Microsoft Best Security Practices

mazskolnieces

Level 3
Jul 25, 2020
116
The first principle of Microsoft Security Division's best security practices has been the same for over 3 decades, and culminated in Windows 10 S (for consumers, education and enterprise) and Group Policy Object\AppLocker\Device Guard\Windows Defender Application Control templates (for education and enterprise). Microsoft's own Windows 10 S was developed with all of Microsoft's own research and experience protecting systems in many different environments going all the way back to the early 1990s. The foundation of all Microsoft security has always been attack surface reduction (ASR), which means disabling processes that are not needed in an everyday baseline Windows environment.

Nowhere will anyone find Microsoft stating that "If it ships with Windows, then it should not be permanently disabled." That has never been Microsoft's official position. The exact opposite is true. Microsoft's position for the past 30 years has been "If you don't need it, then disable it permanently for your own good."

10 S is not a specialized version of Windows 10. It is marketed to education and enterprise and it is popular (just involved in a 17,500 endpoint deployment). For shrewd consumers, there is a method to activate 10 S mode. 10 S mode (no install of 3rd party programs) provides the best possible security per Microsoft's recommended best practices.

Microsoft has covered this numerous times across time in many different venues both online and in conferences - especially at its annual Microsoft Ignite galas. For the best security, Microsoft recommends disabling the following:

[Attached image: Capture.PNG]


In addition to the above, Microsoft's Security Division recommends that the following be disabled if not needed:

[Attached image: MRBPII.PNG]
 

danb

From VoodooShield
Verified
Developer
May 31, 2017
959
Correct, a lot of the items on those lists are certainly okay to disable permanently... but I am not finding rundll32 and regsvr32 on either list! :ROFLMAO:


Permanently blocking rundll32 / regsvr32 and blocking bash (for example) are two VERY different things. One month later and that is the only evidence that he can find.
 

TairikuOkami

Level 31
Verified
Content Creator
May 13, 2017
2,046
Thanks, added to my list. It is not nearly as good as SRP, but it should prevent an elevation bypass.
Code:
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d "1" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "1" /t REG_SZ /d "addinprocess.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "2" /t REG_SZ /d "addinprocess32.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "3" /t REG_SZ /d "addinutil.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "4" /t REG_SZ /d "aspnet_compiler.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "5" /t REG_SZ /d "bash.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "6" /t REG_SZ /d "bginfo.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "7" /t REG_SZ /d "bitsadmin.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "8" /t REG_SZ /d "cdb.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "9" /t REG_SZ /d "cipher.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "10" /t REG_SZ /d "cscript.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "11" /t REG_SZ /d "csi.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "12" /t REG_SZ /d "dbghost.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "13" /t REG_SZ /d "dnx.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "14" /t REG_SZ /d "dotnet.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "15" /t REG_SZ /d "fsi.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "16" /t REG_SZ /d "fsiAnyCpu.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "17" /t REG_SZ /d "infdefaultinstall.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "18" /t REG_SZ /d "hh.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "19" /t REG_SZ /d "kd.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "20" /t REG_SZ /d "kill.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "21" /t REG_SZ /d "lxrun.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "22" /t REG_SZ /d "msbuild.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "23" /t REG_SZ /d "mshta.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "24" /t REG_SZ /d "msra.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "25" /t REG_SZ /d "nc.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "26" /t REG_SZ /d "nc64.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "27" /t REG_SZ /d "ntkd.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "28" /t REG_SZ /d "ntsd.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "29" /t REG_SZ /d "powershell.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "30" /t REG_SZ /d "powershell_ise.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "31" /t REG_SZ /d "powershellcustomhost.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "32" /t REG_SZ /d "psexec.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "33" /t REG_SZ /d "rcsi.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "34" /t REG_SZ /d "regsvr32.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "35" /t REG_SZ /d "runscripthelper.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "36" /t REG_SZ /d "scrcons.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "37" /t REG_SZ /d "texttransform.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "38" /t REG_SZ /d "visualuiaverifynative.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "39" /t REG_SZ /d "wbemtest.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "40" /t REG_SZ /d "wecutil.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "41" /t REG_SZ /d "werfault.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "42" /t REG_SZ /d "wfc.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "43" /t REG_SZ /d "windbg.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "44" /t REG_SZ /d "winrm.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "45" /t REG_SZ /d "winrs.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "46" /t REG_SZ /d "wmic.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "47" /t REG_SZ /d "wscript.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "48" /t REG_SZ /d "wsl.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "49" /t REG_SZ /d "wslconfig.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "50" /t REG_SZ /d "wslhost.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "51" /t REG_SZ /d "ftp.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "52" /t REG_SZ /d "certutil.exe" /f
 

Andy Ful

Level 72
Verified
Trusted
Content Creator
Dec 23, 2014
6,121
Thanks, added to my list. It is not nearly as good as SRP, but it should prevent an elevation bypass.
...
It will work well to prevent the user from running Windows Script Host and HTA scripts manually or via a shortcut, so it is worth something. Of course, it will not work when these scripts or LOLBins are run via Command Prompt or PowerShell.
 
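An added example, not code from the thread: a small Python audit that parses a `reg add` script like TairikuOkami's into the effective DisallowRun policy, checks that the DisallowRun DWORD is actually set (Explorer ignores the list without it), and reports which image names a desired block list does not cover (here rundll32.exe, the gap danb points out). The embedded script is a constructed subset of the posted list, and the caveats echo Andy Ful's point that this policy is honoured by Explorer, not by cmd or PowerShell.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a subset of the "reg add" lines posted in the thread,
# embedded so the audit runs offline without touching a live registry.
SAMPLE_SCRIPT = r'''
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d "1" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "1" /t REG_SZ /d "addinprocess.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "23" /t REG_SZ /d "mshta.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "29" /t REG_SZ /d "powershell.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "34" /t REG_SZ /d "regsvr32.exe" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "47" /t REG_SZ /d "wscript.exe" /f
'''

EXPLORER_POLICY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
DISALLOWRUN_KEY = EXPLORER_POLICY + r"\DisallowRun"

# Matches one "reg add" invocation in the exact shape used in the thread.
REG_ADD = re.compile(
    r'reg add "(?P<key>[^"]+)" /v "(?P<name>[^"]+)" /t (?P<type>\w+) /d "(?P<data>[^"]*)" /f',
    re.IGNORECASE,
)


def parse_reg_add(script: str) -> Dict[Tuple[str, str], Tuple[str, str]]:
    """Map (key, value name) -> (type, data) for every reg add line found."""
    entries: Dict[Tuple[str, str], Tuple[str, str]] = {}
    for line in script.splitlines():
        m = REG_ADD.search(line)
        if m:
            entries[(m["key"], m["name"])] = (m["type"].upper(), m["data"])
    return entries


def disallowrun_state(entries: Dict[Tuple[str, str], Tuple[str, str]]) -> Tuple[bool, List[str]]:
    """Return (policy switched on?, sorted lower-case image names in the list).

    The REG_SZ entries under ...\\Explorer\\DisallowRun are only consulted when
    the DWORD DisallowRun=1 exists on the parent Explorer key.
    """
    enabled = entries.get((EXPLORER_POLICY, "DisallowRun")) == ("REG_DWORD", "1")
    blocked = sorted(
        data.lower()
        for (key, _name), (typ, data) in entries.items()
        if key.lower() == DISALLOWRUN_KEY.lower() and typ == "REG_SZ"
    )
    return enabled, blocked


def missing_from_policy(blocked: List[str], wanted: List[str]) -> List[str]:
    """Names the caller wants blocked that the DisallowRun list does not cover."""
    have = set(blocked)
    return sorted(w.lower() for w in wanted if w.lower() not in have)


def audit(script: str, wanted: List[str]) -> dict:
    """Summarise the policy a reg add script would produce, plus its built-in limits."""
    entries = parse_reg_add(script)
    enabled, blocked = disallowrun_state(entries)
    return {
        "enabled": enabled,
        "blocked": blocked,
        "missing": missing_from_policy(blocked, wanted),
        # HKCU is writable by the very user the policy applies to, so it is not
        # tamper-resistant; and DisallowRun is enforced by Explorer (double-click,
        # shortcuts), not by anything launched from cmd.exe or PowerShell.
        "per_user_writable": all(key.upper().startswith("HKCU") for key, _ in entries),
        "enforced_by": "explorer.exe only",
    }


if __name__ == "__main__":
    for k, v in audit(SAMPLE_SCRIPT, ["rundll32.exe", "regsvr32.exe", "mshta.exe"]).items():
        print(f"{k}: {v}")
```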

mazskolnieces

Level 3
Jul 25, 2020
116
Correct, a lot of the items on those lists are certainly okay to disable permanently... but I am not finding rundll32 and regsvr32 on either list! :ROFLMAO:


Permanently blocking rundll32 / regsvr32 and blocking bash (for example) are two VERY different things. One month later and that is the only evidence that he can find.
The OP in that thread asked about policies to prevent AppLocker bypasses. At the top of the list are rundll32 and regsvr32 AppLocker bypasses. Microsoft knows about this aspect of AppLocker. So if you ask Microsoft Security, then they're going to point you to the LOLBin, MITRE and other online security resources that give the only way to prevent those AppLocker bypasses - and that is to disable both rundll32 and regsvr32 permanently. Disabling both is a security best practice. If a user wants to assume the risk, then they don't have to disable them. Microsoft has always promoted this strategy of best security practices.

Neither rundll32 nor regsvr32 is needed by Windows for workstation or server to function properly. Nor do any programs require them to function. Literally millions of enterprise endpoints and servers have both permanently disabled with no ill effects.

A user does not need full-time access to Control Panel via rundll32. Given that the average user goes into Control Panel very little, disabling access is not any kind of inconvenience. A user can turn off protections with a single click, go into Control Panel, do what they need to do, and then re-enable protections. Microsoft clients have been doing this for the past 20 or years.
 

Andy Ful

Level 72
Verified
Trusted
Content Creator
Dec 23, 2014
6,121
When blocking the command-line access via SRP (by blocking shortcuts, scripts, files with active content, etc.), blocking LOLBins on well updated Windows 10 is not needed at all.
The situation with SRP introduced via AppLocker or Application Control is different as compared to the home environment:
  1. Shortcuts and files with active content (except Windows scripts) cannot be restricted.
  2. In enterprises, the scripting is not blocked.
  3. In businesses, there are usually vulnerable applications that can be exploited, and the system may not be well updated.
So, access to command-line or scripting is opened and LOLBins can be used to bypass the protection.
 

danb

From VoodooShield
Verified
Developer
May 31, 2017
959
The OP in that thread asked about policies to prevent AppLocker bypasses. At the top of the list are rundll32 and regsvr32 AppLocker bypasses. Microsoft knows about this aspect of AppLocker. So if you ask Microsoft Security, then they're going to point you to the LOLBin, MITRE and other online security resources that give the only way to prevent those AppLocker bypasses - and that is to disable both rundll32 and regsvr32 permanently. Disabling both is a security best practice. If a user wants to assume the risk, then they don't have to disable them. Microsoft has always promoted this strategy of best security practices.

Neither rundll32 nor regsvr32 is needed by Windows for workstation or server to function properly. Nor do any programs require them to function. Literally millions of enterprise endpoints and servers have both permanently disabled with no ill effects.

A user does not need full-time access to Control Panel via rundll32. Given that the average user goes into Control Panel very little, disabling access is not any kind of inconvenience. A user can turn off protections with a single click, go into Control Panel, do what they need to do, and then re-enable protections. Microsoft clients have been doing this for the past 20 or years.
You said blocking rundll32 and regsvr32 are included in Microsoft's Best Practices.

This is simply not true.
 

Andy Ful

Level 72
Verified
Trusted
Content Creator
Dec 23, 2014
6,121
I am having difficulty fitting into this subject, are you guys discussing home or enterprise security?
The OP is obviously related to non-home users. It would be hard to find a clear Microsoft statement directed to home users, except maybe about using Standard User Account. Of course, some statements directed to non-home users (usually Enterprise customers) can be also true in the home environment.
We probably will not find agreement on this topic. :)(y)

Edit.
In many cases, one could block rundll32.exe and regsvr32.exe, but there are too many applications that still use them from time to time. The regsvr32.exe is sometimes (rarely) used by the system after Windows Updates, but I did not find any issues after blocking it. Blocking such LOLBins in the home environment is possible, but can also be an issue for inexperienced users. The users who know H_C well could probably block all LOLBins, but this is not needed in the H_C default-deny setup.
 

mazskolnieces

Level 3
Jul 25, 2020
116
The OP is obviously related to non-home users.
Windows 10 S is meant for home users. After all, Microsoft did install it on their Surface tablets as an answer to Apple's iPad. 10 S continues to have strong sales in Education and Enterprise.

Microsoft talked at length about Windows 10 S system lockdown and why it was their most secure default version of Windows ever. And why it was created precisely for home users.

In many cases, one could block rundll32.exe and regsvr32.exe, but there are too many applications that still use them from time to time.
rundll32.exe and regsvr32.exe are not needed for Windows for workstation or server - even with a bunch of the widely-used 3rd party software installed. Of course there are some programs that use rundll32.exe, but those are few and far between.

It's no big deal anyway. If it breaks something, just allow it. "Usability problem" solved, while the entirety of the rest of the default deny policy continues to be high level protection.

There's literally millions of systems out there running with all LOLBins permanently disabled, and the system doesn't black screen, spit sparks at the user and burn their house down.
 

danb

From VoodooShield
Verified
Developer
May 31, 2017
959
Then why does Microsoft block rundll32 and regsvr32 in their enterprise security templates?

Of course it is true. Otherwise Microsoft Security's division wouldn't do it.

Blocking rundll32.exe and regsvr32.exe are Microsoft best practice.
Actually, you inadvertently provided direct evidence which demonstrates rundll32.exe and regsvr32.exe are NOT part of Microsoft's Best Practices.


If you find evidence to the contrary, please let me know.
 

Andy Ful

Level 72
Verified
Trusted
Content Creator
Dec 23, 2014
6,121
Windows 10 S is meant for home users. After all, Microsoft did install it on their Surface tablets as an answer to Apple's iPad. 10 S continues to have strong sales in Education and Enterprise.

Microsoft talked at length about Windows 10 S system lockdown and why it was their most secure default version of Windows ever. And why it was created precisely for home users.
Yes, if we only focus on Windows 10S, then it was intended also for home users. It is even possible to apply similar security on any modern Windows 10 machine (I can do it on my machine with Windows Home in one minute). But, such a setup would be unacceptable for most users.:unsure:

Edit.
Applying such a setup is simple, but first, one has to prepare the appropriate WDAC policy file on Windows Pro (or a higher edition like E3 or E5). This can be done with some knowledge and effort.
 

mazskolnieces

Level 3
Jul 25, 2020
116
Yes, if we only focus on Windows 10S, then it was intended also for home users. It is even possible to apply similar security on any modern Windows 10 machine (I can do it on my machine with Windows Home in one minute). But, such a setup would be unacceptable for most users.:unsure:

Edit.
Applying such a setup is simple, but first, one has to prepare the appropriate WDAC policy file on Windows Pro (or a higher edition like E3 or E5). This can be done with some knowledge and effort.
Microsoft studied Chromebooks and especially Apple iPad due to the extraordinarily low infection rates (well, Chromebooks without the ability to install Android apps). And of course, Microsoft wanted to come up with its own equivalent solution and market it. The most important security measure of Windows 10 S is that the user is not permitted to install any software that is not available in the Windows Store. This feature, combined with the minimum disabled processes, resulted in a version of Windows with the lowest rate of infection ever. However, since people want to install untrusted code and/or game, 10 S was not popular with home users. The biggest complaint was, back then, home users wanted to use Chrome browser and Microsoft said no - and rightly so.

On the other hand, it is a different narrative with Education and Enterprise. Windows 10 S is very actively sold to Education and Enterprise. 10 S sales have been robust.

Microsoft has given Enterprises ample opportunity to stop old bad habits such as running logon scripts and better ways for admins to remotely manage endpoints without using all the methods and processes that get them into trouble.

I never saw rundll32.exe blocked in any business and nobody ever shared with me that they block this executable.
That's no surprise. Of course. Most companies do not adhere to Microsoft best practices.

It's common enough practice, especially with those companies determined to protect their servers and especially laptops that are used by roaming staff. If an organization uses AppLocker and wants to protect against AppLocker bypasses, then it has no choice but to disable rundll32.

Lots of people here seem to think that enterprises are all on Windows 10. Meanwhile, reality is an enterprise infrastructure that continues to use unpatched Windows 7, XP, Server 2008 and even 2003. If a company is determined to protect those systems with the best possible security that Microsoft makes available to them, then they have to use the technology that they provide. The first of these is AppLocker and software restriction policy. Then apply the widely accepted industry and organization LOLBin lists.

Every single high-level organization from Microsoft to NSA to FSB to UK GCHQ to Australian Communications Directorate to US, Euro, Japan CERTS all list rundll32 on their advisory lists. Since Microsoft cooperates extensively with all of these organizations, Microsoft's support of their recommendations is implicit.

The advisories are not for no reason. There are so many ways to bypass default deny security with rundll32, from malicious .cpl to even running disabled LOLBins as a DLL. Didier Stevens and other researchers began warning about rundll32 at BruCON 2015. Before that there was Poweliks. And before that, ways to bypass disabling disabled control.exe.

Since rundll32 is used by most printing services, it is up to the company/user to decide how best to handle the protection policy. Some don't care and allow rundll32 full time, others toggle policy dependent upon a number of factors to prevent rundll32, and then there are those that can disable rundll32 permanently on most or all of their endpoints.
 

mazskolnieces

Level 3
Jul 25, 2020
116
Actually, you inadvertently provided direct evidence which demonstrates rundll32.exe and regsvr32.exe are NOT part of Microsoft's Best Practices.


If you find evidence to the contrary, please let me know.
Did you actually believe that the 10 S and the other list are the de facto final word on Microsoft best practices ? Obviously you did.

Microsoft does not publish a 10,000 page manual that outlines everything that professionals and users need to figure out for themselves. Microsoft's best practice has always been "if you don't need it, then disable it." And that references, in particular, LOLBins, on which Microsoft has supported and advised every major body that provides security info out there. Just about everything you find on the major security advisory websites, Microsoft has had a hand in it, devoted resources and contributed directly. Microsoft adheres to and endorses, and always has, the greater security community advisories. It's implicit in their best practices.

Enterprises routinely disable many more processes than are listed in the OP.

You won't find anywhere where Microsoft says that access to Control Panel via rundll32 is a vital system resource. In fact, in any enterprise environment, no admin in their right mind would want anyone other than the admin accessing the control panel. Security 101. ~ IQ.

It doesn't matter if you disagree with Microsoft's best practices and you insist upon placing your product users at risk because you think they should have access to control panel. It's an absurd argument that denying access to control panel is breaking vital functionality.

Here's the thing about you. You're not really interested in evidence. Even if I presented a letter from Satya Nadella that explained Microsoft best practices in depth, you would come up with some way to deny Microsoft's position. I mean, the fact that you keep insisting that if it isn't in writing is nothing more than a silly game that you're playing.
 

Andy Ful

Level 72
Verified
Trusted
Content Creator
Dec 23, 2014
6,121
The "Zero Trust" framework was not invented by Microsoft - it has been known for several years. It is based on the observation that the old model based on AV+Hardening+Whitelisting ("Castle and moat" model) is not sufficient in Enterprises due to the increasing attack surface and increasing sophistication of malware (especially in targeted attacks). Some attack vectors are hard to stop, like human error and insufficient cybersecurity knowledge of the staff. In many cases, the Windows system is not patched (for several reasons) and vulnerable software is used (new license costs). So, in fact, the modern Enterprise defense has to assume that there is a high possibility of a breach, and the security must still protect the Enterprise against disaster, data leak, lateral movement, deep penetration of the network, etc.
The "Zero Trust" framework can usually produce an enormous amount of incidents from the machines in the Enterprise network and network/Internet traffic. Such a framework can be efficiently applied in Enterprises only when using AI and Machine Learning which can intelligently reduce the incident noise to the most important classes of incidents. Finally, all these important classes of incidents are displayed in real-time on one console to help the Administrators prevent the attacks.
What is Zero Trust? A Comprehensive Security Model - Varonis
CyberTalk with Dr. Zero Trust - Chase Cunningham - Ep. 50 | Forcepoint
Zero Trust Architecture (nist.gov)

Zero Trust eXtended Ecosystem Platform Providers, Q3 2020:



What’s New In The 2020 Forrester Zero Trust Wave? (forbes.com)
 