Hard_Configurator - Windows Hardening Configurator

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,506
How do you get the Allow EXE settings of H_C?
Discussed here:
Is that more or less the same as the WIndows_10_MT_Windows_Security_hardening profile?
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,042
How do you get the Allow EXE settings of H_C?
Discussed here:
Is that more or less the same as the WIndows_10_MT_Windows_Security_hardening profile?
You can choose any profile and next use <Whitelist By Path> to choose <Add> under the label "Allow EXE and TMP".
Here are the H_C profiles that use it by default:
Windows_7_Avast_Hardened_Mode_Aggressive
Windows_8_Avast_Hardened_Mode_Aggressive
Windows_10_Avast_Hardened_Mode_Aggressive
Windows_10_MT_Windows_Security_hardening

You will see EXE, TMP displayed on the left on <Whitelist By Path> button.
Allow-EXE.png
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,042
I must have missed this previously. I thought it was only Windows_Security profile.
'Allow EXE and TMP'' simply adds two Unrestricted SRP rules:
*.exe
*.tmp
So any EXE or TMP file in any folder is whitelisted. These rules could be also added manually via <Add Path*Wildcards> feature, but most users probably do not know which rules can globally whitelist files by file extension.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,042
Ha, ha.:)
Someone used Chrome to manually download Hard_Configurator, installed it and configured - all was done in my favorite online Interactive malware hunting service Any.run.
The most dangerous action was recognized when after applying Recommended Settings, H_C stopped the Remote Registry service (part of <Block Remote Access> restrictions).
All important H_C alerts, displayed during the whole process (installation and configuration), are visible, so I could use it as a guide for the H_C users.:sneaky:(y)
To see the clips, one has to point the mouse cursor just under the taskbar of the displayed Windows screen and move it horizontally:
H_C_anyrun.png

 
Last edited:

SeriousHoax

Level 47
Well-known
Mar 16, 2019
3,630
Ha, ha.:)
Someone used Chrome to manually download Hard_Configurator, installed it and configured - all was done in my favorite online Interactive malware hunting service Any.run.
The most dangerous action was recognized when after applying Recommended Settings, H_C stopped the Remote Registry service (part of <Block Remote Access> restrictions).
All important H_C alerts, displayed during the whole process (installation and configuration), are visible, so I could use it as a guide for the H_C users.:sneaky:(y)
To see the clips, one has to point the mouse cursor just under the taskbar of the displayed Windows screen and move it horizontally:
View attachment 230283
Link link, where are you? 👀
You forgot to attach the link 😛
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,042

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,150

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,042
@Andy Ful it was requested on the other forum if you could add in Configure Defender the setting "Run WD in sandbox mode"
Yes, I could do it. But, I am still waiting until it will be fully developed to avoid compatibility problems.
 

plat

Level 29
Top Poster
Sep 13, 2018
1,793
Hello. I've whizzed thru three Insider builds in rapid succession, landing at 19037.1. Should one be concerned about anything new outside of H_C's pre-defined rules enforcement? I've called up the user interface and re-enabled LOLBins and recommended rules but a message box stated "some of the rules are already in effect" or something like that. Why only some, should that be "all"?

What prompted my question was: on a freshly installed Insider build, HitmanPro had to upload nearly 600 new Windows processes to its cloud. That implies some significant changes in Windows from, say, v. 1909. Thanks for any help!
 

oldschool

Level 81
Verified
Top Poster
Well-known
Mar 29, 2018
7,044
What prompted my question was: on a freshly installed Insider build, HitmanPro had to upload nearly 600 new Windows processes to its cloud. That implies some significant changes in Windows from, say, v. 1909.

HMPA's response would seem to indicate that you are on an experimental Windows build, with which it isn't familiar.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,042
Hello. I've whizzed thru three Insider builds in rapid succession, landing at 19037.1. Should one be concerned about anything new outside of H_C's pre-defined rules enforcement? I've called up the user interface and re-enabled LOLBins and recommended rules but a message box stated "some of the rules are already in effect" or something like that. Why only some, should that be "all"?:whistle:
...
"All" would be more precise for sure. :)
Anyway, I will simply add this information to the HELP (Recommended H_C < LOLBins) .(y)

Right. And it's not the end product by a long shot. Nevertheless, I wanted to know if Andy Ful is testing H_C running the later Insiders versions. And if not, would there be concern that Firewall Hardener may not cover the ground it does in release Windows versions. :giggle:
H_C modules were tested in the Windows 20H1 some time ago. I will repeat the test in the next year. But, there is no reason to think that Windows Firewall policies might not work well. They are used all around the world.(y)
 

Lenny_Fox

Level 22
Verified
Top Poster
Well-known
Oct 1, 2019
1,120
Hi,

I nearly finished a Bachelor in webdesign & digital marketing (just finishing my final thesis while working). Part of this study also included User Experience and Usability. I am not commenting on the interface and color scheme you choose (@Andy Ful ), just suggesting a new program which is basically a combination of your existing programs.

I suggest a zero config version with just two settings Default and Hardened mode (like an ON=hardened and OFF=default switch). The aim is to maximize security while minimizing the functional impact. This is the reason why I suggest to allow executables to run in user space when they are whitelsted by Windows Defender, but dangerous file formats and lolbins should be restricted.

DEFAULT mode
Software Restriction Policies OFF and Windows Defender on Default and Windows FW block rules disabled

HARDENED mode
Configure defender on MAX
Firewall hardening enable LOLbins block rules.
Software Restriction policies on DISALLOWED, but allow EXE, TMP, MSI and MSU,
Enforcement Skip DLLs,, Designated File types default + Windows Script Hist + Powershell,
Block sponsors Script Interpreters + DotNet compilers, Protect Windowss Folders ON, Protect shortcuts ON,
Documents Anti-Exploit ON, Block remote access ON, Disable 16 bits ON, Disable SMB ON, Disable Cached Logons ON


Now your software is signed this would extend the usability for a larger audience.

Regards Lenny
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,042
Hi,

I nearly finished a Bachelor in webdesign & digital marketing (just finishing my final thesis while working). Part of this study also included User Experience and Usability. I am not commenting on the interface and color scheme you choose (@Andy Ful ), just suggesting a new program which is basically a combination of your existing programs.

I suggest a zero config version with just two settings Default and Hardened mode (like an ON=hardened and OFF=default switch). The aim is to maximize security while minimizing the functional impact. This is the reason why I suggest to allow executables to run in user space when they are whitelsted by Windows Defender, but dangerous file formats and lolbins should be restricted.

DEFAULT mode
Software Restriction Policies OFF and Windows Defender on Default and Windows FW block rules disabled

HARDENED mode
Configure defender on MAX
Firewall hardening enable LOLbins block rules.
Software Restriction policies on DISALLOWED, but allow EXE, TMP, MSI and MSU,
Enforcement Skip DLLs,, Designated File types default + Windows Script Hist + Powershell,
Block sponsors Script Interpreters + DotNet compilers, Protect Windowss Folders ON, Protect shortcuts ON,
Documents Anti-Exploit ON, Block remote access ON, Disable 16 bits ON, Disable SMB ON, Disable Cached Logons ON


Now your software is signed this would extend the usability for a larger audience.

Regards Lenny
I already created a similar application (Casual User Protection) :

CUP.png


But, later I found out that smart-default-deny setup with whitelisted EXE (TMP) and MSI files in Appdata and ProgramData folders is worth investigating. So, I plan to finish Hard_Configurator first, and then I will probably finish CUP.:)(y)
 

Lenny_Fox

Level 22
Verified
Top Poster
Well-known
Oct 1, 2019
1,120
@Andy Ful Thanks (y)

Being the IT-student in the family, I have some experience in this type of setups and have had no problems by whitelisting AppData, since it is protected by UAC. When you enable Validate Admin Signatures the combination UAC protected and only allowing signed software to elevate seems to do the job (no family members have reported infections yet). So my guess is that in stead of trying to work out granular exceptions for AppData, it would be easier and simpler to whitelist AppData and offer an option to enable Validate Admin Signatures in the advanced options.

By the way that UI looks a lot better also 😎 (y)
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top