Basic Security ParaXY's Windows 10 desktop Config

Arequire

Level 29
Verified
Top Poster
Content Creator
Feb 10, 2017
1,822
2) I know AppLocker secures things pretty well if you set the rules up correctly but I know I am still vulnerable to malware macros running in Word/Excel docs. How does one protect yourself from these nasties? Stupid question but if a macro was allowed to run that was in a Word/Excel doc what executables etc does the macro use to do its malicious activity? In AppLocker I have blocked many system executables from running for my non-admin account (such as powershell) so I was wondering if there was anything further I need to do to protect myself from malicious macros?
If you don't think you're ever going to need to run legitimate macros you can go ahead and disable them outright.
 

Arequire

Level 29
Verified
Top Poster
Content Creator
Feb 10, 2017
1,822
That's very helpful, thanks!

I have disabled macros from running for Excel, Word and Powerpoint.

Does anything else need to be done for Outlook?
You should be good as is. Config looks solid and you've blocked off a lot of infection vectors.
 

ParaXY

Level 6
Thread author
Verified
Mar 14, 2017
273
You should be good as is. Config looks solid and you've blocked off a lot of infection vectors.

Thanks, I'm hoping I haven't forgotten anything!

I thought I'd share my config in more detail now that the rebuild is (mostly) complete.

First off, after reinstalling I enabled Device and Credential Guard. This ended up being a frustrating experience! DG didn't like my video drivers (Intel HD 4000) for some reason (even after upgrading them) so every time I played a video file it caused a BSOD. I'm guessing I could have worked around this issue by buying a compatible video card with drivers that worked with DG but the deal breaker for me was Hyper-V. Since DG needs the Hyper-V role installed you can't run VMware Workstation Pro at the same time. I was willing to swap from VMware to Hyper-V (I use VMware Workstation every day for my job) but I just couldn't get on with Hyper-V and it ended up frustrating me so in the end I had to remove DG/CG due to the drivers issue I was experiencing and not being able to use VMware Workstation. The other issue with DG is the limited and sometimes difficult to follow documentation. Also keeping your policy file up to date every time you install new software is time consuming and painful (took about 45min to create a new policy file on my i7/32GB RAM/SSD machine).

So after the above learning exercise I now have the following setup on my new secure desktop config:

1) Two user accounts. Let's call them User and Admin. Both of these accounts have very long passwords set and each one also has a PIN set. The User account has Windows Hello access enabled with the Logitech BRIO camera.

2) UAC set at its maximum setting. I thought this would drive me nuts like it did when I last tried this but after the machine was setup it was pretty painless when prompted if I used the Admin PIN. This feature in Win10 is awesome.

3) Bitlocker enabled on ALL drives using AES-XTS 256bit and using an encryption key on a removable USB key (I don't have TPM). If I want I can take the USB key with me and my encrypted drives will be safe.

4) I deleted ALL the default incoming and outgoing firewall rules and manually created ALL my own rules. Basically anything incoming is blocked except for ICMP and outgoing is controlled to the apps I want to have internet access for updating or for them to function properly. I also use Windows Firewall Control (WFC) to stop apps creating their own firewall rules by using a feature called "Secure Rules". This means my rules stay the same no matter what is installed/configured.

5) AppLocker is used. Basically my Admin account can run anything but my User account is very locked down/restricted to only run trusted apps. Most of my rules are Publisher rules but there are a handful of hash rules due to the software not being signed. I also changed the default rule for modern apps to only allow Microsoft signed apps. The default was to run ALL signed apps which I didn't like.

I also changed the Publisher rule for all Microsoft software to EXCLUDE the following from running for extra security/safety (this is a long list but may be helpful):

FLASHUTIL.EXE
HH.EXE
IEXPLORE.EXE
IEXPRESS.EXE
MSHTA.EXE
CSCRIPT.EXE
ONEDRIVE.EXE
ASPNET_COMPILER.EXE
CSC.EXE
DFSVC.EXE
ILASM.EXE
INSTALLUTIL.EXE
JSC.EXE
MSBUILD.EXE
REGASM.EXE
REGSVCS.EXE
VBC.EXE
AT.EXE
ATTRIB.EXE
AUDITPOL.EXE
BCDBOOT.EXE
BCDEDIT.EXE
BITSADMIN.EXE
BOOTCFG.EXE
BOOTIM.EXE
BOOTSECT.EXE
BYTECODEGENERATOR.EXE
CACLS.EXE
CIPHER.EXE
DISKPART.EXE
EVENTVWR.EXE
MMC.EXE
MSRA.EXE
NETSH.EXE
NETSTAT.EXE
POWERSHELL.EXE
POWERSHELL_ISE.EXE
PRESENTATIONHOST.EXE
QUSER.EXE
REG.EXE
REGINI.EXE
REGSVR32.EXE
RUNLEGACYCPLELEVATED.EXE
RUNONCE.EXE
SAMLOCK.EXE
SCRCONS
SETX.EXE
SYSTEMRESET.EXE
TAKEOWN.EXE
TASKKILL.EXE
USERACCOUNTCONTROLSETTINGS.EXE
UTILMAN2.EXE
VSSADMIN.EXE
WMIC.EXE
WRITE
MSIEXEC.EXE
ONEDRIVESETUP.EXE
FLASH.OCX (DLL rule)
FLASHUTIL.DLL (DLL rule)

6) I've also disabled cmd.exe from running for the User account so it can't be used.

7) Signature checking is enabled so that software that isn't signed CAN'T be run with admin rights while logged in as the User account

8) I'm using Windows Defender for AV protection using the real time protection and have Smart Screen enabled

9) I have also added the option in the local GPO to disable macros in Word/Excel/Powerpoint for files from the internet

10) IE11, Windows Media Player, SMB1 and a few other items were uninstalled from the Programs and Features options.

11) I have also enabled the "Ctrl+Alt+Del" screen as it adds another layer of security to the setup so you have to do the "3 finger salute" to login to the machine.

Phew! Hopefully I haven't forgotten anything. The only thing I haven't had any luck with so far is blocking the Edge browser from running using AppLocker. Any ideas?

I've been running the above config for about 2 weeks now and so far so good! Feels lean and mean and secure. It feels good to use the machine with a non-admin account and with all the other restrictions in place but it doesn't feel inconvenient to use.

I'm hoping this setup will protect me from virii, malware, ransomware and drive by attacks.

Look forward to any questions and/or feedback ;-)
 
Last edited:
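The firewall part of the config above (item 4: everything inbound blocked except ICMP, outbound allowed only for named applications, and a check that no installer has quietly added its own allow rule) can be expressed with the built-in NetSecurity cmdlets. This is an added example written for this page, not ParaXY's exported rule set or anything from Windows Firewall Control; the rule names and application paths are placeholders to be replaced with the real binaries on the machine, and it has to be run from an elevated PowerShell.

```powershell
# Added example: default-deny Windows Firewall baseline in the shape the
# post describes. Rule names and program paths below are placeholders.

# 1. Default-deny on every profile and log what gets dropped, so a blocked
#    application shows up in the log instead of failing silently.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Block `
    -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 2. Inbound: only ICMPv4 echo requests (ping), as in the post.
New-NetFirewallRule -DisplayName 'Allow inbound ICMPv4 echo' `
    -Direction Inbound -Protocol ICMPv4 -IcmpType 8 -Action Allow

# 3. Outbound: one explicit allow per application that needs the network.
#    Placeholder list; svchost.exe is broad (it hosts many services), so
#    narrow it further with -Service if the update channel is all you want.
$allowedOutbound = @{
    'Windows Update (svchost)' = '%SystemRoot%\System32\svchost.exe'
    'Browser (placeholder)'    = 'C:\Program Files\ExampleBrowser\browser.exe'
}
foreach ($name in $allowedOutbound.Keys) {
    New-NetFirewallRule -DisplayName "Allow outbound: $name" `
        -Direction Outbound -Program $allowedOutbound[$name] `
        -Action Allow -Profile Any
}

# 4. Audit: list every enabled Allow rule that is not one of ours. This is
#    the condition WFC's "Secure Rules" feature guards against; running it
#    after each software install shows whether anything crept in.
function Get-UnexpectedAllowRules {
    param([string[]]$KnownDisplayNames)
    Get-NetFirewallRule -Enabled True -Action Allow |
        Where-Object { $KnownDisplayNames -notcontains $_.DisplayName } |
        Select-Object DisplayName, Direction, Profile
}

$known = @('Allow inbound ICMPv4 echo') +
         ($allowedOutbound.Keys | ForEach-Object { "Allow outbound: $_" })
Get-UnexpectedAllowRules -KnownDisplayNames $known
```

Unlike the post, this does not delete the stock rules; it only changes the profile defaults to Block, so the audit in step 4 will initially list Windows' own inbound allow rules (Core Networking and the like), which you then decide on one by one rather than losing in bulk.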

ParaXY

Level 6
Thread author
Verified
Mar 14, 2017
273
Thanks for going into so much detail about your config.
Can i ask do you use local or Microsoft user accounts?

No problem :)

I use a local account and wouldn't even consider using a MS user account for my secure desktop build.
 
  • Like
Reactions: askmark

ParaXY

Level 6
Thread author
Verified
Mar 14, 2017
273
That's cool. I didn't know you could assign a PIN to a local account.

It's funny you should ask. When I was testing this on build 1607 and I had the "Ctrl+Alt+Del" screen enabled I *couldn't* login using the PIN. The only options I had on the logon screen were password and MS account. Now with build 1703 I have the PIN option too which I am really happy about.

I just wish that when you did a "Ctrl+Alt+Del" that you didn't need to click "Sign in options" each time to be able to select your login option (PIN, password, MS account or Hello). Maybe there is a way to change this?
 
  • Like
Reactions: askmark

ParaXY

Level 6
Thread author
Verified
Mar 14, 2017
273
HIPS, do I need it? :) That is the question.

I've been doing a small amount of reading on HIPS and Comodo Firewall keeps coming up. I used CF years ago and it was good at the time but I went off it so are there any alternatives to getting HIPS protection for my setup? I don't mind paying for something if it is good. Something with little to no bloat if possible.

Currently I met my goal of not having any third party protection on my newly installed Windows 10 machine (with the exception of WFC) and it's working well so far. Feels fast and minimalistic.

Thanks to @Arequire I also disabled macros from running globally in Office. This works great. Even if I hit the "Enable content" button on the yellow bar I then get a red bar telling me that macros have been disabled and they refuse to run so this gives another added layer of protection.

So I'm looking to take my security setup to the next level and was thinking about HIPS. Does anyone have any pointers or suggestions? I'm also open to any other security options or approaches so feel free to mention anything!

I have to say, running as a SUA account has been way WAY better than I originally thought. I almost never get UAC prompts unless I am (obviously) trying to do something admin related. While on the topic of UAC, there is a very useful column in task manager in the details tab that you can enable called "Elevated" and this will show you what processes are running with admin rights which is quite helpful.

I really had high hopes for Device Guard but have had to park this for now. I think MS needs to do two things to make DG more attractive:

1) Better documentation
2) Better tools to manage/maintain DG/CG

(it would also be great it be able to run VMware Workstation with DG/CG enabled)

Thanks for reading!
 
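The two macro settings the thread arrives at (item 9 in the config post, "block macros in files from the internet", and the later global "disable all macros without notification" that produces the red bar even after "Enable content") are Trust Center policy values under HKCU\Software\Policies, which is what the local GPO writes. The script below is an added example for this page, not something from the thread or from Microsoft, that sets both values for Word, Excel and PowerPoint and then audits them; it assumes Office 2016/365 (registry version key "16.0"), so change $OfficeVersion for another release, and must be run as the user whose Office profile is being locked down.

```powershell
# Added example: set and audit the Office macro policy values described in
# the thread. Assumption: Office 2016/365 uses the "16.0" policy key.

$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

function Set-OfficeMacroPolicy {
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # VBAWarnings: 1 = enable all, 2 = disable with notification,
        # 3 = disable except digitally signed, 4 = disable without notification.
        # 4 is the "global" setting that ignores the Enable content button.
        Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value 4 -Type DWord
        # 1 = "Block macros from running in Office files from the Internet"
        # (files carrying the Mark-of-the-Web). Kept as a second layer.
        Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
    }
}

function Get-OfficeMacroPolicy {
    # One row per application; both columns $true means the thread's setup.
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            App                  = $app
            MacrosDisabled       = ($p.VBAWarnings -eq 4)
            InternetFilesBlocked = ($p.blockcontentexecutionfrominternet -eq 1)
        }
    }
}

Set-OfficeMacroPolicy
Get-OfficeMacroPolicy | Format-Table -AutoSize
```

Because these are Policies keys rather than the user-editable Trust Center keys, the Office UI shows the options greyed out, which is exactly the behaviour the thread reports. The audit function is worth keeping on its own: it is a quick way to confirm after an Office update that the values survived.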

ozone

Level 3
Verified
Jan 17, 2017
97
CF is great but in your case I would use ReHIPS
It uses windows built-in mechanisms and you also get sandbox
 

ParaXY

Level 6
Thread author
Verified
Mar 14, 2017
273
CF is great but in your case I would use ReHIPS
It uses windows built-in mechanisms and you also get sandbox

Now this looks interesting...and minimalistic, my kind of software!

Doesn't look like I can download it, even a demo version, so is there a release date set for this and any idea of cost?

How does this software work and is it any good?
 

Deleted member 178

You have to register on the forum and request it there: How to get beta v2.2?

The latest version is beta RC4 but we (closed testers and devs) consider it as good as stable.

ParaXy said:
Now this looks interesting...and minimalistic, my kind of software!
But with a lot of granular settings & options.
Remember, ReHIPS is a sandbox with Application Control on top.
 
Last edited by a moderator:
  • Like
Reactions: Sunshine-boy

ParaXY

Level 6
Thread author
Verified
Mar 14, 2017
273
You have to register on the forum and request it there: How to get beta v2.2?

The latest version is beta RC4 but we (closed testers and devs) consider it as good as stable.


But with a lot of granular settings & options.
Remember, ReHIPS is a sandbox with Application Control on top.

Thanks for the link, I will try and sign up. When I tried on the weekend it said there was a database error.

I thought I'd post my AppLocker setup here for comment/criticism. This is my first setup using AppLocker:

First, all rules set to enforce:

upload_2017-4-25_21-20-21.png


Including DLL rules:

upload_2017-4-25_21-20-40.png


Executable Rules:

upload_2017-4-25_21-20-58.png


As you can see most are Publisher Rules with some File Hash Rules for software that isn't signed.

Simple Windows Installer Rules:

upload_2017-4-25_21-22-2.png

Only my single admin account can run these.

Same applies for Script Rules:

upload_2017-4-25_21-22-38.png


I did have to put in a File Hash rule for my onboard Intel video driver to run.

Lots of (mostly) Publisher DLL rules:

upload_2017-4-25_21-23-38.png


Packaged Apps Rules:

upload_2017-4-25_21-24-3.png


I changed this from a "*" rule to only Allow Microsoft signed software.

I think some of the magic happens with all the exceptions I have for Microsoft signed software. I based most of my exception list using Excubits blacklist (with some exceptions):

http://excubits.com/content/files/blacklist.txt

This is VERY powerful IF you are running a SUA. All those Microsoft signed executables that are vulnerable to malware and attacking your system (like regsvr32.exe) are blocked...nice!

The only thing I haven't been able to block so far is Edge.

Although I have a handful of File Hash rules, only 3 or 4 of these programs get regular updates, so hopefully having to update these hashes doesn't become a pain.
 
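The rule structure described in this post and in the earlier config post (Publisher rule allowing Microsoft-signed executables for everyone, with a long exception list of built-in tools, plus an allow-everything rule for the admin account) is easier to review as policy XML than as screenshots. The script below is an added example written for this page, not ParaXY's exported policy or an Excubits file: it generates an Exe rule collection in AppLocker's own XML format, runs a dry test against a few system binaries with Test-AppLockerPolicy, and only then suggests importing. Assumptions: the exception list is a short subset of the post's list chosen for illustration; the PublisherName string is the Windows signing certificate subject as AppLocker renders it; the probe paths are standard Windows locations; the admin rule targets the built-in Administrators group (SID S-1-5-32-544) rather than a single named account.

```powershell
# Added example: generate and dry-test an AppLocker Exe rule collection of
# the shape the thread describes. Exception list is a short illustrative
# subset of the post's list, not the full Excubits blacklist.

$MsPublisher = 'O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US'
$Exceptions  = 'MSHTA.EXE', 'CSCRIPT.EXE', 'POWERSHELL.EXE', 'REGSVR32.EXE',
               'WMIC.EXE', 'BITSADMIN.EXE', 'MSBUILD.EXE', 'INSTALLUTIL.EXE'

function New-PublisherCondition([string]$BinaryName) {
    # One <FilePublisherCondition> for the given binary name, any product,
    # any version. BinaryName="*" matches every Microsoft-signed executable.
    @"
        <FilePublisherCondition PublisherName="$MsPublisher" ProductName="*" BinaryName="$BinaryName">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
"@
}

function New-AppLockerExePolicyXml {
    $exceptionXml = ($Exceptions | ForEach-Object { New-PublisherCondition $_ }) -join "`n"
    @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Administrators: allow all" Description=""
                  UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Everyone: Microsoft-signed, minus listed tools"
                       Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
$(New-PublisherCondition '*')
      </Conditions>
      <Exceptions>
$exceptionXml
      </Exceptions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@
}

$policyPath = Join-Path $env:TEMP 'applocker-exe-example.xml'
New-AppLockerExePolicyXml | Set-Content -Path $policyPath -Encoding UTF8

# Dry run: what would a standard user (Everyone) be allowed to start?
# Expected: notepad.exe Allowed by the publisher rule; the other two Denied
# because the exception removes them from that rule and nothing else allows them.
$probe = 'C:\Windows\System32\notepad.exe',
         'C:\Windows\System32\regsvr32.exe',
         'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $probe -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule

# Import only once the dry run shows the decisions you expect. -Merge keeps
# the existing collections (DLL, Script, MSI, Appx) untouched:
# Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

Two things the dry run does not cover: AppLocker only enforces while the Application Identity service (AppIDSvc) is running, and Test-AppLockerPolicy evaluates the XML you hand it, not the policy currently applied, so re-run it without -XmlPolicy after the import to confirm the live result matches.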

ParaXY

Level 6
Thread author
Verified
Mar 14, 2017
273
the forum?

new address: ReHIPS forum - Index

I managed to register and request the trial/demo version so thank you.

Having read up a bit about ReHIPS and AppGuard it got me thinking:

Since I use anti-exe/whitelisting/AppLocker and I use a SUA and I have macros blocked system wide, do I even need or should I even be considering AppGuard and/or ReHIPS?
 
  • Like
Reactions: Handsome Recluse

Deleted member 178

Since I use anti-exe/whitelisting/AppLocker and I use a SUA and I have macros blocked system wide, do I even need or should I even be considering AppGuard and/or ReHIPS?
Appguard would help you only for its memory/folder protection but except that Applocker does more or less the same as AG.
ReHIPS is a sandbox, so your apps and browsers will be isolated, and it has some application control.
 
  • Like
Reactions: Sunshine-boy

askmark

Level 12
Verified
Top Poster
Well-known
Aug 31, 2016
578
Thanks for the link, I will try and sign up. When I tried on the weekend it said there was a database error.

I thought I'd post my AppLocker setup here for comment/criticism. This is my first setup using AppLocker:

First, all rules set to enforce:

View attachment 147721

Including DLL rules:

View attachment 147722

Executable Rules:

View attachment 147723

As you can see most are Publisher Rules with some File Hash Rules for software that isn't signed.

Simple Windows Installer Rules:

View attachment 147724
Only my single admin account can run these.

Same applies for Script Rules:

View attachment 147725

I did have to put in a File Hash rule for my onboard Intel video driver to run.

Lots of (mostly) Publisher DLL rules:

View attachment 147726

Packaged Apps Rules:

View attachment 147727

I changed this from a "*" rule to only Allow Microsoft signed software.

I think some of the magic happens with all the exceptions I have for Microsoft signed software. I based most of my exception list using Excubits blacklist (with some exceptions):

http://excubits.com/content/files/blacklist.txt

This is VERY powerful IF you are running a SUA. All those Microsoft signed executables that are vulnerable to malware and attacking your system (like regsvr32.exe) are blocked...nice!

The only thing I haven't been able to block so far is Edge.

Although I have a handful of File Hash rules, only 3 or 4 of these programs get regular updates, so hopefully having to update these hashes doesn't become a pain.
Thanks for sharing your Applocker configuration. Very helpful and informative.
 
  • Like
Reactions: Sunshine-boy
