Andy Ful

Level 62
Verified
Trusted
Content Creator
Tried LTSC ver. 1809.
SRP did not work, either via GPO or via H_C. The LTSC is not a complete Windows Enterprise edition.
SRP works well on Windows Home, Pro, Enterprise.
I installed the same Windows LTSC (ver. 1809) in another VM and can confirm that SRP works well. So, I have two LTSC VMs - one with working SRP and one with non-working SRP.
This strongly suggests that the "incompleteness" of LTSC does not have an impact on SRP.
In my case, the issue is probably related to my tests on the Child account (over a year ago), which is known to be incompatible with SRP.

Andy Ful

I noticed several times that H_C users can have a problem with running PowerShell.

If one uses PowerShell scripts frequently, then it is better to change the H_C settings permanently by using <Block PowerShell Scripts> = OFF and blocking the PowerShell Sponsors (powershell.exe and powershell_ise.exe) via <Block Sponsors>.
This will block PowerShell, except when using it with Admin privileges (running via an elevated PowerShell console or an elevated file explorer).

My favorite method is using an elevated file explorer, Q-Dir (or Total Commander, etc.), for admin tasks like running/viewing/editing trusted scripts (BAT, CMD, JS, JSE, PS1, WSF, WSH), because it will work as if SRP had been turned off. Other activities can be done normally via Windows Explorer, which is still restricted by SRP because it is not elevated.

Running the elevated Q-Dir can be done via a shortcut with "Run as administrator" ticked (shortcut Properties >> Advanced) or by running the application executable with "Run as administrator" from the right-click Explorer context menu.
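As an added illustration (not code from Hard_Configurator or from the post above): a PowerShell audit script that reads the SRP settings Windows stores in the registry and reports whether the default-deny also applies to administrators, which is the precondition for the "elevated file explorer" method described above, and which path rules would catch the PowerShell sponsors. The registry paths and value meanings are Microsoft's documented SRP settings; the function and variable names are this example's own.

```powershell
# Added example: audit the Software Restriction Policies (SRP) configuration
# that H_C (or GPO) writes, and show whether administrators are exempt.
# Registry layout is Microsoft's SRP layout; function names are ours.

function Get-SrpPolicySummary {
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    if (-not (Test-Path $base)) {
        return [pscustomobject]@{ Configured = $false }
    }
    $ci = Get-ItemProperty -Path $base

    # DefaultLevel: 0x40000 = Unrestricted, 0x20000 = Basic User, 0 = Disallowed
    $levelName = switch ($ci.DefaultLevel) {
        0x40000 { 'Unrestricted' }
        0x20000 { 'Basic User' }
        0       { 'Disallowed' }
        default { "Unknown ($($ci.DefaultLevel))" }
    }

    # PolicyScope: 0 = all users, 1 = all users except local administrators.
    # Running trusted scripts from an elevated file manager only works with 1.
    $appliesToAdmins = ($ci.PolicyScope -eq 0)

    # TransparentEnabled: 1 = all software files except libraries (DLLs),
    # 2 = all software files including DLLs.
    $dllsEnforced = ($ci.TransparentEnabled -eq 2)

    # Designated file types: the extensions SRP treats as executable.
    $types = @($ci.ExecutableTypes)

    # Path rules live under a subkey per level: "0", "131072" (0x20000), "262144" (0x40000).
    $pathRules = foreach ($lvl in 0, 131072, 262144) {
        $p = Join-Path $base "$lvl\Paths"
        if (Test-Path $p) {
            Get-ChildItem $p | ForEach-Object {
                $r = Get-ItemProperty $_.PSPath
                [pscustomobject]@{ Level = $lvl; Path = $r.ItemData; Description = $r.Description }
            }
        }
    }

    [pscustomobject]@{
        Configured          = $true
        DefaultLevel        = $levelName
        AppliesToAdmins     = $appliesToAdmins
        DllsEnforced        = $dllsEnforced
        DesignatedFileTypes = $types
        PathRules           = @($pathRules)
    }
}

# Which path rules mention the PowerShell "sponsors" named in the post?
function Get-PowerShellSponsorRules {
    param([Parameter(Mandatory)] $Summary)
    $sponsors = 'powershell.exe', 'powershell_ise.exe'
    $Summary.PathRules | Where-Object {
        $rule = $_   # save the outer $_ before the nested pipeline shadows it
        $sponsors | Where-Object { $rule.Path -like "*$_*" }
    }
}

$summary = Get-SrpPolicySummary
$summary | Format-List
if ($summary.Configured) {
    if ($summary.AppliesToAdmins) {
        Write-Warning 'SRP applies to administrators too: an elevated file manager will NOT bypass it.'
    }
    Get-PowerShellSponsorRules -Summary $summary | Format-Table Level, Path, Description -AutoSize
}
```

Run it from any (non-elevated) PowerShell console; it only reads the policy. Level 0 rules are the Disallowed ones, so a `powershell.exe` rule listed under Level 0 together with `AppliesToAdmins = False` matches the setup the post describes.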

Andy Ful

Why does H_C block shortcuts in UserSpace?

From the article about Microsoft Threat Protection:

"Attack sprawl illustrated

The level of sophistication of today’s threats, including nation-state level attacks and human operated ransomware, highlight why coordinated defense is critical in ensuring that organizations are protected.

To illustrate how Microsoft Threat Protection protects against such sophisticated attacks, we asked our security research team to simulate an end-to-end attack chain across multiple domains, based on techniques we observed in actual investigations.

Their attack starts with a spear-phishing email targeting a specific user. The email contains a link that, when clicked, leads to the download of a malicious .lnk file that stages the Meterpreter payload."

The Microsoft team created sophisticated malware, based on techniques observed in actual investigations, to show how it could be fought by Microsoft Threat Protection. Here is the full infection chain (a correlated attack on 3 computers):

(image: attack-chain.png)

As can be seen, if the spear-phishing email to Polly succeeds and the archive is downloaded, then the infection chain on his/her computer is started by running the malicious shortcut (*.LNK file). If the shortcut is blocked, then nothing will happen to her.
The attack on Mike's computer is improbable in the home environment, because the attacker has to know the credentials before infecting the computer (but it is typical in enterprises). Anyway, it can be stopped by FirewallHardening (mshta.exe connections are disabled). Furthermore, the Windows remote features are also blocked in the H_C settings.
The attack on Marco's computer will fail because, in the H_C settings, the malicious document cannot use the VBA interpreter (macros, etc.) to run the backdoor embedded in the MS Office document.

So, similar sophisticated attacks can be easily blocked with H_C settings in the home environment. But in enterprises, the H_C settings are not practical, so the shortcuts will be allowed, the VBA interpreter will be allowed, and the remote features will be allowed. That is why something like Microsoft Threat Protection is required in enterprises and something like H_C will be useless there (but still very efficient in the home environment).

SearchLight

Level 11
Verified
Because I am not a tech guru, I decided to use Andy Ful's Simple Windows Hardening for my purposes but I downloaded his H_C to use the Firewall Hardening Feature which I cannot find as a separate download. All went well.

However, after installing H_C, an icon appeared on my desktop called Default/Deny. What does this feature do upon activation? Will it cause complications within my Windows 10 v2004 system? Enlightenment is appreciated. Thanks.

Andy Ful

The H_C project has established its final form, and this is probably the best I could get from the Windows built-in security in the home environment on the base of smart-default-deny + whitelisting.

Now, I am focused on adapting the newest security feature, e.g. Windows Defender Application Guard Control (WDAC). It differs significantly from SRP in the H_C, because it blocks execution also on the level of administrative rights (Integrity Levels High+). Furthermore, there are some complications in adapting the whitelisting in the Windows Home edition protected by WDAC. So, I decided to start with BabySitter.

The idea of BabySitter is simple.
  1. Avoid starting applications, storing the files, opening the files, or playing media files directly from the system disk.
  2. Do it from the secondary disks that are protected by WDAC + ISG + SmartScreen. The WDAC protection is strong because it covers PE Executables (EXE, DLL, OCX, etc.), scripting (PowerShell, Windows Script Host), and MSI installers.
  3. Move the Windows User Folders (Desktop, Documents, Downloads, Music, Pictures, Videos) to the secondary disk and they will be protected by WDAC + ISG + SmartScreen.
  4. Allow already installed applications to use the system disk. It is whitelisted for PE Executables so there will be no issues.
  5. Do not bother with whitelisting, use the BabySitter predefined whitelisting (the system disk is whitelisted).
This idea follows from some facts:
  1. The system processes are started from the system disk.
  2. The computer factory firmware is started from the system disk.
  3. Most of the already installed applications are started from the system disk.
  4. The software updates use system disk even when they are started from another disk.
  5. Most people hate manual whitelisting that can follow from points 1-4, and this can be avoided by whitelisting the whole system disk for PE Executables.
  6. Average users store the files in the Windows User Folders (Desktop, Documents, Downloads, Music, Pictures, Videos). Many of them use only Desktop and Downloads folders.
  7. More and more people use a small SSD as a system disk and secondary HDD for storing the files.
  8. In the home environment (well updated Windows 10 with well updated software), it is very hard to exploit anything (with some known exceptions like MS Office, Adobe Acrobat Reader, etc.).

Storing the files or installing some applications (several gigabytes games) on the secondary disk is reasonable:
  1. The SSD system disk is usually not big.
  2. The system disk is most vulnerable to corruption.
  3. Such setup is much more convenient for restoring from the disk image (fast restore, small disk image).
  4. After installing the fresh system, there is much less work with restoring the files (documents, media, games, installers, etc.).

Some more details are available here:

I am testing this setup on my computer and this will be continued for some months.

Post slightly edited.
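As an added check (not part of BabySitter or the post above): a PowerShell script that lists where the six Windows User Folders currently point, flags the ones still on the system drive, and reports the WDAC user-mode enforcement state, so you can verify the BabySitter precondition "user data lives on a WDAC-protected secondary disk" before relying on it. The "User Shell Folders" value names and the Win32_DeviceGuard property names are Microsoft's; the function names are this example's own.

```powershell
# Added example: verify the BabySitter layout (user folders off the system
# disk) and report whether WDAC user-mode code integrity is actually enforcing.
# Registry value names are Explorer's; Win32_DeviceGuard is Microsoft's class.

function Get-UserFolderLocations {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
    # Friendly name -> registry value name (Downloads is stored under its known-folder GUID)
    $folders = [ordered]@{
        Desktop   = 'Desktop'
        Documents = 'Personal'
        Downloads = '{374DE290-123F-4565-9164-39C4925E467B}'
        Music     = 'My Music'
        Pictures  = 'My Pictures'
        Videos    = 'My Video'
    }
    $props = Get-ItemProperty -Path $key
    $systemDrive = $env:SystemDrive   # e.g. "C:"

    foreach ($name in $folders.Keys) {
        $raw = $props.($folders[$name])
        # Values are REG_EXPAND_SZ; Get-ItemProperty normally expands them,
        # but expand again so %USERPROFILE% never slips through unexpanded.
        $path = if ($raw) { [Environment]::ExpandEnvironmentVariables($raw) } else { $null }
        [pscustomobject]@{
            Folder        = $name
            Path          = $path
            OnSystemDrive = [bool]($path -and $path.StartsWith($systemDrive, 'OrdinalIgnoreCase'))
        }
    }
}

function Get-WdacEnforcementState {
    # Win32_DeviceGuard exposes the code-integrity policy state:
    # 0 = Off, 1 = Audit mode, 2 = Enforced.
    $dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $map = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }
    [pscustomobject]@{
        UserMode   = $map[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
        KernelMode = $map[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
    }
}

$folders = Get-UserFolderLocations
$folders | Format-Table -AutoSize

$stillOnSystem = @($folders | Where-Object OnSystemDrive)
if ($stillOnSystem.Count -gt 0) {
    Write-Warning ("Still on {0}: {1}" -f $env:SystemDrive, ($stillOnSystem.Folder -join ', '))
}

Get-WdacEnforcementState
```

A folder still reported on the system drive is one that the whitelisted system disk would let PE files run from; `UserMode = Audit` means WDAC is only logging, not blocking, on the secondary disks.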

ErzCrz

Level 6
Verified
This sounds like an amazing project. Looking forward to watching this space. I have just two partitions on my one drive in my older laptop. Just a thought, but maybe the creation of a protected partition for those with just a large single drive might be an idea.

security123

Level 24
Verified
For reference, this is just my drive setup as an example, and it's a standard HDD.

Using partitions on one drive doesn't provide advantages, only disadvantages.
- You get better file management, but if the drive is corrupted, your data partition is affected too.
- Using partitions on the same drive splits the space and increases fragmentation. Especially on an HDD, this becomes a performance problem over time.

On most (or all?) netbooks/laptops you can remove the DVD drive and replace it with an HDD or SSD. Also, even older ones have an "m." or "m.2" slot for SSDs, which are directly connected to your mainboard.
I highly recommend checking that out.

ErzCrz

Thanks for the info! I think this thing will eventually be upgraded but I'll look into what you suggest ;)

Andy Ful

Although having an SSD + HDD is better, splitting one HDD into two or more partitions is also better than using only one partition (including the Windows system).
  1. The system partition uses many temporary files that generate disk fragmentation and can have an impact on performance. When using two partitions, this fragmentation is limited to the small system partition, so it is easy to defragment.
  2. If the system is corrupted (not the HDD), it is much easier to recover, especially from a disk image.
  3. A similar advantage applies when performing a fresh Windows installation.
  4. If the disk is corrupted, then usually the bad sectors will happen on the system partition. The data from the second partition can be recovered even when the partitioning is spoiled.

Andy Ful

My wife uses an Intel NUC mini-PC with a 240GB SSD and an external 2TB USB drive. The Downloads folder is moved to the USB drive. She does not download/install new applications, but usually films and video clips.
In such a configuration, she could be well protected with WD + restricting scripts and applying the WD ASR rules, including the rule "Block untrusted and unsigned processes that run from USB".
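As an added check (not from the post above): a PowerShell function that reads the current Defender preferences and reports whether the ASR rule "Block untrusted and unsigned processes that run from USB" is in block, audit, warn or disabled mode, with the `Add-MpPreference` call that would enable it left as a comment so the script itself changes nothing. The rule GUID is Microsoft's documented identifier for this rule; the function name is this example's own.

```powershell
# Added example: report the state of the Defender ASR rule
# "Block untrusted and unsigned processes that run from USB".
# The GUID is Microsoft's rule id; the function name is ours.

function Get-UsbAsrRuleState {
    $usbRuleId = 'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4'
    $pref      = Get-MpPreference

    # Ids and Actions are parallel arrays: the action at index i applies to the rule at index i.
    # Action values: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn
    $ids     = @($pref.AttackSurfaceReductionRules_Ids     | Where-Object { $_ })
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    $actionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

    $idx = -1
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $usbRuleId) { $idx = $i; break }
    }

    if ($idx -lt 0 -or $idx -ge $actions.Count) {
        return [pscustomobject]@{ RuleId = $usbRuleId; State = 'Not configured' }
    }
    $code = [int]$actions[$idx]
    [pscustomobject]@{
        RuleId = $usbRuleId
        State  = if ($actionName.ContainsKey($code)) { $actionName[$code] } else { "Unknown ($code)" }
    }
}

$state = Get-UsbAsrRuleState
$state

if ($state.State -ne 'Block') {
    Write-Warning 'USB ASR rule is not in block mode.'
    # To enable it in block mode, run from an elevated PowerShell:
    # Add-MpPreference -AttackSurfaceReductionRules_Ids $state.RuleId -AttackSurfaceReductionRules_Actions Enabled
}
```

Reading the preferences needs no elevation; only the commented `Add-MpPreference` line does. For the USB-drive setup described above, "Block" is the state you want to see.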

Andy Ful

@Andy Ful Does this work on Home/Pro editions?

Windows Powershell (Administrator):
Set-MpPreference -DisableScanningNetworkFiles 0
Link - You can enable network file scanning with Microsoft Defender, here's how.
The restrictions related to Windows editions can usually be seen via Gpedit (on Windows Pro). For example, when you look at Microsoft Defender Application Guard, you can see that it is fully supported only on Windows 10 Enterprise and Education editions. But for the "Scan Network Files" policy, we only have the information that it should work on Windows Server 2012, Windows 8, or Windows RT (or newer versions). So, it should work on Windows 8+ (all editions, also Windows Home). I have never seen any information that this feature could not work on Windows Home/Pro.

Edit.
Microsoft recommends not scanning network files. This feature can probably be somewhat useful only if one uses network disks.