Hard_Configurator - Windows Hardening Configurator
<blockquote data-quote="Andy Ful" data-source="post: 943609" data-attributes="member: 32260"><p><strong>ENFORCEMENT FOR "ALL USERS" (experimental feature) - it will be introduced in the new H_C beta version.</strong></p><p><strong></strong></p><p><strong><span style="color: rgb(184, 49, 47)">This enforcement can cause problems because it can have an impact on Windows administrative processes.</span></strong></p><p><strong></strong></p><p><strong>The enforcement for "All users" means that also users from the Administrator group (using high privileges) will be prevented from bypassing SRP restrictions. </strong>Normally, the Hard_Configurator settings allow the users from the Administrator group to bypass SRP to avoid problems with blocking administrative tasks in UserSpace.</p><p></p><p>The enforcement for "All users" is sometimes used in Enterprises to prevent the malware introduced by elevated processes. For example, this can happen via exploit with privilege escalation or a worm spreading in the local network with high privileges.</p><p></p><p>In the Home environment, such vectors of attack are usually negligible. Furthermore, one can use the Standard User Account (SUA) to prevent privilege escalation. This is usually a more comprehensive solution as compared to enforcement for <strong>"</strong>All users<strong>"</strong>.</p><p></p><p>This enforcement is not fully compatible with Strict_Recommended_Settings on Windows 8, 8.1, 10 or Recommended_Settings on Windows 7 (Vista). These setting profiles block execution in the whole UserSpace, so some actions related to software installation or Administrative tasks with high privileges can be blocked in ProgramData or User AppData folders. For example, the Windows built-in <strong>Disk Cleanup tool</strong> (cleanmgr.exe) will not work properly to clean system files - it uses dismhost.exe, which will be blocked in the Appdata\Local\Temp folder. 
Similar problems can happen sometimes for other Administrative tasks, depending on users' settings and installed software.</p><p></p><p><strong>In the Home environment on Admin account</strong>, the expert users can apply the enforcement for <strong>"</strong>All users<strong>"</strong> (including Administrators) in some situations:</p><p>1. Extreme hardening (computer LockDown).</p><p>2. Support for older Windows versions.</p><p>3. Support for the H_C default-allow setup with some blocked Sponsors (LOLBins).</p><p></p><p><span style="color: rgb(0, 168, 133)"><strong>When using SUA, the enforcement for "All users" is not necessary (even for points 1, 2, and 3).</strong></span></p><p></p><p></p><p><strong>How to apply the enforcement for "All users".</strong></p><p></p><p>It can be applied by running Hard_Configurator (SwitchDefaultDeny) with the switch -p, for example:</p><p><strong>Hard_Configurator(x64).exe -p</strong></p><p>When using Hard_Configurator with -p switch it is necessary to also run SwitchDefaultDeny with this switch. 
The most convenient way is to edit the commands in the shortcuts by adding -p switch.</p><p><strong>When executing Hard_Configurator (SwitchDefaultDeny) without this switch, the default enforcement "All users except local Administrators" will be configured (Windows restart is required).</strong></p><p></p><p>The enforcement for "All users" can be used with SRP default-allow setup or with some default-deny setting profiles, like:</p><p><strong><span style="color: rgb(0, 168, 133)">Basic_Recommended_Settings,</span></strong></p><p><span style="color: rgb(0, 168, 133)"><strong>Recommended_Settings </strong>(on Windows 8, 8.1, 10) </span></p><p><span style="color: rgb(0, 168, 133)"><strong>MT_Windows_Security_hardening, </strong></span></p><p><strong><span style="color: rgb(0, 168, 133)">Avast_Hardened_Mode_Aggressive.</span></strong></p><p></p><p>When applying these setting profiles, the "Install By SmartScreen" ("Run By SmartScreen") can be used in most cases to install applications without switching OFF the SRP protection.</p><p><strong><span style="color: rgb(184, 49, 47)">It is not recommended to apply enforcement for "All users" when using other setting profiles or custom settings</span></strong><span style="color: rgb(184, 49, 47)">.</span> The common issue will be related to the <strong>"Install By SmartScreen"</strong> feature, which cannot work properly with default-deny setup, when &lt;Update Mode&gt; = OFF. Furthermore, due to blocking processes with high privileges, SRP restrictions cannot be bypassed in UserSpace when using the system <strong>"Run as administrator" </strong>feature.</p></blockquote><p></p>
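A read-only way to confirm which enforcement is active, as an added example that is not part of the quoted post and not Hard_Configurator code. It assumes Hard_Configurator writes the standard Windows SRP machine policy, whose PolicyScope and DefaultLevel values live under the registry key shown; the post itself names no registry values, and the function name Get-SrpEnforcement is hypothetical.

```powershell
# Added example (not Hard_Configurator code): read-only check of SRP enforcement.
# Assumption: H_C writes the standard Windows SRP machine policy under this key.
$SrpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Get-SrpEnforcement {
    param([string]$Path = $SrpKey)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{
            Configured = $false; Scope = 'n/a'; DefaultLevel = 'n/a'
            Note = 'No SRP machine policy key found.'
        }
    }
    $props = (Get-ItemProperty -LiteralPath $Path).PSObject.Properties

    # PolicyScope: 0 = all users, 1 = all users except local Administrators.
    $scopeRaw = $null
    if ($props['PolicyScope']) { $scopeRaw = [int]$props['PolicyScope'].Value }
    if ($scopeRaw -eq 0)     { $scope = 'All users' }
    elseif ($scopeRaw -eq 1) { $scope = 'All users except local Administrators' }
    else                     { $scope = 'Not set or unrecognized' }

    # DefaultLevel: 0 = Disallowed (default-deny), 0x40000 = Unrestricted (default-allow).
    $levelRaw = $null
    if ($props['DefaultLevel']) { $levelRaw = [int]$props['DefaultLevel'].Value }
    if ($levelRaw -eq 0)           { $level = 'Disallowed (default-deny)' }
    elseif ($levelRaw -eq 0x40000) { $level = 'Unrestricted (default-allow)' }
    else                           { $level = 'Not set or other level' }

    # The combination the post warns about: default-deny that also binds elevated
    # processes, so admin tasks launched from UserSpace can be blocked
    # (the post's example: dismhost.exe in AppData\Local\Temp, used by cleanmgr.exe).
    $note = 'No conflict flagged.'
    if ($scopeRaw -eq 0 -and $levelRaw -eq 0) {
        $note = 'Default-deny applies to Administrators too; elevated tasks running from UserSpace may be blocked.'
    }

    [pscustomobject]@{
        Configured = $true; Scope = $scope; DefaultLevel = $level; Note = $note
    }
}

Get-SrpEnforcement | Format-List
```

Run it after the Windows restart the post mentions; it only reads the registry and changes nothing.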