Software
Hard_Configurator (get it on GitHub https://github.com/AndyFul/Hard_Configurator)
Installation
5.00 star(s)
Installation Feedback
1. Save the attached Windows_Security_hardening.TXT file and rename it Windows_Security_hardening.HDC
2. Install Hard_Configurator
3. Click the LOAD PROFILE button and navigate to the Windows10_Harden.HDC file and select
4. Click Apply Changes
5. Click ConfigureDefender button (Configure Defender tool will pop up)
6. Click the button Defender High Settings and click REFRESH button
7. Close Configure defender and Close Hard Configurator
Interface (UI)
4.00 star(s)
Interface Feedback
Color scheme of the buttons is .... well ....colorful like Andy Ful
Usability
5.00 star(s)
Usability Feedback
SRP only on shady formats, not the normal Executable formats, so you can run and install programs just like you used to do
Performance and System Impact
5.00 star(s)
Performance and System Impact Feedback
Look at the specs of my ASUS Transformer, they are humble.
Protection
5.00 star(s)
Protection Feedback
Windows Defender in default settings scored a 100% protection at AV-Comparatives in latest Real-World Protection tests (https://www.av-comparatives.org/tests/real-world-protection-test-february-march-2019-factsheet/) and a 6 out of 6 score in latest AV-TEST (https://www.av-test.org/en/antivirus/home-windows/windows-10/february-2019/microsoft-windows-defender-4.18-190516/), so how well will this hardened setup with highest protection perform? My bet: better than any top tier Antivirus solutions!
Pros
It's a free software
Low impact on system resources
Easy to use
Simple and non-intrusive
Strong and reliable protection
Blocks even brand new malware
Excellent scores in independent tests
Features you can't get elsewhere for free
Multiple layers of protection
Cons
Clumsy or awkward interface (UI)
Software installed on computer
More than 1 year
Computer Specifications
Asus Transformer with Intel Atom Z3740 @ 1,33 Ghz 2 GB RAM memory, 32 GB SSD and 64 GB SD-card
Recommended for
All types of users
Device is shared by family members
Banking or other financial activity
Low specs device
Overall Rating
5.00 star(s)


camo7782

Thanks for a nice review.:giggle:
Although I have to add some corrections.

[...]

The closest to @Windows_Security proposition with allowed EXE files, would be the profile in attachment, which I named: Windows_Security_hardening.hdc.txt (download - delete .txt - load to H_C - enjoy).:giggle:
The attachment is identical to the one in the first post from @Windows_Security. Was it updated? I do not see any difference.
 

Windows_Security

I used the same settings which I figured out when Vista was introduced. @Andy Ful was so nice to develop a program with a GUI so people did not have to hack the registry. This made the free Windows OS security features accessible to many more security enthusiasts. This knowledge rewards him the master title san.

Andy-San also researched and updated the software policies for all/current Windows OS versions AND added Windows Defender and Rich Document (containing scripts/macros) protection (and Windows Firewall to follow). These enduring efforts granted him the other master title Sensei.

Obviously I copied the corrections of Andy Sensei San in my post. :)
 

Andy Ful

You must have Samurai roots for sure. :giggle:
I like sensei:

Andy Ful

Here is a simple method to use H_C with UAC setting 'Only elevate executables that are signed and validated'.
Normally with this setting, the user cannot run H_C executable because it is not digitally signed and will be blocked while trying to elevate.
But, it can be done by running first the elevated command prompt with a command line to start H_C. Simply create the shortcut on the Desktop with the below command line:

For Windows 64-bit:
Code:
C:\Windows\System32\cmd.exe /c start c:\Windows\Hard_Configurator\Hard_Configurator(x64).exe
For Windows 32-bit:
Code:
C:\Windows\System32\cmd.exe /c start c:\Windows\Hard_Configurator\Hard_Configurator(x86).exe
Now the shortcut should be executed by using the usual "Run as administrator" option from the Explorer context menu, and this will also run H_C.:giggle: (y)

Please note, that Windows_Security profile is for the Admin account, and Standard User Account is additionally restricted to disable elevation of all user programs, so command prompt will not be allowed to elevate (and H_C will not be executed anyway).
If someone wants to use these shortcuts on SUA, then the below option must be set:
<More ...> <Disable Elevation on SUA> = OFF
 

shmu26

Thanks for the great idea!
 

Andy Ful

Wait a minute... if I enable 'Only elevate executables that are signed and validated' then I can't right-click a file and use Run As Smartscreen, correct?
Okay, my bad. I tried it on a file that is not signed. It still seems to work on signed files.
Yes, when using the H_C Recommended settings, you can run only signed executables in this way (via Run As SmartScreen from the Explorer context menu). That is why the UAC setting 'Only elevate executables that are signed and validated' was not implemented in H_C. This would block the execution of unsigned application installers, which is unnecessary because they are elevated only after the SmartScreen check. I do not think this UAC setting is useful with H_C Recommended settings.

With the H_C Windows_Security profile, you can additionally run unsigned executables if they do not need to elevate. This profile does not require whitelisting applications in UserSpace, so it is easier to manage.
It is worth remembering that the UAC setting 'Only elevate executables that are signed and validated' will block application updates if the updater is not digitally signed and requires admin rights.
 

shmu26

I do not think this UAC setting is useful with H_C Recommended settings.
Yeah, I see what you mean. It is not an absolute block (it can be easily bypassed by elevated command prompt), and we have Run As SmartScreen, which is pretty reliable for unsigned files, so this UAC setting is probably more trouble than it's worth, with H_C Recommended settings.
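
An audit sketch for the UAC setting discussed in this thread, as an added example that is not part of any post and not Hard_Configurator's own code: it reads the UAC policy values and reports which executables would fail the signed-only elevation check. The function names are hypothetical, and it assumes that H_C's <Disable Elevation on SUA> option corresponds to the Windows policy value ConsentPromptBehaviorUser = 0; the file paths are the ones given in the posts above.

```powershell
# Added example: audit the UAC elevation policy and check file signatures.
# Run from a PowerShell prompt; reading these values needs no elevation.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacElevationPolicy {
    # A missing value compares as $null, so an unset policy reports $false.
    $p = Get-ItemProperty -Path $PolicyKey
    [pscustomobject]@{
        UacEnabled          = ($p.EnableLUA -eq 1)
        # 1 = 'Only elevate executables that are signed and validated'
        SignedOnlyElevation = ($p.ValidateAdminCodeSignatures -eq 1)
        # 0 = 'Automatically deny elevation requests' for standard users
        # (assumed to be what <Disable Elevation on SUA> = ON sets)
        SuaElevationDenied  = ($p.ConsentPromptBehaviorUser -eq 0)
    }
}

function Test-DirectElevation {
    param([Parameter(Mandatory)][string]$Path)

    $policy = Get-UacElevationPolicy
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path

    # A 'Valid' Authenticode status is treated here as the minimum needed to
    # pass the signed-only check; Windows may apply further trust checks.
    $validSignature = ($sig.Status -eq 'Valid')

    [pscustomobject]@{
        Path                      = $Path
        SignatureStatus           = $sig.Status
        Signer                    = $sig.SignerCertificate.Subject
        BlockedBySignedOnlyPolicy = ($policy.SignedOnlyElevation -and -not $validSignature)
    }
}

# Paths taken from the posts above; files that are not present are skipped.
$targets = @(
    'C:\Windows\Hard_Configurator\Hard_Configurator(x64).exe',
    'C:\Windows\Hard_Configurator\Hard_Configurator(x86).exe',
    'C:\Windows\System32\cmd.exe'
)

Get-UacElevationPolicy | Format-List
$targets |
    Where-Object { Test-Path -LiteralPath $_ } |
    ForEach-Object { Test-DirectElevation -Path $_ } |
    Format-List
```

The report covers direct elevation of each file only; as the posts above note, a program started from an already elevated command prompt is not subject to this check.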