Hard_Configurator - Windows Hardening Configurator
<blockquote data-quote="ForgottenSeer 98186" data-source="post: 1032430"><p>I am more or less in agreement with you except on the "dangers" of blocking LOLBins or creating block process policies generally.</p><p></p><p>My argument is that Windows, as Microsoft ships it, is completely unsuitable for unmanaged home users. A fully configured SRP along with other hardening will prevent users from doing all the stuff that gets them into trouble. That statement is conceptual and time-proven. However, it is all undone by the dinosaur thinking that any user should be able to do what they want on a system. In that paradigm, locked devices are a non-starter.</p><p></p><p>LOLBin blocking for home user systems has been tested by both Microsoft and thousands of enterprises that issue take-home laptops and in-office devices. Enterprises use a lot more obscure, old, niche software. I know from managing literally tens of thousands of devices that breakages are rare. I have never encountered a situation where the breakage could not be fixed within a matter of minutes.</p><p></p><p>If a home user is using old or niche software, then it is assumed that they have the wherewithal to read logs and create allow exceptions. If they cannot perform these basic functions, then they should not be using SRP.</p><p></p><p>The main reason Microsoft does not implement more strict protections for unmanaged home users is clear - it does not want to deal with "users that want to use stuff" who will only complain when the protection Microsoft provides prevents them from doing what they want. It is very profitable for Microsoft to adopt this policy towards home users. Microsoft makes billions off of default allow because that is what most home users want.</p><p></p><p><span style="color: rgb(184, 49, 47)">For the vast majority of home users, simply blocking the execution of commonly downloaded file types (e.g. .exe and .msi, scripts, and file types known to be abused by malware campaigns) greatly increases their security. There is no absolute need to block LOLBins - however, blocking the most commonly abused LOLBins (top 5 or 10) is not going to create excessive problems.</span> Blocking LOLBins only serves to protect a post-exploit environment. What sense does it make to block PowerShell.exe if PowerShell scripts are blocked by policy? - It only matters if the system is exploited. What sense does it make to create a block firewall rule for PowerShell? - It matters if the system is exploited.</p><p></p><p>If a user downloads an undetected ransomware sample that is, for example, either an .exe or a .vbs file, what does it matter if LOLBins are blocked whenever the user cannot execute either the .exe or the .vbs file? The system is protected by simple targeted blocking of common malware file types or downloaders. Again, LOLBin blocking matters mostly in a post-exploit system.</p><p></p><p>The whole point of SRP is to prevent users from downloading and executing stuff - that includes installs. If the user does not understand, embrace and practice that protection model, then they should not be using SRP. SRP serves no purpose for a home user if they understand BLOCK\ALLOW but disable SRP to allow installs as they desire. The protection model requires the user to assess the risks and apply appropriate decision making.</p><p></p><p><strong><span style="color: rgb(65, 168, 95)">Most home users with a general understanding of Windows security ("I know I need to install AV.") should stay away from default deny or system hardening and instead use a quality antivirus or internet security suite. A certain temperament, motivation, perseverance, knowledge, experience and expectations are required for a user to be OK with default deny. So, in short, default deny requires some work on the part of the user. The amount of work varies with the type of default deny.</span></strong></p><p></p><p><strong><span style="color: rgb(44, 130, 201)">Microsoft should not be giving a generic OS image intended for enterprise from day 1 to unmanaged home users. In fact, those users who do not need Windows should be using a Chromebook.</span></strong></p><p></p><p><span style="color: #000000"><strong>Full Transparency: I do not use SRP of any kind. I do not mess with WDAC. SAC is set to OFF. I do block wscript\cscript with the registry tweak intended by Microsoft. I allow PowerShell scripts (both local and remote) to execute. I do not harden my systems. I use Office without macros. Currently I use F-Secure and Windows Defender. I set Windows to block installs from non-Microsoft Store sources. I am not paranoid and do not have doubts that some unknown, hidden nefarious things are happening on my system. I do not worry about protecting localhost. I don't worry that a file I downloaded is FUD ransomware or infostealer. Instead my efforts are directed to protecting my financial assets on the service provider side. Protecting authentication and authorization in various ways is another priority.</strong></span></p></blockquote><p></p>
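The post above argues for "simple targeted blocking" of commonly abused file types plus a handful of post-exploit controls (the Microsoft WSH registry switch for wscript/cscript, a firewall block rule for PowerShell, Store-only installs) rather than a full default-deny SRP. The script below is an added example of what that looks like in practice; it is not Hard_Configurator's code and not the quoted poster's own configuration. It assumes Windows 10/11, an elevated PowerShell session, and that the extension list and the Downloads-only scope of the SRP rules are illustrative choices to be adjusted; the registry values it writes (WSH `Enabled`, Explorer `AicEnabled`, the SRP `Safer\CodeIdentifiers` keys) are the documented storage locations for those settings. Without `-Apply` it only reports what it would change.

```powershell
#Requires -RunAsAdministrator
# Added example for this thread, not Hard_Configurator's code and not the quoted poster's setup.
# Audits (default) or applies (-Apply) the "simple targeted blocking" the post describes:
#   1. Windows Script Host off via the Microsoft-documented registry switch (wscript/cscript)
#   2. "Choose where to get apps" set to Microsoft Store only
#   3. SRP path rules that disallow commonly abused script/executable types in the Downloads
#      folder, with the default level left at Unrestricted (still default allow elsewhere)
#   4. Outbound firewall block rules for powershell.exe (post-exploit containment only)
# Assumptions: Windows 10/11, run elevated; extension list and Downloads-only scope are illustrative.
[CmdletBinding()]
param([switch]$Apply)

$Changes = [System.Collections.Generic.List[string]]::new()

function Set-RegistryValueChecked {
    param([string]$Path, [string]$Name, $Value, [string]$Kind)
    $current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ("$current" -eq "$Value") { return }            # already in the wanted state
    $Changes.Add("$Path\$Name : '$current' -> '$Value'")
    if ($Apply) {
        if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
        New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Kind -Force | Out-Null
    }
}

# 1. WSH disabled: wscript.exe/cscript.exe refuse every .vbs/.js/.wsf ("Windows Script Host access is disabled").
Set-RegistryValueChecked 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' 'Enabled' 0 'DWord'

# 2. Store-only installs (the value behind Settings > Apps > "Choose where to get apps").
Set-RegistryValueChecked 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' 'AicEnabled' 'StoreOnly' 'String'

# 3. SRP: keep default allow, add Disallowed path rules for the Downloads folder only.
$safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
Set-RegistryValueChecked $safer 'DefaultLevel'       262144 'DWord'   # 0x40000 = Unrestricted
Set-RegistryValueChecked $safer 'TransparentEnabled' 1      'DWord'   # enforce on executables, skip DLLs
Set-RegistryValueChecked $safer 'PolicyScope'        0      'DWord'   # all users, administrators included
# SRP only evaluates a file type that is on its designated file types list, so merge script types in.
$wantedTypes = 'BAT','CMD','COM','EXE','HTA','JS','JSE','MSI','PIF','SCR','VBE','VBS','WSF','WSH'
$haveTypes   = @((Get-ItemProperty -Path $safer -Name ExecutableTypes -ErrorAction SilentlyContinue).ExecutableTypes |
                 Where-Object { $_ })
$mergedTypes = @($haveTypes + $wantedTypes | Sort-Object -Unique)
if ($mergedTypes.Count -ne $haveTypes.Count) {
    $Changes.Add("$safer\ExecutableTypes : add " + (($wantedTypes | Where-Object { $_ -notin $haveTypes }) -join ','))
    if ($Apply) { New-ItemProperty -Path $safer -Name ExecutableTypes -Value $mergedTypes -PropertyType MultiString -Force | Out-Null }
}
$blockedExts   = 'vbs','vbe','js','jse','wsf','wsh','hta','scr','pif','cmd','bat'
# Read ItemData unexpanded so a re-run recognises rules it created earlier instead of duplicating them.
$existingRules = @(Get-ChildItem -Path "$safer\0\Paths" -ErrorAction SilentlyContinue |
                   ForEach-Object { $_.GetValue('ItemData', $null, 'DoNotExpandEnvironmentNames') })
foreach ($ext in $blockedExts) {
    $pattern = "%USERPROFILE%\Downloads\*.$ext"          # illustrative scope; widen or narrow as needed
    if ($pattern -in $existingRules) { continue }
    $Changes.Add("SRP Disallowed path rule: $pattern")
    if ($Apply) {
        $ruleKey = "$safer\0\Paths\{$([guid]::NewGuid().ToString().ToUpper())}"   # subkey of level 0 = Disallowed
        New-Item -Path $ruleKey -Force | Out-Null
        New-ItemProperty -Path $ruleKey -Name ItemData    -Value $pattern -PropertyType ExpandString -Force | Out-Null
        New-ItemProperty -Path $ruleKey -Name SaferFlags  -Value 0        -PropertyType DWord        -Force | Out-Null
        New-ItemProperty -Path $ruleKey -Name Description -Value 'Downloads script block (added example)' -PropertyType String -Force | Out-Null
    }
}

# 4. Outbound block for Windows PowerShell. Irrelevant until something is already running (the post's point),
#    but it cuts off a PowerShell stager's download and callback traffic. pwsh.exe (PowerShell 7) is not covered.
$psHosts = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
           "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
foreach ($exe in $psHosts) {
    $ruleName = "Block outbound - $exe"
    if (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue) { continue }
    $Changes.Add("Firewall rule: $ruleName")
    if ($Apply) { New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Action Block -Program $exe -Profile Any | Out-Null }
}

if ($Changes.Count -eq 0) { 'Nothing to change.' }
else {
    if ($Apply) { 'Applied:' } else { 'Would apply (re-run with -Apply):' }
    $Changes | ForEach-Object { "  $_" }
}
```

Run it once without `-Apply` to see the delta, then with `-Apply`; SRP reads policy for new logon sessions, so log off and on before testing with a harmless `.vbs` saved to Downloads (it should fail both on the WSH switch and, if WSH is re-enabled, on the SRP rule, with the block logged in the Application event log as SoftwareRestrictionPolicies event 866). Microsoft has deprecated SRP in favour of AppLocker and WDAC, but the registry-based rules are what Hard_Configurator drives and they are what makes this approach available on Home editions. Everything here is reversible by deleting the rule subkeys, setting `Enabled` back to 1, `AicEnabled` back to `Anywhere`, and removing the two firewall rules.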