Hard_Configurator - Windows Hardening Configurator
<blockquote data-quote="ForgottenSeer 98186" data-source="post: 1032286">
<p>SRP is particularly beneficial in a home with adults and children who do not practice safe digital behaviors.</p>
<p>The maximum protection possible via hardening (includes SRP) is a proactive effort to prevent initial compromise at the user level and also to thwart further compromise and network pivoting (laterally [to other workstations] or vertically [to servers]).</p>
<p>I do not want to debate the following protection strategies as there are corner cases and exceptions where they would not be suitable. I only mention them generally.</p>
<p>The single most effective way to keep users safe (both home and enterprise) is to prevent them from downloading and executing files from the internet. Just blocking the downloaded .exe file type instantaneously provides an exponential increase in security. Home users can accomplish this on Windows 10\11 very simply by setting Windows to only permit installs from the Microsoft Store.</p>
<p>For "users that want to use stuff" the simple act of disabling the most commonly abused sponsors (top 10 or 15), again, instantaneously provides an exponential increase in user security. This protection model probabilistically breaks the kill-chain at the system level. This is as true for the home user as it is for the enterprise user.</p>
<p>When it comes to native Microsoft security there is one extremely important point that is almost never discussed - that it provides flexibility to conform to virtually ANY home use or enterprise use case. No other security provides as much flexibility and adaptability as Microsoft native security. Even the home user who is inclined to do so can find a Microsoft security configuration that is suitable for their "digital personality" - their wants, needs, expectations, tolerances, temperament, habits, etc. These traits affect security more than anything else.</p>
<p>Security enthusiasts who lean towards the maximum protection end of the spectrum do it more "just because they can" or, in their mind, "if it is possible, then it should be defended against." They understand the differences between "What Ifs" and what is statistically likely to happen. I've seen this protection strategy work very well for users without any complaints about it causing a usability burden. This will not be the case for most users who have a different level of understanding, and therefore, expectations.</p>
<p>On the enterprise side, SRP will definitely not be removed. SRP is too enmeshed into enterprise protection. Microsoft will likely keep SRP around for a lot longer than PowerShell version 2.0. Another factor against Microsoft removing or somehow permanently disabling it is the fact that Microsoft is not good at offering transition solutions. So if it gets rid of SRP, it is up to the client to figure out how to make the transition. Anybody that has worked in enterprise knows that just about any kind of transition is tough.</p>
<p>WDAC is effective security. There is no denying it. But WDAC adoption in the greater enterprise space has been a mixed bag. Adoption by SMBs is even less. This is because WDAC development has been a serpentine and circuitous journey beginning almost 7+ years ago starting with Device Guard. For many years Microsoft was trying to figure out what its latest-and-greatest default-deny protections were going to be. WDAC evolved from Application Guard, which itself evolved from Device Guard, but the development has been inconsistent over those years. Only recently has Microsoft made a definitive commitment to WDAC. All of this has affected adoption for the time being.</p>
<p>https://www.microsoft.com/en-us/security/blog/2017/10/23/introducing-windows-defender-application-control/#:~:text=Since%20the%20initial%20release%20of%20Windows%2010%2C%20the,name%20of%20its%20own%3A%20Windows%20Defender%20Application%20Control.</p>
<p>Microsoft also has its own competing overarching agenda - which is to get as many enterprises and SMBs to adopt Azure. With Azure, Microsoft can offer the latest-and-greatest security trend, which is "adaptive security." "Adaptive Application Control" does not use WDAC. Not only that, Azure really is the "complete package" where commercial and government can pick-and-choose from antivirus to EDR to SIEM to network security to compliance. WDAC is possible within this infrastructure, but Microsoft does not market it in its cloud and adaptive security solutions.</p>
<p>These facts only provide a partial explanation as to why native Microsoft security is the way it is for them.</p>
<p>https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/security-control-apply-adaptive-application-control/ba-p/1954144</p>
<p>This is a very good solution @Andy Ful.</p>
<p>Users of this type will likely never be compromised, even if they run default Windows Home for decades.</p>
</blockquote>