Advice Request Maximum Anti-Exploit protection settings for your program

[ForgottenSeer 85179]

Which particular settings do you have in mind?

The ones from Lenny_Fox post above. Or from my post.
Just asking in general.

Also, what's your opinion about that?

@anupritaisno1:
UserShadowStack="true" UserShadowStackStrictMode="true"
this concerns me btw

needs more research

from what i know the shadowstack implementation on x86 is racy

and causes security vulnerabilities

me:
okay? then i wonder why they provide the option

@anupritaisno1:
probably for testing

it's not a ui option for sure

needs research

maybe it is the ROP mitigation

dunno

 

[Andy Ful]

Using mitigations for Windows Explorer or Script Interpreters/ LOLBins would need a lot of research and testing.
It is much easier to do it for a particular user application. I do not think that restricting LOLBins in this way is a good idea (although it may work in some cases). It is better to block them completely. If LOLBins cannot be blocked (like cmd.exe, rundll.exe) then there are some well known methods that help prevent abusing LOLBins, for example:

1. Command-line whitelisting.
2. Command-line blacklisting.
3. Restricting access to command-lines by blocking/whitelisting shortcuts, scripts, and files with active content (SRP).

 

[eonline]

Releases · zodiacon/GflagsX

Enhanced version of the GFlags tool. Contribute to zodiacon/GflagsX development by creating an account on GitHub.

github.com

 

[ForgottenSeer 85179]

Releases · zodiacon/GflagsX

Enhanced version of the GFlags tool. Contribute to zodiacon/GflagsX development by creating an account on GitHub.

github.com

last update: 12 Apr 2019
you shouldn't use such outdated programs for security. Also that tool isn't the topic here.

 

[eonline]

last update: 12 Apr 2019
you shouldn't use such outdated programs for security. Also that tool isn't the topic here.

It is outdated, yes, but it can serve the purpose of the theme created and is an easy-to-use tool for creating mitigations in programs.

 

[ForgottenSeer 85179]

This Powershell command activate "Force Random Arrangement for Images(mandatory ASLR)":

Set-ProcessMitigation -System -Enable ForceRelocateImages

Run Powershell as Admin and reboot after running this command.

Info: It may break some programs but should be activated for security reasons.


The same can also be archived in GUI:

• Windows Security -> App & Browser control -> Exploit-Protection -> Enable Random Arrangement for Images (Mandatory ASLR) enabled

 

[eonline]

My new configuration, I am open to suggestions to improve.

 

[eonline]

My new configuration, with the help of LOLBAS. Let me know if I missed any.

LOLBAS

lolbas-project.github.io

 

[Andy Ful]

My new configuration, with the help of LOLBAS. Let me know if I missed any.

The problem with such restrictions is that the results can be unpredictable. They can work for a few months and then crash something important.

The mmc.exe should not be blocked in this way. Some important features will not work, like Event viewer, Task scheduler, Computer management, Disk management, and several others.
It is possible to block MMC for standard processes via SRP and run it from the elevated shell, like "Windows PowerShell (Admin)".

Edit.
When applying restrictions it is always recommended to create/keep a profile that can easily restore the default Windows settings.

 

[eonline]

It must be by coincidence, but I notice less blocking activity in Windows 10 Firewall Control, after applying these restrictions.