Paranoid Banking Computer.

Andy Ful


This is the craziest idea I tried to realize so far. I post this experimental setup here to show that it is possible (with some effort) if one does not like the other options.


My friend asked me to turn the old laptop with Windows 10 into a one-purpose machine. The purpose was to use it only for banking. She has a second laptop with Windows 11, which serves as a home computer.
I thought about Linux or ChromeOS Flex, but I had a bad experience with both on old laptops (display and Wi-Fi problems). Furthermore, my security experience is related to Windows OS, so I decided to use Windows 10. However, Microsoft stopped supporting Windows 10, which requires mitigating the exploit problem, especially against highly privileged exploits.

I had to think over the Zero Trust config based on some observations:
  1. Banking requires using only a few websites. Others can be blocked.
  2. There is no need to install third-party applications or web browser extensions.
  3. No Windows Updates.
Point 1 allows the domain-based default-deny restrictions while allowing only domains required to run Windows 10 with Microsoft Defender and Edge (plus a few banking domains). I used NextDNS Max settings (including blocking over 1500 TLDs). Such extreme blocking required extended whitelisting of domains used by Windows. I used NextDNS with a free account. I also confirmed (to my surprise) that it can be configured at the system level (IPv4 and IPv6 NextDNS personal addresses added via Network and Sharing Center).

Point 2 allows a strong combination of "WDAC/SRP/Exploit protection/Microsoft Defender" restrictions:
  • The Intel display driver was removed due to the incompatibility with Core Isolation.
  • WDAC policy was activated, which allows only Hard_Configurator and Windows native processes (stronger than the WDAC policy used in Windows S mode).
  • Hard_Configurator MAX settings on the Standard User Account were applied to restrict risky user-initiated actions.
  • Microsoft Defender MAX settings (via ConfigureDefender) were applied for general protection on the post-exploitation stage.
  • Console Window Host (conhost.exe) was blocked by Exploit protection, which blocks almost all LOLBins independently of Hard_Configurator (SRP and FirewallHardening) restrictions. This can be important against system-privileged exploits. With this restriction, it is recommended to allow Windows Security Center when applying ConfigureDefender Max settings!
  • Edge web browser was hardened by several policies and a few "Exploit protection" mitigations.
The most time-consuming part can be the domain whitelisting. So, I post here my working whitelist:
account.live.com
activity.windows.com
adl.windows.com
arc.msn.com
azureedge.net
blob.core.windows.net
cass.api.microsoft.com
cdp.microsoft.com
checkappexec.microsoft.com
cloudflare.com
cxcs.microsoft.net
data.microsoft.com
dds.microsoft.com
digicert.com
dns.msftncsi.com
edge.microsoft.com
go.microsoft.com
graph.microsoft.com
iris.microsoft.com
login.live.com
login.microsoft.com
metaservices.microsoft.com
mp.microsoft.com
msauth.net
msedge.net
msftconnecttest.com
msftauth.net
nextdns.io
onecdn.static.microsoft.com
oneocsp.microsoft.com
pti.store.microsoft.com
res.public.onecdn.static.microsoft
sdx.microsoft.com
sectigo.com
smartscreen.microsoft.com
ssmartscreen-prod.microsoft.com
storeedge.microsoft.com
storequality.microsoft.com
time.windows.com
update.microsoft.com
wdcp.microsoft.com
wdcpalt.microsoft.com
windows.policies.live.net
windowsupdate.com
wns.windows.com

The list must be extended if one wants to use online MS Office, OneDrive, and some favorite websites.
Whitelisting is rather easy with NextDNS.

Update.
Added sectigo.com to the whitelisted domains.
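The whitelisting described above works on whole domain labels: allowing data.microsoft.com also allows its subdomains, but must not allow lookalikes. The following is an added example (not part of the post, and not NextDNS code): a small allowlist checker with that label-boundary rule, run over a constructed resolver log to list what a default-deny profile would have blocked, which is the review step the author describes. The log format and the "parent domain" grouping (last two labels, no public suffix list) are assumptions made here.

```python
"""Allowlist review for a default-deny DNS setup (added example)."""
from collections import Counter

# Subset of the thread's whitelist, used here as the allowlist.
ALLOWLIST = {
    "data.microsoft.com", "login.live.com", "msftconnecttest.com",
    "windowsupdate.com", "digicert.com", "nextdns.io",
    "smartscreen.microsoft.com", "time.windows.com",
}

# Constructed log lines (assumed format: timestamp client qname).
LOG = """\
2024-01-01T10:00:01Z laptop v10.events.data.microsoft.com
2024-01-01T10:00:02Z laptop login.live.com.
2024-01-01T10:00:03Z laptop www.msftconnecttest.com
2024-01-01T10:00:04Z laptop ocsp.digicert.com
2024-01-01T10:00:05Z laptop data.microsoft.com.evil.example
2024-01-01T10:00:06Z laptop notdigicert.com
2024-01-01T10:00:07Z laptop ocsp.sectigo.com
2024-01-01T10:00:08Z laptop ocsp.sectigo.com
2024-01-01T10:00:09Z laptop tracker.example.net
"""


def normalize(name: str) -> str:
    """Lower-case the name and drop the trailing dot an FQDN may carry."""
    return name.strip().lower().rstrip(".")


def is_allowed(query: str, allowlist=ALLOWLIST) -> bool:
    """True if the query equals an allowlisted name or is a subdomain of one.

    Matching walks label boundaries, so 'notdigicert.com' does not match
    'digicert.com' and 'data.microsoft.com.evil.example' is not allowed.
    """
    labels = normalize(query).split(".")
    return any(".".join(labels[i:]) in allowlist for i in range(len(labels)))


def review_log(lines, allowlist=ALLOWLIST) -> dict:
    """Count allowed queries and group blocked ones by their parent domain.

    Grouping by the last two labels is a simplification (no public suffix
    list); it is enough to see which services a reviewer should look at.
    """
    allowed, blocked = 0, Counter()
    for line in lines:
        parts = line.split()
        if not parts:
            continue
        qname = normalize(parts[-1])
        if is_allowed(qname, allowlist):
            allowed += 1
        else:
            blocked[".".join(qname.split(".")[-2:])] += 1
    return {"allowed": allowed, "blocked": blocked}


if __name__ == "__main__":
    result = review_log(LOG.splitlines())
    print(f"allowed: {result['allowed']}")
    for parent, count in result["blocked"].most_common():
        print(f"blocked {count:3d}  {parent}")
```

Running it on the constructed log shows sectigo.com as the most frequently blocked parent, which is the kind of entry the later replies discuss adding for OCSP.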
Point 1 allows the domain-based default-deny restrictions while allowing only domains required to run Windows 10 with Microsoft Defender and Edge (plus a few banking domains). I used NextDNS Max settings (including blocking over 1500 TLDs). Such extreme blocking required extended whitelisting of domains used by Windows. I used NextDNS with a free account. I also confirmed (to my surprise) that it can be configured at the system level (IPv4 and IPv6 NextDNS personal addresses added via Network and Sharing Center).
Is this stage essential?
Just visiting specific websites (no web surfing outside)!
 
Thank you, @Andy Ful , for sharing this detailed strategy. On some of my Windows 10 machines I also use a setup inspired by several of the elements you mention, such as NextDNS, Hard_Configurator, and other protection layers. I don’t intend to compare my knowledge with yours, of course, and in my case I don’t use these PCs for online banking, but I have managed to build a fairly solid defense for everyday use. Seeing what you’ve done is truly inspiring, and I think it may encourage other users to adopt similar approaches according to their needs. 🛡️🔒⚔️
 
Is this stage essential?
Just visiting specific websites (no web surfing outside)!

It is not the most important for banking. However, the domains are also blocked outside the web browser. So, if the system were exploited or attacked, the malware could not call the malicious domains (important at the initial stage). Of course, this cannot stop the final payload from using direct IPs.
 
Great experiment. ;)
You can't do it with that measly whitelist.
I recommend checking the domains more thoroughly with these filter lists by Nick Spaargaren:

GitHub - nickspaargaren/no-google: Completely block Google and its services
 
How do you know that the domains you set up do not include trackers? I rely on 'Privacy Badger'; what are you using?

If you use Firefox + PB, you block third-party trackers.
You will never block first-party trackers, which will not even be blocked at the DNS level for website compatibility reasons.

To achieve superior tracker blocking, you need to use uBo with filter lists.
Even better is to add at least dynamic filtering with third-party frame blocking.
 
How do you know that the domains you set up do not include trackers? I rely on 'Privacy Badger'; what are you using?

I used the NextDNS log and asked ChatGPT about blocked domains (Should a home user allow outbound connections to the domain ....?).
Some important system domains are documented:

In my case, whitelisting was easier, because for banking websites I simply tested each website and whitelisted only those domains that were strictly necessary.
 
While the setup assumes that blocking network delivery and payload execution renders unpatched CVEs unreachable, how does this strategy hold up against sophisticated, chained exploits that bypass these layers to reach kernel space?
 
While the setup assumes that blocking network delivery and payload execution renders unpatched CVEs unreachable, ...

It does not assume so. The setup includes several preventive and anti-exploit layers:
  1. Blocking network delivery, phishing, malvertising, etc.
  2. Mitigating MitM attacks.
  3. Blocking the attackers' discovery actions.
  4. Preventing the installation of vulnerable drivers.
  5. Blocking/mitigating non-kernel exploits.
  6. Mitigating post-exploitation actions in UserLand.

how does this strategy hold up against sophisticated, chained exploits that bypass these layers to reach kernel space?

It is hardly possible at home. However, even if the attacker could use a sophisticated kernel exploit such as Eternal Blue, the malicious payload would mainly fail due to Exploit protection/WDAC/delivery restrictions.
Bypassing a Paranoid Banking Computer is hardly possible, except for highly targeted attacks when the computer is connected to the compromised Enterprise network. But even in this case, most attacks can be blocked because the attackers' discovery actions are blocked on the kernel level.
 
If the hardware supports it, you should enable Core Isolation / Memory Integrity (HVCI).

Without it, an unpatched kernel vulnerability gives an attacker the same privilege level as your security software (WDAC), meaning they could potentially disable it.

With HVCI enabled, the WDAC enforcement logic is moved into a hardware-protected Hypervisor container. This effectively validates your claim: even if a sophisticated exploit lands in the kernel, it is physically prevented from tampering with the security policy. This is the only way to safely run EOL Windows 10 against modern exploits.
 
I had to think over the Zero Trust config based on some observations:
  1. Banking requires using only a few websites. Others can be blocked.
  2. There is no need to install third-party applications or web browser extensions.
  3. No Windows Updates.
What if a vulnerability is discovered in the Windows Kernel, TCP/IP stack, or Wi-Fi driver (which runs with high privileges) as it does not come under user mode?
I would also add ocsp.digicert.com and ocsp.sectigo.com as blocking these can cause SSL handshake errors.
 
What if a vulnerability is discovered in the Windows Kernel, TCP/IP stack, or Wi-Fi driver (which runs with high privileges) as it does not come under user mode?

Such exploits are mainly absent in attacks on home users. However, even if such an exploit could happen, the attack would fail at the post-exploitation stage. I have never heard of an attack conducted fully in the kernel. Banking malware runs mainly in UserLand, or is initiated via UserLand.
However, it would be interesting to analyze an example of a real-world attack like WannaCry. (y)

I would also add ocsp.digicert.com and ocsp.sectigo.com as blocking these can cause SSL handshake errors.

digicert.com is already whitelisted. The banking websites in my example do not use sectigo.com. However, it will not hurt to add it too. :) (y)
 