Microsoft Best Security Practices
<blockquote data-quote="mazskolnieces" data-source="post: 923069" data-attributes="member: 88422"><p>Microsoft studied Chromebooks and especially Apple iPad due to the extraordinarily low infection rates (well, Chromebooks without the ability to install Android apps). And of course, Microsoft wanted to come up with its own equivalent solution and market it. The most important security measure of Windows 10 S is that the user is not permitted to install any software that is not available in the Windows Store. This feature, combined with the minimum disabled processes, resulted in a version of Windows with the lowest rate of infection ever. However, since people want to install untrusted code and/or games, 10 S was not popular with home users. The biggest complaint was, back then, that home users wanted to use the Chrome browser and Microsoft said no - and rightly so.</p><p></p><p>On the other hand, it is a different narrative with Education and Enterprise. Windows 10 S is very actively sold to Education and Enterprise. 10 S sales have been robust.</p><p></p><p>Microsoft has given Enterprises ample opportunity to stop old bad habits such as running logon scripts, and better ways for admins to remotely manage endpoints without using all the methods and processes that get them into trouble.</p><p></p><p>That's no surprise. Of course. Most companies do not adhere to Microsoft best practices.</p><p></p><p>It's common enough practice, especially with those companies determined to protect their servers and especially laptops that are used by roaming staff. If an organization uses AppLocker and wants to protect against AppLocker bypasses, then it has no choice but to disable rundll32.</p><p></p><p>Lots of people here seem to think that enterprises are all on Windows 10. Meanwhile, reality is an enterprise infrastructure that continues to use unpatched Windows 7, XP, Server 2008 and even 2003.
If a company is determined to protect those systems with the best possible security that Microsoft makes available to them, then they have to use the technology that they provide. The first of these is AppLocker and software restriction policy. Then apply the widely accepted industry and organization LOLBin lists.</p><p></p><p>Every single high-level organization from Microsoft to NSA to FSB to UK GCHQ to Australian Communications Directorate to US, Euro, Japan CERTs all list rundll32 on their advisory lists. Since Microsoft cooperates extensively with all of these organizations, Microsoft's support of their recommendations is implicit.</p><p></p><p>The advisories are not for no reason. There are so many ways to bypass default deny security with rundll32, from malicious .cpl to even running disabled LOLBins as a DLL. Didier Stevens and other researchers began warning about rundll32 at BruCon 2015. Before that there was Poweliks. And before that, ways to bypass disabling control.exe.</p><p></p><p>Since rundll32 is used by most printing services, it is up to the company/user to decide how best to handle the protection policy. Some don't care and allow rundll32 full time, others toggle policy dependent upon a number of factors to prevent rundll32, and then there are those that can disable rundll32 permanently on most or all of their endpoints.</p></blockquote><p></p>
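The quoted post describes disabling rundll32 through AppLocker and toggling that policy depending on what breaks (printing, for instance). As an added example, not code from the poster or from Microsoft, here is one way an admin would roll that out on a single endpoint: a deny path rule for both copies of rundll32.exe is merged into the local AppLocker policy in AuditOnly mode first, and the AppLocker event log is then queried for what the rule would have blocked before switching EnforcementMode to Enabled. The rule name and the temp file path are my own choices; everything else is standard AppLocker XML and cmdlets.

```powershell
# Added example: deny rundll32.exe via AppLocker, audit first, then review the log.
# Deny rules win over allow rules in AppLocker, so this works alongside an
# existing allow-list. Both the 64-bit and the WOW64 copy need their own rule,
# because a FilePathRule carries exactly one FilePathCondition.
$targets = @('%SYSTEM32%\rundll32.exe', '%WINDIR%\SysWOW64\rundll32.exe')

$rules = foreach ($t in $targets) {
@"
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny rundll32 (LOLBin): $t"
                  Description="rundll32 is on published LOLBin lists; denied for Everyone"
                  UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="$t" />
      </Conditions>
    </FilePathRule>
"@
}

# Start in AuditOnly so nothing is blocked yet; change to "Enabled" once the
# audit events show only what you expect (e.g. no print-spooler breakage).
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
$($rules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'deny-rundll32.xml'   # assumed scratch location
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# -Merge keeps the rules already on the machine instead of replacing them.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# AppLocker only evaluates rules while the Application Identity service runs.
Start-Service -Name AppIDSvc

# 8003 = would have been blocked (audit mode), 8004 = blocked (enforced).
# This is the list to review before flipping the collection to Enabled.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'
    Id      = 8003, 8004
} -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'RUNDLL32\.EXE' } |
    Select-Object TimeCreated, Id, UserId, Message |
    Format-Table -AutoSize -Wrap
```

To push the same XML to a domain through Group Policy, use Set-AppLockerPolicy with -Ldap pointing at the GPO instead of applying it locally.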