If you use SUA that was not a mistake. Although, restoring the system was unnecessary. See my edited post:
https://malwaretips.com/threads/usi...est-protection-on-windows10.92678/post-816173
will this disable also apps such as TeamViewer and AnyDesk?
Yes.
Same here with the app of Teamviewer from the Microsoft Store and remote access blocked.
I think that AnyDesk uses Remote Desktop but I test it and we will see.
I was wrong. AnyDesk installs its own version of Remote Desktop service named: 'AnyDesk Service'. So it should work with disabled Windows built-in remote features.
The attachment is identical to the one in the first post from @Windows_Security was it updated? I do not see any difference..Thanks for a nice review.
Although I have to add some corrections.
[...]
The closest to @Windows_Security proposition with allowed EXE files, would be the profile in attachment, which I named: Windows_Security_hardening.hdc.txt (download - delete .txt - load to H_C - enjoy).
You must have Samurai roots for sure.I used same settings which I figured out when Vista was introduced. @Andy Ful was so nice to develop a program with GUI so people did not have to hack the registry. These made the free Windows OS security features accessible to many more security enthousiast. This knowledge rewards him the master title san.
Andy-San also researched and updated the software policies for all/current Windows OS versions AND added Windows Defender and Rich Document (containing scripts/macros) protection (and Windows Firewall to follow). These enduring efforts granted him the other master title Sensei.
Obviously I copied the corrections of Andy Sensei San in my post.
C:\Windows\System32\cmd.exe /c start c:\Windows\Hard_Configurator\Hard_Configurator(x64).exeC:\Windows\System32\cmd.exe /c start c:\Windows\Hard_Configurator\Hard_Configurator(x86).exeThanks for the great idea!Here is a simple method to use H_C with UAC setting 'Only elevate executables that are signed and validated'.
Normally with this setting, the user cannot run H_C executable because it is not digitally signed and will be blocked while trying to elevate.
But, it can be done by running first the elevated command prompt with a command line to start H_C. Simply create the shortcut on the Desktop with the below command line:
For Windows 64-bit:
Code:C:\Windows\System32\cmd.exe /c start c:\Windows\Hard_Configurator\Hard_Configurator(x64).exe
For Windows 32-bit:
Code:C:\Windows\System32\cmd.exe /c start c:\Windows\Hard_Configurator\Hard_Configurator(x86).exe
Now the shortcut should be executed by using the usual "Run as administrator" option from the Explorer context menu, and this will also run H_C.
Please note, that Windows_Security profile is for the Admin account, and Standard User Account is additionally restricted to disable elevation of all user programs, so command prompt will not be allowed to elevate (and H_C will not be executed anyway).
If someone wants to use these shortcuts on SUA, then the below option must be set:
<More ...> <Disable Elevation on SUA> = OFF
C:\Windows\System32\cmd.exe /c start c:\Windows\Hard_Configurator\FirewallHardening(x64).exeYes, when using the H_C Recommended settings, you can run only signed executables in this way (via Run As SmartScreen from Explorer context menu). That is why the UAC setting 'Only elevate executables that are signed and validated', was not implemented in H_C. This would block the execution of unsigned application installers, which is unnecessary because they are elevated only after SmartScreen check. I do not think this UAC setting useful with H_C Recommended settings.
Yeah, I see what you mean. It is not an absolute block (it can be easily bypassed by elevated command prompt), and we have Run As SmartScreen, which is pretty reliable for unsigned files, so this UAC setting is probably more trouble than it's worth, with H_C Recommended settings.
