Dec 31, 2019
Heavy reliance on Group Policy including AppLocker, management and enforcement of the Windows Firewall with all inbound & outbound connections blocked by default (and Allow local firewall rules set to NO), running of Startup/Shutdown & Logon/Logoff scripts and of course Administrative Templates for both Computer and User Configurations.
I make decent use of the Windows 10 Exploit Protection settings, eg those you can alter under Windows Security > App & browser control but do not use Windows Defender or SmartScreen.
Each internet facing app, and even some that have no internet connection, runs under its own standard user account via scripts (stored in a folder with only Admin/System NTFS Permissions alongside an extra set of block rules for Pumpernickel when active) and PsExec with Group Policy set to deny elevation requests.
Each 'user' is allowed to only use the exe, or dlls associated with it via the related AppLocker Rules. My DLL rules are a tad more lenient, allowing all signed or system folder based dlls by default (though it does have a list of path based exceptions alongside some others like lxssmanager and system.management).
Updates to Windows are done manually via the MS Catalog downloads. This is partially so that I have time to test them first in a VM and cut off any obvious issues and partially to avoid excessive service/svchost allowances during normal use.
Updates to apps (currently only excluding Steam-with no service installed) are done manually or by installing the updated setup files in a VM and copying the related files over as needed.
I also make use of two drivers, MemProtect and Pumpernickel for increased Memory and File based privacy/security.
MemProtect is set to [#DEFAULTALLOW] eg blocking everything by default. While Windows Medium Integrity is already fairly well isolated from High and above I like the added isolation this allows me to accomplish by preventing each App from reading or messing with any other app's memory which is also running as a Standard user.
Pumpernickel is a tad more laid back but seeing as I store about all the related apps and their data in specific folders on a certain drive I was able to create some broad rules for those locations then add !priority rules to give them access to the relevant areas while keeping them blocked from everything else. If it had an option to disable DefaultAllow I would have likely spent the time in a VM setting rules for the OS first then simply adding more like I did with MemProtect but....
The final layer I use is also my first in the scheme I have set up: Unified Write Filter
Group Policy is set via scripts to check if the Unified Write Filter is active at startup, then it double checks the BFE, Windows Firewall and AppLocker service. If they are all running it then runs other scripts which create the user accounts used to launch the internet related apps as described above along with various event based tasks, eg the termination of C:\path\this.exe which in turn run other scripts set to RMDIR the related user/apps folder and clean the registry's ProfileList of the related SID also. Outside of ProgramData or other areas 'excluded' in my setup this allows me to control what gets saved and restored, though I admit it can be a pain in the butt to set up initially.
If the scripts detect that the UWF, BFE, Firewall or AppID are not running no NICs are activated and nor are any accounts or tasks created. This is normally because I've disabled the UWF and rebooted in order to apply some .cab file updates via dism.
All NICs are disabled during the logoff phase regardless of UWF, etc.
Then there is perhaps what is likely to be my most controversial change that I expect to take some flak for.
I run as the built in Administrator, yes that Super Admin account without the UAC prompts!
But wait, before you start spitting on me take a second look at my setup as already stated and then note that doing this allows me to prevent non-elevated admins (who run at medium integrity, eg as SuA, so far as the OS is normally concerned until an elevation) from being able to read other areas where I have made NTFS Permission changes removing even the normal User Read rights among others. I also have my 'drunk rules' which prevent my admin account from launching anything in my download or user set areas along with some others.
Also please note that the NONE entries for the backups are there because they vary quite a bit.
I only backup my OS when I do a fresh offline install.
My 'Data' backups via Bvckup are all different, depending on the area and importance I place on it.
The VMs referenced above vary on occasion but more often than not these days I default to a Windows 10 LTSC 1809 x64 image run on VMWare Workstation 15.x.x to increase the likelihood of catching issues that might appear on my live system during testing. I also heavily test potential live system changes in the VM rather often to avoid surprises.
Also the Last Changes isn't exact. It was about the start of the 2019 year when I ditched SBIE but took almost a month to get things working fully as intended and booted between two OS until that was satisfactorily done.
I also use some custom .infs and lgpo.exe to 'disable/remove' Windows related things and even more scripts/regs to tweak or disable stuff post install and post update that aren't 'removed' this same way. That's all a bit complex and while not directly related to security I think it may count as it disables or removes access to potential attack vectors (except to Trustedinstaller) in most cases. Here's a bit more detail on what I do on that front:
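The startup gate and logoff cleanup the post describes (UWF active, then BFE/Firewall/AppLocker services checked before any NIC is enabled or any per-app account is created; NICs down at logoff regardless) can be expressed as one PowerShell script. This is an added example written for this thread, not the poster's own scripts. The account naming scheme (`app_<name>`), the app list, the decision to return a PSCredential instead of writing a password anywhere, and the use of Win32_UserProfile removal in place of the RMDIR plus ProfileList registry cleanup described above are all my assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example for the thread, not the poster's scripts. Names below are constructed placeholders.

$RequiredServices = @('BFE', 'MpsSvc', 'AppIDSvc')   # Base Filtering Engine, Windows Firewall, Application Identity (AppLocker)
$SandboxedApps    = @('browser', 'mailclient')       # assumed list of apps that get their own standard user

function Test-UwfEnabled {
    # UWF reports its state through CIM in the embedded namespace; no class means UWF is not installed.
    $filter = Get-CimInstance -Namespace 'root\standardcimv2\embedded' -ClassName 'UWF_Filter' -ErrorAction SilentlyContinue
    return [bool]($filter -and $filter.CurrentEnabled)
}

function Test-RequiredServicesRunning {
    param([string[]]$Names = $RequiredServices)
    foreach ($n in $Names) {
        $svc = Get-Service -Name $n -ErrorAction SilentlyContinue
        if (-not $svc -or $svc.Status -ne 'Running') {
            Write-Warning "Service '$n' is not running"
            return $false
        }
    }
    return $true
}

function New-AppAccount {
    param([Parameter(Mandatory)][string]$AppName)
    $name = "app_$AppName"
    # Random 32-byte password; the account is recreated every boot (UWF discards it), so nobody needs to remember it.
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 32
    $rng.GetBytes($bytes)
    $secure = ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    if (-not (Get-LocalUser -Name $name -ErrorAction SilentlyContinue)) {
        New-LocalUser -Name $name -Password $secure -PasswordNeverExpires -UserMayNotChangePassword `
            -Description "Per-app standard user for $AppName" | Out-Null
        Add-LocalGroupMember -Group 'Users' -Member $name     # standard user only, never Administrators
    } else {
        Set-LocalUser -Name $name -Password $secure
    }
    # Hand the credential to the launcher (e.g. a PsExec wrapper) in memory rather than writing it to disk.
    return New-Object System.Management.Automation.PSCredential($name, $secure)
}

function Remove-AppAccount {
    param([Parameter(Mandatory)][string]$AppName)
    $name = "app_$AppName"
    $user = Get-LocalUser -Name $name -ErrorAction SilentlyContinue
    if (-not $user) { return }
    # Removing the Win32_UserProfile instance deletes the profile folder and its ProfileList entry together;
    # this stands in for the RMDIR + registry cleanup described in the post.
    Get-CimInstance -ClassName Win32_UserProfile |
        Where-Object { $_.SID -eq $user.SID.Value } |
        Remove-CimInstance
    Remove-LocalUser -Name $name
}

function Invoke-StartupGate {
    $ok = (Test-UwfEnabled) -and (Test-RequiredServicesRunning)
    if (-not $ok) {
        # Fail closed: keep every NIC down and create nothing, as the post describes for the "UWF disabled for dism" case.
        Get-NetAdapter -Physical | Disable-NetAdapter -Confirm:$false
        Write-Warning 'Startup gate failed; NICs stay disabled and no app accounts were created.'
        return $false
    }
    foreach ($app in $SandboxedApps) { $null = New-AppAccount -AppName $app }   # launcher would keep the credential
    Get-NetAdapter -Physical | Enable-NetAdapter -Confirm:$false
    return $true
}

function Invoke-LogoffCleanup {
    # Logoff script: NICs go down unconditionally, then the throwaway accounts and their profiles.
    Get-NetAdapter -Physical | Disable-NetAdapter -Confirm:$false
    foreach ($app in $SandboxedApps) { Remove-AppAccount -AppName $app }
}

# Usage: Invoke-StartupGate from the Group Policy startup script; Invoke-LogoffCleanup from the logoff script.
```

Because every account and profile is created inside the UWF overlay, a reboot with the filter active wipes them whether or not the logoff cleanup ran, which is what makes the fail-closed branch safe: a boot where UWF is off is exactly the boot where nothing should be created or connected.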