You can use SWH and FirewallHardening ("Recommended H_C" block rules).
This should work well with many AVs. I would also recommend for her the Edge Chromium web browser with enabled SmartScreen and PUA.
Hard_Configurator - Windows Hardening Configurator
- Thread starter Andy Ful
- Start date
This should work well with many AVs. I would also recommend for her the Edge Chromium web browser with enabled SmartScreen and PUA.
Thanks for your reply. I really appreciate it as I am new to using this. I just have a few questions. For my moms computer when I download hard_configuartor there is a separate folder called simple Simple Windows Hardening. That is where I enabled it. Then I saved the SWH folder under my doc incase in the future there is a conflict. Now to use the firewall settings I have to install hard config right? Once installed just click firewall hardening and add recommended HC. Then I can click close and apply at the main screen and she's done right?You can use SWH and FirewallHardening ("Recommended H_C" block rules).
This should work well with many AVs. I would also recommend for her the Edge Chromium web browser with enabled SmartScreen and PUA.
On my gaming PC should I use LOL Bins for Windows Firewall too? On SwitchDefaultDeny do I want Validate Adim Code Sigs?
Last edited:
You do not need to install H_C. There is a standalone portable version of FirewallHardening available:
ConfigureDefender/H_C_HardeningTools.zip at master · AndyFul/ConfigureDefender
Utility for configuring Windows 10 built-in Defender antivirus settings. - ConfigureDefender/H_C_HardeningTools.zip at master · AndyFul/ConfigureDefender
github.com
I would recommend you to stop the hardening for a while and use the current setup (SWH + FirewallHardening). This reduces the attack surface significantly without losing usability. If there will not be the issues, then after a month or two you can go further (this will require some learning).
Please remember, that custom hardening will require looking at the SWH and FirewallHardening Logs (from time to time) to see for the possible block events.
You can use in SWH the option <Elevation of unsigned executables> = Restricted, if you mostly use digitally signed applications. If not then some unsigned applications will be blocked by this setting.
Last edited:
Thanks a lot for breaking it down for me. I am pretty computer savvy. However, I am new to hardening. The setup you recommended sounds exactly like what I am after. Something to help out that does not get too crazy lol. I was not aware of the standalone firewallhardening. Thanks again and keep up the good work.You do not need to install H_C. There is a standalone portable version of FirewallHardening available:
You can download it and keep it together with SWH. Next, the "C:\Windows|Hard_Configurator" folder can be deleted to remove the H_C files. The SWH and H_C are not fully compatible, so run SWH again to see if everything is OK.
ConfigureDefender/H_C_HardeningTools.zip at master · AndyFul/ConfigureDefender
Utility for configuring Windows 10 built-in Defender antivirus settings. - ConfigureDefender/H_C_HardeningTools.zip at master · AndyFul/ConfigureDefender
I would recommend you to stop the hardening for a while and use the current setup (SWH + FirewallHardening). This reduces the attack surface significantly without losing usability. If there will not be the issues, then after a month or two you can go further (this will require some learning).
Please remember, that custom hardening will require looking at the SWH and FirewallHardening Logs (from time to time) to see for the possible block events.
You can use in SWH the option <Elevation of unsigned executables> = Restricted, if you mostly use digitally signed applications. If not then some unsigned applications will be blocked by this setting.
Windows firewall has the concept of "what is not explicitly allowed is forbidden", or "if there is no explicit permission rule, then Internet access is prohibited", therefore the use of firewallhardening from H_C is optional and has more psychological effect than practical. But you can use firewallhardening to at least see how many rules it will create in Windows Firewall, or save the rules to a file.
You should also know that the fewer rules in the Windows Firewall, the faster it processes them.
You are wrong. Any predefined FirewallHardening rule blocks something that is allowed by default in Windows Firewall. Of course, one can block all outbound connections, but this would require much work to allow all needed processes and applications.
Correct firewall configuration starts with removing all pre-installed Windows firewall rules, outgoing and incoming. After that, the minimum required rules are created. After that, the FirewallHardening rules, if used, will be redundant, since there is no need to prohibit what is not allowed.
I am curious, why Microsoft insist to do it "incorrectly"? Are they stupid or mean? Who decided that your "correct" way is the correct one?
Of course. They are only useful when one uses the "incorrect" rules applied by Microsoft by default ( = most users in the world).
Last edited:
Desire to be able to control your computer, receive maximum telemetry as well.
Experience.
F
ForgottenSeer 85179
Realy? This isn't Reddit here.
I would also like that this thread comes back to it's original.
Just my two pence here. Most people aren't likely to go manually removing firewall rules after a program has been uninstalled and Firewall Hardening at least blocks the LOLBins that are often exploited which you would be unlikely to see a Windows Firewall alert for. It's the default deny approach which is what I love about H_C and FH.
How allowing LOLBins can be related to the above? They are not used by MS to control the computer and receive telemetry. Furthermore, MS guys could easily do it with disabled outbound connections in Windows Firewall (if they want).
Windows is also available for people who do not have your Experience.
I do not say that your way is wrong. Simply, using default-deny both for executing files and for outbound connections is too much for most users. Furthermore, when you use default-deny for executing files, the default-deny Firewall is not so useful anymore (except maybe in the enterprises).
F
ForgottenSeer 85179
Agree!
I even move from default-deny firewall with Simplewall, then TinyWall to Windows default without any external tool.
The default-deny for execution is enough for 99% malware. Other 1% isn't consumer related and needs specific attacks.
This is also thankfully to Microsoft as they do many great improvements in past so even the default Windows security is very good
This looks great. I will try it on my kids computer to protect them from themselves.Developer website:
GitHub - AndyFul/Hard_Configurator: GUI to Manage Software Restriction Policies and harden Windows Home OS
GUI to Manage Software Restriction Policies and harden Windows Home OS - AndyFul/Hard_Configurator
The dedicated website (thanks to @askalan):
Hard Configurator
Hard_Configurator was created after a discussion on the below treads:
Secure Windows - Software restriction Policies to Windows Home
Windows Pro owner? Use Software Restriction Policies!
Poll - Do you use security reg tweaks?
Run by Smartscreen utility
What it can do?
This program can configure Windows built-in security to harden the system. When you close Hard_Configurator it closes all its processes. The real-time protection comes from the reconfigured Windows settings. Hard_Configurator can be seen as a Medium Integrity Level smart default-deny setup, which is based on SRP + Application Reputation Service (forced SmartScreen) + Windows hardening settings (restricting vulnerable features).
Hard_Configurator makes changes in Windows Registry to accomplish the tasks enumerated below:
- Enabling Software Restriction Policies (SRP) in Windows Home editions.
- Changing SRP Security Levels, Enforcement options, and Designated File Types.
- Whitelisting files in SRP by path (also with wildcards) and by hash.
- Blocking the vulnerable system executables via SRP.
- Protecting (deny execution) writable subfolders in "C:\Windows" folder (via SRP).
- Restricting shortcut execution to some folders only (via SRP).
- Enabling Windows Defender advanced settings, like PUA protection, ASR rules, Network Protection etc.
- Blocking outbound connections of many LOLBins and user applications.
- Filtering Windows Event Log for blocked outbound connections.
- Protecting against weaponized documents, when MS Office and Adobe Acrobat Reader XI/DC are used to open them.
- Disabling PowerShell script execution (Windows 7+).
- Securing PowerShell by Constrained Language mode (SRP, PowerShell 5.0+)
- Disabling execution of scripts managed by Windows Script Host.
- Removing "Run as administrator" option from the Explorer right-click context menu.
- Forcing SmartScreen check for files without 'Mark Of The Web' (Windows 8+).
- Disabling Remote Desktop, Remote Assistance, Remote Shell, and Remote Registry.
- Disabling execution of 16-bit applications.
- Securing Shell Extensions.
- Disabling SMB protocols.
- Disabling program elevation on Standard User Account.
- Disabling Cached Logons.
- Filtering Windows Event Log for blocked file execution events (Nirsoft FullEventLogView).
- Filtering autoruns from the User Space, and script autoruns from anywhere (Sysinternals Autorunsc).
- Turning ON/OFF all the above restrictions.
- Restoring Windows Defaults.
- Making System Restore Point.
- Using predefined setting profiles for Windows 7, Windows 8, and Windows 10.
- Saving the chosen restrictions as a profile, and restoring when needed.
- Backup management for Profile Base (whitelist profiles and setting profiles).
- Changing GUI skin.
- Updating application.
- Uninstalling application (Windows defaults restored).
Many of the above tasks can be made by using Windows RegEdit. Anyway, with Hard_Configurator, it can be done more quickly and safely.
This program was created for advanced users to secure inexperienced users.
If your kids use Windows 10 and like games then start first from the Windows_10_Basic_Recommended_Settings (use <Load Profile> button).
I would like to add Hard_Configurator to my system. However, I have a couple of questions for which it was difficult to find answers in this long thread.
I already use ReHIPS and Malwarebytes Windows Firewall Control and ideally I want to continue using these programs. I don't have an antivirus program installed and I let Windows Defender take care of this.
Is there anything in particular that I should do concerning Hard_Configurator in relation to the programs that I mentioned?
I already use ReHIPS and Malwarebytes Windows Firewall Control and ideally I want to continue using these programs. I don't have an antivirus program installed and I let Windows Defender take care of this.
Is there anything in particular that I should do concerning Hard_Configurator in relation to the programs that I mentioned?
Hard_Configurator has been made to simplify the security config. You will not simplify anything by adding H_C to this setup. I would recommend you to master the ReHIPS for more protection and maybe add ConfigureDefender (HIGH Protection Level).
Hard_Configurator can be used with your setup after some ReHIPS tweaking, but I do not think that it would be necessary for most users.
Thank you for the reply. At least it's comforting to learn that I don't have to do anything immediately, other than adding ConfigureDefender.
EDIT: For clarification, the ConfigureDefender information states that "If an administrator applied or changed Defender policies manually, he must first ensure that they are changed back to 'Not configured' before using the ConfigureDefender utility. Those settings can be found in Group Policy Management Console". I found all these except for any entry for Spynet.
EDIT: For clarification, the ConfigureDefender information states that "If an administrator applied or changed Defender policies manually, he must first ensure that they are changed back to 'Not configured' before using the ConfigureDefender utility. Those settings can be found in Group Policy Management Console". I found all these except for any entry for Spynet.
Last edited:
That is OK. Just check if the GPO settings are set to "Not configured".
Thank you. I used the Group Policy Editor as administrator in order to see the settings. I hope it's the same as what you say about the Group Policy Management Console. Anyway I'm the only user on my PC and in this regard I'm sure that I didn't deliberately change any default Windows Defender settings.
You may also like...
-
-
FAI Tells It Like It Is - Microsoft's Wonky Default Deny Roadmaps, Users as Guinea Pigs, "Dilemmas and Paradoxes," and Why SRP Remains King
- Started by ForgottenSeer 114717
- Replies: 44
-
Microsoft testing Windows 11 batch file security improvements- Started by Parkinsond
- Replies: 0
-
CrySome RAT : An Advanced Persistent .NET Remote Access Trojan- Started by Khushal
- Replies: 3
-
