Andy Ful

Level 63
Verified
Trusted
Content Creator
Safe email on SUA.

Although there are known tools that can restrict the Windows system/software to support AV protection, they are usually system-wide. So, they are not good solutions for average people without the occasional support of advanced users.

But there exists a partial solution that I called “Safe email account”. The main idea is preparing a special Standard User Account with strong restrictions applied only to this account (non-system-wide). Such an account can be adjusted for using the email client and some applications that are essential for emails, like a web browser, document/ebook reader, document editor (DOC, DOCX), picture viewer, etc. This will separate and neutralize the most casual vector of attack from the rest of the user's activities.

Such an account can be highly restricted because it will be used only for email maintenance - no software updates, no software installations, and no admin tasks. It will require the initial configuration, but nothing else. After that, the average user will be able to easily use it without any help from an advanced user.

I think that the below restrictions can be applied:
  1. All scripting blocked (CMD, Windows Script Host, PowerShell, MSI installers).
  2. All unsafe file extensions blocked (like over 170 Paranoid Extensions in H_C).
  3. Popular file extensions allowed.
  4. Office macros blocked or office documents opened by the editor which does not use macros at all (like Softmaker Office free).
  5. All LOLBins blocked (also task scheduler).
  6. The access to the autorun registry keys blocked.
How will such an account work?
The user can simply sign in, then run the email client to easily access several email boxes. Even when a phishing link or email attachment is going to introduce something malicious (malware or exploit), it will not execute or will be neutralized. After finishing the work related to emails, the user can sign out and work on the normal account (no restrictions).

What Windows built-in features can be applied?
Software Restriction Policies and some other policies in the HKU registry hive (the SID of the user account is needed).

How can they be applied?
The restrictions can be introduced by running a simple application (with an ON/OFF switch) from the chosen Standard User Account. Creating such an application is rather easy (although it is only in my mind for now).
The restrictions can also be applied/removed by importing two REG files (the user SID has to be replaced by the SID of the concrete account).

Is it safe?
Yes. The restrictions do not apply to other user accounts. Furthermore, if the user does not like it, then he can simply sign in to the Administrator account and remove the "Safe email account".

What do you think about such protection? Can it be useful for average users or MT members?
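The OP describes the mechanism (per-user SRP plus other policies under HKU\<SID>, toggled by an ON/OFF tool or two REG files) without showing it. The script below is an added example, not the tool or REG files Andy Ful describes and not part of the original post. It writes the OP's restrictions 1, 2/3, 5 and 6 into the target account's own hive and removes them again. Assumed: you run it elevated from the admin account, a local Standard User Account named 'SafeMail' exists and has signed in at least once (so its profile exists), and the LOLBin list is illustrative rather than the full "paranoid" list from H_C.

```powershell
<#  Added example (not Andy Ful's tool): apply/remove per-account restrictions by
    writing policy values into the target SUA's own HKU\<SID> hive.
    Run from an elevated PowerShell in the admin account.
    Assumed: local SUA 'SafeMail' exists and has signed in once; the LOLBin list
    below is illustrative, not complete.                                         #>
param(
    [string]$Account = 'SafeMail',
    [ValidateSet('On', 'Off')][string]$Mode = 'On'
)
$ErrorActionPreference = 'Stop'

# HKU subkeys are named by SID, so translate the account name first.
$sid  = (New-Object System.Security.Principal.NTAccount($Account)).Translate([System.Security.Principal.SecurityIdentifier]).Value
$hive = "Registry::HKEY_USERS\$sid"

# HKU\<SID> is present only while that profile is loaded (user signed in).
# Otherwise mount the account's NTUSER.DAT temporarily and unmount it at the end.
$mountedHere = $false
if (-not (Test-Path $hive)) {
    $profileDir = (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid").ProfileImagePath
    reg.exe load "HKU\$sid" (Join-Path $profileDir 'NTUSER.DAT') | Out-Null
    $mountedHere = $true
}

$system   = "$hive\Software\Policies\Microsoft\Windows\System"
$wsh      = "$hive\Software\Microsoft\Windows Script Host\Settings"
$explorer = "$hive\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
$safer    = "$hive\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
# SRP "registry path" rules: these two values are resolved by SRP at run time.
$sysRoot  = '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%'
$progDir  = '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%'

function Set-Value($Path, $Name, $Value, $Type = 'DWord') {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}
# SRP levels: 0 = Disallowed, 262144 (0x40000) = Unrestricted. The most specific
# matching path rule wins, so a Disallowed rule for one file under System32 beats
# the Unrestricted rule for the whole Windows folder.
function Add-SrpPathRule($Level, $ItemData, $Description) {
    $key = "$safer\$Level\Paths\{$([guid]::NewGuid())}"
    Set-Value $key 'ItemData'    $ItemData    'ExpandString'
    Set-Value $key 'SaferFlags'  0
    Set-Value $key 'Description' $Description 'String'
}

try {
    if ($Mode -eq 'On') {
        # OP item 1: cmd.exe plus batch files (DisableCMD=1 also disables script
        # processing) and the Windows Script Host engines (cscript/wscript).
        Set-Value $system 'DisableCMD' 1
        Set-Value $wsh    'Enabled'    0
        # OP item 6: Explorer ignores the Run/RunOnce autorun lists for this user.
        foreach ($n in 'DisableCurrentUserRun', 'DisableCurrentUserRunOnce',
                       'DisableLocalMachineRun', 'DisableLocalMachineRunOnce') { Set-Value $explorer $n 1 }
        # OP items 2-3: per-user SRP, default Disallowed, Windows and Program Files
        # allowed. ExecutableTypes extends enforcement beyond EXE/DLL to these types.
        Set-Value $safer 'DefaultLevel'        0
        Set-Value $safer 'TransparentEnabled'  1      # 1 = executables only, 2 = also DLLs
        Set-Value $safer 'PolicyScope'         0      # 0 = everyone using this hive
        Set-Value $safer 'AuthenticodeEnabled' 0
        Set-Value $safer 'ExecutableTypes' @('BAT','CMD','COM','CPL','EXE','HTA','INF','JS','JSE',
            'LNK','MSC','MSI','MSP','PIF','PS1','REG','SCR','VBE','VBS','WSF','WSH') 'MultiString'
        Add-SrpPathRule 262144 $sysRoot 'Windows folder allowed'
        Add-SrpPathRule 262144 $progDir 'Program Files allowed'
        # OP item 5: LOLBins (incl. the Task Scheduler CLI) blocked although they live
        # inside the allowed Windows folder; the 32-bit copies under SysWOW64 as well.
        foreach ($rel in 'System32\mshta.exe', 'System32\regsvr32.exe', 'System32\rundll32.exe',
                         'System32\certutil.exe', 'System32\wbem\wmic.exe', 'System32\schtasks.exe',
                         'System32\msiexec.exe', 'System32\WindowsPowerShell\v1.0\powershell.exe') {
            Add-SrpPathRule 0 "$sysRoot\$rel" "LOLBin blocked: $rel"
            Add-SrpPathRule 0 "$sysRoot\$($rel -replace '^System32', 'SysWOW64')" "LOLBin blocked (32-bit): $rel"
        }
    }
    else {
        # OFF switch: remove exactly what the ON switch wrote.
        Remove-Item "$hive\Software\Policies\Microsoft\Windows\Safer" -Recurse -Force -ErrorAction SilentlyContinue
        Remove-ItemProperty $system 'DisableCMD' -ErrorAction SilentlyContinue
        Remove-ItemProperty $wsh    'Enabled'    -ErrorAction SilentlyContinue
        foreach ($n in 'DisableCurrentUserRun', 'DisableCurrentUserRunOnce',
                       'DisableLocalMachineRun', 'DisableLocalMachineRunOnce') {
            Remove-ItemProperty $explorer $n -ErrorAction SilentlyContinue
        }
    }
}
finally {
    if ($mountedHere) { [GC]::Collect(); [GC]::WaitForPendingFinalizers(); reg.exe unload "HKU\$sid" | Out-Null }
}
```

Usage: `.\SafeMail.ps1 -Account SafeMail -Mode On`, then sign in to the SUA and confirm that an .exe or .vbs copied to its Downloads folder is refused while the email client, browser and reader in Program Files still start; `-Mode Off` reverts. Two caveats worth knowing: a computer-wide SRP (for example one set by Hard_Configurator in HKLM) takes precedence over this per-user one, and SRP is enforced in user mode at process creation, so treat it as the hardening layer the OP describes rather than a sandbox boundary.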

security123

To be fair, I don't think users want to switch the Windows account just for checking mail. Even if they're advanced users, and while for normal users this is a good idea, they will forget.

Also, your great tools already harden the system to a high standard, so even with non-AppContainer programs the system stays safe (y)

Andy Ful

> To be fair, I don't think users want to switch the Windows account just for checking mail. Even if they're advanced users, and while for normal users this is a good idea, they will forget.
> ...
If the average user has two or more email boxes and does not use an email client, then the "Safe email account" is more convenient. You do not need to open a web browser and sign in to several email boxes; just one sign-in to the "Safe email account" and running the email client. This difference is easy to remember.

It is even easier for children, because you can create the email box and keep the password to yourself. The emails will be available for the child only when using "Safe email account".

I think that "Safe email account" can be easily applied to people who have not used personal computers before.

Andy Ful

> Sounds like a great solution for family and friends who want to use your computer.
For such activities, it is even better to activate the Guest account first.
Next, harden it as in the OP, but skip the integration of email boxes with an email client.

Andy Ful

It is probable that the configuration WD + ConfigureDefender HIGH + "Safe email account" + unrestricted Admin account would be, for average users, as safe as WD + ConfigureDefender HIGH + Simple Windows Hardening on an Admin account. But "Safe email account" can also be used when some ASR rules are too restrictive for managing emails, and the normal Admin account can be used without script restrictions. :unsure:

ErzCrz

I tend to use an admin account on my laptop, which is more for convenience than anything. It sounds great that you can lock down email with a SUA, but I'd also love to see a way of restricting the email client somehow; that's probably down to the client itself rather than the Windows environment. Anyway, well done with this.

Andy Ful

> I tend to use an admin account on my laptop, which is more for convenience than anything. It sounds great that you can lock down email with a SUA, but I'd also love to see a way of restricting the email client somehow; that's probably down to the client itself rather than the Windows environment. Anyway, well done with this.
It would be hard to secure the email client in a way that could include all applications needed to maintain emails. When you click a link in an email, you need a web browser to see the link content. Next, you can download a video clip, a document, an ebook, etc. So, if you want to open those files, you need other applications too. The solution is a special sandbox. The "Safe email account" is just such a sandbox with strong execution policies. You could probably do something similar by using a highly tweaked ReHIPS sandbox. But using "Safe email account" avoids many problems with 3rd-party sandboxes, and it is stronger than most sandboxes.
Using "Safe email account" is like using Hard_Configurator on MAX settings to sandbox only one particular account, with easy access to your emails and all required applications.

I know that this idea is like introducing seat belts for safer driving. It is much easier to convince a novice driver to use them than someone who is used to driving without seat belts.

I have the impression that using something like "Safe email account" is simpler and safer than applying complex security layers, anti-ransomware applications, strong system-wide HIPS, etc.

Andy Ful

There is one popular vector of attack not covered by "Safe email account", namely USB drives.
But this vector is not so dangerous, because finding 0-day malware on a friend's USB drive is much less probable than via email spam. First, the malware can be detected by the AV on the friend's machine. Second, the friend has to decide to share it with you. Third, the sharing is not an immediate event; let's say there will be a one-day delay.
Of course, the responsible user can always use the friend's USB drive from the "Safe email account". There is also a way to allow USB drives only from the "Safe email account", but this would require tweaking the registry and would be acceptable only for children.

Anyway, the ConfigureDefender HIGH settings include the ASR rule that blocks the execution of unsafe executables (but not scripts) from USB drives, which can be an additional protection.

Andy Ful

I tried to use the email client in the ReHIPS sandbox to emulate the "Safe email account". But this would be an uneasy task, because there are several email clients and even more document readers, document editors, etc. Furthermore, web browsers do not like 3rd-party sandboxes. Finally, average users have conceptual problems with using sandboxes.
More promising is probably Sandboxie, but it has its own problems with Windows 10 and web browser incompatibilities, and it is not easy for average users.
So, the "Safe email account" seems to be the simplest solution for average users.

Vitali Ortzi

I'm planning on buying a family computer, but is there any good way to isolate and restrict different storage media on a PC like a kill switch, whether software isolation or a hardware kill switch?

I would basically kill the current system, preferably with total hardware isolation, like via a power outage of the storage medium.
Is there any easier way to do so without opening the case and physically removing the medium?

Andy Ful

> I'm planning on buying a family computer, but is there any good way to isolate and restrict different storage media on a PC like a kill switch, whether software isolation or a hardware kill switch?
>
> I would basically kill the current system, preferably with total hardware isolation, like via a power outage of the storage medium.
> Is there any easier way to do so without opening the case and physically removing the medium?
Could you expand the meaning of "kill switch different storage media" and "hardware kill switch"? Did you mean kill switch = making something inaccessible or accessible by using a kind of software switch (like a reg tweak)?
If so, then it is possible by using Sandboxie or GPO (reg tweak). See for example:

There is also a useful article about Windows Vista (I am not sure if all options are present in Windows 10):