Hard_Configurator - Windows Hardening Configurator

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591
Hi, wouldn't it be a good idea to block exe's and derivatives from running in powershell or cmd?

Edit: Or at least have that option for those who want to activate it.
It is only possible to block CMD or PowerShell, so they cannot be used to run anything.

eonline
Then you could, if you think it necessary, put an option to block powershell and cmd then. Thank you very much.

eonline
It's not so blocked after all. Another question: can you make an option, if you don't have one, that prevents the execution of cscript.exe, runas.exe and derivatives that sometimes execute malicious things? Thank you very much.

Andy Ful
It's not so blocked after all. Another question: can you make an option, if you don't have one, that prevents the execution of cscript.exe, runas.exe and derivatives that sometimes execute malicious things? Thank you very much.

Please read the help for <Block Sponsors> to understand what happened. :)
If you want to use SRP to block programs with Admin rights then you should read the section "Enforcement for ‘All users’ (experimental feature)" in the H_C manual.

Andy Ful
One of the H_C testers reported that SRP does not work properly on the current builds of Windows 11 22H2 (Windows Insider). I confirmed this issue and reported it to Microsoft. I suspect that this issue can be caused by Smart App Control which is in the early stage and can cause conflicts.
ForgottenSeer 95367

Smart App Control which is in the early stage and can cause conflicts.
While Windows Defender Application Control (WDAC) development appears to have stalled. Microsoft was talking about WDAC a lot years ago, but now it rarely mentions it. New release notes pertaining to WDAC are non-existent now. Defensive PowerShell pros at GIAC\SANS say WDAC is a dead horse and have removed it from their course materials (WDAC was removed 5 years ago; SANS stopped teaching it).

Andy Ful
While Windows Defender Application Control (WDAC) development appears to have stalled. Microsoft was talking about WDAC a lot years ago, but now it rarely mentions it. New release notes pertaining to WDAC are non-existent now. Defensive PowerShell pros at GIAC\SANS say WDAC is a dead horse and have removed it from their course materials (WDAC was removed 5 years ago; SANS stopped teaching it).
MDAC (WDAC) is hidden in Smart App Control. I noticed a few MDAC policies added and they seem to use new undocumented features. The MDAC policies are not easy to manage for Administrators and have not achieved popularity, so far.
ForgottenSeer 95367

MDAC (WDAC) is hidden in Smart App Control. I noticed a few MDAC policies added and they seem to use new undocumented features. The MDAC policies are not easy to manage for Administrators and have not achieved popularity, so far.
All evidence points to MDAC (WDAC) being dead as far as future development. SANS professionals have very close working relationships with Microsoft and if they decided to stop teaching WDAC, it must be a dead horse.

WhiteMouse
All evidence points to MDAC (WDAC) being dead as far as future development. SANS professionals have very close working relationships with Microsoft and if they decided to stop teaching WDAC, it must be a dead horse.
I haven't heard anything about this. I'm currently using MDAC to protect my PC; too bad if Microsoft is going to stop developing this feature without anything to replace it.

ForgottenSeer 95367

I haven't heard anything about this. I'm currently using MDAC to protect my PC; too bad if Microsoft is going to stop developing this feature without anything to replace it.
Microsoft more often than not slows or ceases development and then makes no comment. For example, does anyone remember PowerShell Desired State Configuration (DSC)? For a couple of years Microsoft promoted it hard. Then after a few years Microsoft just stopped talking about DSC. Now DSC resides in the realm of projects Microsoft started, but has not finished. Oh, Microsoft has online documentation for DSC, and it lists that it is "still in development," but when you start to dig around and ask Microsoft questions about the current state of DSC and its future there is nothing but silence. This sort of behavior from Microsoft has been a part of all things PowerShell since 1.0, and it is not just limited to PoSh. The same Microsoft behavior applies to AppLocker, SRP, MDAC (WDAC), and others. Lots of things Microsoft brings to market ultimately just "fade away." AppLocker is a good example. Microsoft still ships it with Windows images, but there is no work being done on AppLocker.

MS works on these kinds of features in small teams. Sometimes key personnel will leave Microsoft and then the project will stagnate for a long time - sometimes years. Other times, these small teams do not coordinate among themselves very well. The result is very slow progress. It is a good bet that the slow progress of WDAC is due to such internal issues or logistics.

You can search for MDAC release notes, but you will not find much of anything (that is significant) within the past 5 years. Microsoft certainly has not made WDAC a top priority to refine in order to make it a serious, user-friendly, practical replacement for SRP, AppLocker, Configurable Code Integrity (CCI - the forerunner of WDAC), and so on.

If the good folks at SANS have dropped teaching MDAC (WDAC), it is a pretty good indication that it is a stagnant Windows feature. They have deep contacts within Microsoft and are in a position to know. I asked Jason Flossen at SANS why he no longer taught WDAC, and his reply was basically "WDAC is a dead duck."

ForgottenSeer 77194

Feature Request: Add more hardening policies options similar to Syshardener.

For example, LSA Protection is an important one.

Andy Ful
Feature Request: Add more hardening policies options similar to Syshardener.
For example, LSA Protection is an important one.
All required and useful restrictions are already added. The H_C is very different from Syshardener and far more restrictive. So, the options that can improve the Syshardener security are not required in the H_C.
Enabling LSA protection is not needed in the home environment, especially with H_C settings. Protecting LSA is required to prevent lateral movement in the enterprise environment. Anyway, if one wants to harden LSA, it is possible via ConfigureDefender, which is integrated with H_C.
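Two settings in this thread are worth checking rather than assuming: the SRP enforcement scope Andy points to in the H_C manual ("Enforcement for 'All users'", which is what makes SRP apply to programs started with admin rights) and the LSA Protection setting discussed just above. The script below is an added, read-only example and is not Hard_Configurator or ConfigureDefender code; it reads the standard Windows registry locations for SRP (the `Safer\CodeIdentifiers` policy key) and for LSA Protection (`RunAsPPL`, plus the `AuditLevel` audit-mode value under the LSASS.exe IFEO key) and queries the CodeIntegrity operational log. The function names are my own, and the script assumes an elevated PowerShell prompt on Windows 10/11.

```powershell
# Added example: read-only posture check for SRP enforcement scope and LSA Protection.
# Not Hard_Configurator or ConfigureDefender code; it only reads standard Windows
# registry locations and the CodeIntegrity event log. Run from an elevated prompt.

function Get-SrpStatus {
    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    $p = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    if (-not $p) { return [pscustomobject]@{ Configured = $false } }

    # DefaultLevel: 0 = Disallowed, 0x20000 = Basic User, 0x40000 = Unrestricted
    $levels = @{ 0 = 'Disallowed'; 0x20000 = 'Basic User'; 0x40000 = 'Unrestricted' }
    $level = if ($null -eq $p.DefaultLevel) { 'not set' } else { $levels[[int]$p.DefaultLevel] }

    # PolicyScope: 0 = All users, 1 = All users except local administrators.
    # Only scope 0 restricts programs that run with admin rights.
    # TransparentEnabled: 0 = off, 1 = all software except libraries, 2 = all software files.
    [pscustomobject]@{
        Configured          = $true
        DefaultLevel        = $level
        AppliesToAdmins     = ($p.PolicyScope -eq 0)
        EnforcesLibraries   = ($p.TransparentEnabled -eq 2)
        DesignatedFileTypes = $p.ExecutableTypes   # REG_MULTI_SZ list of extensions SRP treats as executable
    }
}

function Get-LsaProtectionStatus {
    $lsa  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $ifeo = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe' -ErrorAction SilentlyContinue

    # RunAsPPL: 1 = enabled (UEFI-locked), 2 = enabled without UEFI lock (Windows 11).
    # AuditLevel = 8 under the LSASS.exe IFEO key enables audit mode: plug-ins that
    # LSA Protection would block are only logged (events 3065/3066), not blocked.
    [pscustomobject]@{
        RunAsPPL  = $lsa.RunAsPPL
        Enabled   = ($lsa.RunAsPPL -in 1, 2)
        AuditMode = ($ifeo.AuditLevel -eq 8)
    }
}

function Get-LsaAuditEvents {
    param([int]$MaxEvents = 20)
    # 3065/3066 in the CodeIntegrity log record LSASS plug-ins that failed the
    # shared-section or signing requirements. Review these before enforcing.
    $filter = @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3065, 3066 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Get-SrpStatus           | Format-List
Get-LsaProtectionStatus | Format-List
Get-LsaAuditEvents      | Format-Table -AutoSize
```

The audit-mode check is the practical caveat when following Andy's advice: LSA Protection refuses to load any LSASS plug-in that is not correctly signed, so a third-party credential provider or security product that hooks LSASS would show up as a 3065/3066 event first. Running in audit mode for a while and seeing an empty result from `Get-LsaAuditEvents` is the signal that enabling `RunAsPPL` will not break anything.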

simmerskool
Andy, asking this (& running and ducking for cover): now running win10, & win11 does not like my hardware. I did use H_C in the past, but stepped away from MT for several months++, and H_C is not installed or not running, as best I can tell; right now I am running Voodooshield. Trying to keep it simple on win10. Any point in running H_C with VS, or do they complement one another? I saw your posts re SAC for win11, and got the urge to ask. (PS I do not recall if I ran H_C & VS together in the past, my bad)

Andy Ful
Trying to keep it simple on win10. Any point in running H_C with VS, or do they complement one another?
Running them both is possible, but not recommended. Such a setup would be too complex. Some people use VS with Simple Windows Hardening. Anyway, I did not test VS for a long time, so I do not know if SWH is really needed. You can ask @danb. (y)

ForgottenSeer 77194

Andy, asking this (& running and ducking for cover): now running win10, & win11 does not like my hardware. I did use H_C in the past, but stepped away from MT for several months++, and H_C is not installed or not running, as best I can tell; right now I am running Voodooshield. Trying to keep it simple on win10. Any point in running H_C with VS, or do they complement one another? I saw your posts re SAC for win11, and got the urge to ask. (PS I do not recall if I ran H_C & VS together in the past, my bad)
Something you could do is use Voodooshield as the default deny module and use SWH for the hardening part (No SRP).

ForgottenSeer 95367

Do I understand correctly that installing the 22h2 update on win11 makes H_C obsolete? I am using the Avast_hardened_mode_aggressive profile that comes with the program...
On W11 22H2, the status of H_C is not yet clear; more testing and observations need to be done.