The above SRP setup was pretty good 10 years ago. Nowadays, it is vulnerable because of malicious documents (.pdf, Office, etc.) which can run many Windows programs from whitelisted locations C:\Windows, C:\Windows\system32, etc. So for example, they can execute script engines (CMD, PowerShell, Windows Script Host) to download and execute highly obfuscated PowerShell payloads (keyloggers, trojans, rootkits) bypassing completely your SRP settings and many Antivirus/Antimalware programs.
Hi Andy, I did my homework that you suggested and I am still trying to understand the above reply. First, thank you very much for all those references and the work you've done to help us, mere mortals! You indicated 3 potential holes in the original default-deny SRP setup I had quoted: embedded CMD, PowerShell, and WSH executions. So if I were to block executions of these 3, would this be enough?
Or are there other important gaping holes? E.g. other ways for malicious code to get executed by a downloaded Acrobat document?
I read your links multiple times as well as the excellent Hard Configurator manual. If you don't mind answering some more questions...
What I ultimately want to do is to have as secure as possible of a setup for Win 10 Pro + Comodo Firewall/HIPS + Avira AV + Excel/Word + Acrobat Reader + MS PDF writer + Browser (e.g. Firefox) + basic Windows utilities (e.g. Notepad/Wordpad/Calculator/Paint).
Nothing else needs to run for this (standard) user. Only the above mentioned software needs to run and work. All auto-updates should run too; and per your documents, I think SRP should not interfere with those, since they are likely going to run as admin (except for Firefox?), right?
I do not mind using GPO / registry editing as much as needed. However, I cannot download or run any other 3rd party software (outside of Microsoft, Adobe, or a large security firm). Unfortunately, that includes Hard Configurator too.
With that in mind, I have a number of questions for proper manual SRP setup...
(1) For my desired setup, what are
(1a) recommended DFT list?
Default list from the manual: WSC, WS, VB, URL, SHS, SCT, SCR, REG, PIF, PCD, OCX, MST, MSP, MSC, MDE, MDB, LNK, JAR, ISP, INS, INF, HTA, HLP, EXE, DLL, CRT, CPL, COM, CMD, CHM, BAT, BAS, ADP, ADE
+ MSI
+ PS1, PS2, PSC1, PSC2, PS1XML, PS2XML
+ JS, JSE, VBE, VBS, WSF, and WSH
+ anything else??
(1b) recommendations as to which sponsors to Disallow? E.g. regedit.exe, others? All that are listed in Hard Configurator?
(2) What's the difference between
(2a) "blocking a sponsor" like powershell
(2b) manually creating SRP Disallow rule for "powershell.exe" and "powershell_ise.exe"
(2c) adding powershell extensions (PS1, PS2, PSC1, PSC2, PS1XML, and PS2XML) to DFT
(2d) <No PowerShell Exec.> option in Hard Configurator?
My understanding:
- 2a=2b
- 2c is complementary to 2a/2b and both act on User Space files only (2b seems more powerful than 2a/2b)
- 2d simply sets HKLM\Software\Policies\Microsoft\Windows\PowerShell!EnableScripts to 0 to prevent any powershell execution, including those from System Space. I.e. 2d is even more powerful than others?
Why does this Warning in the manual say to NOT use (2c) + (2d)? "Do not add PS1, PS2, PSC1, PSC2, PS1XML, and PS2XML extensions, if <No PowerShell Exec.> is set to ‘ON’." Later however it says "In the unsafe environment, all the above restricting options should be activated, for the maximum PowerShell mitigation."...
So if I want as-safe-as-possible environment, should I have all of these settings setup?
More on (2d). The Hard Configurator manual says: "In Windows 64Bit there are two PowerShell Hosts (32Bit and 64Bit), but both are disabled/enabled by the below registry key"
- What about HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell key? Is it not used?
- Rather than edit registry would you recommend using GPO Admin Templates > Windows Components > Windows PowerShell > Turn on Script Execution -> set to Disabled?
Finally, the BIG question: Will the system run into issues with these settings given the limited usage of this system as I described it above?
(3) Similar questions for WSH
(3a) Can I effectively apply <Disable Win. Script Host> option manually by setting Enable to 0 for the following keys?
HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings
HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Script Host\Settings
(3b) What are the downsides if I also add JS, JSE, VBS, VBE, WSF, and WSH extensions to DFT?
(3c) For "block WSH sponsor" option, which exe's should I block aside from wscript.exe and cscript.exe? and how does this option relate to (3a) and (3b)?
The BIG question: Potential issues with above settings for running only the software I had described?
(4) Do you see any issues with a Disallow rule for cmd.exe? Can it make other programs stop working? It does not appear at https://excubits.com/content/files/blacklist.txt but it is called out in the Hard Configurator manual.
(5) Should I just go through all of the excubits blacklist and create Disallow rules for all? Might any of them cause trouble in the desired setup? Did you find any of them to be more "high risk" for system stability than others?
(6) With Disallowed security level default, should I protect lnk files still?
From the Hard Configurator manual: "<Protect Shortcuts> is suited to work with SRP 'Basic User' security level. If the security level is changed to 'Disallowed' the LNK extension should be removed from Designated File Types.."
Specifically, would you recommend to add lnk extension to DFT and then Allow path rules for 'Windows', 'Program Files', 'Program Files (x86)', 'Desktop', 'Power Menu', 'Start Menu', 'Quick Launch', 'Taskbar', and 'Public Desktop' locations?
Is it better to use path rules or guids?
(7) Would VoodooShield add anything more to such protection or would it be redundant?
Thank you so much!
Justin
P.S. I noticed Windows Defender in my 1709 Win 10 Pro has autoruns set to be run from ProgramData dir; so I think "C:\ProgramData\Microsoft\Windows Defender" has to be added as additional "system space"... (I don't run Windows Defender; except optionally in its limited / manual mode) but it's still in autoruns apparently.
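Added example, not part of the post or of Hard Configurator: a read-only PowerShell audit of the settings the questions above revolve around. It assumes the standard SRP policy key HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers (value ExecutableTypes holds the Designated File Types, DefaultLevel the security level) and reads the PowerShell and Windows Script Host keys named in the post from both the native and Wow6432Node views.

```powershell
# Added audit script (not from the original post). Run in an elevated PowerShell.
# Assumed SRP policy location: HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers

# Extensions the post lists as candidates for Designated File Types (DFT)
$WantedDft = @(
    'WSC','WS','VB','URL','SHS','SCT','SCR','REG','PIF','PCD','OCX','MST','MSP','MSC',
    'MDE','MDB','LNK','JAR','ISP','INS','INF','HTA','HLP','EXE','DLL','CRT','CPL','COM',
    'CMD','CHM','BAT','BAS','ADP','ADE','MSI',
    'PS1','PS2','PSC1','PSC2','PS1XML','PS2XML',
    'JS','JSE','VBE','VBS','WSF','WSH'
)

function Get-RegValue([string]$Path, [string]$Name) {
    # Return $null when the key or value is absent instead of throwing
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# --- SRP: default security level and Designated File Types ---
$Safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Level = Get-RegValue $Safer 'DefaultLevel'
$LevelName = switch ($Level) { 0 {'Disallowed'} 0x20000 {'Basic User'} 0x40000 {'Unrestricted'} default {'not set'} }
"SRP DefaultLevel: $LevelName"
$Dft = @(Get-RegValue $Safer 'ExecutableTypes' | Where-Object { $_ })
$Missing = $WantedDft | Where-Object { $_ -notin $Dft }   # comparison is case-insensitive
"DFT entries present: $($Dft.Count); wanted but missing: $($Missing -join ', ')"

# --- PowerShell: EnableScripts = 0 is what <No PowerShell Exec.> sets (both views checked) ---
foreach ($p in 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell',
               'HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell') {
    $v = Get-RegValue $p 'EnableScripts'
    "$p EnableScripts = $(if ($null -eq $v) {'not set'} else {$v})"
}

# --- Windows Script Host: Enabled = 0 disables wscript.exe / cscript.exe ---
foreach ($p in 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings',
               'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows Script Host\Settings') {
    $v = Get-RegValue $p 'Enabled'
    "$p Enabled = $(if ($null -eq $v) {'not set (WSH allowed)'} else {$v})"
}
```

The script only reads; compare its output against the manual's recommendations before changing anything, and re-run it after every GPO or registry edit to confirm the setting actually landed where you expected.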