Q&A Simple Windows Hardening

Andy Ful

Level 71
Verified
Trusted
Content Creator
Dec 23, 2014
6,017
@Andy Ful,

wouldn't a LOLBin have to launch a malicious file typically dropped in user space? And if this is the case, tight SRP or other anti-executable restrictions should probably stop it?
It is hard to bypass SRP + OSA (properly configured). SRP cannot block .NET DLLs, and probably OSA cannot either. But executing .NET DLLs via LOLBins usually requires PowerShell or Windows Script Host. PowerShell is already highly restricted to Constrained Language Mode when the SRP Default Security Level is set to Disallowed - this can prevent PowerShell from loading .NET DLLs. Also, other scripting engines can be restricted by SRP/OSA.
The same is true for running shellcode encoded in documents, pictures, etc. But SRP + OSA requires more attention and maintenance compared to SRP with properly blocked shortcuts (like in H_C). Many things are doubly blocked by SRP and OSA. Sometimes it is really hard to find out how to whitelist applications in the User Space, especially when DLLs are blocked. There can also be problems with Windows Updates and software updates.
Your SRP + OSA protection model is rather designed for businesses (possible attacks from the Local Network).
Anyway, you seem to like it. So, you can probably live with it. :) (y)

wat0114

Level 3
Apr 5, 2021
126
Sometimes it is really hard to find out how to whitelist applications in the User Space, especially when DLLs are blocked. There can also be problems with Windows Updates and software updates.
I forgot to respond to this earlier. No doubt you know about this already, but there is a way to enable Advanced logging - for blocked DLLs especially - in SRP, which I have found invaluable for identifying blocked DLLs and even some executables, though the latter I typically find in Event Viewer:

https://www.itprotoday.com/security/q-how-can-we-verify-software-restriction-policy-srp-rule-we-defined-one-our-applications

Andy Ful

Level 71
Verified
Trusted
Content Creator
Dec 23, 2014
6,017
I forgot to respond to this earlier. No doubt you know about this already, but there is a way to enable Advanced logging - for blocked DLLs especially - in SRP, which I have found invaluable for identifying blocked DLLs and even some executables, though the latter I typically find in Event Viewer:

https://www.itprotoday.com/security/q-how-can-we-verify-software-restriction-policy-srp-rule-we-defined-one-our-applications
Yes. In H_C one can still use Advanced logging. I left this option for users who would also like to block DLLs by SRP via the reg tweak. The H_C Log can also filter the logged DLLs to show only the DLLs blocked by SRP in the User Space (many system DLLs are skipped for clarity).
Anyway, in the Home environment, I prefer the security model which can efficiently block the malware before it can load/run malicious DLLs or use LOLBins. It is much easier (and more efficient) to block malware in the early infection stage. Furthermore, such protection is simpler and easier to understand.

Edit
This idea is also true for SWH, except that EXE and MSI files must be efficiently protected by the AV, SmartScreen, or a kind of file reputation service in the cloud. Cautious users can simply be cautious with EXE or MSI files.
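As an added illustration of the two things discussed above (the SRP advanced-logging tweak wat0114 mentions, and the H_C-style filtering of the log down to user-space DLLs blocked by SRP), here is example code that is not from the thread, H_C or SWH: it reads the documented SRP registry values, reports PowerShell's language mode, and filters constructed SRP advanced-log lines to user-space files marked Disallowed, flagging DLLs. The registry value names, the `C:\Users\` path filter and the log line layout are assumptions taken from documented SRP behaviour, not from the thread.

```powershell
# Added example, not from the thread or from H_C/SWH. Registry value names and
# level codes are the documented SRP ones; the log lines below are constructed.
$SaferKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Levels   = @{ 0 = 'Disallowed'; 0x20000 = 'BasicUser'; 0x40000 = 'Unrestricted' }

function Get-SrpPolicySummary {
    # DefaultLevel: 0 = Disallowed (the setting the thread relies on), 0x40000 = Unrestricted.
    # TransparentEnabled: 1 = enforce on executables only, 2 = DLLs enforced as well.
    # LogFileName: only present when the "advanced logging" registry tweak is applied.
    $k = Get-ItemProperty -Path $SaferKey -ErrorAction SilentlyContinue
    if (-not $k) { return [pscustomobject]@{ Configured = $false } }
    $level = if ($null -ne $k.DefaultLevel) { $Levels[[int]$k.DefaultLevel] } else { 'NotSet' }
    [pscustomobject]@{
        Configured      = $true
        DefaultLevel    = $level
        DllsEnforced    = ($k.TransparentEnabled -eq 2)
        AdvancedLogFile = $k.LogFileName
        # With a Disallowed default level, PowerShell runs in ConstrainedLanguage,
        # which is the restriction the thread counts on against .NET DLL loading.
        PSLanguageMode  = [string]$ExecutionContext.SessionState.LanguageMode
    }
}

function Get-SrpUserSpaceBlocks {
    param([string[]]$LogLines)
    # An SRP advanced-log line names the caller, the file and the level SRP applied.
    $rx = '^(?<caller>.+?) \(PID = \d+\) identified (?<path>.+?) as (?<level>Disallowed|Unrestricted)'
    foreach ($line in $LogLines) {
        if ($line -notmatch $rx) { continue }
        if ($Matches.level -ne 'Disallowed') { continue }       # keep blocks only
        if ($Matches.path -notlike 'C:\Users\*') { continue }   # skip system paths, as H_C's log does
        [pscustomobject]@{
            Caller = $Matches.caller
            Path   = $Matches.path
            IsDll  = ($Matches.path -like '*.dll')
        }
    }
}

# Constructed sample log lines (placeholder GUIDs, not a real capture).
$Sample = @(
    'explorer.exe (PID = 1234) identified C:\Users\Bob\Downloads\setup.exe as Disallowed using default rule, Guid = {00000000-0000-0000-0000-000000000000}',
    'app.exe (PID = 2222) identified C:\Users\Bob\AppData\Local\Foo\helper.dll as Disallowed using default rule, Guid = {00000000-0000-0000-0000-000000000000}',
    'svchost.exe (PID = 900) identified C:\Windows\System32\kernel32.dll as Unrestricted using path rule, Guid = {00000000-0000-0000-0000-000000000000}'
)
Get-SrpPolicySummary | Format-List
Get-SrpUserSpaceBlocks -LogLines $Sample | Format-Table -AutoSize
```

On a machine where the advanced-log tweak is active, replace `$Sample` with `Get-Content` of the path reported in `AdvancedLogFile` to review the real blocks.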