Advice Request Safe email on SUA.

Please provide comments and solutions that are helpful to the author of this topic.

Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
Safe email on SUA.

Although there are known tools that can restrict Windows system/software to support AV protection, they are usually system-wide. So, they are not good solutions for average people without the occasional support of advanced users.

But, there exists a partial solution that I called “Safe email account“. The main idea is preparing a special Standard User Account with strong restrictions applied only to this account (non-systemwide). Such an account can be adjusted for using the email client and some applications that are essential for emails like a web browser, document/ebook reader, document editor (DOC, DOCX), picture viewer, etc. This will separate and neutralize the most casual vector of attack from the rest of the user activities.

Such an account can be highly restricted because it will be used only for email maintenance - no software updates, no software installations, and no admin tasks. It will require the initial configuration, but nothing else. After that, the average user will be able to easily use it without any help from an advanced user.

I think that the below restrictions can be applied:
  1. All scripting blocked (CMD, Windows Script Host, PowerShell, MSI installers).
  2. All unsafe file extensions blocked (like over 170 Paranoid Extensions in H_C).
  3. Popular file extensions allowed.
  4. Office macros blocked or office documents opened by the editor which does not use macros at all (like Softmaker Office free).
  5. All LOLBins blocked (also task scheduler).
  6. The access to the autorun registry keys blocked.
How will work such an account?
The user can simply sign in, next run the email client to easily access several email boxes. Even when the phishing link or email attachment is going to introduce something malicious (malware or exploit), it will not execute or will be neutralized. After finishing the work related to emails, the user can sign off and work on the normal account (no restrictions).

What Windows built-in features can be applied?
Software Restriction Policies and some other policies in HKU Registry Hive (the SID of the user account needed).

How they can be applied?
The restrictions can be introduced by running a simple application (with ON/OFF switch) from the chosen Standard User Account. Creating such an application is rather easy (although it is only in my mind for now).
The restrictions can be also applied/removed by importing two REG files (the user SID has to be replaced by the SID of the concrete account).

Is it safe?
Yes. The restrictions do not apply to other user accounts. Furthermore, If the user does not like it, then he can simply sign in to the Administrator account and remove the "Safe email account".

What do you think about such protection? Can it be useful for average users or MT members?
 
Last edited:
  • Like
  • Wow
  • Thanks
Reactions: Mercenary, Vitali Ortzi, shmu26 and 10 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
DDE_Server said:
Good idea but i think a lot of hardening is not good for productivity wise .you may need working with third party software while cheeking mail such as pdf reader for example
Click to expand...
This should not be a problem. All applications already installed in Program Files will work (whitelisted by default).
 
  • Like
Reactions: DDE_Server, harlan4096, [correlate] and 1 other person
F

ForgottenSeer 85179

To be fair I don't think users want switching the windows account just for checking mail. Even if they're advanced user's and while for normal user's this is a good idea, they will forget.

Also your great tools already harden the system to a high standard so even with non-AppContainer programs the system stay safe (y)
 
  • Like
Reactions: Jan Willy, [correlate], DDE_Server and 2 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
security123 said:
To be fair I don't think users want switching the windows account just for checking mail. Even if they're advanced user's and while for normal user's this is a good idea, they will forget.
...
Click to expand...
If the average user has two or more email boxes and does not use an email client, then the "Safe email account" is more convenient. You do not need to open a web browser and sign in to the several email boxes - just one sign in to the "Safe email account" and running the email client. This difference is easy to remember.

It is even easier for children, because you can create the email box and keep the password to yourself. The emails will be available for the child only when using "Safe email account".

I think that "Safe email account" can be easily applied for the people who did not use personal computers before.
 
Last edited:
  • Like
Reactions: [correlate], ForgottenSeer 85179 and harlan4096
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
shmu26 said:
Sounds like a great solution for family and friends who want to use your computer.
Click to expand...
For such activities, it is even better to activate first the Guest account.
www.businessinsider.com

How to create a guest account on your Windows 10 computer in 6 steps

You can create a guest account on a Windows 10 computer by using the Command Prompt feature. Here's what you'll need to do.
www.businessinsider.com www.businessinsider.com
Next, harden it as in OP, but skipping integration of email boxes with an email client.
 
  • Like
  • Wow
Reactions: [correlate], ForgottenSeer 85179, shmu26 and 1 other person
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
It is probable that the configuration WD + ConfigureDefender HIGH + "Safe email account" + unrestricted Admin account would be for average users as safe as WD + ConfigureDefender HIGH + Simple Windows Hardening on Admin account. But, "Safe email account" can be used also when some ASR rules are too restrictive when managing emails and the normal Admin account can be used without script restrictions.:unsure:
 
Last edited:
  • Like
Reactions: [correlate]
ErzCrz

ErzCrz

Level 22
Verified
Top Poster
Well-known
Aug 19, 2019
1,157
I tend to use an admin account on my laptop which is more for convenience than anything. Sounds great that you can lock down email with a SUA but I'd love to also see a way of restricting email client somehow but that's probably down to the client itself rather than windows environment. Anyway, well done with this.
 
  • Like
Reactions: Andy Ful, [correlate] and ForgottenSeer 85179
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
ErzCrz said:
I tend to use an admin account on my laptop which is more for convenience than anything. Sounds great that you can lock down email with a SUA but I'd love to also see a way of restricting email client somehow but that's probably down to the client itself rather than windows environment. Anyway, well done with this.
Click to expand...
It would be hard to secure the email client in a way that could include all applications needed to maintain emails. When you click the link in the email, you need a web browser to see the link content. Next, you can download a video clip, or document, or ebook, etc. So, if you want to open those files you need other applications too. The solution is a special sandbox. The "Safe email account" is just such a sandbox with strong execution policies. You could probably do something similar by using a highly tweaked ReHIPS sandbox. But, using "Safe email account" avoids many problems with using 3rd party sandboxes and it is stronger than most sandboxes.
Using "Safe email account" is like using Hard_Configurator on MAX settings to sandboxing only one particular account with easy access to your emails and all required applications.

I know that this idea is like introducing the seat-belts for safer driving. It is much easier to convince the novice driver to do it than someone who is used to drive without seat-belts.

I have the impression that using something like "Safe email account" is simpler and safer than applying complex security layers, anti-ransomware applications, strong system-wide HIPS, etc.
 
Last edited:
  • Like
  • Thanks
Reactions: ErzCrz, ForgottenSeer 85179, [correlate] and 1 other person
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
There is one popular vector of attack not covered by "Safe email account", e.g. USB drives.
But, this vector is not so dangerous, because finding the 0-day malware on the friend's USB drive is much less probable than via email spam. First, the malware can be detected by the AV on the friend's machine. Second, the friend has to decide to share it with you. Third, the sharing is not an immediate event - let's say it will be one-day-delay.
Of course, the responsible user can always use the friend's USB drive from "Safe email account". There is also a way to allow USB drives only from "Safe email account", but this would require tweaking the registry and would be acceptable only for children.

Anyway, the ConfigureDefender HIGH settings include the ASR rule that blocks the execution of unsafe executables (but not scripts) from USB drives, which can be additional protection.
 
Last edited:
  • Like
Reactions: ErzCrz, harlan4096, ForgottenSeer 85179 and 1 other person
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
I tried to use the email client in the ReHIPS sandbox to emulate the "Safe email account". But, this would be an uneasy task because there are several email clients and even more document readers, document editors, etc. Furthermore, web browsers do not like 3rd party sandboxes. Finally, the average users have conceptual problems with using sandboxes.
The more promising is probably Sandboxie, but it has its own problems with Windows 10 and web browser incompatibilities and it is not easy for average users.
So, the "Safe email account" seems to be the simplest solution for average users.
 
Last edited:
  • Like
Reactions: ForgottenSeer 85179, upnorth and harlan4096
Vitali Ortzi

Vitali Ortzi

Level 24
Verified
Top Poster
Well-known
Dec 12, 2016
1,320
I'm planning buying a family computer but is there any good way to isolate and restrict like a Killswitch different storage mediums on a pc whatever software isolation or hardware Killswitch?

I would basically kill the current system with preferably total hardware isolation like via a power outage of the storage medium .
Is there any easier way to do so without opening the case and physically removing the medium?
 
Andy Ful

Andy Ful

From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,484
Vitali Ortzi said:
I'm planning buying a family computer but is there any good way to isolate and restrict like a Killswitch different storage mediums on a pc whatever software isolation or hardware Killswitch?

I would basically kill the current system with preferably total hardware isolation like via a power outage of the storage medium .
Is there any easier way to do so without opening the case and physically removing the medium?
Click to expand...
Could you expand the meaning of "killswitch different storage mediums" and "hardware killswitch"? Did you mean killswitch = making something inaccessible or accessible by using a kind of software switch (like reg tweak)?
If so then it is possible by using Sandboxie or GPO (reg tweak). See for example:
petri.com

Disable Access to Removable Storage in Windows 7 and Later

Learn how to block all access to removable storage, such as USB drives, in Windows 7 and Windows Server 2008 R2 (or later), to help reduce security risks.
petri.com petri.com
www.utilizewindows.com

Removable Storage and System Security in Windows 7 - Utilize Windows

Explore in-depth guides, tips, and tutorials on everything Windows. From troubleshooting and optimization to mastering Windows features, Utilize Windows is your go-to resource for enhancing your Windows experience.
www.utilizewindows.com www.utilizewindows.com

There is also a useful article about Windows Vista (I am not sure if all options are present in Windows 10):
docs.microsoft.com

Device Management and Installation Step-by-Step Guide: Controlling Device Driver Installation and Usage with Group Policy

docs.microsoft.com
 
Last edited:
  • Like
  • Thanks
Reactions: Vitali Ortzi, ForgottenSeer 85179 and harlan4096

Similar threads

Gandalf_The_Grey
    • Wow
    • +Reputation
Security News Crooks Bypassed Google’s Email Verification to Create Workspace Accounts, Access 3rd-Party Services
Replies
0
Views
2,444
Security News
Gandalf_The_Grey
Gandalf_The_Grey
I
    • Like
    • Sad
    • Wow
Serious Discussion Microsoft blocks popular Local Account workaround
Replies
1
Views
426
Windows 11
Bot
Bot
Exceedinglife
Serious Discussion Azure Tenant Scanning
Replies
1
Views
227
General Security Discussions
Bot
Bot

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top