Lenny_Fox

Hi,

The company my girlfriend is working for had a ransomware attack in one of their regional offices in another country. As a result the company is changing from a Bring Your Own policy with an annual allowance to purchase your own hardware to a Choose Your Own policy in combination with a "walled garden" data security approach. In short, employees can choose an Apple smartphone and a Windows tablet, 2-in-1 or laptop, and they are not supposed to use these devices privately (devices will be monitored). These company devices will only save documents to the company cloud and refuse to open documents from disk, USB et cetera.

To prepare and support the employees for this change, all employees got a day of IT security awareness training. Before that day, they were informed that they would have to sign a company policy addendum in which they confirmed that they were aware of the new policy, understood the new policy and promised to comply with this new policy. The impact of non-compliance was "a yellow card" (official reprimand) when a breach was detected and the employee could convince the company that it was not caused by the employee's lack of applying the rules of "well-mannered netiquette and good parentship of company data". A red card (employee would be fired) when such a breach was caused by irresponsible digital behavior or such an event happened for the second time.

To prevent employees from breaching the new company policy while converting from BYO to CYO, they could (voluntarily) hand over the PC they used for the mixed work/private (BYO) situation. Their PC would be scanned for documents containing metadata with company tag words. This check would be supervised by a member of the Employees Council. This check produced an automated list. In the afternoon the employees could mark which documents (or folders) were company documents. After explicit okay from the employee these documents were removed from the BYO PC and moved to a sandbox where they were checked (for malware). This procedure should prevent company IT personnel peeking into private data (that is why a member of the Employees Council was present and only files which had the company tags were listed, not read). The program looking for company tags in the metadata of Office documents was a portable program run from a USB stick. It was obvious HR and IT had thought carefully about the process to take both privacy and security into consideration.

As a bonus the guys from the IT department would perform a PC health and virus check on the BYO PC and would install LibreOffice and a good free antivirus (the company uses Kaspersky, probably the reason why they installed Kaspersky Free). Employees could indicate that they had a paid Office license and/or a paid antivirus subscription (to prevent losing privately owned licenses to LibreOffice and Kaspersky Free).

I had installed a digital Office 2016 Pro and had kept Windows Defender (set to MAX and with a Hard_Configurator profile allowing EXE and TMP to execute). I added this profile to this post. When my girlfriend informed me about the new policy, I kept the PC as is and told her we had a valid Office 2016 license (to prevent installing LibreOffice).

I did not remove H_C on purpose and did not remove the WD Exploit Protection settings for Office and Edge (the Code Integrity Guard normally blocks DLLs of third-party AVs), just to see what happened. For comparison, when I would install Avast Free, the WD Exploit Protection setting Code Integrity Guard would block a DLL of the behavior blocker which wanted to hook into the Office programs and the Edge browser.

The surprise was not that Kaspersky Cloud Free worked well with Hard_Configurator, but that it worked with the Windows Defender Exploit Protection settings I have enabled for the Office programs and Edge Chromium. Most third-party antivirus solutions don't handle these exploit protection settings well (especially enabling the Code Integrity Guard), but Kaspersky Free did not give a beep.

Windows Defender Exploit Protection settings for Microsoft Office programs and the Edge browser (important: don't enable Code Integrity Guard for non-Microsoft programs, it will break that program; Code Integrity Guard only works with Microsoft-signed programs).


Word - Excel - PowerPoint
- block low integrity images
- block remote images
- block untrusted fonts
- enable Code Integrity Guard
- disable extension points
- enable "do not allow child processes"
- enable "force randomization for images (Mandatory ASLR)"
- enable "validate image dependency integrity"

Outlook
- block low integrity images
- block remote images
- block untrusted fonts
- enable Code Integrity Guard
- disable extension points
- enable "force randomization for images (Mandatory ASLR)"
- enable "validate image dependency integrity"

Edge-chromium
- block low integrity images
- block remote images
- enable Code Integrity Guard
- disable extension points
- enable "force randomization for images (Mandatory ASLR)"
- enable "validate image dependency integrity"


To use this Restrict Dangerous File Extensions profile with Hard_Configurator, rename the attached text file from Kaspersky_FREE_Cloud_Companion.txt to Kaspersky_FREE_Cloud_Companion.hdc.
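The per-program Exploit Protection list above is something the post configures by hand in the Windows Security GUI. The following is an added example, not code from the post or from Hard_Configurator, that applies the same profile with the ProcessMitigations module that ships with Windows 10/11 and then reads it back, so the result can be checked on another machine. The mitigation names are the documented Set-ProcessMitigation values (the GUI labels are given in the comments); the nested property names used in the read-back function follow the Get-ProcessMitigation output and are assumed to match your build. Run from an elevated PowerShell.

```powershell
# Added example (not from the original post). Applies the Exploit Protection profile
# listed in the post per program and verifies it. Settings take effect the next time
# the program starts. Back up the current configuration first.
Get-ProcessMitigation -RegistryConfigFilePath "$env:TEMP\exploit-protection-before.xml"

# Mitigations shared by Word, Excel, PowerPoint and Outlook
$officeCommon = @(
    'BlockLowLabelImageLoads',        # GUI: "Block low integrity images"
    'BlockRemoteImageLoads',          # GUI: "Block remote images"
    'DisableNonSystemFonts',          # GUI: "Block untrusted fonts"
    'MicrosoftSignedOnly',            # GUI: "Code integrity guard" (Microsoft-signed images only)
    'DisableExtensionPoints',         # GUI: "Disable extension points"
    'ForceRelocateImages',            # GUI: "Force randomization for images (Mandatory ASLR)"
    'EnforceModuleDependencySigning'  # GUI: "Validate image dependency integrity"
)

# Edge gets the same set minus the font block, exactly as in the post's list.
$edgeSet = $officeCommon | Where-Object { $_ -ne 'DisableNonSystemFonts' }

# Note: Code Integrity Guard is only applied to Microsoft-signed programs here,
# as the post warns; adding a third-party executable to this table would break it.
$appMitigations = @{
    'winword.exe'  = $officeCommon + 'DisallowChildProcessCreation'  # GUI: "Do not allow child processes"
    'excel.exe'    = $officeCommon + 'DisallowChildProcessCreation'
    'powerpnt.exe' = $officeCommon + 'DisallowChildProcessCreation'
    'outlook.exe'  = $officeCommon                                    # post: no child-process block for Outlook
    'msedge.exe'   = $edgeSet
}

foreach ($exe in $appMitigations.Keys) {
    Set-ProcessMitigation -Name $exe -Enable $appMitigations[$exe]
}

# Read the effective per-image configuration back and show the switches that matter.
# Property names assumed from the Get-ProcessMitigation output layout (ON / OFF / NOTSET).
function Show-AppMitigations {
    param([string]$Exe = 'winword.exe')
    $m = Get-ProcessMitigation -Name $Exe
    [pscustomobject]@{
        Process            = $Exe
        CodeIntegrityGuard = $m.SignedBinary.MicrosoftSignedOnly
        NoChildProcesses   = $m.ChildProcess.DisallowChildProcessCreation
        MandatoryASLR      = $m.ASLR.ForceRelocateImages
        BlockRemoteImages  = $m.ImageLoad.BlockRemoteImageLoads
        BlockLowIntegrity  = $m.ImageLoad.BlockLowLabelImageLoads
        NoExtensionPoints  = $m.ExtensionPoint.DisableExtensionPoints
        NoUntrustedFonts   = $m.Fonts.DisableNonSystemFonts
    }
}

$appMitigations.Keys | ForEach-Object { Show-AppMitigations $_ } | Format-Table -AutoSize
```

The backup XML written at the top can be restored with Set-ProcessMitigation -PolicyFilePath if a program stops working after the change; that is also the file to copy to a second PC instead of clicking through the GUI again.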
 


Andy Ful

...

I did not remove H_C on purpose and did not remove the WD Exploit Protection settings for Office and Edge (the Code Integrity Guard normally blocks DLLs of third-party AVs), just to see what happened. For comparison, when I would install Avast Free, the WD Exploit Protection setting Code Integrity Guard would block a DLL of the behavior blocker which wanted to hook into the Office programs and the Edge browser.

The surprise was not that Kaspersky Cloud Free worked well with Hard_Configurator, but that it worked with the Windows Defender Exploit Protection settings I have enabled for the Office programs and Edge Chromium. Most third-party antivirus solutions don't handle these exploit protection settings well (especially enabling the Code Integrity Guard), but Kaspersky Free did not give a beep.

Windows Defender Exploit Protection settings for Microsoft Office programs and the Edge browser (important: don't enable Code Integrity Guard for non-Microsoft programs, it will break that program; Code Integrity Guard only works with Microsoft-signed programs).


Word - Excel - PowerPoint
...
- enable "do not allow child processes"
...
Interesting setup.

Some minor remarks:
  1. Enabling "do not allow child processes" mitigation can be a problematic setting sometimes. For example, it will prevent opening Excel spreadsheets from Word. Can you print documents without problems?
  2. The info about profile has one error:
    "Allows MSI, EXE and TMP to execute in user folders"
    MSI files are not allowed, but can be run via "Run As SmartScreen" with admin rights.
  3. When using MS Office, keeping WD has an advantage over other AVs because of ASR rules.
    When using another AV, you should also apply the DocumentsAntiExploit tool (from SwitchDefaultDeny) and set ON2 restrictions for MS Office applications.
I think that using LibreOffice for document editing and Word - Excel - PowerPoint Mobile for document viewing would be even safer.
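Remark 1 above is the usual pain point of this profile: "do not allow child processes" (and, for third-party add-ins, the Code Integrity Guard) breaks legitimate workflows such as Word launching Excel. The following is an added example, not Andy Ful's or Hard_Configurator's code, showing a defender's way to stage those two mitigations: switch them to their audit variants for a trial period, read the audit events back from the Security-Mitigations user-mode log, and only enforce once the log shows nothing unexpected. The mitigation names (AuditChildProcess, AuditMicrosoftSigned and their enforcing counterparts) are documented Set-ProcessMitigation values; the log name is the one Exploit Protection writes to on Windows 10 and is assumed to be present on your build. Elevated PowerShell.

```powershell
# Added example (not from the thread). Stage the two workflow-breaking mitigations in
# audit mode first, review what they would have blocked, then enforce.

$officeApps = @('winword.exe', 'excel.exe', 'powerpnt.exe')

function Enable-OfficeMitigationAudit {
    param([string[]]$Processes = $officeApps)
    foreach ($exe in $Processes) {
        # Turn the enforcing switches off and the audit switches on; the other
        # mitigations in the profile (ASLR, image-load blocks, ...) are left untouched.
        Set-ProcessMitigation -Name $exe `
            -Disable DisallowChildProcessCreation, MicrosoftSignedOnly `
            -Enable  AuditChildProcess, AuditMicrosoftSigned
    }
}

function Get-MitigationAuditEvents {
    param(
        [datetime]$Since = (Get-Date).AddDays(-1),
        [string]$Match   = 'winword|excel|powerpnt'   # filter on the Office image names
    )
    # User-mode Exploit Protection events (audit and block) land in this operational log.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Security-Mitigations/UserMode'
        StartTime = $Since
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $Match } |
        Select-Object TimeCreated, Id,
            @{ n = 'Detail'; e = { ($_.Message -split "`r?`n")[0] } }
}

function Enable-OfficeMitigationEnforce {
    param([string[]]$Processes = $officeApps)
    foreach ($exe in $Processes) {
        Set-ProcessMitigation -Name $exe `
            -Disable AuditChildProcess, AuditMicrosoftSigned `
            -Enable  DisallowChildProcessCreation, MicrosoftSignedOnly
    }
}

# Usage (run in this order, with normal document work in between):
#   Enable-OfficeMitigationAudit                          # day 0: audit only
#   Get-MitigationAuditEvents | Format-Table -AutoSize    # later: what would have been blocked?
#   Enable-OfficeMitigationEnforce                        # only when the list is acceptable
```

An audit entry naming excel.exe spawned from winword.exe is the Word-opens-Excel case from remark 1; an entry for a non-Microsoft DLL in an Office process is the add-in or AV hook that the Code Integrity Guard would later block, which is exactly the behaviour the first post saw with Avast and did not see with Kaspersky Free.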
 

Lenny_Fox

@Andy Ful

No problem printing. Thanks, I thought I had removed MSI from the file types. I will also add DocumentsAntiExploit.

My girlfriend knows how MS Office works, and as the title of my new setup is "happy wife, happy life" I am not going to change that. I doubt whether LibreOffice is safer with Python scripts et cetera.

She does not work with nested documents. In the last decade most Dutch companies have killed semi-professional/half-amateur Office-based end-user computing, because it does not comply with security and compliance standards. The company where I work part-time even has a policy to use pictures of spreadsheets, because people messed up (e.g. included cost calculation and pricing tables in proposals by accident). Blocking embedded Office links is a functional restriction, but not one felt in daily work (it is considered bad practice).

Thanks for the feedback
 

Andy Ful

@Andy Ful

Thanks I thought I had removed MSI from file types.
SRP will block the execution of MSI files in UserSpace even when you remove the MSI extension from the protected file types (like it is set in H_C). In rare cases, it can be a problem when the application auto-updates via MSI updater.
Of course, one can manually whitelist MSI files, by using <Whitelist By Path><Add Path*Wildcards> to add:
*.msi
entry to the Whitelist.
 

Lenny_Fox

SRP will block the execution of MSI files in UserSpace even when you remove the MSI extension from the protected file types (like it is set in H_C). In rare cases, it can be a problem when the application auto-updates via MSI updater.
Of course, one can manually whitelist MSI files, by using <Whitelist By Path><Add Path*Wildcards> to add:
*.msi
entry to the Whitelist.
Thanks, will include that (do I need to add a similar allow rule for Microsoft Standalone Update packages?).

Added DocumentsExploit (SECURE: Complete - Happy wife happy life setup).
 

Andy Ful

@Andy Ful
...
My girlfriend knows how MS Office works, and as the title of my new setup is "happy wife, happy life" I am not going to change that. I doubt whether LibreOffice is safer with Python scripts et cetera.
...
You can install the Universal Windows Platform app based on LibreOffice, like Neat Office (harden security settings and VBA settings). UWP applications are hardly exploitable by malc0ders. The Python in Neat Office is not installed in the system.
 