Danger Sampei Nihira Security Config WinXP (POS Ready2009) 2020

Status
Not open for further replies.
Last updated
Dec 26, 2019
Windows Edition
Home
Operating system
Other
Log-in security
Security updates
Block all updates
User Access Control
Notify me only when programs try to make changes to my computer
Real-time security
  • Windows Firewall
  • Firewall Hardware on router
  • 1° AdGuard DNS / 2° CloudFlare DNS
  • MBAE Premium - Custom Setting
  • OSA - Custom Setting
  • Black Viper's List - Some services Disabled/Manual
Firewall security
Microsoft Defender Firewall
About custom security
  • Trick POS Ready 2009 + KB4500331.
  • PsExec - Run browsers + email client with limited rights - Exceptions (OSA) for Interlink Mail News and New Moon.
  • DEP Always ON
  • SMB Protocol Disabled
  • No NET Framework Installed
  • I.E.8 No Flash + Trick 1803 (Block the downloadable executable files) + Disable script (F12 - on/off) + block execution I.E.8.
Periodic malware scanners
Hitman Pro,McAfee Stinger,HijackThis Portable,Adwcleaner v.6.0.4.7
Malware sample testing
I do not participate in malware testing
Browser(s) and extensions
New Moon 28 - (Pale Moon fork for Windows XP) Custom Setting about:config

  • Noscript
  • U.B.O.Legacy
  • Decentraleyes
  • No Resource URI Leak
  • Canvas Blocker Legacy 0.2 - Only to pass the ClientRects Fingerprint test
Maintenance tools
  • CCleaner - Many custom rules created by me
  • RegSekeer
  • Process Explorer
  • SigcheckGUI
  • Dependency Walker
  • CFF Explorer
  • Currports
  • WWDC
  • IobitUnistaller Portable
  • Speedyfox -Custom Rule for Interlink Mail News
  • SUMo Portable
  • JKDefragGUI
File and Photo backup
Pen Drive
System recovery
Acer System Backup
Risk factors
    • Logging into my bank account
    • Browsing to popular websites
    • Working from home
Computer specs
Acer Intel Celeron M380 1.60 GHz 1GB RAM
Notable changes
  1. Added some custom rules in OSA for Mimikatz Dump Lsass.exe mitigation.
  2. Added "sc" command rule block in OSA.
  3. Added rule to block execution of I.E.8 in OSA.
  4. Added rule to block msbuild.exe in OSA and the same rule on the Registry Key.
  5. Blocking rule in host file for CCleaner.
Notes by Staff Team
  1. This setup configuration may put you and your device at risk!
    We do not recommend that other members use this setup. We cannot be held responsible for problems that may occur to your device by using this security setup.

  2. This computer configuration is using an unsupported operating system. If possible, we recommend to upgrade to an operating system that is supported by its developers to remain protected from the latest threats.

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,599
Sampei Nihira,

Although you have made a big effort in securing Windows XP, some things cannot be covered:
  1. Unpatched Windows XP exploits (especially kernel exploits).
  2. The web browser does not have a sandbox.
  3. Some applications can be outdated on Windows XP (so have unpatched vulnerabilities). The user has to have additional knowledge to cover these vulnerabilities.
The user's security on such a system (even with additional protection) can highly depend on habits and activities.
If the user has bad luck or does not perform only safe activities, then he/she can be easily redirected to the malicious web page with an exploit kit and finally get a rootkit.

So, this security setup cannot be recommended for most users. (y)
It can be slightly more secure on SUA.
 
Last edited:

valvaris

Level 6
Verified
Well-known
Jul 26, 2015
263
Thank you very much for your considerations.
It will probably amaze you but I would be very interested in a better explanation of:



You can write comfortably, after this post unfortunately I have to unplug until almost certainly Sunday afternoon.
The usual commitments, the family, wife .....:cautious::)

Thanks a lot again.

That is easy to explain @Sampei Nihira -> Collision & broadcast domain

Just to remember a (OSI Layer 2) Switch has per port a collision domain and a (OSI Layer 3) Router separates/connects Broadcast Domains [Depends on manufacturer and build in features] - In real life it is simple to explain (Broadcast Domain) = The smaller the echo the faster the response. (Collision Domain) = [HUB] no real queue and thats why packets can collide on a [Switch] each port is its own Collision Domain and has a queue refereed in technical terms buffer. That is the reason why switches have allot of price points on packet throughput/bandwidth.

Best regards
Val.
 

Sampei Nihira

Level 6
Thread author
Verified
Well-known
Dec 26, 2019
287
Sampei Nihira,

Although you have made a big effort in securing Windows XP, some things cannot be covered:
  1. Unpatched kernel exploits.
  2. The web browser does not have a sandbox.
  3. Some applications can be outdated on Windows XP (so have unpatched vulnerabilities). The user has to have additional knowledge to cover these vulnerabilities.
The user's security on such a system (even with additional protection) can highly depend on habits and activities.
If the user has bad luck or does not perform only safe activities, then he/she can be easily redirected to the malicious web page with an exploit kit and finally get a rootkit.

So, this security setup cannot be recommended for most users. (y)
It will be more secure (but still not recommended as secure) on SUA.

2) It is irrelevant.
The sandbox with Windows XP does not have 100% functionality as in the post-XP Operating Systems:


2a) A kernel exploit also bypasses the sandbox.

3) It is advisable to choose updated softwares which is not subject to a historical bugs that can be exploited remotely.
I follow this methodology.

1) Unpatched kernel exploits - remotely exploitable in the OS.
All my risk softwares are protected by MBAE + OSA.
All Exploit Test Tool (HPA) tests are passed.
(Windows Defender on Windows 10, for example, does not pass all tests.)

However if you know at least 1 exploit kernel exploitable in the wild of remote on Windows XP (after May 2019) please list it.
TH.

.....It will be more secure (but still not recommended as secure) on SUA......

(y)

I start the browser + email client with limited-user privileges through PsExec.

________________________________________________

Guys now I really have to disconnect ...
 
Last edited:

BoraMurdar

Super Moderator
Verified
Staff Member
Well-known
Aug 30, 2012
6,598
(y):)

I understand your thinking.
The subforum has as its title:

"Computer Security Configuration"

therefore it is obvious that a judgment on the security configuration of the pc is expected.
When the security configuration is OK ......
Your security configuration is good but made on unsupported OS
It's like building a fort on a landslide. No security solution can help you with flaw in the kernel of the OS or unpatched hole where something may freely exploit whatever you throw on it as it will run on System level.
 

Sampei Nihira

Level 6
Thread author
Verified
Well-known
Dec 26, 2019
287
Your security configuration is good but made on unsupported OS
It's like building a fort on a landslide. No security solution can help you with flaw in the kernel of the OS or unpatched hole where something may freely exploit whatever you throw on it as it will run on System level.

The only remote access port is the browser.
Do not be influenced by the exploits that act on I.E.8.
My I.E.8 is closed, nothing enters.
And my New Moon only because started in "SUA mode" + Noscript (settings not by default) is able to stop almost everything.
Then there are also the other mitigations.
 

BoraMurdar

Super Moderator
Verified
Staff Member
Well-known
Aug 30, 2012
6,598
The only remote access port is the browser.
Do not be influenced by the exploits that act on I.E.8.
My I.E.8 is closed, nothing enters.
And my New Moon only because started in "SUA mode" + Noscript (settings not by default) is able to stop almost everything.
Then there are also the other mitigations.
There are dozens of other pathways where something can go wrong. But you know better. It's your system and you have the free will to use it as it pleases you. Just as MalwareTips have a free will to mark your system RISK: DANGER. May you virtualize your system completely from your data, or just put AVG from 2010 on it, it will be marked the same.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,599
2) It is irrelevant.
The sandbox with Windows XP does not have 100% functionality as in the post-XP Operating Systems:
...

1) Unpatched kernel exploits - remotely exploitable in the OS.
All my risk softwares are protected by MBAE + OSA.
All Exploit Test Tool (HPA) tests are passed.
(Windows Defender on Windows 10, for example, does not pass all tests.)

However if you know at least 1 exploit kernel exploitable in the wild of remote on Windows XP (after May 2019) please list it.
TH.



(y)

I start the browser + email client with limited-user privileges through PsExec.
...

Sandbox could protect you against the web browser exploits and some Windows XP userland exploits, so the chances of infection would be smaller (still not recommended as secure setup). The same is true for SUA.
Limited user privileges can be easily elevated via Windows userland exploits. Some Windows userland exploits can work even from the web browser with anti-exploit protection.
The danger of possible XP kernel exploits is real even if MS would already patch the known examples. Can you be sure of that for the next exploits?

If you like, then I can say that your setup is secure, if the user can avoid Windows XP exploits.(y)

Edit.
MalwareBytes Anti-Exploit can probably do good work to protect popular web browsers, but it is an open question of how well it can protect your web browser, which is based on the outdated project.
There is no proof that your config will be so vulnerable in the wild, because Windows XP is not as popular target as Windows 7 or Windows 10. But, there are too many questions to accept it as secure and recommended.
 
Last edited:

valvaris

Level 6
Verified
Well-known
Jul 26, 2015
263
By carefully reading the posts... There is a reason for Enterprises to block [Psexec]!

Here is just an example: PSExec Pass the Hash | Offensive Security

Plus SMBv1 is one way to attack Windows XP "EternalBlue" that was patched of course but you never know ;) -> rapid7/metasploit-framework

That is the reason I suggested a layered approach of network segmentation or even go Firewall Appliance with IPS/IDS, Application Control and so on... Grab stuff before it hits your system. The PC System it self should be the last line of defense!

Sincerely
Val.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,599
Thanks you guys...I appreciate your efforts (y)
I inspected the setup:
It has important advantages over Sampei Nihira setup.
  1. Most of Windows Updates can still be made manually.
  2. The system is protected by ShadowDefender, which can automatically get rid of all known rootkits (after reboot).
 

Lenny_Fox

Level 22
Verified
Top Poster
Well-known
Oct 1, 2019
1,120
The discussion about the 'upgraded Windows XP' security label is hilarious. It is like someone putting a roll cage in a Citroen deux chevaux and arguing that his upgraded 2CV is as safe as any modern car and therefore should receive a five star NCAP security label :ROFLMAO::ROFLMAO::ROFLMAO:
 
Last edited:

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,599
Ha, ha. I think that the author can see it as an old car after a complete renovation and wants to drive on side roads only.
He thinks (probably right) that he can be as safe as driving the modern car in the city. Of course, it does not mean that his car is as secure as modern cars, and additionally, he must know well all the roads.:)(y)
 

Sampei Nihira

Level 6
Thread author
Verified
Well-known
Dec 26, 2019
287
Sandbox could protect you against the web browser exploits and some Windows XP userland exploits, so the chances of infection would be smaller (still not recommended as secure setup). The same is true for SUA.
Limited user privileges can be easily elevated via Windows userland exploits. Some Windows userland exploits can work even from the web browser with anti-exploit protection.
The danger of possible XP kernel exploits is real even if MS would already patch the known examples. Can you be sure of that for the next exploits?

If you like, then I can say that your setup is secure, if the user can avoid Windows XP exploits.(y)

Edit.
MalwareBytes Anti-Exploit can probably do good work to protect popular web browsers, but it is an open question of how well it can protect your web browser, which is based on the outdated project.
There is no proof that your config will be so vulnerable in the wild, because Windows XP is not as popular target as Windows 7 or Windows 10. But, there are too many questions to accept it as secure and recommended.

I could enter SandboXIE 3.76 but it is not necessary.

Andy do you know the difference mentioned directly by the old Tzuk developer regarding my operating system and this version of S. compared to the latest operating systems?

....MalwareBytes Anti-Exploit can probably do good work to protect popular web browsers, but it is an open question of how well it can protect your web browser, which is based on the outdated project......

You're talking nonsense.
MBAE has a specific rule for Pale Moon.
The New Moon executable is identical to the Pale Moon executable.
Not to mention that OSA also has a specific anti-exploit rule for Pale Moon.

See the comparison between the "obsolete project" and Firefox:



My version of MBAE Premium was sent to me by Pedro Bustamante in person who confirmed that it is the best performing version for my OS.
Regarding the version that I use of OSA, it is the one that I contributed to make better with the same developer Andreas.
That is, the best one for my OS
You can read the specific 3D in the forum of W.
 
  • Like
Reactions: harlan4096

Sampei Nihira

Level 6
Thread author
Verified
Well-known
Dec 26, 2019
287
By carefully reading the posts... There is a reason for Enterprises to block [Psexec]!

Here is just an example: PSExec Pass the Hash | Offensive Security

Plus SMBv1 is one way to attack Windows XP "EternalBlue" that was patched of course but you never know ;) -> rapid7/metasploit-framework

That is the reason I suggested a layered approach of network segmentation or even go Firewall Appliance with IPS/IDS, Application Control and so on... Grab stuff before it hits your system. The PC System it self should be the last line of defense!

Sincerely
Val.

PsExec is blocked by a specific OSA rule, I wrote I inserted only 2 exceptions.
SMB1 protocol (XP only has that) has been disabled, that too is written in the configuration.
 
Last edited:

RKRN3

Level 3
Verified
Well-known
Sep 6, 2019
122
The configurations one shares here are available for many to be viewed (I guess it's visible for non-members as well). Now, you know much more about your system that's why you have 100% faith on your security configuration, but newbies (like me who don't have that much of knowledge here) won't be able to secure like what you have done with your PC. They will just screw their PC in one way or the other. Moreover, new PCs come with Windows 10. Even if someone manages to install XP, it won't activate which will lead them to use pirated software which just defeats the purpose of your security configuration. That's why your configuration has been tagged as Risky since if something happens, you can fix it since you know the stuff but not the newbies like me.
 

Sampei Nihira

Level 6
Thread author
Verified
Well-known
Dec 26, 2019
287
The configurations one shares here are available for many to be viewed (I guess it's visible for non-members as well). Now, you know much more about your system that's why you have 100% faith on your security configuration, but newbies (like me who don't have that much of knowledge here) won't be able to secure like what you have done with your PC. They will just screw their PC in one way or the other. Moreover, new PCs come with Windows 10. Even if someone manages to install XP, it won't activate which will lead them to use pirated software which just defeats the purpose of your security configuration. That's why your configuration has been tagged as Risky since if something happens, you can fix it since you know the stuff but not the newbies like me.

(y):)
You are definitely right.
It is a well-known saying that which asserts that the best antimalware is the one that is in front of the PC.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,599
Sampei Nihira,
Please ask yourself.
  1. Are there unpatched Windows XP vulnerabilities?
  2. Can this setup be used without invoking Windows XP exploits?
  3. Can OSA + MBAE be very effective for covering Windows XP exploits?
If you will be satisfied with answers, then simply use this setup.
If you want to convince others, then you should prove that the answers to points '2 and 3' are 'Yes and Yes'. Nothing in your posts is close to proving this. Most of your arguments follow from the faith in OSA + MBAE protection.
Some your arguments are evidently false, like for example:
(I have the best version of something) --> (I should be safe).:unsure:

By the way, some FireFox exploits can possibly work for Palemoon, too. The small number of known Palemoon vulnerabilities, follows from the fact that no one bothered to seek for them.
 
Last edited:
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top