Software
Hard_Configurator (get it on GitHub https://github.com/AndyFul/Hard_Configurator)
Installation
5.00 star(s)
Installation Feedback
1. Save the attached Windows_Security_hardening.TXT file and rename it Windows_Security_hardening.HDC
2. Install Hard_Configurator
3. Click the LOAD PROFILE button, navigate to the Windows10_Harden.HDC file and select it
4. Click Apply Changes
5. Click the ConfigureDefender button (the ConfigureDefender tool will pop up)
6. Click the Defender High Settings button and then the REFRESH button
7. Close ConfigureDefender and close Hard_Configurator
Interface (UI)
4.00 star(s)
Interface Feedback
Color scheme of the buttons is .... well ....colorful like Andy Ful
Usability
5.00 star(s)
Usability Feedback
SRP applies only to shady formats, not the normal executable formats, so you can run and install programs just like you used to.
Performance and System Impact
5.00 star(s)
Performance and System Impact Feedback
Look at the specs of my ASUS Transformer, they are humble.
Protection
5.00 star(s)
Protection Feedback
Windows Defender in default settings scored 100% protection at AV-Comparatives in the latest Real-World Protection test (https://www.av-comparatives.org/tests/real-world-protection-test-february-march-2019-factsheet/) and 6 out of 6 in the latest AV-TEST (https://www.av-test.org/en/antivirus/home-windows/windows-10/february-2019/microsoft-windows-defender-4.18-190516/), so how well will this hardened setup with the highest protection perform? My bet: better than any top-tier antivirus solution!
Pros
It's a free software
Low impact on system resources
Easy to use
Simple and non-intrusive
Strong and reliable protection
Blocks even brand new malware
Excellent scores in independent tests
Features you can't get elsewhere for free
Multiple layers of protection
Cons
Clumsy or awkward interface (UI)
Software installed on computer
More than 1 year
Computer Specifications
Asus Transformer with Intel Atom Z3740 @ 1.33 GHz, 2 GB RAM, 32 GB SSD and 64 GB SD card
Recommended for
All types of users
Device is shared by family members
Banking or other financial activity
Low specs device
Overall Rating
5.00 star(s)

Andy Ful

Level 46
Verified
Trusted
Content Creator
I prepared the profile "Windows_10_MT_Windows_Security_hardening.hdc" which uses the new option <Validate Admin Code Signatures>.



It can be used on either a SUA or an Admin account (no difference in restrictions). When loading the profile into H_C, the info below will be displayed:

************************************************************
Harden Windows 10 while maintaining maximum functionality and compatibility (proposed on Malwaretips forum by @Windows_Security).

Please note: this profile allows the user to run EXE files, except unsigned files which require Administrative rights. MSI installation packages are more restricted - they can be run only via the "Run as administrator" option in the Explorer context menu and only digitally signed packages will be allowed.

It is recommended to use this profile with ConfigureDefender High Protection Level and "Recommended H_C" firewall outbound block rules (see <FirewallHardening> option).

The profile works best when the user installs digitally signed applications (EXE / MSI), or unsigned EXE applications which do not require Administrative rights.

When an unsigned EXE file is blocked, an error message is displayed which ends with:
"... A referral was returned from the server".
**************************************************************

Any suggestions to improve the above info text?
 
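To see what the profile text above actually depends on, here is an added PowerShell example (mine, not code from Hard_Configurator or the profile) that reads the UAC and SRP ("Safer") registry state and predicts how one EXE would fare under <Validate Admin Code Signatures>: signed files are allowed, unsigned files that ask for elevation are refused. Assumptions: the standard registry locations; the elevation test is a byte search for the embedded manifest, a heuristic rather than what UAC itself does; the verdict ignores any other SRP path rules the profile sets.

```powershell
# Added example, not part of Hard_Configurator or the profile.
$UacKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$SaferKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Get-UacState {
    $p = Get-ItemProperty -Path $UacKey
    [pscustomobject]@{
        EnableLUA                   = $p.EnableLUA                    # 1 = UAC on
        ConsentPromptBehaviorAdmin  = $p.ConsentPromptBehaviorAdmin   # 0 = silent elevation, 2/5 = prompt
        ValidateAdminCodeSignatures = $p.ValidateAdminCodeSignatures  # 1 = refuse to elevate unsigned code
    }
}

function Get-SrpState {
    if (-not (Test-Path $SaferKey)) { return $null }   # no SRP policy has been written
    $p = Get-ItemProperty -Path $SaferKey
    [pscustomobject]@{
        DefaultLevel       = '0x{0:X}' -f [int]$p.DefaultLevel   # 0x40000 Unrestricted, 0 Disallowed
        PolicyScope        = $p.PolicyScope                      # 0 = all users, 1 = all except administrators
        TransparentEnabled = $p.TransparentEnabled               # 1 = skip DLLs, 2 = check DLLs too
        DesignatedTypes    = $p.ExecutableTypes -join ','        # the "shady formats" SRP applies to
    }
}

function Test-RequestsElevation {
    param([Parameter(Mandatory)][string]$Path)
    # Heuristic: the RT_MANIFEST resource is plain XML inside the PE, so a
    # substring search finds requestedExecutionLevel without a resource parser.
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
    return [bool]($text -match 'level\s*=\s*["'']requireAdministrator["'']')
}

function Get-ExeVerdict {
    param([Parameter(Mandatory)][string]$Path)
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signed = $sig.Status -eq 'Valid'
    $elev   = Test-RequestsElevation -Path $Path
    $uac    = Get-UacState
    $verdict = if ($signed) { 'allowed (signed)' }
               elseif ($elev -and $uac.ValidateAdminCodeSignatures -eq 1) { 'blocked: unsigned and needs elevation' }
               elseif ($elev) { 'allowed with UAC prompt (ValidateAdminCodeSignatures is off)' }
               else { 'allowed (unsigned, no elevation requested)' }
    [pscustomobject]@{
        File              = Split-Path -Leaf $Path
        SignatureStatus   = $sig.Status
        Signer            = $sig.SignerCertificate.Subject
        RequestsElevation = $elev
        Verdict           = $verdict
    }
}

Get-UacState | Format-List
Get-SrpState | Format-List
# Constructed usage: assess every EXE in Downloads (nothing is modified or run).
Get-ChildItem "$env:USERPROFILE\Downloads\*.exe" -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ExeVerdict -Path $_.FullName } | Format-Table -AutoSize
```

A file that the verdict calls "allowed" can still be stopped by the profile's SRP path rules or by Defender; the point of the check is only to show which of the three UAC values is doing the work for the case the info text describes.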

Gandalf_The_Grey

Level 20
Verified
While loving and admiring all the hard work done by @Andy Ful and @Windows_Security to get a great native windows security configuration I get a bit confused with all the options and possibilities...
I maintain 5 computers, 1 for me and my wife, 2 for my kids, 1 for my mother in law and 1 for my mother.
What would be the strongest HC profile with the least support needed?
The one of the first post by @Windows_Security or the last one by @Andy Ful or just use the recommended settings of Hard_Configurator?
 

oldschool

Level 34
Verified
Gandalf_The_Grey said:
While loving and admiring all the hard work done by @Andy Ful and @Windows_Security to get a great native windows security configuration I get a bit confused with all the options and possibilities...
I maintain 5 computers, 1 for me and my wife, 2 for my kids, 1 for my mother in law and 1 for my mother.
What would be the strongest HC profile with the least support needed?
The one of the first post by @Windows_Security or the last one by @Andy Ful or just use the recommended settings of Hard_Configurator?
If these computers use SUA then @Andy Ful's "Recommended" settings = True default-deny

@Windows_Security profile is for AA and is not default-deny. Discuss - Hard_Configurator - Windows Hardening Configurator Uses WD whitelist, etc.
 

Gandalf_The_Grey

Level 20
Verified

Andy Ful

Level 46
Verified
Trusted
Content Creator
Gandalf_The_Grey said:
While loving and admiring all the hard work done by @Andy Ful and @Windows_Security to get a great native windows security configuration I get a bit confused with all the options and possibilities...
I maintain 5 computers, 1 for me and my wife, 2 for my kids, 1 for my mother in law and 1 for my mother.
What would be the strongest HC profile with the least support needed?
The one of the first post by @Windows_Security or the last one by @Andy Ful or just use the recommended settings of Hard_Configurator?
There is no such thing as the strongest security setup with the least support needed. The stronger a setup, the more support will be needed.

Let's suppose that you live in an unsafe quarter. The H_C Recommended settings are like four locks on a hardened front door and a hidden camera connected to a database of known good people. This lets you choose who can enter. Also, the windows are behind solid bars. This setup can give you very strong protection if you can live with it. It has a perfect balance between security and usability. You do not need more security, except when using a vulnerable system.

If you cannot live with it, because it causes too much fatigue, then you may try the 'Allow EXE' setup, like the one with Avast Hardened Aggressive mode or the one proposed by @Windows_Security.:giggle:(y)
The 'Allow EXE' setup is also appropriate for semi-advanced users.
The Recommended setup is well suited to casual users who can be supported by advanced users.

SECURITY:
Recommended settings + WD HIGH ~ 'Allow EXE' + Avast Hardened Aggressive > Windows_Security + WD HIGH

USABILITY:
Windows_Security + WD HIGH > 'Allow EXE' + Avast Hardened Aggressive ~ Recommended settings + WD HIGH
 
Last edited:

Windows_Security

Level 23
Verified
Trusted
Content Creator
@Gandalf_The_Grey

The most secure plus least maintenance would be the Windows_Security profile for H_C and ConfigureDefender set to MAX with protected folders enabled.

I always install Chrome (average users don't care about privacy; they don't mind providing personal data). In Chrome I install uBlock Origin and enable only Peter Lowe's and MVPS Hosts lists, plus add ONE "My filters" rule (HTTP://*^$third-party,~stylesheet,~image). Besides uBlock Origin I also add Bitdefender's TrafficLight extension because it does well in phishing protection too, and people like to see a green okay mark (the irrational and emotional benefit of BD TL).

In the Netherlands most people use Ziggo. Ziggo checks mail with F-protect (at least they did in 2016 when I talked to a technical support guy), so you don't need their rebranded F-protect antivirus for mail protection.

EDIT
Forgot to mention that I also enable this Chrome flag: #disallow-unsafe-http-downloads (to prevent shooting yourself in the foot and drive-by downloads from HTTP:// websites) and block JavaScript (with an allow exception rule for HTTPS://*), since all serious websites are on HTTPS (with IV or EV certificates***). I also install the certificate info extension and tell them not to provide banking info or other sensitive data to HTTPS websites with only a DV certificate. Together with BD TL this has worked well until now (nobody has lost money doing business online).

***
My rules of thumb which I explain to family members:
EV certificates should be safe
only trust IV certificates when they are from a well known brand (e.g. amazon or google)
DV certificates are okay to surf and socialize but not to do business with

 
Last edited:
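The EV/IV/DV rule of thumb in the post above can be checked mechanically rather than by eye. The following PowerShell is an added example of mine, not the poster's setup: it derives the validation level from the CA/Browser Forum certificate policy OIDs (which is what browsers key on) and maps it onto the post's advice. Assumptions: the OID table is the CAB Forum set; when a certificate carries no such OID the fallback is simply whether the subject names an organisation, which is less reliable; the live fetch helper accepts any chain because it only inspects the leaf, so it must not be used as a trust decision.

```powershell
# Added example, not the poster's code. Sample subjects and OIDs are constructed.
$CabForumPolicy = @{
    '2.23.140.1.1'   = 'EV'   # extended validation
    '2.23.140.1.2.1' = 'DV'   # domain validated
    '2.23.140.1.2.2' = 'OV'   # organization validated
    '2.23.140.1.2.3' = 'IV'   # individual validated
}

# The post's rules of thumb, keyed by level (OV is treated like the post's "IV").
$Advice = @{
    EV = 'should be safe'
    OV = 'trust only when from a well-known brand'
    IV = 'trust only when from a well-known brand'
    DV = 'okay to surf and socialize, not to do business with'
}

function Get-CertValidationLevel {
    param(
        [Parameter(Mandatory)][string]$Subject,   # e.g. 'CN=shop.example, O=Example BV, C=NL'
        [string[]]$PolicyOids = @()
    )
    foreach ($oid in $PolicyOids) {
        if ($CabForumPolicy.ContainsKey($oid)) { return $CabForumPolicy[$oid] }
    }
    # Fallback (assumption): a DV certificate carries no O= (organisation) attribute.
    if ($Subject -match '(^|,\s*)O=') { return 'OV' } else { return 'DV' }
}

function Get-PolicyOids {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.32' }   # certificatePolicies
    if (-not $ext) { return @() }
    # Windows renders the extension as text containing "Policy Identifier=<oid>" lines.
    [regex]::Matches($ext.Format($true), 'Policy Identifier=([0-9.]+)') | ForEach-Object { $_.Groups[1].Value }
}

function Get-SiteCertificate {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    # Accept any chain: we only want to read the leaf, not decide whether to trust it.
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, { $true })
    try {
        $ssl.AuthenticateAsClient($HostName)
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally { $ssl.Dispose(); $tcp.Dispose() }
}

function Test-Site {
    param([Parameter(Mandatory)][string]$HostName)
    $cert  = Get-SiteCertificate -HostName $HostName
    $level = Get-CertValidationLevel -Subject $cert.Subject -PolicyOids (Get-PolicyOids -Cert $cert)
    [pscustomobject]@{ Host = $HostName; Level = $level; Subject = $cert.Subject; Advice = $Advice[$level] }
}

# Constructed inputs, no network needed:
Get-CertValidationLevel -Subject 'CN=blog.example'                                    -PolicyOids '2.23.140.1.2.1'  # DV
Get-CertValidationLevel -Subject 'CN=www.example, O=Example BV, C=NL'                 -PolicyOids '2.23.140.1.2.2'  # OV
Get-CertValidationLevel -Subject 'CN=bank.example, O=Example Bank NV, SERIALNUMBER=1' -PolicyOids '2.23.140.1.1'    # EV
Get-CertValidationLevel -Subject 'CN=legacy.example, O=Old Shop'                                                     # OV via fallback
# Live check (needs network): Test-Site -HostName 'www.example.com'
```

Two caveats for anyone who adopts the rule: a phishing site can buy a DV certificate in minutes, so "DV" says nothing about intent, only that the check should stop at "do not enter banking data"; and an EV or OV certificate proves who the operator is, not that the page itself is safe.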

Andy Ful

Level 46
Verified
Trusted
Content Creator
Although in theory the Windows_Security profile with Validate Admin Code Signatures enabled looks good, most semi-advanced users will complain about blocked installations/updates of unsigned applications. Personally, I think it will be more convenient for them to skip this setting and simply use RunBySmartScreen for new EXE files.
Such a setup is stronger and more configurable than SysHardener restrictions.(y)
 

Windows_Security

Level 23
Verified
Trusted
Content Creator
Andy Ful said:
Most semi-advanced users will complain about blocking installations/updates of unsigned applications
Gandalf asked what was best for family members. My family members are certainly not (semi-)advanced users. They are at best average PC users. What unsigned software would an average PC user need to install? Name one example. Maybe it differs per region, but in the Netherlands I don't know of any program that average users would use which is not signed. Most mainstream software is signed.
 
Last edited:

Andy Ful

Level 46
Verified
Trusted
Content Creator
Windows_Security said:
What unsigned software would an average PC user need to install? Name one example.
ConfigureDefender?:giggle:
Anyway, I agree that installing only signed applications is a good idea. If I did not, you would not see <Validate Admin Code Signatures> in the new version of H_C.:emoji_thinking:

They are all on AA, so then @Windows_Security profile should be better? I have now enabled it on my main laptop and will see how it works for me.
It would probably be OK for you. Use RunBySmartScreen from the Explorer context menu for new files. If you do not need to use unsigned applications which require elevation, wait a few weeks and use the new H_C with <Validate Admin Code Signatures>.
 
Last edited:

Andy Ful

Level 46
Verified
Trusted
Content Creator
Windows_Security,
I know that you like the UAC setting ValidateAdminCodeSignatures. It can be very useful, but it is not a security boundary on an Admin account (like any UAC setting). It has to be supported by something that can prevent UAC bypasses (like H_C).

It is true that most malware (probably over 80%) requires elevation, but it is also true that most of it uses UAC bypasses. There are some malware samples which gently ask the user to enter the admin password (fake applications), but this is rather an exception, especially when we are dealing with exploits.
Fortunately, many exploits (but not all) use LOLBins for UAC bypasses, so they can also be mitigated by H_C set via the Windows_Security profile. It can be hardened by adding more LOLBins via H_C's <Block Sponsors> option. Even better protection is available on SUA, which is generally stronger against exploits compared to an Admin account.
The H_C Windows_Security profile allows EXE files, so in theory it is more vulnerable to malware/exploits and UAC bypasses than the H_C Recommended setup. But I cannot say whether this difference is important in real life.

The H_C Windows_Security profile (even without ValidateAdminCodeSignatures) + FirewallHardening + any good AV is a very good security setup.
It is stronger than SysHardener, which is also a proven good AV addition.

The ValidateAdminCodeSignatures setting will be more appropriate for casual users guided to install only signed applications which require elevation to install/update.
RunBySmartScreen will be more appropriate for cautious users who will remember to open new files via "Run By SmartScreen" from the Explorer context menu.
 
Last edited:
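The FirewallHardening piece of the setup Andy Ful describes is outbound block rules for LOLBins, so that a UAC-bypass or download chain that goes through mshta, regsvr32, certutil and friends cannot reach the network even if the process itself starts. The PowerShell below is an added example of mine, not H_C's own FirewallHardening code: it creates, lists and removes such rules as one named group. Assumption: the binary list is a sample I chose, not the "Recommended H_C" list; run it elevated.

```powershell
# Added example, not Hard_Configurator's FirewallHardening implementation.
$RuleGroup = 'LOLBin outbound block (example)'
# Sample list (assumption), chosen because these are common download/UAC-bypass sponsors.
$Lolbins = @('mshta.exe', 'wscript.exe', 'cscript.exe', 'regsvr32.exe',
             'rundll32.exe', 'certutil.exe', 'bitsadmin.exe', 'msbuild.exe')

function Add-LolbinBlockRules {
    foreach ($name in $Lolbins) {
        # Both the 64-bit and the WOW64 copy exist on x64 Windows; rules match by path.
        foreach ($dir in "$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64") {
            $path = Join-Path $dir $name
            if (-not (Test-Path $path)) { continue }
            $display = "Block outbound: $path"
            if (Get-NetFirewallRule -DisplayName $display -ErrorAction SilentlyContinue) { continue }  # idempotent
            New-NetFirewallRule -DisplayName $display -Group $RuleGroup -Direction Outbound `
                -Action Block -Program $path -Profile Any -Enabled True | Out-Null
        }
    }
}

function Get-LolbinBlockRules {
    # Block rules win over allow rules in Windows Firewall, so listing them is enough to audit.
    Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue | ForEach-Object {
        $app = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{ Program = $app.Program; Enabled = $_.Enabled; Action = $_.Action; Profile = $_.Profile }
    }
}

function Remove-LolbinBlockRules {
    Remove-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue
}

Add-LolbinBlockRules
Get-LolbinBlockRules | Format-Table -AutoSize
# Undo: Remove-LolbinBlockRules
```

Because the firewall matches on the program path, a copy of mshta.exe dropped into a user folder is not covered by these rules; that gap is exactly what the SRP side of H_C (blocking execution from user-writable locations, or <Block Sponsors>) is there for, which is why the two are used together rather than either alone.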

Windows_Security

Level 23
Verified
Trusted
Content Creator
@Andy Ful

Let me confess a serious and unforgivable sin: on my relatives' PCs (besides setting UAC to deny elevation of unsigned executables) I also set UAC to elevate silently :eek: The reason for doing so is that I found out that helpful friends tend to DISABLE UAC to prevent getting UAC prompts.

The reason I am so certain that UAC validate admin signatures does not cause problems in real-world conditions for average PC users is that I also add an extra admin account and REMOVE the rights to change UAC settings from the regular (admin) user :cool:

So now I will go undercover and hide in the lurker legion for at least a week to avoid being tarred and feathered and put publicly on display as a warning to others. Logging out now . . . :emoji_innocent:
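For anyone who wants to reproduce the confessed setup deliberately rather than by clicking, here is an added PowerShell example of mine (not the poster's script): it writes the three UAC policy values, creates the separate support admin, and takes write access to the UAC policy key away from the day-to-day admin account. Assumptions: the registry values are the documented UAC policy values; the "remove the rights" step is implemented with a Deny ACE on the policy key, which is one way to do it and which a member of Administrators can still undo by taking ownership, so, as Andy Ful says above, it is a speed bump rather than a security boundary. Run elevated as the support admin.

```powershell
# Added example, not the poster's own script.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Set-UacSilentSignedOnly {
    Set-ItemProperty -Path $UacKey -Name EnableLUA                   -Type DWord -Value 1   # keep UAC on
    Set-ItemProperty -Path $UacKey -Name ValidateAdminCodeSignatures -Type DWord -Value 1   # refuse unsigned elevation
    # 0 = elevate without prompting (the "sin"); 2 would prompt on the secure desktop instead.
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin  -Type DWord -Value 0
}

function New-SupportAdmin {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][securestring]$Password)
    if (-not (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue)) {
        New-LocalUser -Name $Name -Password $Password -PasswordNeverExpires | Out-Null
    }
    Add-LocalGroupMember -Group 'Administrators' -Member $Name -ErrorAction SilentlyContinue
}

function Deny-UacKeyWrite {
    # Deny ACEs are evaluated before Allow ACEs, so this overrides the Administrators
    # group's write access for this one account. Assumption: ownership is not reassigned.
    param([Parameter(Mandatory)][string]$User)   # 'MACHINE\user' form
    $acl  = Get-Acl -Path $UacKey
    $rule = [System.Security.AccessControl.RegistryAccessRule]::new(
        $User,
        'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership',
        'ContainerInherit', 'None', 'Deny')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $UacKey -AclObject $acl
}

function Get-UacSummary {
    Get-ItemProperty -Path $UacKey |
        Select-Object EnableLUA, ConsentPromptBehaviorAdmin, ValidateAdminCodeSignatures
}

Set-UacSilentSignedOnly
New-SupportAdmin -Name 'support' -Password (Read-Host -Prompt 'Password for support' -AsSecureString)
Deny-UacKeyWrite -User 'DESKTOP-EXAMPLE\family'   # constructed name of the day-to-day admin
Get-UacSummary
```

Note what the combination means in practice: with ConsentPromptBehaviorAdmin at 0, any Authenticode-signed program that requests elevation gets it with no prompt at all, so the whole scheme rests on the assumption that signed code is trustworthy, which is exactly the gap the SRP and Defender layers discussed earlier in the thread are meant to cover.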