Hard_Configurator - GUI to Manage Software Restriction Policies and harden Windows Home OS

Discussion in 'other anti-malware software' started by mood, Nov 20, 2018.

  1. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    22,814
    Hard_Configurator_#1.png Hard_Configurator_#4.png Hard_Configurator_#5.png Hard_Configurator_#2.png
    Hard_Configurator makes changes in Windows Registry to accomplish the tasks enumerated below:
    1. Enabling Software Restriction Policies in Windows Home editions.
    2. Changing SRP Security Levels, Enforcement options, and Designated File Types.
    3. Whitelisting files in SRP by path (also with wildcards) and by hash.
    4. Blocking vulnerable system executables via SRP (Bouncer black list).
    5. Protecting (deny execution) writable subfolders in "C:\Windows" folder (via SRP).
    6. Restricting shortcut execution to some folders only (via SRP).
    7. Enabling Windows Defender advanced settings, like PUA protection, ASR rules, Network Protection etc.
    8. Protecting against weaponized documents, when MS Office and Adobe Acrobat Reader XI/DC are used to open them.
    9. Enabling "Run as administrator" for MSI files.
    10. Disabling PowerShell script execution (Windows 7+).
    11. Securing PowerShell by Constrained Language mode (SRP, PowerShell 5.0+)
    12. Disabling execution of scripts managed by Windows Script Host.
    13. Removing "Run As Administrator" option from the Explorer right-click context menu.
    14. Forcing SmartScreen check for files without 'Mark Of The Web' (Windows 8+).
    15. Disabling Remote Desktop, Remote Assistance, Remote Shell, and Remote Registry.
    16. Disabling execution of 16-bit applications.
    17. Securing Shell Extensions.
    18. Disabling SMB protocols.
    19. Disabling program elevation on Standard User Account.
    20. Disabling Cached Logons.
    21. Forcing Secure Attention Sequence before User Account Control prompt.
    22. Filtering Windows Event Log for blocked file execution events (Nirsoft FullEventLogView).
    23. Filtering autoruns from the User Space, and script autoruns from anywhere (Sysinternals Autorunsc).
    24. Enabling&Filtering Advanced SRP logging.
    25. Turning ON/OFF all above restrictions.
    26. Restoring Windows Defaults.
    27. Making System Restore Point.
    28. Using predefined setting profiles for Windows 7, Windows 8, and Windows 10.
    29. Saving the chosen restrictions as a profile, and restoring when needed.
    30. Backup management for Profile Base (whitelist profiles and setting profiles).
    31. Changing GUI skin.
    32. Updating application.
    33. Uninstalling application (Windows defaults restored).
    Current version: Hard_Configurator ver. 4.0.0.2 (November 19, 2018)
    Website
    What's New
    Version 4.0.0.2
    1. Corrected the ability to whitelist OneDrive on SUA.
    2. Changed the way of using <Refresh Explorer> option to avoid problems on SUA.
    3. Added the warning before Hard_Configurator deinstallation, about using DocumentAntiExploit tool.
    4. Added the DocumentsAntiExploit tool to the SwitchDefaultDeny application, for managing different MS Office and Adobe Acrobat Reader
    XI/DC settings on different user accounts.
    5. In the 4.0.0.2 version the <Documents Anti-Exploit> option in Hard_Configurator can only change system-wide settings. Non-system-wide
    settings are now available only via DocumentsAntiExploit tool.
    6. Added IQY and SETTINGCONTENT-MS file extensions to the default list of Designated File Types and to the hardcoded dangerous
    extensions in RunBySmartScreen.
    7. Improved Shortcut protection.
    8. Improved the protection of MS Office and Adobe Acrobat Reader XI/DC applications, against the weaponized documents.
    9. Improved 'Run By SmartScreen' with over 250 blocked file extensions (SRP, Outlook Web Access, Gmail, and Adobe Acrobat Reader
    attachments blacklists). The extensions BAT, DLL, CMD, JSE, OCX, and VBE are now blocked with notification, instead of beeing checked
    by SmartScreen. Popular but vulnerable files (RTF, DOC, DOCX, XLS, XLSX, PUB, PPT, PPTX, ACCDB, PDF) related to MS Office and Adobe
    Reader, are opened with the warning instruction.
    10. Changed the names of some buttons in the TOOLS menu:
    <View Blocked Events> --> <Blocked Events / Security Logs>
    <Run Autoruns: Scripts/UserSpace> --> <Whitelist Autoruns / View Scripts>
    11. Changed 'Allow EXE' option in the <Whitelist by Path> to 'Allow EXE and TMP'. So, both EXE files and TMP files are whitelisted -
    this option is prepared to work with Avast Hardened Mode Aggressive as default-deny.
    12. Corrected the bug with <Update> button (did not work for the 64-bit version).
    13. Updated Hard_Configurator manual.
    Note: Hard_Configurator includes the tool ConfigureDefender (Utility for configuring Windows 10 built-in Defender antivirus settings)
     
    Last edited: Nov 20, 2018
  2. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    1,176
    Location:
    UK
    Are the defender settings for win10? I don't remember seeing them in win7 gui.
     
  3. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,055
  4. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    1,176
    Location:
    UK
    Thanks azure
     
  5. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,444
    Location:
    U.S.A. (South)
    Appreciate this. Thanks
     
  6. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    22,814
    Hard_Configurator ver. 4.1.1.1 beta (July 29, 2019)
    Website
    What's New
    Version 4.1.1.1 beta
    1. Added "Paranoid Extensions" (259 potentially dangerous file type extensions).
    2. Added FirewallHardening tool, which blocks by Windows Firewall many LOLBins and allow the user to block any application.
    3. Removed explorer.exe paths from FirewallHardening LOLBins on Windows 8 and 8.1., for compatibility with SmartScreen.
    4. Two buttons <Recommended SRP> and <Recommended Restrictions> are replaced by one green button <Recommended Settings>.
    5. Reorganization of buttons: the violet buttons <Firewall Hardening> and <ConfigureDefender> are now located in the upper part of the
    main window. The button <No Removable Disks Exec.> was replaced by the new option button <Validate Admin Code Signatures> (see point 7).
    6. If Default Deny Protection is turned OFF by 'Switch Default Deny' tool, then "Run By SmartScreen" option is automatically enabled in
    Explorer context menu. It can be used for installing safely the applications both on Administrator and Standard User type of accounts.
    7. Added the option <Validate Admin Code Signatures> which changes the UAC settings to enforce cryptographic signatures on any interactive
    application that requests elevation of privilege. This setting will prevent the user to run from Explorer the applications which require
    Administrative rigts but are not digitally signed.
    8. Added the profile "Windows_10_MT_Windows_Security_hardening.hdc" which uses the new option <Validate Admin Code Signatures>.
    9. The option <Restore Windows Defaults> does restore also Windows Defender defaults and removes FirewallHardening Outbound block rules.
    10. All Hard-Configurator native executables are digitally signed by SHA256 certificate (Certum Code Signing CA SHA2).
     
  7. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    22,814
    Hard_Configurator ver. 5.0.0.0 Released (August 22, 2019)
    Website
    What's New
     
  8. Tyreman

    Tyreman Registered Member

    Joined:
    Feb 3, 2003
    Posts:
    139
    Location:
    Cambridge Ontario,Canada
    Interesting app........... been playing with it for awhile
     
  9. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,598
    Location:
    Italy
    I have installed version 5.
    Very interesting to harden WD Firewall.
     
  10. Bertazzone

    Bertazzone Registered Member

    Joined:
    Apr 13, 2018
    Posts:
    250
    Location:
    Wonderland
    It’s a pretty darn good all-in-one OS hardening package.
     
  11. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,598
    Location:
    Italy
    :thumb:
    Correct.
    Some settings can also be changed manually without using the utility, but the speed of entering firewall rules is unbeatable, saving you a lot of time.
     
  12. Tyreman

    Tyreman Registered Member

    Joined:
    Feb 3, 2003
    Posts:
    139
    Location:
    Cambridge Ontario,Canada
    Been using this for a few weeks now works well
     
  13. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,400
    H_C also writes the firewall rules in a way that survives a major Windows update. If you just add custom rules on your own to Windows Firewall, you won't find them there anymore after you get a major feature update. But the H_C rules survive.
     
  14. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    563
    Location:
    US
    But, there is nothing that can't be done or added in HC that the user can do on their own through gpedit, powershell or the registry right?

    Robert
     
  15. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,400
    You can do it all on your own, if you have the time and patience and knowledge. It only activates native Windows security features.
     
  16. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,598
    Location:
    Italy
    Wonderful.:thumb:
     
  17. Roberteyewhy

    Roberteyewhy Registered Member

    Joined:
    Mar 4, 2007
    Posts:
    563
    Location:
    US
    Thanks. Do not need it then IMO.

    Happy and safe Holidays to everyone on Wilders,
    Robert
     
  18. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,598
    Location:
    Italy

    Unfortunately I noticed that in Configure Defender the setting "Run WD in sandbox mode" is missing.

    @shmu26

    You who are also registered on MT could you notify Andy Ful about this lack?
    I think it is easy to add the rule.
     
    Last edited: Nov 29, 2019
  19. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,400
    There are some convoluted issues with setting up SRP right, especially with regards to shortcut protection. Check out the dev's documentation, or his support thread on the other forum.
     
  20. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,400
  21. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,598
    Location:
    Italy
  22. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,400
    Andy says he is planning on doing this when the feature gets out of the beta stage. He wants to avoid compatibility issues, so he is waiting on it.
     
  23. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,598
    Location:
    Italy
    I understand the doubts of the developer.;)
    But the utility itself has the purpose of performing a System hardening, so it is necessary to estimate possible incompatibilities.
    And the utility involves creating a restore point.
     
  24. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,400
    Andy does extensive testing before he adds new features to his tool, and there is something about Windows sandbox that makes him a little nervous. Not sure what it is. He has been asked a few times about this feature...
     
  25. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,598
    Location:
    Italy
Loading...
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.