Software
Hard_Configurator (get it on GitHub https://github.com/AndyFul/Hard_Configurator)
Installation
5.00 star(s)
Installation Feedback
1. Save the attached Windows_Security_hardening.TXT file and rename it Windows_Security_hardening.HDC
2. Install Hard_Configurator
3. Click the LOAD PROFILE button and navigate to the Windows10_Harden.HDC file and select
4. Click Apply Changes
5. Click ConfigureDefender button (Configure Defender tool will pop up)
6. Click the button Defender High Settings and click REFRESH button
7. Close Configure defender and Close Hard Configurator
Interface (UI)
4.00 star(s)
Interface Feedback
Color scheme of the buttons is .... well ....colorful like Andy Ful
Usability
5.00 star(s)
Usability Feedback
SRP only on shady formats, not the normal Executable formats, so you can run and install programs just like you used to do
Performance and System Impact
5.00 star(s)
Performance and System Impact Feedback
Look at the specs of my ASUS Transformer, they are humble.
Protection
5.00 star(s)
Protection Feedback
Windows Defender in default settings scored a 100% protection at AV-Comparatives in latest Real-World Protection tests (https://www.av-comparatives.org/tests/real-world-protection-test-february-march-2019-factsheet/) and a 6 out of 6 score in latest AV-TEST (https://www.av-test.org/en/antivirus/home-windows/windows-10/february-2019/microsoft-windows-defender-4.18-190516/), so how well will this hardened setup with highest protection perform? My bet: better than any top tier Antivirus solutions!
Pros
It's a free software
Low impact on system resources
Easy to use
Simple and non-intrusive
Strong and reliable protection
Blocks even brand new malware
Excellent scores in independent tests
Features you can't get elsewhere for free
Multiple layers of protection
Cons
Clumsy or awkward interface (UI)
Software installed on computer
More than 1 year
Computer Specifications
Asus Transformer with Intel Atom Z3740 @ 1.33 GHz, 2 GB RAM, 32 GB SSD and 64 GB SD card
Recommended for
All types of users
Device is shared by family members
Banking or other financial activity
Low specs device
Overall Rating
5.00 star(s)

oldschool

Level 32
Verified
I do not think this UAC setting is useful with H_C Recommended settings.
This profile does not require whitelisting applications in UserSpace, so it is easier to manage.
It is worth remembering that the UAC setting 'Only elevate executables that are signed and validated' will block application updates if the updater is not digitally signed and requires admin rights.
This for me would be a PITA. Your "Recommended" settings are more restrictive when using some W10 features from SUA, e.g Control Panel, but are simply easier overall.
 

Andy Ful

Level 45
Verified
Trusted
Content Creator
This for me would be a PITA. Your "Recommended" settings are more restrictive when using some W10 features from SUA, e.g Control Panel, but are simply easier overall.
With H_C Windows_Security profile + UAC setting 'Only elevate executables that are signed and validated', the user on admin account can install/run/update applications as usual if the applications are:
  • digitally signed;
  • unsigned but do not require elevation.
Furthermore, "Run By SmartScreen" from the Explorer context menu can be used to safely open/play/execute files which do not require elevation or signed files which require elevation.
Except for EXE files, this profile uses similar settings as H_C Recommended profile (default deny).

The only problem can occur with installing/running/updating unsigned applications which require elevation. They will be blocked even when whitelisted in SRP.

Edit.
MSI installers usually require elevation, so can be run (if digitally signed) by using "Run as administrator" from Explorer context menu.
 

Andy Ful

Level 45
Verified
Trusted
Content Creator
Andy

First, thanks for the workaround. Second; why not start a crowdfunding initiative, to get H_C signed?

I will participate with 10 euros
I am still thinking.
I did not take money from other people in my life.

Edit.
H_C project uses many executables made by me (16 for now). I am not sure how much money will be required for signing all these executables.
There is also another problem. H_C is not intended for organizations and enterprises, and I do not want to make it paid. So, the two main reasons for signing the application are out.
 

Andy Ful

Level 45
Verified
Trusted
Content Creator
we

you could ask, IMO security software should be signed, for average users it is a sign of trust.
Although H_C will not be installed by average users, you are probably right that many users would trust a signed application more. That is why I am still thinking ...
H_C is a default-deny configurator, so it will never be popular among average users. I made it a few years ago to show the idea of joining SRP with forced SmartScreen which can safely bypass SRP restrictions. I have never thought to make it popular.
I think that even a better idea would be signing ConfigureDefender.
 

Andy Ful

Level 45
Verified
Trusted
Content Creator
There is only one open question. H_C (and ConfigureDefender) enables in Windows Home some features which were intentionally hidden by Microsoft in Windows Home. Also, the forced SmartScreen has some impact on SmartScreen reputation servers. I am not sure if Microsoft will like the signing idea.
 

shmu26

Level 82
Verified
Trusted
Content Creator
I think that even a better idea would be signing ConfigureDefender.
So try first with ConfigureDefender. It is easy enough and needed enough to become relatively popular, and it would be entirely acceptable according to Internet ethics to discreetly ask for a modest donation, to defray the costs of signing and website maintenance.
Like @Windows_Security said, if you never try, you will never know.
 

Andy Ful

Level 45
Verified
Trusted
Content Creator
Hello, I'm currently using these security settings. A question: are the profile settings you attached in this topic Default Deny? Sorry if the question has already been answered, but I'm a newbie! Thank you very much. Best regards.
If you use Windows_Security profile, then it is not typical Default Deny, but SRP with allowed EXE files + Windows Hardening.
 

Windows_Security

Level 23
Verified
Trusted
Content Creator
The Software Restriction Policy blocks all sorts of risky file extensions from executing but allows executable programs to run. That is where Windows Defender in highest settings comes in: WD will block known malware, but also unknown programs. Only programs seen by Microsoft earlier and classified as goodware are allowed.

 

Windows_Security

Level 23
Verified
Trusted
Content Creator
If you use Windows_Security profile, then it is not typical Default Deny, but SRP with allowed EXE files + Windows Hardening.
Just a short addition to prevent confusion

  1. My Windows_Security profile on MalwareTips
    This is the security setting I use personally on my own PC. This is a default deny policy. In the past I used to promote this as Windows_Security because I only used Windows internal mechanisms (through GPO, ACL and registry tweaks). Because it is so much easier to use H_C, I don't bother to set this manually anymore.

  2. The Windows_Security profile in Hard_Configurator
    This is the setup I use for family members (since 2007). It originally was a basic user setup with a 'hole' in it. It allows the most common executables used to install and update software, so it ALLOWS the file extensions EXE, MSI, MSU and TMP. Combined with Avast (in aggressive mode), Comodo Cloud (blocking untrusted) or Windows Defender (in HIGHEST mode) it is a perfect way to protect security-unaware average home users because it uses the extensive cloud whitelist of the antivirus***.

    Andy added some improvements in the setup, so it is possible to use a default deny default level without the usability drawbacks of the default deny. Again I don't bother to painfully implement all those tweaks by hand, but simply use H_C. Because WD can be strengthened using ConfigureDefender from H_C and WD has become a tier-1 antivirus and I like to use Windows built-in features, WD is now my choice of AV to accompany this H_C setup.

    In 12 years' time, I had zero assistance calls and zero infections using the H_C Windows_Security profile for family members with either AVAST (aggressive), Comodo Cloud (block untrusted) or Windows_Defender (highest). The only manual registry tweak I always added was UAC to deny elevation of unsigned. With H_C and D_C becoming signed in the future, I hope this tweak will also become available within H_C.

    *** just look up the video Cruel Sister did on Avast in Aggressive mode. It scored a 100% against plain executables, but CC knew to evade this using trickier executable file formats. This is where the hardening of this H_C profile will help protect you against sneaky/hidden code in other file formats.
 
Last edited:
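
The UAC policy discussed in this thread, 'Only elevate executables that are signed and validated', is stored as the ValidateAdminCodeSignatures value under the Policies\System registry key. The PowerShell below is an added example, not code from the thread or from Hard_Configurator: it reads that value and pre-checks installers with Get-AuthenticodeSignature, which only approximates the validation UAC performs. The function names and the Downloads folder are assumptions.

```powershell
# Added example (not part of Hard_Configurator). Run from an elevated prompt to enable the policy.
$PolicyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$PolicyName = 'ValidateAdminCodeSignatures'   # 1 = only elevate signed and validated executables

function Get-UacSignedElevationPolicy {
    # Returns $true when the policy is enabled, $false when it is 0 or not set.
    $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$PolicyName -eq 1)
}

function Enable-UacSignedElevationPolicy {
    # The manual registry tweak: deny elevation of unsigned executables.
    Set-ItemProperty -Path $PolicyKey -Name $PolicyName -Value 1 -Type DWord
}

function Test-ElevationCandidate {
    # Predicts the three cases from the thread for one file (hypothetical helper).
    param([Parameter(Mandatory)][string]$Path)
    $sig      = Get-AuthenticodeSignature -LiteralPath $Path
    $signedOk = ($sig.Status -eq 'Valid')     # approximation of "signed and validated"
    $signer   = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    if (-not (Get-UacSignedElevationPolicy)) {
        $outcome = 'Policy off: normal UAC prompt'
    } elseif ($signedOk) {
        $outcome = 'Signed: elevation allowed'
    } else {
        $outcome = 'Unsigned or invalid: runs only if no elevation is needed'
    }

    [pscustomobject]@{
        File    = Split-Path -Leaf $Path
        Status  = $sig.Status
        Signer  = $signer
        Outcome = $outcome
    }
}

# Assumed location of downloaded installers; change to the folder you want to audit.
Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Include *.exe, *.msi -File -Recurse |
    ForEach-Object { Test-ElevationCandidate -Path $_.FullName } |
    Format-Table -AutoSize -Wrap
```

Files reported as unsigned are the ones that will fail to install or update when they request admin rights, even if whitelisted in SRP.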