violet buttons <Firewall Hardening> and <ConfigureDefender> are now located in the upper part of the main window.
    The button <No Removable Disks Exec.> was replaced by the new option button <Validate Admin Code Signatures> (see point 7).
  6. If Default Deny Protection is turned OFF by 'Switch Default Deny' tool, then "Run By SmartScreen" option is automatically enabled in Explorer context menu. It can be used for installing safely the applications both on Administrator and Standard User type of accounts.
  7. Added the option <Validate Admin Code Signatures> which changes the UAC settings to enforce cryptographic signatures on any interactive application that requests elevation of privilege. This setting will prevent the user to run from Explorer the applications which require Administrative rights but are not digitally signed.
  8. Added the profile "Windows_10_MT_Windows_Security_hardening.hdc" which uses the new option <Validate Admin Code Signatures>.
  9. The option <Restore Windows Defaults> does restore also Windows Defender defaults and removes FirewallHardening Outbound block rules.
  10. All Hard-Configurator native executables are digitally signed by SHA256 certificate (Certum Code Signing CA SHA2).
Well done :emoji_clap: @Andy Ful
I'm glad that all main executable are signed now (y)
 

pcalvert

Level 1
Nov 21, 2018
13
Currently using H_C along with MBAE and Windows Defender on Windows 8.1 (default web browser is Chrome). I'm not sure it's enough, though. I was thinking of adding OSArmor, but then I read that adding OSA to H_C is not such a good idea. Instead, I'm thinking of replacing Windows Defender with FortiClient 6.0 (tweaked). Any thoughts?

By the way, the reason I'm thinking about changing things on that system is that something odd (and suspicious) recently happened. Windows Defender was found to have been turned off. And then, while trying to fix that problem, a second discovery was made -- in Windows Update, someone or something had hidden the most recent important updates. I haven't yet had a chance to closely examine that system (it's a remote machine), but hopefully I'll have a better idea of what happened in a few days.

Phil
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
Currently using H_C along with MBAE and Windows Defender on Windows 8.1 (default web browser is Chrome). I'm not sure it's enough, though. I was thinking of adding OSArmor, but then I read that adding OSA to H_C is not such a good idea. Instead, I'm thinking of replacing Windows Defender with FortiClient 6.0 (tweaked). Any thoughts?

By the way, the reason I'm thinking about changing things on that system is that something odd (and suspicious) recently happened. Windows Defender was found to have been turned off. And then, while trying to fix that problem, a second discovery was made -- in Windows Update, someone or something had hidden the most recent important updates. I haven't yet had a chance to closely examine that system (it's a remote machine), but hopefully I'll have a better idea of what happened in a few days.

Phil
If you update to Windows 10 1903, you will have Tamper protection for Windows Defender. Then, nothing can turn it off or mess with its settings.
IMHO Windows Defender, with the tweaks available in H_C, is very strong protection. You can complain about FPs if you run WD at high settings, but you can't complain about protection
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
...
The max settings of the old 4.0.1.0 really keep windows safe :DView attachment 217717
We must wait a few weeks until SmartScreen will accept H_C installers. :giggle:
But, the new version can be installed (even with ConfigureDefender MAX settings) by using the <Update> button from H_C panel.(y)
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Thanks I completely forgot that update works for beta and not only stable versions. Thanks a lot :)
By the way, why you use ConfigureDefender MAX settings? I intended these settings for casual users in the first place. That is why SmartScreen settings are set to Block (no user bypass) and the WD Security Center (now called Windows Security) are hidden. Non-casual users can set SmartScreen settings to "Warn" and unhide WD Security Center.:giggle: (y)
Most users can just use HIGH settings.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top