Hard_Configurator - Windows Hardening Configurator

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
...
In fact, this setup is very similar to the idea I had before creating H_C based on SRP.
There are some differences as compared to the current version of H_C:
  1. No need to use the right-click Explorer context menu to check if the program is safe and next run the program.
  2. "Trust apps with good reputation" checks all applications (EXE, MSI) and loaded DLLs in the UserSpace, also those which were not downloaded from the Internet.
  3. "Trust apps with good reputation" is different from SmartScreen. Some applications can be accepted by SmartScreen but blocked by "Trust apps with good reputation", and vice versa.
  4. Windows Script Host scripting is restricted, as compared to SRP where it is blocked.
  5. The protection cannot be bypassed by the user when using "Run as administrator" or elevated shell (elevated CMD, elevated PowerShell, elevated Total Commander, etc.).
  6. The protection can be bypassed if the file triggered the SmartScreen check and was accepted by SmartScreen or the user bypassed the SmartScreen alert.
    It also means that the protection can be bypassed by the user when using RunBySmartScreen, while in SRP the "Run as administrator" or "Run As SmartScreen" must be used.
  7. Blocked programs and DLLs cannot be whitelisted in UserSpace.
...
I thought that the main issue of the setup based on WD Application Guard + "Trust apps with good reputation" feature, would be the lack of whitelisting in the UserSpace.
But, it seems that after a few-days of bypassing this protection via forced SmartScreen (see point 6. above), Windows Defender learns (locally) that application is safe, and it can be run normally without blocking by Application Guard. This is usually limited to a particular computer until the application will gain sufficient reputation to be accepted as safe in the cloud.

Edit.
Applying the above WD Application Guard policies on Windows Home ver. 1903 is very simple. The predefined file SIPolicy.p7b has to be copied with admin rights into the folder C:\Windows\System32\CodeIntegrity, and the computer must be rebooted.
If the user wants to unload the policies, then the file SIPolicy.p7b can be simply renamed or removed and the computer rebooted. :giggle: (y)
 
Last edited:

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
I am trying to mimic the functionality of SRP + forced SmartScreen by using WD Application Control on Windows 10 Home ver. 1903. For now, I am using WDAC policies which work as follows:
  1. All drivers are allowed.
  2. All programs and DLLs are allowed in the SystemSpace (C:\Windows, C:\Program Files, C:\Program Files (x86) - except writable locations).
  3. All Windows Store Apps are allowed.
  4. All programs (EXE, MSI) and DLLs which are accepted by Microsoft as safe (Intelligent Security Graph Authorization) are allowed.
  5. All other programs (EXE, MSI) and DLLs are blocked (also .NET DLLs).
  6. PowerShell and Windows Script Host scripting is restricted.
  7. Whitelisting applications in UserSpace is not possible on Windows Home and Pro.
The points 3. and 4. are related to "Trust apps with good reputation" (Microsoft Intune option). It works similarly to Kaspersky's Trusted Application Mode.

PowerShell restrictions are similar to those in SRP (Constrained Language Mode).
Windows Script Host restrictions are similar to PowerShell restrictions, so the user can run VBS, JS, etc., scripts but the advanced functions and some COM objects are blocked.

In fact, this setup is very similar to the idea I had before creating H_C based on SRP.
There are some differences as compared to the current version of H_C:
  1. No need to use the right-click Explorer context menu to check if the program is safe and next run the program.
  2. "Trust apps with good reputation" checks all applications (EXE, MSI) and loaded DLLs in the UserSpace, also those which were not downloaded from the Internet.
  3. "Trust apps with good reputation" is different from SmartScreen. Some applications can be accepted by SmartScreen but blocked by "Trust apps with good reputation", and vice versa.
  4. Windows Script Host scripting is restricted, as compared to SRP where it is blocked.
  5. The protection cannot be bypassed by the user when using "Run as administrator" or elevated shell (elevated CMD, elevated PowerShell, elevated Total Commander, etc.).
  6. The protection can be bypassed if the file triggered the SmartScreen check and was accepted by SmartScreen or the user bypassed the SmartScreen alert.
    It also means that the protection can be bypassed by the user when using RunBySmartScreen, while in SRP the "Run as administrator" or "Run As SmartScreen" must be used.
  7. Blocked programs and DLLs cannot be whitelisted in UserSpace.
In fact, all the productivity applications I use are accepted in this setup, so I did not need to whitelist anything. ConfigureDefender and H_C installers are also accepted as safe (but not by SmartScreen).
This is a very interesting experiment indeed.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
...
The warning refers to the old GUI with the Recommended SRP and Recommended Restrictions where the user makes a previous selection in the wrong order. Because these two buttons no longer exist I suggest this issue be addressed as it can cause confusion.

Also, has the user guide been updated.? I haven't read it.
Corrected in ver. 5.0.0.0.
The H_C manual can be accessed via <General Help> <DOCUMENTATION> (updated).
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Finally my Windows ver. 1809 decided to upgrade.
Before upgrading, I set H_C, ConfigureDefender, and FirewallHardening to max settings. Furthermore, I activated Windows Defender Application Control with "Trust apps with good reputation" feature and whitelisted folders: c:\Windows and c:\Program Files... .
I suspected that this could possibly break the upgrade, but everything went well.:giggle:

After the upgrade, all H_C, ConfigureDefender, and FirewallHardening settings survived, but I had to reactivate WDAC. After this most applications in UserSpace (but not all) were still remembered as safe by WDAC. Anyway, some applications installed in UserSpace were blocked after upgrade (Grammarly desktop version and Privacy Eraser). I run them via "Run By SmartScreen" and after that, they were accepted by WDAC.

From my WDAC tests on Windows ver. 1809 it follows that using "Run By SmartScreen" works well on simple applications, but may fail for the complex installations/updates. Such complex applications (like VirtualBox) must be installed in C:\Program Files... .
 
Last edited:

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
@Andy Ful this issue is probably not because of Hard_Configurator but maybe you know the answer anyway.
Win 10 pro 1903, Admin account, I go to settings/advanced keyboard settings, click on input language hot keys, and I get the typical blue error window with the text:
Contact your system administrator for more info.
Sometimes instead of this I get an error message from control.exe:
Windows cannot access the specified device, path or file. You may not have the appropriate permissions.
I don't have control.exe blocked in sponsors, and this happens even with Switch OFF SRP and Switch OFF Restrictions, and after a reboot.

I don't have any 3rd party security software installed.

The specific issue I want to troubleshoot is the keyboard shortcut for switching between input languages, i.e., between keyboard layouts. I have a split space bar on my keyboard, and I am used to the shortcut of Win key + space bar to switch between languages. As of today, it only works with the right half of the space bar, not the left half. :unsure:

EDIT: Adding to my confusion, I switched SRP back on, and I rebooted, but it isn't blocking. Restrictions work, but SRP doesn't work. Something is weird here.
 
Last edited:

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
@Andy Ful this issue is probably not because of Hard_Configurator but maybe you know the answer anyway.
Windows 10 pro 1903, Admin account, I go to settings/advanced keyboard settings, click on input language hot keys, and I get the typical blue error window with the text:
Contact your system administrator for more info.
Sometimes instead of this I get an error message from control.exe:
Windows cannot access the specified device, path or file. You may not have the appropriate permissions.
I don't have control.exe blocked in sponsors, and this happens even with Switch OFF SRP and Switch OFF Restrictions, and after a reboot.

I don't have any 3rd party security software installed.

The specific issue I want to troubleshoot is the keyboard shortcut for switching between input languages, i.e., between keyboard layouts. I have a split space bar on my keyboard, and I am used to the shortcut of Win key + space bar to switch between languages. As of today, it only works with the right half of the space bar, not the left half. :unsure:

EDIT: Adding to my confusion, I switched SRP back on, and I rebooted, but it isn't blocking. Restrictions work, but SRP doesn't work. Something is weird here.
UPDATE : I solved the split space bar issue, it apparently was caused by the August Windows update, and now I got my keyboard back to default behavior. But I still have the other, more mysterious issues.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
@shmu26,
Did you installed anything or changed the security settings before having those mysterious issues?
It is hard to say what is happening in your system, but you can temporarily turn off H_C to see how the system will behave without it. Just load All_OFF profile and reboot the computer. Please, let me know if there is a difference.(y)
Did you check in the H_C log if something has been blocked?
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
@shmu26,
Did you installed anything or changed the security settings before having those mysterious issues?
It is hard to say what is happening in your system, but you can temporarily turn off H_C to see how the system will behave without it. Just load All_OFF profile and reboot the computer. Please, let me know if there is a difference.(y)
Did you check in the H_C log if something has been blocked?
I checked the log immediately but there was nothing there related to the issue. Hmm... what did I install lately... not much besides Edge Chromium.

Interesting but unrelated: the LastPass universal installer uses the deprecated Powershell that you enable or disable from Windows features. I discovered this today, but it was after the other issues I mentioned.

EDIT: I loaded the All_OFF profile and rebooted, but no difference. It seems the issue is not related to H_C. .
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
@Andy Ful
...
Windows 10 pro 1903, Admin account, I go to settings/advanced keyboard settings, click on input language hot keys, and I get the typical blue error window with the text:
Contact your system administrator for more info.
...
This option uses control.exe, it can be blocked by <Block Sponsors>. The block is somewhat strange because it is not logged in the Windows Event Log. Furthermore, if the control.exe is next unblocked in H_C, then restarting Windows is required (normally refreshing Explorer is sufficient).
So, it is probable that the keyboard settings issue was due to the blocked control.exe in H_C.

By the way, what mysterious issues do you have now?
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
This option uses control.exe, it can be blocked by <Block Sponsors>. The block is somewhat strange because it is not logged in the Windows Event Log. Furthermore, if the control.exe is next unblocked in H_C, then restarting Windows is required (normally refreshing Explorer is sufficient).
So, it is probable that the keyboard settings issue was due to the blocked control.exe in H_C.

By the way, what mysterious issues do you have now?
I saw people saying that the split space bar on Microsoft keyboards was affected by the August update, so I would attribute it to that.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
I saw people saying that the split space bar on Microsoft keyboards was affected by the August update, so I would attribute it to that.
That is right. But, If you will block control.exe in H_C you will get the same behavior (I tested it on my computer, Windows 10 Pro 64-bit 1903.):giggle:(y)
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150
So I needed to restore a system image of Windows 10 1809 in order to sort out the issue with control.exe .
However, I still can't get SRP to work. I downloaded and installed the latest and greatest H_C, I reinstalled SRP, I chose recommended settings, and I rebooted. But it doesn't block anything. @Andy Ful , maybe from the screenshot you can see what I am doing wrong? The screenshot shows my H_C settings and depicts that I can launch installers and blocked sponsors (without using elevated rights).
Sponsors are set to "Enhanced".

Annotation 2019-08-20 121217.png
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top