Lenny's Security Config 2024
ForgottenSeer 107474 said:

Decided to go back to running standard user after watching @cruelsister's video on MBAM & UAC and @Andy Ful's videos on antivirus challenges.

I returned to running standard user again because CS showed how trivial it is to bypass UAC and Andy showed how easy it is to disable Defender protection with elevated privileges. I also reduced the SRP application level from all users to 'all except admin' and added block rules for the LoLBins mentioned in the GitHub project. The reason for doing so is that all CS exploits in the MBAM video would be blocked by the SRP-SWH part of WHHL, except for one: the modified executable using NETSH to bypass MBAM. WDAC-ISG would probably have blocked this executable when it was not signed by a trusted software developer/publisher. But the 'probably' settled in my mind and I started to doubt my decision to run admin again.

Running standard user enforces a hard border between standard user and admin (as opposed to UAC only providing a soft border). Additionally, I am blocking LoLBins (like Netsh) system-wide when started by a standard user. I kept Andy's set of SRP rules to block risky file extensions from running in user folders, block executables running from archives and prevent misuse of LNK and UAC holes. Although I can execute and install programs, my setup is actually whitelist based. System-wide, Malware Defender only allows programs to run which are whitelisted in the cloud, and the user folders are additionally protected with WDAC-ISG's small (hence more aggressive) local whitelist (in case the internet connection fails).

I have run this standard user with hardened SWH-SRP and MD on MAX as long as I have had this laptop without problems, so I am not expecting any problems with this enhanced setup (with WDAC-ISG added). This probably also means that I will have less to post, because there is no need to change something when it is working perfectly.
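The two SRP changes the post describes (enforcement scope "all users except local administrators", plus Disallowed path rules for LOLBins such as netsh) map directly onto the SRP registry keys under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers. The script below is an added example written for this page; it is not the poster's configuration and not code from WHHL, SWH or Hard_Configurator. The list of blocked binaries is a constructed sample (netsh, mshta, regsvr32 in both System32 and SysWOW64), not the GitHub list the post refers to, and the helper function names are my own. Run it from an elevated PowerShell and test from a fresh standard-user sign-in.

```powershell
# Added example: SRP "Disallowed" path rules for a few LOLBins, applied to standard users only.
# Registry layout is the documented SRP (Safer) layout; everything else here is an assumption.
$srp        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$disallowed = Join-Path $srp '0\Paths'        # security level 0 = Disallowed; 262144 = Unrestricted

New-Item -Path $srp -Force | Out-Null
New-Item -Path $disallowed -Force | Out-Null

# Global SRP settings. PolicyScope = 1 is the "all users except local administrators" setting
# the post switched to; 0 would apply the rules to admins as well.
Set-ItemProperty -Path $srp -Name DefaultLevel        -Type DWord -Value 0x40000  # Unrestricted by default
Set-ItemProperty -Path $srp -Name TransparentEnabled  -Type DWord -Value 1        # all executables except DLLs
Set-ItemProperty -Path $srp -Name PolicyScope         -Type DWord -Value 1        # skip local administrators
Set-ItemProperty -Path $srp -Name AuthenticodeEnabled -Type DWord -Value 0

# Constructed sample block list (hypothetical; extend from a LOLBAS-style list for a real setup).
$lolbins = @(
    '%SystemRoot%\System32\netsh.exe',
    '%SystemRoot%\SysWOW64\netsh.exe',
    '%SystemRoot%\System32\mshta.exe',
    '%SystemRoot%\SysWOW64\mshta.exe',
    '%SystemRoot%\System32\regsvr32.exe',
    '%SystemRoot%\SysWOW64\regsvr32.exe'
)

# Hypothetical helper: list the Disallowed path rules currently present (unexpanded, as stored).
function Get-SrpDisallowRules {
    Get-ChildItem -Path $disallowed -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Rule        = $_.PSChildName
            Path        = $_.GetValue('ItemData', $null, 'DoNotExpandEnvironmentNames')
            Description = $_.GetValue('Description')
        }
    }
}

# Hypothetical helper: add one Disallowed path rule, idempotently.
function Add-SrpDisallowRule {
    param([Parameter(Mandatory)][string]$PathPattern, [string]$Description = 'Blocked LOLBin (standard users)')
    if (Get-SrpDisallowRules | Where-Object { $_.Path -eq $PathPattern }) {
        Write-Verbose "Rule already present for $PathPattern"
        return
    }
    $guid = '{' + [guid]::NewGuid().ToString() + '}'
    $key  = New-Item -Path (Join-Path $disallowed $guid) -Force
    New-ItemProperty -Path $key.PSPath -Name ItemData     -PropertyType ExpandString -Value $PathPattern | Out-Null
    New-ItemProperty -Path $key.PSPath -Name SaferFlags   -PropertyType DWord        -Value 0            | Out-Null
    New-ItemProperty -Path $key.PSPath -Name Description  -PropertyType String       -Value $Description | Out-Null
    New-ItemProperty -Path $key.PSPath -Name LastModified -PropertyType QWord        -Value ([datetime]::UtcNow.ToFileTimeUtc()) | Out-Null
}

foreach ($bin in $lolbins) { Add-SrpDisallowRule -PathPattern $bin }

# Show what is now in place.
Get-SrpDisallowRules | Format-Table -AutoSize

# Verification, to be done from a standard-user session after signing out and back in:
#   netsh.exe  ->  should fail with "This program is blocked by group policy" (Win32 error 1260)
# and the block should be logged as SRP event 866 (path rule) in the Application log:
#   Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='SoftwareRestrictionPolicies'; Id=866} -MaxEvents 10
```

Two caveats a practitioner would want alongside the post's reasoning: with PolicyScope set to 1 the rules do nothing for an admin token, so the "hard border" the post describes depends entirely on the daily-use account really being a standard user (any admin-group membership silently exempts it); and SRP path rules are matched on the path the process is launched from, so a copy of netsh.exe under a user-writable folder is only caught if that folder is itself covered by a Disallowed rule, which is the role the post gives to the SWH rules for user folders and archives.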