Hard_Configurator - Windows Hardening Configurator

[Andy Ful]

He is still having issues

Hard_Configurator - GUI to Manage Software Restriction Policies and harden Windows Home OS

Started using this and recommended settings is probably safe to use? I also added recommended H_C in firewall hardening.

www.wilderssecurity.com

I updated the post. Renaming the shortcut worked for me (I tested it after installing 8GadgetPack / Sidebar on my testing computer). We are in email contact with Krusty. After renaming the shortcut the Sidebar thinks that it does not have to start with Windows, but the renamed shortcut starts it anyway.

The Sidebar issue showed the limitation of the combined Disalowed/Unrestricted rules with wildcards.
In the H_C Recommended settings the SRP makes several actions for files in the user Startup folder :

1. Disallowed Default Security Level (blocks files by default).
2. Unrestricted rules for EXE and MSI files in user AppData subfolders.
3. Disallowed rule for files (blocks also EXE and MSI) in the user Startup folder (it is a subfolder of AppData).
4. Unresctricted rule for a shortcut file.

All four SRP actions are done at the same time for files located in the startup folder. The two last rules work differently for paths with wildcards. Without wildcards the last take precedence over the second last. For paths with wildcards in the filename, the opposite is true.

Edit.
The rule from point 3 is unnecessarily restrictive it should block only EXE and MSI files instead of all files - other files are already blocked by point 1. I could solve the issue by making it less restrictive. This would require removing 20 rules and adding 40 new rules. There is also a possibility to extend whitelisting by hash to include shortcuts - this would be probably the best solution for shortcuts with randomly changing file names in the user Startup folder.

 

[Andy Ful]

Hi Andy,

sorry if this has been answered already elsewhere and I couldn't find the answer in the documentation, but why is it possible, at least in my case, to launch an executable file under:

C:\Users\myname\AppData\Local\Temp

I have SRP enabled with Default Security Level at "Disallowed", Enforcement: Skip DLL's

I have not added any paths to the default ones included. Using Windows 10 v21H1, 19043.1202

In the H_C Recommended Settings, two hidden folders are whitelisted for EXE and MSI files: user Appdata and Program Data (other files are still forbidden). This is controlled by SmartScreen and H_C settings:
<Update Mode> = ON
<Harden Archivers> = ON
<Harden Email Clients> = ON

So, all software auto-updates can be made without issues via EXE or MSI updaters, and "Install By SmartScreen" can work without forcing high privileges. Also, there will be no problems with applications that install in UserSpace (most such installations are made by default in user AppData or ProgramData subfolders).

Users normally do not see these folders (they are hidden in the default Explorer settings). Some web browsers can drop & execute files from user AppData, but this is controlled by SmartScreen (block alert prompts after executing unsafe files). The archive applications and email clients can also do it, but this will be blocked by H_C (<Harden Archivers> and <Harden Email Clients>). Other H_C settings prevent malware files and CmdLines, so there is no direct attack vector that could drop into & run EXE or MSI files from user Appdata and Program Data.

These settings can hardly be bypassed in the home environment except if something is exploited. But even in such a case, the attack will be usually prevented because exploits often use scripting methods that are still blocked.

The Recommended Settings on Windows 10, <Update Mode>, <Harden Archivers>, and <Harden Email Clients> are explained in the help files and H_C manual.
If the user wants to update applications manually, then Strict_Recommended_Settings can be used instead of Recommended_Settings. In Strict_Recommended_Settings all protected files (also EXE and MSI) are blocked also in the user Appdata and Program Data folders. Most software auto-updates will be blocked (except for updates made via scheduled tasks with high privileges) and all applications installed in %UserProfile% will require additional whitelisting.

 

[Andy Ful]

Post edited.

It is worth remembering that whitelisting EXE and MSI files in user AppData and ProgramData folders can be done safely in H_C settings (in the home environment), but not when using a similar setup via Applocker or Defender Application Control (WDAC/MDAC). Both Applocker and Application Control cannot block shortcuts and many unsafe file extensions (like CHM, HTA, etc.), so one has to block many LOLBins (Sponsors) instead. WDAC/MDAC cannot also block BAT and CMD extensions (Applocker can do it). This can be very inconvenient because blocking unsafe files by LOLBins does not allow whitelisting.

For example, when using SRP, one usually blocks by default BAT and CMD scripts and can whitelist some of them in selected locations. The user can still run cmd.exe and use CMD commands from the CMD console. Also, the hacker could use this, but this would require using remote features (blocked by H_C), or CmdLine access (blocked by H_C), or sophisticated exploit (no scripting, hardly possible in the home environment on Windows 10).

When blocking LOLBins via WDAC/MDAC the scripting LOLBin cmd.exe must be blocked for BAT or CMD scripts, and then all BAT and CMD scripts will be blocked (cannot be selectively whitelisted). Furthermore, the CMD console will be blocked too. Such strict restrictions follow from the fact that in an Enterprise environment the remote features are enabled and one has to assume that some parts of the local network can be possibly compromised by hackers. Generally, the Enterprise environment has far more attack vectors so it requires different protection layers compared to the home environment.

 

[wat0114]

Thank you @Andy Ful for your detailed explanation. it was very helpful and makes sense. Of course as you mentioned, scripts are blocked within these user space directories.

 

[wat0114]

Yeah, exactly. The worries of a bypass here are blown way out of proportion or more often than not just due baseless fear.

We’ll in my case neither of those assertions you make. It was my misunderstanding and Andy explained it clearly. I’m sure the similar reason from the person from another forum.

 

[Andy Ful]

Windows 11 is coming, so would like to recall how to transfer the H_C settings and Whitelist from older OS to fresh installed one.
First, it is necessary to save the actual config:

1. Save the current settings profile into the default settings folder:
   
   
   
   
   
   
   
   
   
   
   As an example I saved the settings as MyCurrentSettings.
2. Save the current Whitelist profile:
   
   
   
   
   
   
   
   
   
   As an example, I saved the current Whitelist as MyCurrentWhitelist. This Whitelist is saved in the Windows Registry (for privacy reasons).

Now is the time to make a backup of all saved setting profiles and all saved Whitelists (Whitelist profiles)).

I saved all setting profiles and all Whitelists into one backup file MyCurrentBackup.hbp
That is all. This file can be used to restore settings and Whitelists in the future.

To restore the saved setting profiles and Whitelist profiles from the backup, the <Import Profiles> button has to be used ( <Tools> ---> <Manage Profiles BACKUP> ---> <Import Profiles> ).

After restoring the setting profiles will be placed into Hard_Configurator\Configuration folder and Whitelist will be imported to Windows Registry.
One can use the <Load Profile> button to apply the MyCurrentSettings and use <Save Load> button to apply MyCurrentWhitelist.

The details about saving/loading Whitelists also included in my old video clip:

Hard_Configurator/version 3.0.1.0 - Part2.mp4 at master · AndyFul/Hard_Configurator

GUI to Manage Software Restriction Policies and harden Windows Home OS - AndyFul/Hard_Configurator

github.com

Time 0-5min ---> saving/loading Whitelists.

 

[vaccineboy]

Hi @Andy Ful , v6 is still in beta right?
If so, I'm not pushing, just curious, when do you plan to release the final version?
Thanks.

 

[Andy Ful]

Hi @Andy Ful , v6 is still in beta right?
If so, I'm not pushing, just curious, when do you plan to release the final version?
Thanks.

That will depend on the potential bugs and improvements reported by users. So far the beta version looks good. Probably in November, I will publish the stable version.

 

[NewbyUser]

That will depend on the potential bugs and improvements reported by users. So far the beta version looks good. Probably in November, I will publish the stable version.

No problems with it here.

 

[RoboMan]

How to become a beta tester?

 

[oldschool]

How to become a beta tester?

GitHub - AndyFul/Hard_Configurator: GUI to Manage Software Restriction Policies and harden Windows Home OS

GUI to Manage Software Restriction Policies and harden Windows Home OS - AndyFul/Hard_Configurator

github.com

 

[Andy Ful]

How to become a beta tester?

Install the last beta. Report bugs or anything you dislike in it.

https://github.com/AndyFul/Hard_Configurator/raw/master/H_C_6_beta1.exe

 

[wat0114]

No problems with it here.

Yeah, same on my end. I'm a happy camper with this version

 

[Andy Ful]

Hard_Configurator ver. 6.0.0.0 (stable):

https://github.com/AndyFul/Hard_Configurator/raw/master/Hard_Configurator_setup_6.0.0.0.exe

Changelog (changes from ver. 5.1.1.2):

1. Introduced two color-changing buttons. When the restrictions are OFF, the buttons <Switch OFF/ON SRP> and <Switch OFF/ON Restrictions> change the background color from green to blue.
2. Fixed some minor bugs.
3. Added finger.exe to blocked sponsors and also to the H_C Enhanced profiles.
4. Added some EXE files to FirewallHardening LOLBin Blocklist: csc, cvtres, CasPol, finger, ilasm, jsc, Microsoft.Workflow.Compiler, mscorsvw, ngen, ngentask, vbc.
5. Added SLK and ELF file extensions to the default protected extensions in SRP and RunBySmartscreen.
6. Added a switch -p to run H_C and SwitchDefaultDeny with SRP enforcement to block all users (including Administrators) - it can be used especially on the older Windows versions to improve post-exploitation protection on default Admin account. This switch should be used only by very experienced users.
7. New version of ConfigureDefender:
   - Added some useful information to the Help and manual.
   - Added "Send All" setting to Automatic Sample Submission.
   - Updated ASR rules (1 new rule added).
   - Added the Warn mode to ASR rules.
   - Added INTERACTIVE Protection Level which uses ASR rules set to Warn.
   - Added the <Info> button next to the Protection Levels buttons. It displays information about which
   settings are enabled in DEFAULT, HIGH, INTERACTIVE, and MAX Protection Levels.
   - Redesigned slightly the layout of the Exploit Guard section.
   - Added support for event Id=1120.
   - Added CFA setting BDMO = Block Disk Modifications Only - folders will not be protected, but some
   important disk sectors will be still protected (Id = 1127).
8. Added support for Windows 11.

 

[plat]

Prob. a silly question but since Firewall Hardening was updated in this version, I installed this 6.0.0.0. Now then, does one need to manually re-do the Rules? I did just to be safe but does the act of simply installing the new H_C do this automatically?

I consider this an important part of my security setup and don't want to leave anything out.

 

[Andy Ful]

Prob. a silly question but since Firewall Hardening was updated in this version, I installed this 6.0.0.0. Now then, does one need to manually re-do the Rules? I did just to be safe but does the act of simply installing the new H_C do this automatically?

I consider this an important part of my security setup and don't want to leave anything out.

If these rules were already done manually (with the older version), then they will be accepted in the new version. If not, then the new FirewallHardening rules must be re-done.
Recommended H_C rules will automatically add: csc.exe, finger.exe, jsc.exe, vbc.exe (most important LOLBins).

 

[Reldel1]

Hard_Configurator ver. 6.0.0.0 (stable):

https://github.com/AndyFul/Hard_Configurator/raw/master/Hard_Configurator_setup_6.0.0.0.exe

Changelog (changes from ver. 5.1.1.2):

1. Added support for Windows 11.

Will you be adding a profile for Windows 11?

 

[South Park]

I updated to the new version, updated settings and firewall rules, and restarted. Similarly to when I installed the beta, the system crashed within one minute, with this error message:



I clean reinstalled 5.1.1.2, which I will probably use indefinitely, since my laptop seems to not get along with a setting in the newer versions.

 

[South Park]

Adding to my above post, I think the culprit is again an outdated driver, in this case an OEM graphics driver from 2018 that I can't readily update. (I'd have to rip it out and hope that a new but generic Intel driver would suffice.) I didn't change any settings in C_D during the H_C update, so I don't think the drivers ASR rule was a factor.

 

[Andy Ful]

Will you be adding a profile for Windows 11?

There is no need for that. Windows 11 does not introduce important differences that could be used for a new setting profile.