Do you use security reg tweaks?


Andy Ful


This is a self-help guide. Use at your own risk.
There are many security reg tweaks to harden Windows OS, but does anyone use them?

Tweaks details:

Only elevate executables that are signed and validated:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ValidateAdminCodeSignatures"=dword:00000001

Disable command prompt:
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"DisableCMD"=dword:00000001

Disable Windows Script Host:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings]
"Enabled"=dword:00000000

Disable PowerShell script execution:
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell]
"EnableScripts"=dword:00000000

Prevent programs from loading untrusted fonts (only Windows 10):
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions]
"MitigationOptions_FontBocking"="1000000000000"

Disable remote assistance:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
"fAllowUnsolicited"=dword:00000000
"fAllowToGetHelp"=dword:00000000
"fDenyTSConnections"=dword:00000001

Disable execution from Removable Disks:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
"Deny_Execute"=dword:00000001

Enable Windows Defender PUP protection (Windows 8+)
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine]
"MpEnablePus"=dword:00000001
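An added example, not part of Andy Ful's post: a PowerShell script that reports which of the tweaks listed above are already set on this machine and, only when run with -Apply, exports each affected key with reg.exe before changing it, so every change can be reverted with `reg import`. It assumes an elevated PowerShell session; the backup directory is a placeholder.

```powershell
# Added example (not from the original post): audit the listed tweaks and, only with
# -Apply, back up each key with reg.exe export before writing the hardened value.
param([switch]$Apply, [string]$BackupDir = "$env:USERPROFILE\reg-backup")  # placeholder dir

# Desired hardened values, copied from the list above.
$Tweaks = @(
  @{ Key='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name='ValidateAdminCodeSignatures'; Value=1; Type='DWord' },
  @{ Key='HKCU:\Software\Policies\Microsoft\Windows\System'; Name='DisableCMD'; Value=1; Type='DWord' },
  @{ Key='HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'; Name='Enabled'; Value=0; Type='DWord' },
  @{ Key='HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'; Name='EnableScripts'; Value=0; Type='DWord' },
  @{ Key='HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions'; Name='MitigationOptions_FontBocking'; Value='1000000000000'; Type='String' },
  @{ Key='HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'; Name='fAllowUnsolicited'; Value=0; Type='DWord' },
  @{ Key='HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'; Name='fAllowToGetHelp'; Value=0; Type='DWord' },
  @{ Key='HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'; Name='fDenyTSConnections'; Value=1; Type='DWord' },
  @{ Key='HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'; Name='Deny_Execute'; Value=1; Type='DWord' },
  @{ Key='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine'; Name='MpEnablePus'; Value=1; Type='DWord' }
)

foreach ($t in $Tweaks) {
  $current = $null
  if (Test-Path $t.Key) {
    $current = (Get-ItemProperty -Path $t.Key -Name $t.Name -ErrorAction SilentlyContinue).($t.Name)
  }
  # 'not set' means the policy value is absent, i.e. Windows default behaviour applies.
  $state = if ($null -eq $current) { 'not set' }
           elseif ("$current" -eq "$($t.Value)") { 'hardened' }
           else { "current=$current" }
  Write-Host ("{0,-12} {1}\{2}" -f $state, $t.Key, $t.Name)

  if ($Apply -and $state -ne 'hardened') {
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    # reg.exe wants HKLM\... rather than the provider form HKLM:\...
    $regPath = $t.Key -replace '^HKLM:\\', 'HKLM\' -replace '^HKCU:\\', 'HKCU\'
    $file = Join-Path $BackupDir ((($t.Key + '_' + $t.Name) -replace '[^\w]', '_') + '.reg')
    # Export the whole key first so the change can be undone with: reg import <file>
    if (Test-Path $t.Key) { reg.exe export $regPath $file /y | Out-Null }
    New-Item -Path $t.Key -Force | Out-Null
    New-ItemProperty -Path $t.Key -Name $t.Name -Value $t.Value -PropertyType $t.Type -Force | Out-Null
    Write-Host "  applied; backup: $file"
  }
}
```

Note that once EnableScripts=0 is applied, the PowerShell policy blocks running this script again, and DisableCMD blocks cmd.exe, so keep the exported .reg files where an administrator can merge them from Registry Editor (regedit) to revert.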
 

Wave

Not a security reg tweak like the ones mentioned already; however, you can double-check AppInit_DLLs, which can be abused by malicious software, just don't touch it unless you know what you're doing. If you add an x86 DLL to the list then it'll be injected into any x86 programs started up which import User32.dll, and the same applies for x64 DLLs with x64 processes.

User32.dll is a Windows DLL (system), it includes functions such as MessageBoxA/W; Win32 GUI programs will use this DLL. When the DLL is loaded into the program it will cause the AppInit_DLLs to take effect. Therefore, if a program does not import User32.dll, then the injection for that specific program will never actually occur.

You can find the AppInit_DLLs key on x86 systems or for an x64 DLL on a x64 system at:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

You can find the AppInit_DLLs key on x64 systems for an x86 DLL at:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

At this registry key you will be interested in: LoadAppInit_DLLs; AppInit_DLLs; and RequireSignedAppInit_DLLs. You can read more information here: AppInit_DLLs in Windows 7 and Windows Server 2008 R2 (Windows)

This method used to be quite popularly abused by malicious software however based on my own malware analysis I have seen a decrease in the abuse of this feature; most likely because malware is evolving and performing the injection manually more common than not these days (e.g. manual mapping injection into the target processes as opposed to relying on these features to inject their DLLs).

In terms of malicious software, since it's more common than not to find unsigned malware (code signing), the malware author may need to tamper with the RequireSignedAppInit_DLLs key (change the DWORD value to 0x0, but 0 will be fine also); this allows them to abuse the feature to have unsigned DLLs injected into the running programs when they are started.

If you understand how it works and have the time and patience to do research on DLLs which are auto-injected using this feature then you should be good to go; if you do not understand what you are doing and do not have experience with this sort of stuff, stay away from the key and don't attempt to handle it yourself, you will more often than not just mess something up and screw yourself over - if you do decide to make tweaks, make sure to back up your registry beforehand.

Hope this helped. ;)
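An added example, not part of Wave's post: a read-only PowerShell audit of the AppInit_DLLs mechanism described above. It reads LoadAppInit_DLLs, AppInit_DLLs and RequireSignedAppInit_DLLs from both the native key and the Wow6432Node key, warns when injection is active or unsigned DLLs are permitted, and checks the Authenticode signature of every listed DLL. Resolving a bare DLL name against System32 or SysWOW64 is an assumption for display purposes.

```powershell
# Added example (not from the original post): read-only audit of the AppInit_DLLs
# keys for native and WOW64 processes. Changes nothing.
$Keys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
  'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

foreach ($key in $Keys) {
  if (-not (Test-Path $key)) { continue }
  $p    = Get-ItemProperty -Path $key
  $load = $p.LoadAppInit_DLLs            # 1 = injection enabled
  $req  = $p.RequireSignedAppInit_DLLs   # 1 = only signed DLLs are injected
  $dlls = "$($p.AppInit_DLLs)"           # space- or comma-separated list, normally empty
  # Assumption: a DLL listed without a path lives in the system directory matching the key
  # (SysWOW64 for the Wow6432Node key, which applies to 32-bit processes).
  $sysDir = if ($key -like '*Wow6432Node*') { "$env:SystemRoot\SysWOW64" } else { "$env:SystemRoot\System32" }

  Write-Host $key
  Write-Host "  LoadAppInit_DLLs=$load  RequireSignedAppInit_DLLs=$req  AppInit_DLLs='$dlls'"
  if ($load -eq 1 -and $dlls.Trim() -ne '') {
    Write-Warning "AppInit injection is active under $key"
  }
  if ($req -eq 0) {
    Write-Warning "RequireSignedAppInit_DLLs=0 under $key: unsigned DLLs would be injected"
  }

  # For every listed DLL, confirm it exists and report its Authenticode signature status.
  foreach ($entry in ($dlls -split '[ ,]+' | Where-Object { $_ -ne '' })) {
    $path = if ([IO.Path]::IsPathRooted($entry)) { $entry } else { Join-Path $sysDir $entry }
    if (-not (Test-Path $path)) { Write-Warning "  listed DLL not found: $entry"; continue }
    $sig    = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    Write-Host ("  {0}  signature={1}  signer={2}" -f $path, $sig.Status, $signer)
  }
}
```

On Windows 8 and later with Secure Boot enabled, the AppInit_DLLs infrastructure is disabled regardless of these values, so a populated list there is still worth investigating but will not be loaded.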
 

Wave

Wait, so does this Windows Defender PUP also apply for Windows 10? Could someone share with me the regfile that can do this for me? I'm scared that I will mess the registry up.
Make a backup of your registry in case you make a mistake and need to revert back to before you made the manual tweaks; then attempt to follow this guide, it's very simple to follow, I doubt you will go wrong if you pay close attention and focus: How to Make Windows Defender Scan for Potentially Unwanted Programs

If you do happen to make a mistake, then simply revert back using the registry backup and try again. Practice makes perfect. ;)
 

Evjl's Rain

Disable Windows Script Host:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings]
"Enabled"=dword:00000000

Disable remote assistance:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
"fAllowUnsolicited"=dword:00000000
"fAllowToGetHelp"=dword:00000000
"fDenyTSConnections"=dword:00000001

Enable Windows Defender PUP protection (Windows 8+)
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine]
"MpEnablePus"=dword:00000001
These are worth using, especially the first one: it can prevent a lot of ransomware types, terminates wscript.exe and disables autorun.
The rest I doubt; they may break some functions of Windows.
 

Wave

The problem with some of the tweaks suggested in the original post is that there is much genuine software that utilises the command prompt and similar things built into Windows; instead of just completely blocking it, we can pay attention and apply good safety rules when using a computer to stay secure against the latest threats (or old ones) - a much better approach in my opinion, and far more effective.

We don't need to be paranoid on disabling features within Windows, we need to be paranoid on what websites we visit without knowing they are trusted prior to visiting, we need to be paranoid on what e-mails we receive to prevent falling for attacks such as spear phishing, we need to be paranoid on what programs we download and allow to run without making sure they are trusted and doing our research first.

If we pay attention, focus and do our research then tomorrow will be better for us. We need to stop living in a false sense of security and face the truth of how things are. Disabling some Windows features may protect you from some specific threats; tomorrow there will be new and evolved malware which will still infect you nonetheless. Making all these system tweaks is just a waste of your time, it's time people address the real problems and address what we need to start doing, as opposed to finding place-holders.
 

_CyberGhosT_

Wait, so does this Windows Defender PUP also apply for Windows 10? Could someone share with me the regfile that can do this for me? I'm scared that I will mess the registry up.
I have a vast library of Regtweaks on a thumb, I don't share them because of the dangers. I used to share them, but
too many don't apply them properly then expect you to fix their PC. I stopped sharing them pretty quickly.
They are not hard to find though, good luck brother.
 

Andy Ful

The problem with some of the tweaks suggested in the original post is that there is much genuine software that utilises the command prompt and similar things built into Windows; instead of just completely blocking it, we can pay attention and apply good safety rules when using a computer to stay secure against the latest threats (or old ones) - a much better approach in my opinion, and far more effective.

We don't need to be paranoid on disabling features within Windows, we need to be paranoid on what websites we visit without knowing they are trusted prior to visiting, we need to be paranoid on what e-mails we receive to prevent falling for attacks such as spear phishing, we need to be paranoid on what programs we download and allow to run without making sure they are trusted and doing our research first.

If we pay attention, focus and do our research then tomorrow will be better for us. We need to stop living in a false sense of security and face the truth of how things are. Disabling some Windows features may protect you from some specific threats; tomorrow there will be new and evolved malware which will still infect you nonetheless. Making all these system tweaks is just a waste of your time, it's time people address the real problems and address what we need to start doing, as opposed to finding place-holders.
Yes, you are right. But sadly, many inexperienced users do not want to learn good safety rules.
The average user may have issues with those reg tweaks:
1. Only elevate executables that are signed and validated (UAC)
2. Disable command prompt.

There are many programs & games that are not digitally signed, so they will not install with the first reg tweak.
I also noticed problems with loading the igfx tray module (Intel HD Graphics) and deleting the sandbox (Sandboxie) when the command prompt is disabled.
There are also a few programs that rely on Windows Script Host.
Last year, I adopted all the above reg tweaks on 4 computers belonging to my family and my friend (Windows 10 Home). They do not install many new programs, and mostly use Windows Store Apps and some not digitally signed software (no elevation after install). All mentioned computers work well without any system issues.
I think that with Windows 8+, many users can adjust installed software to this restricted configuration, but with the help of an experienced user. This is pretty good security for free, if someone can live with it.
 

Andy Ful

I have a vast library of Regtweaks on a thumb, I don't share them because of the dangers. I used to share them, but
too many don't apply them properly then expect you to fix their PC. I stopped sharing them pretty quickly.
They are not hard to find though, good luck brother.
That is the problem. I am thinking seriously of some GUI utility to safely adopt the reg tweaks.
 

Wave

@Andy Ful I think that in schools, instead of the students being educated on how to use Microsoft Office products (which they most likely can already use very well) and the similar, they should crack down on educating people more about cyber-security and how they can keep themselves safe when using a computer altogether - at least educate them on some basic good security practices, such as making sure to use an ad-blocker to reduce the chances of them being a victim of malvertising, validating digital signatures, scanning new downloads on services like VirusTotal (you'd be surprised - many people won't even know of these services or know how to use them/understand the results), working with sandboxing/virtualisation and reverting with snapshots, etc.

As an addition to this, I think that workplace companies should start requiring their employees (who have access to the systems) to take a custom cyber security/computing education course within the company itself which will be more advanced and focused on making the employees' general knowledge of cyber-security much tougher, but also focusing on other topics such as social engineering.

I remember when I was still at school last year finishing my GCSEs and in computer science we were forced to study a bunch of rubbish; instead of wasting time and testing us on things which don't matter that much, they could have started educating people on important topics such as cyber-security. Since if you get a job at a company and do not know what you are doing, all it takes is the attacker to send one e-mail and if the user opens this e-mail he/she then becomes vulnerable to the social engineering and can potentially end up compromising the systems by handling one of the e-mail attachments (just added this part as a base example). Whereas, if they were trained properly and were stronger in cyber-security, they may have either not opened the e-mail at all (or deleted it), or opened it and then reported it for spam/untrusted purposes and left the attachments alone, not resulting in the systems becoming compromised.

Sorry for going a bit off-topic.
 

Andy Ful

@Andy Ful I think that in schools, instead of the students being educated on how to use Microsoft Office products (which they most likely can already use very well) and the similar, they should crack down on educating people more about cyber-security and how they can keep themselves safe when using a computer altogether - at least educate them on some basic good security practices, such as making sure to use an ad-blocker to reduce the chances of them being a victim of malvertising, validating digital signatures, scanning new downloads on services like VirusTotal (you'd be surprised - many people won't even know of these services or know how to use them/understand the results), working with sandboxing/virtualisation and reverting with snapshots, etc.

As an addition to this, I think that workplace companies should start requiring their employees (who have access to the systems) to take a custom cyber security/computing education course within the company itself which will be more advanced and focused on making the employees' general knowledge of cyber-security much tougher, but also focusing on other topics such as social engineering.

I remember when I was still at school last year finishing my GCSEs and in computer science we were forced to study a bunch of rubbish; instead of wasting time and testing us on things which don't matter that much, they could have started educating people on important topics such as cyber-security. Since if you get a job at a company and do not know what you are doing, all it takes is the attacker to send one e-mail and if the user opens this e-mail he/she then becomes vulnerable to the social engineering and can potentially end up compromising the systems by handling one of the e-mail attachments (just added this part as a base example). Whereas, if they were trained properly and were stronger in cyber-security, they may have either not opened the e-mail at all (or deleted it), or opened it and then reported it for spam/untrusted purposes and left the attachments alone, not resulting in the systems becoming compromised.

Sorry for going a bit off-topic.
This is a terrible reality, I think. Thanks for your post; many MalwareTips members will fully agree with you.