Hard_Configurator - Windows Hardening Configurator

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,042
@Andy Ful

Came across something interesting when I was converting a word document to PDF and later deleting the PDF.
  • Trying to convert an existing word document to PDF using Microsoft Word 2013 would not go through.
    • The word document was under a protected folder and the PDF was going to be saved under the same directory.
    • Protection history lists WINWORD.EXE as the app/process.
    • I allowed the process via Protection history.
    • An entry in ConfigureDefender CFA exclusions is now listed: C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE
  • Later when trying to delete the PDF document, the deletion was blocked.
    • Protection history lists explorer.exe as the app/process.
    • I allowed the process via Protection history.
    • An entry in ConfigureDefender CFA exclusions list is now listed: C:\Windows\explorer.exe

My questions are:
  • What caused CFA to trigger these blocks in H_C 5.1.1.1/.2?
    • I did the same actions as above on Friday and they weren't blocked. I can't remember if this was before or after I updated to version 5.1.1.1/.2.
  • Do the explorer.exe and winword.exe CFA exclusions pose a security risk?
I have attached my current configuration to this post for reference. I think the only modifications I made compared to my 5.0.0.0 configuration was:
  • Enabled Harden Archivers
  • Enabled Harden Email Clients
  • Enabled Allow MSI (which turns Update Mode to OFF)
Did this issue persist after a reboot (adding CFA exclusions may require a reboot)?
Can you delete files in that protected folder directly from the Explorer?
Please, look at the H_C Log (<Tools><Blocked Events / Security Logs>) if any process was blocked at the time of file conversion.

Deleting anything in CFA protected folders from the Explorer should not be related to any H_C setting profile (also yours). But anyway, other processes can be involved, when the deletion is made by MS Office applications. You can check it by loading All_OFF.hdc profile - it will remove all H_C settings, except ConfigureDefender and FirewallHardening.(y)
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,042
I needed utilities such as Command Prompt to be run as admin in order to make scripts be able to work (obviously), but I didnt want to turn off the SRP or enable Run As Admin in the context menu.

You probably chose to hide this entry when applying Recommended Settings.

RSalert.png


RSalert1.png


You can still use the Recommended Settings with <Hide 'Run As Administrator'> = OFF.
Then you can use the standard Windows method to run elevated CMD and PowerShell.

You can also use <Hide 'Run As Administrator'> = ON and <More SRP ...><Update Mode> = OFF, to use "Install By SmartScreen" instead.

The first method is more convenient for installing/updating applications.
 

Attachments

  • RSalert.png
    RSalert.png
    24.5 KB · Views: 174
Last edited:

EndangeredPootis

Level 10
Verified
Well-known
Sep 8, 2019
461
You can use the Recommended Settings when keeping "Run as administrator visible". You probably chose to hide this entry when applying Recommended Settings.

View attachment 243260

View attachment 243261

You can still use the Recommended Settings with <Hide 'Run As Administrator'> = OFF.
Then you can use the standard Windows method to run elevated CMD and PowerShell.

You can also use <Hide 'Run As Administrator'> = ON and <More SRP ...><Update Mode> = OFF, to use "Install By SmartScreen" instead.

The first method is more convenient for installing/updating applications.
I was fully aware of that, but I didnt want Run As Admin and Run By Smartscreen to both be in the context menu.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,042
Simple Windows Hardening (simplified version of Hard_Configurator):
 

SeriousHoax

Level 47
Well-known
Mar 16, 2019
3,630
Hi, Andy maybe it's worth adding "bitsadmin.exe" into recommended firewall hardening also?
1.PNG

Also, bitsadmin is deprecated since Windows 7 so shouldn't cause any issue.
BITSADMIN is deprecated in Windows 7 and 2008 R2, it is superceeded by the new PowerShell BITS cmdlets
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,042
Hi, Andy maybe it's worth adding "bitsadmin.exe" into recommended firewall hardening also?
View attachment 243859
Also, bitsadmin is deprecated since Windows 7 so shouldn't cause any issue.
No. The executable bitsadmin.exe uses BITS for downloading, so the firewall only sees svchost.exe connecting to the Internet. In the same way, you cannot block PowerShell when it uses BITSTransfer cmdlet (other PowerShell methods can be blocked).
You have to block the execution of bitsadmin.exe by SRP or other methods.
 

SeriousHoax

Level 47
Well-known
Mar 16, 2019
3,630
No. The executable bitsadmin.exe uses BITS for downloading, so the firewall only sees svchost.exe connecting to the Internet. In the same way, you cannot block PowerShell when it uses BITSTransfer cmdlet (other PowerShell methods can be blocked).
You have to block the execution of bitsadmin.exe by SRP or other methods.
Ok I see. Btw, I see that there's two bitsadmin in HC block sponsor section. bitsadmin * and bitsadmin.exe. What is the first one?
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,042
Ok I see. Btw, I see that there's two bitsadmin in HC block sponsor section. bitsadmin * and bitsadmin.exe. What is the first one?
The list of blocked sponsors was initially taken from the Bouncer blacklist. I never researched the bitsadmin* entry, but it may be related to bitsadmin.exe.mui or something else that uses BITS.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,042
Thanks for this software, been having a play with it this morning, much appreciated. My youngest daughter getting married in six days so need a distraction as running away at this point isn't an option? :confused::confused::confused:
It would not be the first time of running away, but usually, this happens to the bride.:)
 

plat

Level 29
Top Poster
Sep 13, 2018
1,793
Andy Ful: out of curiosity, does Firewall Hardening effectively block any outbound calls from Microsoft Store? I looked at the Outbound rules section of Windows Firewall and the Store is allowed. But I'm not sure what this "Allow" rule entitles the Store to do exactly.

I'd like to block the Store from doing anything but then I'm concerned that I can't update any apps there--which is the preference to do so manually and not have it run in the background.

Yes, there was someone at another forum expressing concern about Skype installing itself without the owner's knowledge/permission. So this prompted my question. 😬
 

South Park

Level 9
Verified
Well-known
Jun 23, 2018
431
Andy Ful: out of curiosity, does Firewall Hardening effectively block any outbound calls from Microsoft Store? I looked at the Outbound rules section of Windows Firewall and the Store is allowed. But I'm not sure what this "Allow" rule entitles the Store to do exactly.

I'd like to block the Store from doing anything but then I'm concerned that I can't update any apps there--which is the preference to do so manually and not have it run in the background.

Yes, there was someone at another forum expressing concern about Skype installing itself without the owner's knowledge/permission. So this prompted my question. 😬
Oddly enough, after I added the .reg file to prevent unexpected app installs, I manually went to update my Store apps. It seemed to hiccup on the installation but eventually completed. Probably a coincidence, but with Microsoft, who knows?
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,042
Andy Ful: out of curiosity, does Firewall Hardening effectively block any outbound calls from Microsoft Store? I looked at the Outbound rules section of Windows Firewall and the Store is allowed. But I'm not sure what this "Allow" rule entitles the Store to do exactly.
...
Probably not.
 

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,042
Short info about legacy SRP.

Some important Hard_Configurator features rely for now on Windows build-in SRP and this will be so until it will be useful. The SRP is now a legacy Windows feature - it means that Microsoft will not add the new features to it. The legacy features related to security are usually supported by Microsoft for a long time. I have seen many good 3rd party software dying in the meanwhile. It is possible that SRP dies with Windows 10 after several years. If there will be any problem with SRP, then I will make changes in Hard_Configurator several months before. It is also probable that I will drop SRP earlier for another Windows feature, like WD Application Control (WDAC). I could do it now, but WDAC is not so convenient yet as compared to SRP and the WDAC setup on Windows Home would be too restrictive for many home users (whitelisting problem). We will see how WDAC will evolve.

So, until Hard_Configurator development is actively supported by me (with SRP or without), there is no need to worry. :)(y)
 
Last edited:

brigantes

Level 1
Jun 22, 2020
40
Hi, Andy maybe it's worth adding "bitsadmin.exe" into recommended firewall hardening also?
View attachment 243859
Also, bitsadmin is deprecated since Windows 7 so shouldn't cause any issue.

Bitsadmin does not do the actual downloading. The process that does it is SYSTEM, so creating a firewall rule for Bitsadmin will block nothing.
 

brigantes

Level 1
Jun 22, 2020
40
Short info about legacy SRP.

Some important Hard_Configurator features rely for now on Windows build-in SRP and this will be so until it will be useful. The SRP is now a legacy Windows feature - it means that Microsoft will not add the new features to it. The legacy features related to security are usually supported by Microsoft for a long time. I have seen many good 3rd party software dying in the meanwhile. It is possible that SRP dies with Windows 10 after several years. If there will be any problem with SRP, then I will make changes in Hard_Configurator several months before. It is also probable that I will drop SRP earlier for another Windows feature, like WD Application Control (WDAC). I could do it now, but WDAC is not so convenient yet as compared to SRP and the WDAC setup on Windows Home would be too restrictive for many home users (whitelisting problem). We will see how WDAC will evolve.

So, until Hard_Configurator development is actively supported by me (with SRP or without), there is no need to worry. :)(y)

SRP shall not be going anywhere anytime soon. Microsoft has no intention of getting rid of AppLocker, which completely incorporates the older SRP. Given the fact that enterprises spend millions upon millions of dollars for InTune management and have become extremely dependent upon distributing GPO via an Active Directory Domain Controller, SRP/AppLocker will not be phased out in this decade.

Now we can sit here and debate this to death, but the lines between "SRP" and "WDAC" are blurred. There are many places to look online to compare SRP, AppLocker and WDAC. There is no need to cover that long topic here.

As is usual, Microsoft piles in a bunch of overly complex and questionable features in WDAC.
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,042
Andy, other than you needing to program everything differently would there be any difference in HC protections levels using SRP over WDAC?
In the home environment on Windows 10 with well updated system / software and good AV, the practical difference between SRP and WDAC is not important. The attack area is not big (as compared to enterprises) and SRP is more suitable to make it smaller without breaking something - it is simply more useful for home users.

In enterprises, there is a big difference between SRP and WDAC protection. The attack area is much bigger as compared to the home environment. Generally speaking, WDAC is much more resistant to the malware on already infected computers, and when the attack is performed from the enterprise network.

Edit.
By the way (in relation to another thread), I do not use a piss-back defense, but rather piss-reflect or hedgehog (more efficient). The attacker must face only his own product. :unsure:
Like any hedgehog, I do not keep negative emotions too long and do not have many enemies.:) (y)
 
Last edited:

brigantes

Level 1
Jun 22, 2020
40
The admin author gives Microsoft's very reason for implementing SRP back in 2002. SRP is soooo amazing that it is the most robust protection to this very day on Windows with Microsoft working on new iterations.


" Right now is usually when I get the most push back on the strategy. You see, vendors of security software have for years positioned their products as “Smart Enough” to catch this behavior. Don’t worry which ones either—they are all guilty of it. Email Anti-Spam, Anti-Virus, Firewalls, you name it. Put “Next-Gen” in front of the name and they’ll go on about how many times their solution stopped such behaviors. They conveniently leave out that no matter who they are or the technique they use they don’t work 100% of the time. So, let’s talk about the times they don’t: because that’s when the software restriction policy is going to save you. "
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top