Using Hard_Configurator in HARDENEDmode with ConfigureDefender in HIGHEST protection on Windows10

[Andy Ful]

I prepared the profile "Windows_10_MT_Windows_Security_hardening.hdc" which uses the new option <Validate Admin Code Signatures>.

It can be used both on SUA or Admin account (no difference with restrictions). When loading the profile to H_C, the below info will be displayed:

************************************************************
Harden Windows 10 while maintaining maximum functionality and compatibility (proposed on MalwareTips forum by @Windows_Security).

Please note: this profile allows the user to run EXE files, except unsigned files which require Administrative rights. MSI installation packages are more restricted - they can be run only via the "Run as administrator" option in the Explorer context menu and only digitally signed packages will be allowed.

It is recommended to use this profile with ConfigureDefender High Protection Level and "Recommended H_C" firewall outbound block rules (see <FirewallHardening> option).

The profile works best when the user installs digitally signed applications (EXE / MSI), or unsigned EXE applications which do not require Administrative rights.

When the unsigned EXE file is blocked, then the Error message is displayed, which ends with:
"... A referral was returned from the server".
**************************************************************

Any suggestions to improve the above info text?

 

[Gandalf_The_Grey]

While loving and admiring all the hard work done by @Andy Ful and @Windows_Security to get a great native windows security configuration I get a bit confused with all the options and possibilities...
I maintain 5 computers, 1 for me and my wife, 2 for my kids, 1 for my mother in law and 1 for my mother.
What would be the strongest HC profile with the least support needed?
The one of the first post by @Windows_Security or the last one by @Andy Ful or just use the recommended settings of Hard_Configurator?

 

[oldschool]

While loving and admiring all the hard work done by @Andy Ful and @Windows_Security to get a great native windows security configuration I get a bit confused with all the options and possibilities...
I maintain 5 computers, 1 for me and my wife, 2 for my kids, 1 for my mother in law and 1 for my mother.
What would be the strongest HC profile with the least support needed?
The one of the first post by @Windows_Security or the last one by @Andy Ful or just use the recommended settings of Hard_Configurator?

If these computers use SUA then @Andy Ful's "Recommended" settings = True default-deny

@Windows_Security profile is for AA and is not default-deny. Discuss - Hard_Configurator - Windows Hardening Configurator Uses WD whitelist, etc.

 

[Gandalf_The_Grey]

If these computers use SUA then @Andy Ful's "Recommended" settings = True default-deny

@Windows_Security profile is for AA and is not default-deny. Discuss - Hard_Configurator - Windows Hardening Configurator Uses WD whitelist, etc.

They are all on AA, so then @Windows_Security profile should be better? I have now enabled it on my main laptop and will see how it works for me.

 

[Andy Ful]

While loving and admiring all the hard work done by @Andy Ful and @Windows_Security to get a great native windows security configuration I get a bit confused with all the options and possibilities...
I maintain 5 computers, 1 for me and my wife, 2 for my kids, 1 for my mother in law and 1 for my mother.
What would be the strongest HC profile with the least support needed?
The one of the first post by @Windows_Security or the last one by @Andy Ful or just use the recommended settings of Hard_Configurator?

There is no such thing as the strongest security setup with the least support needed. The stronger a setup, the more support will be needed.

Let's suppose that you live in the unsafe quarter. The H_C Recommended settings are like four locks in the hardened front door and the hidden camera connected with the base of known good people. This allows you to choose who can enter. Also, the windows are behind solid bars. This setup can give you very strong protection if you can live with it. It has a perfect balance between security and usability. You do not need more security, except when using the vulnerable system.

If you cannot live with it, because it requires too much fatigue, then you may try 'Allow EXE' setup, like that with Avast Hardened Aggressive mode or that proposed by @Windows_Security.
The 'Allow EXE' setup is also appropriate for semi-advanced users.
The Recommended setup is well suited to casual users who can be supported by advanced users.

SECURITY:
Recommended settings + WD HIGH ~ 'Allow EXE' + Avast Hardened Aggressive > Windows_Security + WD HIGH

USABILITY:
Windows_Security + WD HIGH > 'Allow EXE' + Avast Hardened Aggressive ~ Recommended settings + WD HIGH

 

[oldschool]

They are all on AA, so then @Windows_Security profile should be better? I have now enabled it on my main laptop and will see how it works for me.

Better? That requires a value judgement. Easier - for users of all levels. It's the config he uses for the family PCs, and he's never had to intervene or make housecalls!

 

[Gandalf_The_Grey]

Better? That requires a value judgement. Easier - for users of all levels. It's the config he uses for the family PCs, and he's never had to intervene or make housecalls!

It's also for my mother in law, so that sounds good to me

 

[Windows_Security]

@Gandalf_The_Grey

The most secure plus less maintenance would be Windows_Security profile for H_C and Configure defender set to MAX and protected folders enabled.

I always install Chrome (average users don't care about privacy, they don't mind providing personal data). On Chrome I install uBlock Origin and only enable Peter Low and MVPS Hosts plus add ONE My Filter rule (
HTTP://*^$third-party,~stylesheet,~image) besides uBlockOrigin I also add Bitdefender's Traffic Light extension because it does well in phishing protection also and people like to see a green okay mark (irrational and emotional benefit of BD TL).

In the Netherlands most people use Ziggo. Ziggo checks mail with F-protect (at least they did in 2016 when I talked to a technical support guy), so you don't need their rebranded F-protect antivirus for mail protection.

EDIT
Forget to mention that I also enable this chrome flag:#disallow-unsafe-http-downloads (to prevent shoot in the foot and drive-by downloads from HTTP:// websites) and block javascript (with an allow exception rule for HTTPS://*). Since all serious websites are on HTTPS (with IV or EV certificates***). I also install the extension certificate info and tell them to don't provide banking info or other sensative data to HTTPS websites with only a DV certificate, Together with BD TL this works well until now (nobody lost money doing business online).

***
My rules of thumb which I explain to family members:
EV certificates should be safe
only trust IV certificates when they are from a well known brand (e.g. amazon or google)
DV certificates are okay to surf and socialize but not to do business with

 

[Andy Ful]

Although in theory, the Windows_Security profile with enabled Validate Admin Code Signatures looks good, most semi-advanced users will complain about blocking installations/updates of unsigned applications. Personally, I think that more convenient for them will be skipping this setting and simply use RunBySmartScreen for new EXE files.
Such setup is stronger and more configurable than SysHardener restrictions.

 

[Windows_Security]

Most semi-advanced users will complain about blocking installations/updates of unsigned applications

Gandalf asked what was best for family members. My family members are certainly not (semi) advanced users. They are at best average PC-users. What unsigned software would an average PC user need to install? Name one example. Maybe it differs per region, but in Netherlands I don't know of any program what average users would use which is not signed. Most mainstream software is signed.

 

[Andy Ful]

What unsigned software would an average PC user need to install? Name one example.

ConfigureDefender?
Anyway, I agree that installing only signed applications is a good idea. If I did not, you would not see <Validate Admin Code Signatures> in the new version of H_C.

They are all on AA, so then @Windows_Security profile should be better? I have now enabled it on my main laptop and will see how it works for me.

It would be probably OK for you. Use RunBySmartScreen from the Explorer context menu for new files. If you do not need to use unsigned applications which require elevation, wait a few weeks and use the new H_C with <Validate Admin Code Signatures>.

 

[Andy Ful]

Windows_Security,
I know that you like the UAC setting ValidateAdminCodeSignatures. It can be very useful, but it is not a security boundary on Admin account (like any UAC setting). It has to be supported by something that can prevent UAC bypasses (like H_C).

It is true that most malware (probably over 80%) require elevation, but it is also true that most of them use UAC bypasses. There are some malware samples which will ask gently the user to enter the admin password (fake applications), but this is rather an exception, especially when we are dealing with exploits.
Fortunately, many exploits (but not all) use LOLBins for UAC bypasses, so can be mitigated also by H_C, set via Windows_Security profile. It can be hardened by adding more LOLBins via H_C's <Block Sponsors> option. Even better protection is available on SUA which is generally stronger against exploits as compared to Admin account.
The H_C Windows_Security profile allows EXE files, so in theory, it is more vulnerable to malware/exploits and UAC bypasses than H_C Recommended setup. But, I cannot say if this difference can be so important in real life.

The H_C Windows_Security profile (even without ValidateAdminCodeSignatures) + FirewallHardening + any good AV is a very good security setup.
It is stronger as compared to SysHardener, which is also a proven good AV addition.

The ValidateAdminCodeSignatures setting will be more appropriate for casual users guided to install only signed applications which require elevation to install/update.
RunBySmartSreen will be more appropriate for cautious users who will remember to open the new files via "Run By SmartScreen" from the Explorer context menu.

 

[Windows_Security]

@Andy Ful

Let me confess a serious and unforgivable sin: on my relatives PC's (besides setting UAC to deny elevation of unsigned) I also set UAC to elevate silently Reason for doing so is that I found out that helpful friends use to DISABLE UAC to prevent getting UAC prompts.

The reason I am so certain about UAC validate admin signatures does not provide problems in real world conditions of average PC users is that I also add an extra admin account and REMOVE the rights to change UAC settings of the regular (admin) user

So now I will go undercover and hide in the lurker legion for at least a week to prevent being tarred and feathered and put publicly on display as a warning to others. logging out now . . . :emoji_innocent: