Advice Request: Anyone using AppLocker on Windows?


Windows_Security (thread author, joined Mar 13, 2016)
On my desktop I am running Windows 7 Enterprise. The desktop just came with this OS. I had Vista Business before, so I kept using SRP for seven years. Since I am on MalwareTips I decided to use AppLocker. SRP gives less hassle when installing stuff, but AppLocker is more granular, since it allows rules per user and has better signature rules than SRP (with exceptions).

I run Firefox under a limited account (Safe_surfer) and made Safe_surfer a member of the Guests group as well. The benefit of this is that I can set Access Control Lists on NTFS volumes/folders/files for Guests without impacting other users. Simply set a deny execute and create/write/delete ACL for Guests on your Documents/Pictures/Music/Video folders/libraries and protect all your valuable data by putting that user in an ACL sandbox. Since your normal admin account runs with normal (limited) user or elevated (admin) rights, adding an extra restriction for Guests does not interfere with your other users.

But back to AppLocker. AppLocker can be used to make it difficult for other processes to steal the credentials of that process. For instance, for my Mozilla Firefox folder I have added some AppLocker rules to add some thresholds and obstacles for malware and exploits.

1. Add a DENY path rule for C:\Program Files\Mozilla\* with an exception for the signature of Mozilla Corporation.
(this deny rule allows only Mozilla-signed programs in the Firefox installation folder)

2. Add a DENY path rule for *\firefox.exe (program name with wildcard) with an exception for the signature of Mozilla.
(this deny rule allows only a correctly signed Firefox to be executed, so it makes process hijacking/hollowing more difficult). Funny thing is I can run Firefox as another user (with the shortcut: C:\Windows\System32\runas.exe /user:Secure_Surfer /savecred "C:\Program Files\Mozilla Firefox\firefox.exe"), but can't even log in to the Secure_surfer user anymore :)

With some imagination, e.g. set a deny-all (path *) rule for Secure_Surfer (the user which runs Firefox) with an exception rule for Mozilla-signed, this sort of puts Firefox in an isolated container (sandbox) having no access to all the built-in Microsoft scripters (the Achilles heel of any home user setup) like PowerShell, wscript, cmd etc. (in Home versions all of this stuff should be disabled IMO, since there is little to no use for these shells and scripters for the average user). Mozilla still updates fine because the main user (Admin/Limited) runs the Firefox maintenance service (and Secure_Surfer is allowed to start Mozilla processes only).

Anyone else using AppLocker and having tips on using odd combos (e.g. a deny with an exception = allow only when ...)?

N.B. I also made an account for ad hoc (SyncBack Free) backups to an old 2.5" laptop disk which I use for quick backups of my documents. I did not even bother to put the old laptop HD in brackets in a bay, I just stuck it with some duct tape in my desktop :) . I made Backup_user a member of the Power Users and only gave full ACL access rights to Power Users for that quick backup disk. This way ransomware (often going for admin/system rights) can't touch that quick backup (neither can normal users or guests). Simply running SyncBack Free as another user (Backup_user) keeps my data safe during the day.

Regards Kees
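
The three "deny with a publisher exception" rules from the post above, as an added example written for this page (it is not the author's own script or anything shipped by Microsoft or Mozilla). It builds the rules as AppLocker policy XML and applies them with the AppLocker cmdlets. Assumptions: Firefox is installed under %PROGRAMFILES%\Mozilla Firefox (the post writes C:\Program Files\Mozilla\*), a local account named Secure_Surfer exists, and the machine runs an AppLocker-capable edition (Windows 7 Enterprise/Ultimate or later). Run it from an elevated PowerShell.

```powershell
# Added example, not from the post. Builds the three deny-with-publisher-exception
# rules as AppLocker XML and applies them. Assumed: Firefox path, account name
# Secure_Surfer, elevated prompt on an AppLocker-capable Windows edition.
Import-Module AppLocker

$fx = "$env:ProgramFiles\Mozilla Firefox\firefox.exe"   # assumed install path

# The publisher string has to match the Authenticode signer exactly, so read it
# from a real signed binary instead of typing it by hand.
$pub = (Get-AppLockerFileInformation -Path $fx).Publisher.PublisherName
if (-not $pub) { throw "No Authenticode publisher found on $fx" }
$pub = [System.Security.SecurityElement]::Escape($pub)   # safe inside an XML attribute

# AppLocker rules are keyed by SID, not by account name.
$sid = (New-Object Security.Principal.NTAccount('Secure_Surfer')).Translate(
           [Security.Principal.SecurityIdentifier]).Value
$everyone = 'S-1-1-0'; $admins = 'S-1-5-32-544'

# A Deny rule whose <Exceptions> carry a publisher condition reads as
# "deny everything matching this path, except binaries signed by this publisher".
# The exception only lifts the deny; an Allow rule still has to cover the file.
function Deny-ExceptPublisher([string]$Name, [string]$Path, [string]$ForSid) {
@"
    <FilePathRule Id="$([guid]::NewGuid())" Name="$Name" Description="" UserOrGroupSid="$ForSid" Action="Deny">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
      <Exceptions>
        <FilePublisherCondition PublisherName="$pub" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Exceptions>
    </FilePathRule>
"@
}

function Allow-Path([string]$Name, [string]$Path, [string]$ForSid) {
@"
    <FilePathRule Id="$([guid]::NewGuid())" Name="$Name" Description="" UserOrGroupSid="$ForSid" Action="Allow">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>
"@
}

# Once the Exe collection is enforced, anything without an Allow rule is blocked,
# so the three stock default Allow rules go in first.
$policy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
$(Allow-Path 'Default: Program Files' '%PROGRAMFILES%\*' $everyone)
$(Allow-Path 'Default: Windows' '%WINDIR%\*' $everyone)
$(Allow-Path 'Default: Administrators' '*' $admins)
$(Deny-ExceptPublisher 'Rule 1: only Mozilla-signed code in the Firefox folder' '%PROGRAMFILES%\Mozilla Firefox\*' $everyone)
$(Deny-ExceptPublisher 'Rule 2: firefox.exe must carry the Mozilla signature' '*\firefox.exe' $everyone)
$(Deny-ExceptPublisher 'Rule 3: Secure_Surfer runs Mozilla-signed code only' '*' $sid)
  </RuleCollection>
</AppLockerPolicy>
"@

$xml = Join-Path $env:TEMP 'firefox-applocker.xml'
Set-Content -Path $xml -Value $policy -Encoding UTF8

# Dry run before enforcing: what would the policy decide for Secure_Surfer?
Test-AppLockerPolicy -XmlPolicy $xml -User Secure_Surfer -Path $fx, "$env:WINDIR\System32\cmd.exe" |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Nothing is enforced unless the Application Identity service is running.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# -Merge adds these rules to the existing local policy instead of replacing it.
Set-AppLockerPolicy -XmlPolicy $xml -Merge
```

Two things worth knowing before running it on a real machine. Deny rules win over Allow rules in AppLocker, and an exception on a Deny rule only removes the file from that deny; the firefox.exe in Program Files still runs only because the default "Everyone: %PROGRAMFILES%\*" Allow rule covers it. And the Test-AppLockerPolicy dry run is the check to do before Set-AppLockerPolicy, because Rule 3 as written leaves Secure_Surfer with nothing but Mozilla-signed binaries, which is exactly the "can't even log in as that user anymore" effect the post describes.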
 
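The Guests ACL sandbox and the Power Users backup disk from the post, as an added example for this page (not the author's script). It uses only the built-in net and icacls tools. Assumed names: Safe_surfer as the browser account (put into Guests), Backup_user (put into Power Users), D:\ as the spare "quick backup" disk, and the SyncBack Free install path. Run it elevated.

```powershell
# Added example, not from the post. Assumed: account names Safe_surfer and
# Backup_user, D:\ as the backup disk, SyncBack Free default install path.

# Well-known SIDs, so the script does not depend on localized group names.
$guests     = '*S-1-5-32-546'   # BUILTIN\Guests
$powerUsers = '*S-1-5-32-547'   # BUILTIN\Power Users
$system     = '*S-1-5-18'       # NT AUTHORITY\SYSTEM

net localgroup Guests Safe_surfer /add
net localgroup "Power Users" Backup_user /add

# 1. ACL sandbox around the data folders: Guests may not execute (X), create files
#    (WD) or folders (AD), write attributes (WA) or delete (DE, DC). (OI)(CI) makes
#    the ACE inherit to every file and subfolder; a Deny ACE beats any Allow the
#    guest account inherits from Users or Everyone.
$dataFolders = 'Documents','Pictures','Music','Videos' | ForEach-Object { Join-Path $env:USERPROFILE $_ }
foreach ($folder in $dataFolders) {
    if (Test-Path $folder) {
        icacls $folder /deny "${guests}:(OI)(CI)(X,WD,AD,WA,DE,DC)"
    }
}

# 2. The quick-backup disk: stop inheriting, drop the stock grants for Users,
#    Authenticated Users, Everyone, CREATOR OWNER and Administrators, then give
#    Power Users (and SYSTEM, so the volume stays serviceable) full control.
$backupDisk = 'D:\'
icacls $backupDisk /inheritance:r
icacls $backupDisk /remove:g '*S-1-5-32-545' '*S-1-5-11' '*S-1-1-0' '*S-1-3-0' '*S-1-5-32-544'
icacls $backupDisk /grant "${powerUsers}:(OI)(CI)F" "${system}:(OI)(CI)F"

# Show the resulting entries so the change can be eyeballed.
foreach ($path in $dataFolders + $backupDisk) {
    if (Test-Path $path) {
        Write-Host "== $path"
        (Get-Acl $path).Access | Format-Table IdentityReference, AccessControlType, FileSystemRights -AutoSize
    }
}

# 3. Run the backup tool as Backup_user. /savecred stores the password in
#    Credential Manager (cmdkey /list shows it); afterwards any process running
#    as the launching user can reuse it without a prompt, which is the trade-off
#    for the one-click shortcut.
runas /user:Backup_user /savecred "$env:ProgramFiles\2BrightSparks\SyncBackFree\SyncBackFree.exe"
```

Caveat a practitioner should keep in mind: removing the Administrators grant from the backup volume raises the bar for ransomware running in the interactive session, but an elevated process can still take ownership of the volume and rewrite the DACL, so this is a speed bump rather than a boundary. The Deny entries on the data folders, on the other hand, do exactly what the post says for anything running as Safe_surfer, because that token carries the Guests SID and Deny ACEs are evaluated first.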

509322

Don't have it as I'm on W10 Home, but I enjoy reading your posts for your creativity with native Windows processes. I learn a little bit here and there even though most of the specifics re: processes are over my head. (y)

Read his posts carefully because they're more accurate and useful than any of Microsoft's documentation. People do not understand how many hours of researching and tinkering are behind his posts.
 

oldschool (joined Mar 29, 2018)
Read his posts carefully because they're more accurate and useful than any of Microsoft's documentation. People do not understand how many hours of researching and tinkering are behind his posts.

Yes, I follow these types of technical discussions and keep plugging away at them as it's the only way I know to learn anything about Windows. I still go to any MS references mentioned and I see this is true. (y)
 
Deleted Member 3a5v73x

I also have AppLocker on my Edu, but it would take days to set it up, and since my job isn't computer related nor do I have 10 hours each day to look at and learn from Microsoft's documentation, I instead use Andy's Hard_Configurator, which I find very easy. :love:

I think Microsoft is keeping most home people stupid and easily controllable; it's easier for Microsoft, and if they ever make an easy "on/off" default-deny, which they probably can, AV vendors will have problems staying relevant. I think it's all planned out to keep the cash rolling, because rats are connected.
 

RejZoR (joined Nov 26, 2016)
It's clumsy as hell. I used to use Secure Folders app, but it's now gone and since it hasn't been updated for ages, it's a bit buggy.

I've used it to reinforce the Firefox install folder as well as the profile in the Users folder, because those actually store cookies, bookmarks and even passwords. Allowing only firefox.exe to access profile files can do wonders. Unfortunately this Windows tool is clumsy and hard to understand, unlike Secure Folders which was super easy to use. It's a shame, because it was a super powerful tool in the right hands and you could really increase security dramatically.
 

shmu26 (joined Jul 3, 2015)
If I want to play with AppLocker etc., what's the best upgrade from Win Pro? Should I take Enterprise, or Education, or what?
Assuming I can find a decent-priced upgrade on eBay...
 

Windows_Security (thread author)
Do you find using SRP difficult?

Well No and Yes.

No, it is easy to use. I still use SRP on Windows 10 Home on my wife's laptop and my Asus Transformer which I use for travel.

Yes, it still needs tinkering. Those two I run with SRP using Basic User as the default level (applying rules except for Admin). With right-click "Run as Admin" you can easily install/update programs into UAC-protected folders. To install an MSI you need to manually add the Symantec registry tweak to add a right-click menu option "Run MSI as admin".

Additional tinkering: adding more file formats to SRP's protection via a registry hack. Setting ACL deny execute and create on the startup folder holes and HKCU Run registry keys. Using SysHardener and ConfigureDefender for additional hardening (especially scripters and Office). Disabling PowerShell with Exploit Protection (just enable all the stuff and it won't run anymore). And finally denying unsigned programs the ability to elevate with a registry tweak.

I sometimes have to laugh at your rants about Microsoft, but the above tweaking shows that Microsoft puts a lot of enterprise/corporate stuff into a consumer OS version without providing easy options to disable it.

It would have made more sense to disable this stuff on Windows Home versions and enable it on Pro/Enterprise versions, because these business-user-targeted OSes at least have Group Policy to control most of it (don't know why they don't provide an option to disable PowerShell by GPO, hence the ironic "most").
 
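The SRP setup described in the post above (Basic User as default level, administrators exempt, more file types covered, the "Run MSI as admin" menu entry, the "only signed code may elevate" tweak and the Deny ACEs on the autostart holes), as one added example written for this page rather than the author's own script. It writes the Safer policy straight to the registry, which is how it also lands on Home editions that have no gpedit. Assumptions: an elevated prompt; the extension list, the Unrestricted paths and the exact autostart locations are this example's choices, not the author's list; log off and on again afterwards so every new process sees the policy.

```powershell
# Added example, not from the post. Assumed: elevated prompt; the extension list,
# path rules and autostart locations are this example's choices.

$safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$BasicUser = 0x20000; $Unrestricted = 0x40000   # SRP levels (Disallowed would be 0)
New-Item -Path $safer -Force | Out-Null

# DefaultLevel: what runs when no rule matches. PolicyScope 1 = skip local admins.
# TransparentEnabled 2 = check DLLs as well (1 = executables only, the GUI default).
# AuthenticodeEnabled 0 = no certificate-rule checks on every launch.
Set-ItemProperty $safer -Name DefaultLevel        -Value $BasicUser -Type DWord
Set-ItemProperty $safer -Name PolicyScope         -Value 1          -Type DWord
Set-ItemProperty $safer -Name TransparentEnabled  -Value 2          -Type DWord
Set-ItemProperty $safer -Name AuthenticodeEnabled -Value 0          -Type DWord

# "Adding more file formats": SRP only evaluates files whose extension is listed here.
$types = @('ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF',
           'INS','ISP','JS','JSE','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD',
           'PIF','PS1','PSM1','REG','SCR','SCT','SHS','URL','VB','VBE','VBS','WSC','WSF','WSH')
Set-ItemProperty $safer -Name ExecutableTypes -Value $types -Type MultiString

# Path rules live under CodeIdentifiers\<level>\Paths\{guid}; ItemData is REG_EXPAND_SZ.
function Add-SaferPathRule([int]$Level, [string]$Path, [string]$Description) {
    $key = "$safer\$Level\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty $key -Name ItemData     -Value $Path        -Type ExpandString
    Set-ItemProperty $key -Name SaferFlags   -Value 0            -Type DWord
    Set-ItemProperty $key -Name Description  -Value $Description -Type String
    Set-ItemProperty $key -Name LastModified -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -Type QWord
}
# The stock Unrestricted rules: the OS and installed programs keep running normally.
Add-SaferPathRule $Unrestricted '%SystemRoot%'        'Windows'
Add-SaferPathRule $Unrestricted '%ProgramFiles%'      'Program Files'
Add-SaferPathRule $Unrestricted '%ProgramFiles(x86)%' 'Program Files (x86)'

# "Run MSI as admin" context-menu entry: Explorer elevates a shell verb named runas.
$msiRunAs = 'Registry::HKEY_CLASSES_ROOT\Msi.Package\shell\runas'
New-Item -Path "$msiRunAs\command" -Force | Out-Null
Set-ItemProperty $msiRunAs           -Name '(default)' -Value 'Install as &administrator'
Set-ItemProperty "$msiRunAs\command" -Name '(default)' -Value 'msiexec /i "%1"'

# Only Authenticode-signed executables may elevate through UAC.
$uacPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-ItemProperty $uacPolicy -Name ValidateAdminCodeSignatures -Value 1 -Type DWord

# Autostart holes a Basic User process could still write to: this account's own
# Startup folder and HKCU\...\Run. A Deny ACE the account owner can remove again,
# so treat it as a speed bump for drive-by persistence, not a security boundary.
$me = "$env:USERDOMAIN\$env:USERNAME"
$startup = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'
icacls $startup /deny "${me}:(OI)(CI)(X,WD,AD)"
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$acl = Get-Acl $runKey
$acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule($me, 'SetValue,CreateSubKey', 'Deny')))
Set-Acl -Path $runKey -AclObject $acl

# Read back the effective SRP settings.
Get-ItemProperty $safer | Format-List DefaultLevel, PolicyScope, TransparentEnabled, ExecutableTypes
```

Keep the Unrestricted path rules in place before switching DefaultLevel away from Unrestricted, otherwise the first logon after the change runs the shell itself as Basic User. The PolicyScope = 1 setting is what the post calls "applying rules except for Admin": a process holding the Administrators SID in its token (i.e. an elevated one) is not evaluated, which is also why right-click "Run as administrator" is enough to install into UAC-protected folders under this policy.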

509322

I sometimes have to laugh at your rants about Microsoft, but the above tweaking shows that Microsoft puts a lot of enterprise/corporate stuff into a consumer OS version without providing easy options to disable it.

The reason for my rants is quite simple. The people who need increased Windows security the most don't get it because Microsoft makes Windows overly complicated. For one, it deliberately holds back detailed documentation. It is done by intent. Secondly, all the hidden stuff, all the poorly designed interfaces, etc. - it is such that almost no one uses them. And that's a shame.

Windows is meant for use at the high-end enterprise with IT Pros on staff which equals about 10 % of its user base, but then packaged as an afterthought for the user group that makes up 90 % of its user base = home users. Now what kind of sense does that make from a usability and security perspective ?

I agree with your focus on native Windows security, but what I don't agree with is how difficult Microsoft makes it for the masses. When I take a close look at Windows, I sometimes think it is designed for 1970s astronauts who sit in the capsule and have hundreds of uber-geeks backing them up, otherwise they wouldn't know which buttons to push.

It would have made more sense to disable this stuff on Windows Home versions and enable it on Pro/Enterprise versions, because these business-user-targeted OSes at least have Group Policy to control most of it (don't know why they don't provide an option to disable PowerShell by GPO, hence the ironic "most").

It is because Microsoft wants Windows to be PowerShell-centric. It is by intent and, as we all know, a very unwise decision. However, Microsoft is going to continue to push PowerShell hard - despite it being a menace. It is a discussion that could easily take hundreds of pages.

Windows is shipped in a default-allow configuration meant for IT Pros. Which makes absolutely no sense.
 