- Mar 29, 2018
- 7,600
This for me would be a PITA. Your "Recommended" settings are more restrictive when using some W10 features from SUA, e.g Control Panel, but are simply easier overall.
Using Hard_Configurator in HARDENEDmode with ConfigureDefender in HIGHEST protection on Windows10
- Thread starter Windows_Security
- Start date
This for me would be a PITA. Your "Recommended" settings are more restrictive when using some W10 features from SUA, e.g Control Panel, but are simply easier overall.
- Jul 3, 2015
- 8,153
If you can find the things you need in the new Settings app, it seems to be less restricted then when trying to do the same thing in Control panel.
- Dec 23, 2014
- 8,497
With H_C Windows_Security profile + UAC setting 'Only elevate executables that are signed and validated', the user on admin account can install/run/update applications as usual if the applications are:
- digitally signed;
- unsigned but do not require elevation.
Except for EXE files, this profile uses similar settings as H_C Recommended profile (default deny).
The only problem can occur with installing/running/updating unsigned applications which require elevation. They will be blocked even when whitelisted in SRP.
Edit.
MSI installers usually require elevation, so can be run (if digitally signed) by using "Run as administrator" from Explorer context menu.
Last edited:
Windows_Security
Level 24
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
- Mar 13, 2016
- 1,298
Andy
First, thanks for the work around. Second; why not start a crowd funding initiative, to get H_C signed?
I will participate with 10 euro's
First, thanks for the work around. Second; why not start a crowd funding initiative, to get H_C signed?
I will participate with 10 euro's
- Dec 23, 2014
- 8,497
I am still thinking.
I did not take money from other people in my life.
Edit.
H_C project uses many executables made by me (16 for now). I am not sure how much money will be required for signing all these executables.
There is also another problem. H_C is not intended for organizations and enterprises, and I do not want to make it paid. So, the two main reasons for signing the application are out.
Last edited:
Windows_Security
Level 24
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
- Mar 13, 2016
- 1,298
we
you could ask, IMO security software should be signed, for average users it is a sign of trust.I am still thinking.
- Dec 23, 2014
- 8,497
Although H_C will not be installed by average users, you are probably right, that many users would trust more the signed application. That is why I am still thinking ...
H_C is default-deny configurator, so it will never be popular among average users. I made it a few years ago to show the idea of joining SRP with forced SmartScreen which can safely bypass SRP restrictions. I have never thought to make it popular.
I think that even a better idea would be signing ConfigureDefender.
Last edited:
- Dec 23, 2014
- 8,497
There is only one open question. H_C (and ConfigureDefender) enables in Windows Home some features which were intentionally hidden by Microsoft in Windows Home. Also, the forced SmartScreen has some impact on SmartScreen reputation servers. I am not sure if Microsoft will like the signing idea.
Last edited:
Windows_Security
Level 24
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
- Mar 13, 2016
- 1,298
when you don't try you will never know.
- Jul 3, 2015
- 8,153
So try first with ConfigureDefender. It is easy enough and needed enough to become relatively popular, and it would be entirely acceptable according to Internet ethics to discreetly ask for a modest donation, to defray the costs of signing and website maintenance.
Like @Windows_Security said, if you never try, you will never know.
- Apr 24, 2016
- 7,235
I would donate, love @Andy Ful and his tools
- Dec 23, 2014
- 8,497
Thanks, guys.
I am often very cautious until I feel that I have to do the right thing.
So, I decided to sign ConfigureDefender with my own money for a year.
I am often very cautious until I feel that I have to do the right thing.
So, I decided to sign ConfigureDefender with my own money for a year.
- Jul 3, 2015
- 8,153
Will you accept partners in defraying the expense?Thanks, guys.
I am often very cautious until I feel that I have to do the right thing.
So, I decided to sign ConfigureDefender with my own money for a year.
- Dec 23, 2014
- 8,497
After paying for the first year, I plan to start a crowdfunding initiative. So, I will be grateful If you will support this project.
- Mar 29, 2018
- 7,600
After paying for the first year, I plan to start a crowdfunding initiative....
Excellent approach. I will also support it in my own small way.
- Nov 15, 2017
- 1,083
Hello, I'm currently using this security settings, a question is Defalut Deny the profile settings you attach in this topic? Sorry if the question has already been answered, but I'm a newbie! Thank you very much. Best regards.
- Dec 23, 2014
- 8,497
If you use Windows_Security profile, then it is not typical Default Deny, but SRP with allowed EXE files + Windows Hardening.
Windows_Security
Level 24
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
- Mar 13, 2016
- 1,298
The Software restriction Policy does block all sorts of risky file extensions to execute but allows executable programs to run. That is where Windows Defender in highest settings comes in, WD will block known malware, but also unknown programs. Only programs seen by Microsoft earlier and classified as good ware are allowed.
- May 26, 2014
- 1,130
I also will be glad to support your crowdfunding initiative when started,Excellent approach. I will also support it in my own small way.
Windows_Security
Level 24
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
- Mar 13, 2016
- 1,298
Just a short addition to prevent confusion
- My Windows_Security profile on MalwareTips
This is the security setting i use personally on my own PC. This is a default deny policy. In the past I used to promote this as Windows_Security because I only used Windows internal mechanisms (through GPO, ACL and registry tweaks). Because it is so much easier to use H_C, I don't bother to do set this manually anymore.
- The Windows_Security profile in Hard_Configurator
This is the setup I use for family members (since 2007). It originally was a basic user setup with a ' hole' in it. It allows the most common executables used to install and update software, so it ALLOWS the file exetensions EXE, MSI, MSU and TMP. Combined with Avast (in aggressive mode), Comodo Cloud (blocking untrusted) or Windows Defender (in HIGHEST mode) it is a perfect way to protect security unaware average home users because it uses the extensive cloud whitelist of the antivirus***.
Andy added some improvements, in the setup, so it is possible to use a default deny default level without the usability drawbacks of the default deny. Again I don't bother to painfully implement all those tweaks by hand, but simple use H_C. Because WD can be strengthened using ConfigureDefender from H_C and WD has become a tier-1 antivirus and I like to use Windows build in features, WD is now my choice of AV to accompany this H_C setup.
In 12 years time, I had zero assistance calls and zero infections using the H_C Windows_Security profile for family members with either AVAST (aggresive), Comodo Cloud (block untrusted) or Windows_Defender(highest). The only manual registry tweak I always added was UAC to deny elevation of unsigned. With H_C and D_C becoming signed in the furture, I hope this tweak will also become available withing H_C.
*** just lookup the video Cruel Sister did on Avast in Aggressive mode. It scored a 100% against plain executables, but CC knew to evade this using trickier executable file formats. This is where the hardening of this H_C profile will help protect you against sneaky/hidden code in other file formats.
Last edited:
Similar threads
