Paranoid Banking Computer.

Andy Ful


This is the craziest idea I tried to realize so far. I post this experimental setup here to show that it is possible (with some effort) if one does not like the other options.


My friend asked me to turn the old laptop with Windows 10 into a one-purpose machine. The purpose was to use it only for banking. She has a second laptop with Windows 11, which serves as a home computer.
I thought about Linux or ChromeOS Flex, but I had a bad experience with both on old laptops (display and Wi-Fi problems). Furthermore, my security experience is related to Windows OS, so I decided to use Windows 10. However, Microsoft stopped supporting Windows 10, which requires mitigating the exploit problem, especially against highly privileged exploits.

I had to think over the Zero Trust config based on some observations:
  1. Banking requires using only a few websites. Others can be blocked.
  2. There is no need to install third-party applications or web browser extensions.
  3. No Windows Updates.
Point 1 allows the domain-based default-deny restrictions while allowing only domains required to run Windows 10 with Microsoft Defender and Edge (plus a few banking domains). I used NextDNS Max settings (including blocking over 1500 TLDs). Such extreme blocking required extended whitelisting of domains used by Windows. I used NextDNS with a free account. I also confirmed (to my surprise) that it can be configured at the system level (IPv4 and IPv6 NextDNS personal addresses added via Network and Sharing Center).

Point 2 allows a strong combination of "WDAC/SRP/Exploit protection/Microsoft Defender" restrictions:
  • The Intel display driver was removed due to the incompatibility with Core Isolation.
  • WDAC policy was activated, which allows only Hard_Configurator and Windows native processes (stronger than the WDAC policy used in Windows S mode).
  • Hard_Configurator MAX settings on the Standard User Account were applied to restrict risky user-initiated actions.
  • Microsoft Defender MAX settings (via ConfigureDefender) were applied for general protection on the post-exploitation stage.
  • Console Window Host (conhost.exe) was blocked by Exploit protection, which blocks almost all LOLBins independently of Hard_Configurator (SRP and FirewallHardening) restrictions. This can be important against system-privileged exploits. With this restriction, it is recommended to allow Windows Security Center when applying ConfigureDefender Max settings!
  • Edge web browser was hardened by several policies and a few "Exploit protection" mitigations.
The most time-consuming can be the domain whitelisting. So, I post here my working whitelist:
account.live.com
activity.windows.com
adl.windows.com
arc.msn.com
azureedge.net
blob.core.windows.net
cass.api.microsoft.com
cdp.microsoft.com
checkappexec.microsoft.com
cloudflare.com
cxcs.microsoft.net
data.microsoft.com
dds.microsoft.com
digicert.com
dns.msftncsi.com
edge.microsoft.com
go.microsoft.com
graph.microsoft.com
iris.microsoft.com
login.live.com
login.microsoft.com
metaservices.microsoft.com
mp.microsoft.com
msauth.net
msedge.net
msftconnecttest.com
msftauth.net
nextdns.io
onecdn.static.microsoft.com
oneocsp.microsoft.com
pti.store.microsoft.com
res.public.onecdn.static.microsoft
sdx.microsoft.com
smartscreen.microsoft.com
ssmartscreen-prod.microsoft.com
storeedge.microsoft.com
storequality.microsoft.com
time.windows.com
update.microsoft.com
wdcp.microsoft.com
wdcpalt.microsoft.com
windows.policies.live.net
windowsupdate.com
wns.windows.com

The list must be extended if one wants to use online MS Office, OneDrive, and some favorite websites.
Whitelisting is rather easy with NextDNS.
 
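A set of post-setup checks for the laptop described above, written as an added example (this is not Andy Ful's or Hard_Configurator's code). It assumes the allowlist from the post has been pasted into .\allowlist.txt (one domain per line), that $ExpectedDns holds the personal NextDNS addresses (placeholders here), that bank.example stands in for the real banking domain, and that the resolver answers blocked names either with NXDOMAIN or with a 0.0.0.0 / :: address. It verifies the three things most likely to silently break after a reimage or a driver reinstall: the system-level DNS servers, the allowlist itself (including a constructed canary that must stay blocked), and the per-program Exploit protection entries for conhost.exe and msedge.exe.

```powershell
# Added example (not from the original post): post-setup checks for the
# "paranoid banking" laptop. Run in an elevated PowerShell on the machine.
# Assumptions: .\allowlist.txt holds the post's domain list; $ExpectedDns and
# bank.example are placeholders; a blocked name comes back as NXDOMAIN or as
# a 0.0.0.0 / :: answer (constructed assumption about the resolver's replies).

$ExpectedDns = @('<NEXTDNS-IPV4-1>', '<NEXTDNS-IPV4-2>')   # placeholders, replace
$Allowlist   = Get-Content .\allowlist.txt | Where-Object { $_.Trim() }
$Bank        = @('bank.example')                            # placeholder banking domain(s)
$Canary      = 'not-on-the-list.example'                    # constructed: must stay blocked

# 1. System-level DNS: every active IPv4 interface must point only at NextDNS.
#    (Repeat with -AddressFamily IPv6 and the IPv6 NextDNS addresses.)
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object {
        $bad = @($_.ServerAddresses | Where-Object { $_ -notin $ExpectedDns })
        if ($bad.Count) { Write-Warning "$($_.InterfaceAlias): unexpected DNS server(s): $($bad -join ', ')" }
        else            { Write-Host    "$($_.InterfaceAlias): DNS servers OK" }
    }

# 2. Classify how the configured resolver answers for a name.
#    'NoAddress' means the name exists but the apex has no A/AAAA record, which is
#    normal for suffix entries such as windowsupdate.com and is not a problem.
function Get-DnsVerdict {
    param([Parameter(Mandatory)][string]$Name)
    try {
        $records = Resolve-DnsName -Name $Name -DnsOnly -NoHostsFile -ErrorAction Stop
    } catch {
        return 'Blocked'        # NXDOMAIN: NextDNS block or a genuinely non-existent name
    }
    $addrs = @($records | Where-Object { $_.Type -in 'A', 'AAAA' } |
                          Select-Object -ExpandProperty IPAddress)
    if ($addrs.Count -eq 0)                                   { return 'NoAddress' }
    if ($addrs -contains '0.0.0.0' -or $addrs -contains '::') { return 'Blocked' }
    return 'Resolves'
}

# 3. Allowlisted and banking names must not be blocked; the canary must be.
$problems = @()
foreach ($d in ($Allowlist + $Bank)) {
    if ((Get-DnsVerdict $d) -eq 'Blocked') {
        $problems += "$d is blocked - add it to the NextDNS allowlist"
    }
}
if ((Get-DnsVerdict $Canary) -ne 'Blocked') {
    $problems += "$Canary resolved - default-deny is not in effect on this resolver"
}

# 4. Exploit protection: print the per-program mitigations applied to conhost.exe
#    and msedge.exe so the settings from the post can be compared after a change.
foreach ($exe in 'conhost.exe', 'msedge.exe') {
    Write-Host "`nExploit protection for $exe"
    Get-ProcessMitigation -Name $exe | Format-List
}

if ($problems) { $problems | Write-Warning } else { Write-Host 'All DNS checks passed.' }
```

Run it once right after the setup is finished to record a known-good baseline, and again whenever Windows, the network adapter or NextDNS settings are touched; a newly blocked allowlist entry shows up as a warning rather than as an unexplained Defender or Store error later.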
Point 1 allows the domain-based default-deny restrictions while allowing only domains required to run Windows 10 with Microsoft Defender and Edge (plus a few banking domains). I used NextDNS Max settings (including blocking over 1500 TLDs). Such extreme blocking required extended whitelisting of domains used by Windows. I used NextDNS with a free account. I also confirmed (to my surprise) that it can be configured at the system level (IPv4 and IPv6 NextDNS personal addresses added via Network and Sharing Center).
Is this stage essential?
Just visiting specific websites (no web surfing outside)!
 
Thank you, @Andy Ful , for sharing this detailed strategy. On some of my Windows 10 machines I also use a setup inspired by several of the elements you mention, such as NextDNS, Hard_Configurator, and other protection layers. I don’t intend to compare my knowledge with yours, of course, and in my case I don’t use these PCs for online banking, but I have managed to build a fairly solid defense for everyday use. Seeing what you’ve done is truly inspiring, and I think it may encourage other users to adopt similar approaches according to their needs. 🛡️🔒⚔️
 
Is this stage essential?
Just visiting specific websites (no web surfing outside)!

It is not the most important for banking. However, the domains are also blocked outside the web browser. So, if the system were exploited or attacked, the malware could not call the malicious domains (important at the initial stage). Of course, this cannot stop the final payload from using direct IPs.
 

Great experiment. ;)
You can't do it with that measly whitelist.
I recommend checking the domains more thoroughly with these filter lists by Nick Spaargaren:

GitHub - nickspaargaren/no-google: Completely block Google and its services
 
How do you know that the domains you set up do not include trackers? I rely on 'Privacy Badger'; what are you using?

If you use Firefox + PB, you block third-party trackers.
You will never block first-party trackers, which will not even be blocked at the DNS level for website compatibility reasons.

To achieve superior tracker blocking, you need to use uBO with filter lists.
Even better is to add at least dynamic filtering with third-party frame blocking.
 