ENFORCEMENT FOR "ALL USERS" (experimental feature) - it will be introduced in the new H_C beta version.
This enforcement can cause problems because it can have an impact on Windows administrative processes.
The enforcement for "All users" means that users from the Administrators group (using high privileges) will also be prevented from bypassing SRP restrictions. Normally, the Hard_Configurator settings allow users from the Administrators group to bypass SRP, to avoid problems with blocking administrative tasks in UserSpace.
The enforcement for "All users" is sometimes used in Enterprises to block malware introduced by elevated processes. For example, this can happen via an exploit with privilege escalation or a worm spreading in the local network with high privileges.
In the Home environment, such attack vectors are usually negligible. Furthermore, one can use the Standard User Account (SUA) to prevent privilege escalation. This is usually a more comprehensive solution than the enforcement for "All users".
This enforcement is not fully compatible with Strict_Recommended_Settings on Windows 8, 8.1, 10 or Recommended_Settings on Windows 7 (Vista). These setting profiles block execution in the whole UserSpace, so some actions related to software installation or Administrative tasks with high privileges can be blocked in the ProgramData or User AppData folders. For example, the Windows built-in Disk Cleanup tool (cleanmgr.exe) will not work properly when cleaning system files, because it uses dismhost.exe, which will be blocked in the AppData\Local\Temp folder. Similar problems can sometimes happen with other Administrative tasks, depending on the user's settings and installed software.
In the Home environment, expert users on an Admin account can apply the enforcement for "All users" (including Administrators) in some situations:
1. Extreme hardening (computer LockDown).
2. Support for older Windows versions.
3. Support for the H_C default-allow setup with some blocked Sponsors (LOLBins).
When using SUA, the enforcement for "All users" is not necessary (even for points 1, 2, and 3).
How to apply the enforcement for "All users".
It can be applied by running Hard_Configurator (SwitchDefaultDeny) with the switch -p, for example:
Hard_Configurator(x64).exe -p
When using Hard_Configurator with the -p switch, it is necessary to also run SwitchDefaultDeny with this switch. The most convenient way is to edit the commands in the shortcuts by adding the -p switch.
When Hard_Configurator (SwitchDefaultDeny) is executed without this switch, the default enforcement "All users except local Administrators" will be configured (Windows restart is required).
The enforcement for "All users" can be used with the SRP default-allow setup or with some default-deny setting profiles, like:
Basic_Recommended_Settings,
Recommended_Settings (on Windows 8, 8.1, 10),
MT_Windows_Security_hardening,
Avast_Hardened_Mode_Aggressive.
When applying these setting profiles, the "Install By SmartScreen" ("Run By SmartScreen") feature can be used in most cases to install applications without switching OFF the SRP protection.
It is not recommended to apply the enforcement for "All users" when using other setting profiles or custom settings. The common issue will be related to the "Install By SmartScreen" feature, which cannot work properly with a default-deny setup when <Update Mode> = OFF. Furthermore, because processes with high privileges are blocked, SRP restrictions cannot be bypassed in UserSpace by using the system "Run as administrator" feature.
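
To confirm which enforcement is actually in effect, the following added example (not part of Hard_Configurator) reads the standard Windows SRP policy values PolicyScope and DefaultLevel and reports the scope described above. It assumes that Hard_Configurator stores its SRP settings in the standard SRP policy key; the function name Get-SrpEnforcement and the sample values are constructed for illustration.

```powershell
# Added example: report the SRP enforcement scope from the standard SRP policy key.
# Assumption: Hard_Configurator keeps its SRP settings in this standard location.
$SrpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Get-SrpEnforcement {
    param([hashtable]$Values)   # optional: constructed values for an offline run

    if ($null -eq $Values) {
        # Read the live policy; values stay unset when SRP is not configured.
        $Values = @{}
        $item = Get-ItemProperty -Path $SrpKey -ErrorAction SilentlyContinue
        foreach ($name in 'PolicyScope', 'DefaultLevel') {
            if ($item -and $item.PSObject.Properties[$name]) {
                $Values[$name] = [int]$item.$name
            }
        }
    }

    # PolicyScope: 0 = all users, 1 = all users except local Administrators.
    $ps = $Values['PolicyScope']
    $scope = if ($null -eq $ps) { 'not set' } elseif ($ps -eq 0) { 'All users' } elseif ($ps -eq 1) { 'All users except local Administrators' } else { "unknown ($ps)" }

    # DefaultLevel: 0 = Disallowed, 0x40000 = Unrestricted.
    $dl = $Values['DefaultLevel']
    $level = if ($null -eq $dl) { 'not set' } elseif ($dl -eq 0) { 'default-deny (Disallowed)' } elseif ($dl -eq 0x40000) { 'default-allow (Unrestricted)' } else { ('other level (0x{0:X})' -f $dl) }

    $notes = @()
    if ($ps -eq 0 -and $null -ne $dl -and $dl -ne 0x40000) {
        # The combination the text warns about: elevated processes are restricted too.
        $notes += 'Elevated processes are restricted in UserSpace; "Run as administrator" does not bypass SRP.'
        $notes += 'Administrative tools that run helpers from AppData\Local\Temp (e.g. dismhost.exe for Disk Cleanup) may be blocked.'
    }

    [pscustomobject]@{ Scope = $scope; DefaultLevel = $level; Notes = $notes }
}

# Constructed sample values (not read from a real machine): "All users" with default-deny.
Get-SrpEnforcement -Values @{ PolicyScope = 0; DefaultLevel = 0 } | Format-List

# Live check on the local machine.
Get-SrpEnforcement | Format-List
```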