@Bot what is the practical use for average PC user? What is the first action an average home user should do after reading all posts of this thread?
- Status
F
ForgottenSeer 114717
Thread author
At the end of the day, User versus Kernel Mode does not matter. Since in the vast majority of cases the unraveling of User Mode would require execution of malicious code in the first place.
What I see routinely amongst enterprise and government clients is that they do not want nor do they use WDAC; they use SRP. To the clients, there is no "superiority" of WDAC. WDAC is viewed as a manageability problem. For one it does not offer the required granularity necessary to meet the covering statutes and regulations (e.g. NIST SP 800-171R3) that govern the system security requirements. Heavily regulated clients using Windows 11 25H2 and the various Server (2024/2025) Editions invariably use SRP.
For air gapped systems WDAC, ISG, these are pointless, whereas SRP remains operationally viable. Some choose to use only AppLocker. Then there are the STIGS the must be applied. If the LAN is a classified one, and users can switch between a higher security domain to a lower one, then that is a major beast. $5,000+ KVMs and an even larger full-time staff are required for the SCIF.
The other aspect is that these clients do not use blacklisting. They use 100% absolute whitelisting which means they have a full-time dedicated staff that reviews, submits for authorization and approval, every single file that runs on a system. There is no policy of "Everything that is signed by Microsoft or runs from C;/Windows is allowed." Everything must be vetted regardless of where it comes from. Locally created mobile code (e.g. scripts, PDFs, browser code, etc) that must all be reviewed and vetted as well. Everything goes through a Change Approval Board (CAB) process. It is a full-time occupation requiring a small army of full-time employees, or more often than not, the organization subcontracts it out.
Right away someone is going to say this is all military and intelligence community "stuff" and does not apply to home users. Oh, but it does. At least the bones of the security architecture do as well as hygiene.
There are techniques that can be deployed in SRP User Mode that prevent ANY attacker who gains SYSTEM from over-riding SRP. The single crticial exception is if there is a kernel vulnerability that is exploited. In that case, then all bets are off. The other all bets are off situation is an adversary that obtains access to baselines, configurations, the playbook (which should always be stored offline/air gapped). The second one is worse because it gives the adversary the entire set of knowledge needed to unravel and pivot a network, virtually with impunity without EDR, SIEM, etc and constant monitoring.
As far as home users, selling them on User versus Kernel Mode protections is a moot point. The superiority or inferiority potentials of one over the other are meaningless if:
1. The protections are not available to the home user; or
2. They home user does not use either one.
One cannot hit the security lottery if one does not use some form or combination of default deny. But in this day and age, SRP remains King. It is good to be King, but heavy hangs the crown.
Yes, you are right. For users' security, it would have been much better if Microsoft had listened to your advice 30 years ago instead of letting users do anything they want. But then there would be no Microsoft today, and we could complain about the security of Apple and Linux computers.
It is true that people are, in a sense, victims of their own inventions. This was true with gunpowder, nuclear energy, fast cars, computers, and many others.
This is also true with Windows and AI. The chances that home users or Microsoft can apply Zero Trust security at home are similar to the chances that drivers or car manufacturers will reduce the car speed to 40 km/h (25 miles/h) - such a speed reduction could save approximately half a million lives a year.
This is also true with Windows and AI. The chances that home users or Microsoft can apply Zero Trust security at home are similar to the chances that drivers or car manufacturers will reduce the car speed to 40 km/h (25 miles/h) - such a speed reduction could save approximately half a million lives a year.
Last edited:
The art of cyber-security during the early medieval era and its influence on poetry .It is not a thread about cooking but about the philosophy of cooking.
I’ll give you the instructions, get handy with a pen and a paper so you can write them down, very important instructions coming ahead.
1. You go onto the Hiren Boot CD website, download the image file.
2. Use Rufus to create bootable flash drive. Should you run in a situation where you don’t have a flash drive because you’ve lost it or it’s gone through a wash cycle with Ariel/Tide pods, head to the local supermarket and purchase one.
3. Check your device manufacturer for your device’s boot key. It could be anything from F2 to F12 or a combination of keys.
4. Booting your instance of Hiren, use a disk management utility to actively kill the C:\ drive where all LOLBins reside.
5. After the job is done, immediately turn off your device and disconnect the drive, as Hiren is rich on LOLBins as well and I doubt they’ve applied default-deny and Zero Trust.
6. Pop the kettle and enjoy a cup of tea. Your LOLBin worries—now solved.
1. You go onto the Hiren Boot CD website, download the image file.
2. Use Rufus to create bootable flash drive. Should you run in a situation where you don’t have a flash drive because you’ve lost it or it’s gone through a wash cycle with Ariel/Tide pods, head to the local supermarket and purchase one.
3. Check your device manufacturer for your device’s boot key. It could be anything from F2 to F12 or a combination of keys.
4. Booting your instance of Hiren, use a disk management utility to actively kill the C:\ drive where all LOLBins reside.
5. After the job is done, immediately turn off your device and disconnect the drive, as Hiren is rich on LOLBins as well and I doubt they’ve applied default-deny and Zero Trust.
6. Pop the kettle and enjoy a cup of tea. Your LOLBin worries—now solved.
I am just getting ready, will present them in due time.I would take both with pleasure if you could present the award in person.
Last edited by a moderator:
F
ForgottenSeer 123960
Thread author
The argument that "User versus Kernel Mode does not matter" is a dangerous oversimplification of the Windows security model. While Software Restriction Policies (SRP) served as a functional stopgap in the past, they are architecturally inferior to modern Kernel-mode enforcement and have been officially deprecated. The claim that these protections are unavailable to Home users is factually incorrect in the context of Windows 11.
While SRP remains a functional tool for basic operational hygiene, the assertion that it offers security parity with Windows Defender Application Control (WDAC) is architecturally incorrect. SRP operates in User Mode (Ring 3), meaning its enforcement logic runs at the same privilege level as a local Administrator or typical malware. This creates a fundamental weakness, an adversary who gains SYSTEM privileges has full control over the HKLM Registry hive where SRP policies are defined. Without an external anchor, such as a UEFI lock, a SYSTEM-level actor can trivially disable SRP by modifying these keys or unloading the enforcement DLLs. Conversely, WDAC operates at the Kernel level (Ring 0). When combined with Signed Policies and UEFI locking, even a threat actor with full SYSTEM access cannot disable the control without a physical reboot and cryptographic authorization. This "Tamper Resistance" is the defining advantage of modern security architecture.
From a compliance and lifecycle perspective, reliance on SRP is increasingly risky. SRP has been officially deprecated since Windows 10 version 1803. For government or high-security environments adhering to standards like NIST 800-53 or 800-171, relying on deprecated, User-Mode legacy code for critical enforcement introduces significant technical debt and long-term risk compared to the kernel-supported standard of WDAC. Modern STIGs (Security Technical Implementation Guides) have already shifted focus toward AppLocker and WDAC precisely because they offer robust protection against the "Admin-to-SYSTEM" escalation paths that render SRP ineffective.
The argument that these protections are a "moot point" for Home users is outdated. While it is true that Home users lack the Group Policy tools to manually configure complex rules, the underlying Kernel-mode protection is now available via Smart App Control (SAC) in Windows 11. SAC is effectively a managed implementation of WDAC that brings "default deny" whitelisting to the Home edition without the management complexity. Coupled with Tamper Protection, which locks security settings at the Kernel level to prevent malware from disabling them, Home users absolutely have access to the superior architecture described above. The distinction between User and Kernel mode matters just as much for a home user banking online as it does for an enterprise, the delivery mechanism has simply evolved.
Last edited by a moderator:
I think that everybody knows the solution to the problem from this thread.
The users' inclination for free and happy events mainly pushes safety into the background.
We have a closed loop. Microsoft pretends that people can be safe, free, and satisfied with Windows.
The users complain a little, but still use Windows Home/Pro instead of using Windows in S mode (much closer to Zero Trust at home).
The users' inclination for free and happy events mainly pushes safety into the background.
We have a closed loop. Microsoft pretends that people can be safe, free, and satisfied with Windows.
The users complain a little, but still use Windows Home/Pro instead of using Windows in S mode (much closer to Zero Trust at home).
Last edited:
F
ForgottenSeer 123960
Thread author
You have accurately described the 'Security vs. Usability' trade-off that plagued earlier versions of Windows, but the conclusion that 'Safety requires S Mode' is outdated.
S Mode failed because it conflated Safety with Source. It didn't just block malware, it blocked legitimate tools like Steam or Adobe simply because they weren't in the Microsoft Store. Users didn't reject the safety, they rejected the lack of utility.
Microsoft's answer to this 'Closed Loop' is Smart App Control (SAC) in Windows 11. Instead of restricting where you get your apps (Freedom), it verifies the reputation of the app itself (Safety). This allows a user to install Win32 apps from the open web (preserving Freedom) while the system blocks unsigned or unknown code (preserving Safety).
Zero Trust is being applied to the OS substrate rather than the user interface. With mandatory TPM 2.0, Virtualization-Based Security (VBS), and Identity protections, the OS is becoming inherently hostile to attackers even on Home editions, without forcing the user back into the restrictions of S Mode.
If Microsoft was to popularise the Store architecture, the store would quickly fill up with all sorts of malicious, fake and inefficient apps, including but not limited to infostealers, fake antivirus and optimisers and so on.
Microsoft and Google use merely static heuristics to scan the manifests and so on.
Apps that are ticking bombs will happily fill up the store and security will once again be compromised.
The only solution for the problem is not to restrict the users and render their systems painful and unusable.
The only solution and path to digital freedom is heavy governmental and developers restriction.
You wanna register a site? No problem, read the chip of your biometric passport and send your proof of address.
You wanna publish an app?
Upload your information and get your free digital signature.
You launched phishing and malware—now pay a heavy fee or minimum €50 k and go scrub the jail floors for 6 months to a year.
Next time you will publish the most useful and innocent code and sites only, and you won’t even think of asking ChatGPT how to read Chrome credentials “for a university assignment”.
I did not say this.
It is true, but this does not falsify my statement. Instead of Steam they can buy PlayStation, or play on TV via streaming services.
Most people do not need to use Adobe products and could use apps from Microsoft Store.
For productivity, you can also buy an Apple computer.
You can say, wait a minute this would be to expensive. Yes, it would if you want to be safer, productive, and stisfied.
So far, it is more an illusion than an answer. Most people do not use it. Furthermore, it is far from Zero Trust idea.
Tell this to all infected users on Windows 11 Home.
F
ForgottenSeer 123960
Thread author
I respect the "Iron Triangle" of Security, Usability, and Cost you are highlighting, particularly regarding the friction of adoption. However, suggesting that users "buy a Mac" or "use a PlayStation" is a platform migration strategy, not a solution for the Windows ecosystem. We have to solve security for the platform that 1.4 billion people actually own and use for work, pointing out the economic barrier to switching ecosystems validates the problem but doesn't engineer a solution for the Windows Home user.I did not say this.
It is true, but this does not falsify my statement. Instead of Steam they can buy PlayStation, or play on TV via streaming services.
Most people do not need to use Adobe products and could use apps from Microsoft Store.
For productivity, you can also buy an Apple computer.
You can say, wait a minute this would be to expensive. Yes, it would if you want to be safer, productive, and stisfied.
So far, it is more an illusion than an answer. Most people do not use it. Furthermore, it is far from Zero Trust idea.
Tell this to all infected users on Windows 11 Home.
Regarding Smart App Control (SAC) being an "illusion," I agree that Microsoft has created a massive statistical barrier by requiring a fresh install for adoption. In that sense, its market presence is an illusion. However, its technical capability is not. For the user who actually enables it, SAC successfully enforces the exact "Zero Trust" binary verification we are discussing, blocking unsigned or low-reputation code at the kernel level without requiring the user to manually curate a whitelist. The technology to close the loop exists natively now; it is the delivery mechanism that is broken.
Regarding the "infected users on Windows 11 Home", this is where we must distinguish between OS Integrity and User Execution. You are absolutely right that a user with TPM 2.0, VBS, and Secure Boot can still socially engineer themselves into an infection. That happens because those features are designed to protect the Operating System from the Malware (preventing bootkits, rootkits, and kernel tampering), not to protect the User from their own choices. The "infected user" exists because the OS layer held the line, but the Application Control layer was absent. This reinforces my point, the future of Windows security isn't just a harder kernel, which we now have, but an intelligent gatekeeper (like SAC) that saves the user from that final "Yes" click.
It is true because so far, the users' security is not a priority for Microsoft. Microsoft is a money-making corporation.
It gives people what they want and only cares that they do not complain too much. Of course, Microsoft must follow some standards due to the competition among companies, which is beneficial for the users.
You may be right. However, the cyber-criminal industry is so well developed that even such solutions may be insufficient.
It seems that the only working solution is applying much more security layers above average. This almost always ends with more inconveniency above average.
We already did it. However, most people do not accept it.
Yes, it can be half Zero Trust.
It is well developed now because Euro-parliament leftists push for anonymity and “freedom” on the web.
They don’t realise that the only way to freedom is discipline. Otherwise my freedom starts to interfere with your freedom and at the end, no one is free.
Until everyone is allowed to be whoever they want to be on web stores, on the web, on dating apps and so on (dating apps now require copies of ID and verification as well), all these problems will exist.
They are too much to handle for default-allow and default-deny is merely a patch (like fixing your broken electrical outlet with chewing gum to the wall). It is a whack-a-mole solving one bunch of problems to introduce another bunch.
Many of the Windows restrictions (not all) have powerful user mode APIs anyone can invoke through an inferior .net or c++ project, and most of the restrictions implemented by the admin can be undone by another admin in the cases where the device is not managed (which home user machines always are).
Once the user clicks on the UAC prompt, many restrictions are gone.
There is a handful of third-party projects that solve the issue, some of them are not even available for a home user.
So bottom line conclusion is that my wife is relatively safe (100% can't be achieved) on her Windows 11 laptop running as standard user with SAC enabled plus SRP blocking scripts and LoLbins for standard users accomplished by Defender running in zero tolerance (max) mode?
SIde note where is @Bot when we need him?
SIde note where is @Bot when we need him?
Last edited:
Most of the people are safe.
We just have this saying in the development community which not sure, you may have heard, you can’t protect the admin from themselves.
We are here to block unauthorised access, not authorised bad decisions.
F
ForgottenSeer 123960
Thread author
You hit the nail on the head with the statement, "most people do not accept it." In security engineering (specifically Saltzer & Schroeder’s principles), this is the principle of Psychological Acceptability. You are absolutely right that strict "Default Deny" has technically solved the problem for years, but if the user experience is too abrasive, the user rejects the solution. A security control that users disable because it's annoying is, in practice, a failed control.We already did it. However, most people do not accept it.
Yes, it can be half Zero Trust.
This is precisely why I argue that Smart App Control (SAC) is the necessary evolution for the general public. It attempts to bridge that "Acceptance Gap." By offloading the verification decision to Microsoft's cloud intelligence rather than forcing the user to be the admin/judge for every execution, it maintains the "Default Deny" posture without the friction that causes users to "not accept it." It solves the psychological problem, not just the kernel problem.
As for it being "half Zero Trust", I will take that "half" every day of the week.
You are correct that it isn't pure Zero Trust (which would require explicit local verification of everything), but rather Reputation-Based Trust. However, for a home user, moving from "Trust Everything by Default" to "Trust only what is Known and Signed" is a monumental leap in resilience. "Half Zero Trust" effectively neutralizes 99% of the commodity malware landscape, which is a victory in itself.
She uses an outlook email only for her Windows laptop (so Microsoft I guess).
- Status
You may also like...
-
Microsoft Tells Business to Uninstall Copilot, Remap the Copilot Key- Started by Gandalf_The_Grey
- Replies: 4
-
If you wanted total visibility over high-risk individuals, you’d build a mobile virtual network operator called Cape- Started by oldschool
- Replies: 24
-
SNew Microsoft guidance for the DoD Zero Trust Strategy
- Started by Steve Faehl
- Replies: 1
-
Data Collection Core Principles (Security Software)- Started by Trident
- Replies: 7
-
Deep Research: McAfee GTI, JTI, Artemis and Other Technologies Explained
- Started by Trident
- Replies: 2