Hard_Configurator - Windows Hardening Configurator

[wat0114]

Thanks Andy

 

[eonline]

this is my current H_C configuration, do you see any security holes in my configuration? I left cmd .exe as a matter of convenience. This all stems from Magniber's post against WD with CD MAX. I also use firewall hardening and CD without protected folders because I find it annoying. Thank you very much as always. Best regards.

 

[Andy Ful]

this is my current H_C configuration, ...

You have applied very strong protection. Now, your security will depend on the way you deal with blocked files. So, choose wisely when whitelisting the blocked files or when intentionally bypassing the protection layers.

 

[Andy Ful]

Hard_Configurator ver. 6.0.1.1

https://github.com/AndyFul/Hard_Configurator/raw/master/Hard_Configurator_setup_6.0.1.1.exe

The update can be made over the older version. After the update, some Infos are displayed in the notepad. The info about updating the configuration is included in the displayed Quick_Configuration.txt.


The changelog from the latest stable version 6.0.0.0

	Version 6.0.1.1
	1. Adjusted the default extensions in <Designated File Types> to those used in Simple Windows Hardening. So, some popular Excel extenions are not blocked in default setup: XLS, XLSX, XLSB, XLSM, XLT, XLTM, XSL.
	2. Updated the manual and some help files.
	3. Added new option in DocumentsAntiExploit tool to make the configuration of Adobe Acrobat more granular.
	4. Added the button <MORE ...><Remove Obsolete Restrictions>.
	5. Added a new digital certificate.
	Version 6.0.1.0 beta
	1. Added several file extensions to the <Designated File Types>, mostly for MS Excel Add-ins, Query files, and some legacy file formats:
	New default extensions
	ACCDA, ACCDU, CSV, DQY, ECF, MDA, PA, PPA, PPAM, RTF, WLL, WWL, XLA, XLAM, XLL, XLM, XLS, XLSX, XLSB, XLSM, XLT, XLTM, XSL.
	New Paranoid extensions
	ACCDU, ARJ, BZIP, BZIP2, DOC, ECF, FAT, HWP, IMG, ISO, LHA, NTFS, MCL, PA, PPA, PPT, PPTX, REV, R00, R01, R02, R03, R04, R05, R06, R07, R08, R09, TBZ, TPZ, TXZ, TZ, VHD, VHDX, WLL, WWL, XAR, XIP, XLS, XLSX, XSL, XZ
	Disk image extensions: ISO, IMG, VHDX, can be blocked by SWH settings only if a 3-rd party application is set to open them (and not Windows built-in File Explorer).
	2. Added new versions of DocumentsAntiExploit, RunBySmartscreen and FirewallHardening tools.
	3. Improved policies for Adobe Acrobat Reader XI/DC.
	4. Corrected some minor bugs.
	5. Updated H_C manual and some help files.
	Version 6.0.0.1 beta
	1. Added <Block AppInstaller> option.
	2. New FirewallHardening version 2.0.1.1.
	- added the options to load/save the external BlockLists.
	- added new LOLBins: bitsadmin.exe (blocked via Exploit Protection), calc, certoc, certreq, cmd, desktopimgdownldr, dllhost, ExtExport, findstr, ieexec (new path), notepad, pktmon, Register-cimprovider, verclsid, wsl, wuauclt.exe, xwizard.

 

[Trooper]

Hard_Configurator ver. 6.0.1.1

https://github.com/AndyFul/Hard_Configurator/raw/master/Hard_Configurator_setup_6.0.1.1.exe

The update can be made over the older version. After the update, some Infos are displayed in the notepad. The info about updating the configuration is included in the displayed Quick_Configuration.txt.


The changelog from the latest stable version 6.0.0.0

	Version 6.0.1.1
	1. Adjusted the default extensions in <Designated File Types> to those used in Simple Windows Hardening. So, some popular Excel extenions are not blocked in default setup: XLS, XLSX, XLSB, XLSM, XLT, XLTM, XSL.
	2. Updated the manual and some help files.
	3. Added new option in DocumentsAntiExploit tool to make the configuration of Adobe Acrobat more granular.
	4. Added the button <MORE ...><Remove Obsolete Restrictions>.
	5. Added a new digital certificate.
	Version 6.0.1.0 beta
	1. Added several file extensions to the <Designated File Types>, mostly for MS Excel Add-ins, Query files, and some legacy file formats:
	New default extensions
	ACCDA, ACCDU, CSV, DQY, ECF, MDA, PA, PPA, PPAM, RTF, WLL, WWL, XLA, XLAM, XLL, XLM, XLS, XLSX, XLSB, XLSM, XLT, XLTM, XSL.
	New Paranoid extensions
	ACCDU, ARJ, BZIP, BZIP2, DOC, ECF, FAT, HWP, IMG, ISO, LHA, NTFS, MCL, PA, PPA, PPT, PPTX, REV, R00, R01, R02, R03, R04, R05, R06, R07, R08, R09, TBZ, TPZ, TXZ, TZ, VHD, VHDX, WLL, WWL, XAR, XIP, XLS, XLSX, XSL, XZ
	Disk image extensions: ISO, IMG, VHDX, can be blocked by SWH settings only if a 3-rd party application is set to open them (and not Windows built-in File Explorer).
	2. Added new versions of DocumentsAntiExploit, RunBySmartscreen and FirewallHardening tools.
	3. Improved policies for Adobe Acrobat Reader XI/DC.
	4. Corrected some minor bugs.
	5. Updated H_C manual and some help files.
	Version 6.0.0.1 beta
	1. Added <Block AppInstaller> option.
	2. New FirewallHardening version 2.0.1.1.
	- added the options to load/save the external BlockLists.
	- added new LOLBins: bitsadmin.exe (blocked via Exploit Protection), calc, certoc, certreq, cmd, desktopimgdownldr, dllhost, ExtExport, findstr, ieexec (new path), notepad, pktmon, Register-cimprovider, verclsid, wsl, wuauclt.exe, xwizard.

Thanks as always. Cheers!

 

[ForgottenSeer 95367]

Easy & untroublesome

 

[Andy Ful]

Easy & untroublesome

Only for some people (like my wife).
Such a setup requires manual software updates, except for Microsoft Store apps and applications which can auto-update via scheduled tasks with admin rights (like Edge, Chrome, etc.).
When using Paranoid Extensions, some popular file types are blocked (like Excel documents). So probably, some file extensions will require adjustments via <Designated File Types>.
The <Validate Admin C.S.> is ON, so there can be some problems with installing/updating the unsigned applications.


So the usability of this setup will depend much on the installed software. After some adjustments, it can work well on semi-locked systems.

 

[ForgottenSeer 95367]

Such a setup requires manual software updates

Update file paths are whitelisted, so no need to for me to manually update applications.

When using Paranoid Extensions, some popular file types are blocked (like Excel documents).

Just create an allow file path for *.xls; can run Excel only at this file path. Alternate, safer practice is to run Excel online.

The <Validate Admin C.S.> is ON, so there can be some problems with installing/updating the unsigned applications.

Turn off <Validate Admin C.S.> temporarily and install. Updates are infrequent so no problem for user.

ezpz_

Thank you.

 

[Andy Ful]

Update file paths are whitelisted, so no need to for me to manually update applications.

Most software updates use %LocalAppdata%\Temp . Did you whitelist it?

 

[ForgottenSeer 95367]

Most software updates use %LocalAppdata%\Temp . Did you whitelist it?

Do not whitelist %LocalAppdata%\Temp.

Only allow known good update and application processes to run from there. Manual application updates are not required.


So simple.

 

[Andy Ful]

Do not whitelist %LocalAppdata%\Temp.

Only allow known good update and application processes to run from there. Manual application updates are not required.

View attachment 267997
So simple.

Your whitelist includes several paths in UserSpace. These paths can cover the updating executables for applications. So, the auto-updates will probably start, but they usually create folders & files in the folder LocalAppdata%\Temp, and next try to run some executables from there. Most of them will be blocked with your setup. Anyway, you are not a newbie, so you will find a solution.

 

[ForgottenSeer 95367]

Your whitelist includes several paths in UserSpace. These paths can cover the updating executables for applications. So, the auto-updates will probably start, but they usually create folders & files in the folder LocalAppdata%\Temp, and next try to run some executables from there. Most of them will be blocked with your setup. Anyway, you are not a newbie, so you will find a solution.

All my known good applications and their updates work perfectly via configuration of H_C at maximum possible protection settings. Thank you.

 

[Andy Ful]

View attachment 267997

The software updates work for you because your applications update via the Inno Setup installer. It uses the folder pattern ...\Temp\is-*.tmp\ which is whitelisted in your setup. Generally, your setup is powerful. Although some malware and adware can use Inno Setup too, such malicious installers will be prevented by the H_C Forced SmartScreen. Even if something is exploited, the malware after exploiting rarely uses the Inno Setup installer.

 

[ForgottenSeer 95367]

The software updates work for you because your applications update via the Inno Setup installer.

The Inno Setup is used to update VS Code IIRC. The other programs running and updating from AppData require their own specific allow rules. Creating the allow exception rules is easy.

 

[pxxb1]

@Andy Ful
Hi Andy
Would it be possible to build in a translation tool in this product, or maybe all of them? Not for the sake of sending them to you for implementation but for the users own sake. A handy tool for user convenience, for thoose who wish to have it in their own language. One could translate it to ones own language and keep it, so to speak.

So for you it would a one time thing to do.

 

[Andy Ful]

Not for H_C. It would be possible for ConfigureDefender, SWH, and other tools. But, this would also require translating the manual and help files (included in PDF documents).

 

[pxxb1]

Not for H_C. It would be possible for ConfigureDefender, SWH, and other tools. But, this would also require translating the manual and help files (included in PDF documents).

As i said, the user translates whatever he wishes! The possibilty is there, that is it, and one does what, and how much one wants in the installed program.
Sordum has that for their programs, a basic simple tool. If i want to do just a bit, fine, if i want to do all and send it to them, that is also possible. A helpful tool for the individual user to use, if, he so wishes, and based on personal responsibility.

 

[ItsReallyMe]

What is validate admin C.S. and what it does?

 

[Andy Ful]

What is validate admin C.S. and what it does?

Did you read the help for this option? (press <help> button near the option).

 

[eonline]

Hi, wouldn't it be a good idea to block exe's and derivatives from running in powershell or cmd?

Edit: Or at least have that option for those who want to activate it.