Advanced Plus Security Thales Hard Protected Setup

Last updated
Jul 31, 2019
Windows Edition
Pro
Log-in security
Security updates
Allow security updates and latest features
User Access Control
Always notify
Real-time security
  • HMPA
  • F-Secure SAFE
  • syshardener
Firewall security
Microsoft Defender Firewall
About custom security
  • syshardener (Almost everything is checked)
Periodic malware scanners
  • HMPA
  • F-Secure SAFE
Malware sample testing
I do not participate in malware testing
Browser(s) and extensions
Chrome (Portable)
  • Adguard
  • BitWarden
Maintenance tools
Cleaners
  • Wise Cleaner (portable)
  • Cleanmgr+ (Portable)
  • CCleaner (portable)
Other
  • Bandizip (portable)
  • Geek uninstaller (portable)
File and Photo backup
  • MEGA
System recovery
  • Macrium Reflect Free
Risk factors
    • Gaming
    • Logging into my bank account
    • Browsing to popular websites
    • Streaming audio/video content from shady sites
    • Working from home
    • Streaming audio/video content from trusted sites or paid subscriptions
Computer specs
Acer Aspire 3 A315-41

CPU: AMD Ryzen 3 2200U
GPU: Radeon Vega Mobile Gfx
RAM: 8GB DDR4 2400 MHz
Storage: 128GB SSD

Feel free to give me some advice to improve my system if you feel I need to.

shmu26

@Andy Ful put out a FirewallHardener tool, it is an easy and effective way to add block rules to Windows firewall for LOL bins that can be dangerous if they have internet access. It is a natural complement to Windows SRP for those who are into system hardening. Just mentioning it as a suggestion.
 

Thales

Thread author
@Andy Ful put out a FirewallHardener tool, it is an easy and effective way to add block rules to Windows firewall for LOL bins that can be dangerous if they have internet access. It is a natural complement to Windows SRP for those who are into system hardening. Just mentioning it as a suggestion.

Is it a standalone program or part of the H_C?
 

Andy Ful

From Hard_Configurator Tools
Hi,
What Default Security Level did you apply in SRP?
What is your setting under the SRP Enforcement option “Apply software restriction policies to the following users”?
How do you protect shortcuts?
Did you harden Windows subfolders?
:giggle:(y)
 

Thales

Thread author
Hi,
What Default Security Level did you apply in SRP?
What is your setting under the SRP Enforcement option “Apply software restriction policies to the following users”?
How do you protect shortcuts?
Did you harden Windows subfolders?
:giggle:(y)
Default Security Level is Disallowed.
All Software files except libraries.
I enabled shortcuts because I need them. (Is it too bad?)
Windows folder is disallowed. I didn't put them in the exception list.
 

Andy Ful

From Hard_Configurator Tools
Default Security Level is Disallowed.
All Software files except libraries.
I enabled shortcuts because I need them. (Is it too bad?)
Windows folder is disallowed. I didn't put them in the exception list.
There are additional options in the Enforcement window. One of them is “Apply software restriction policies to the following users”. Did you choose the setting 'All users' or 'All users except local administrators'?

If you have enabled shortcuts, then you have to be very cautious, because shortcuts can run command lines with script interpreters or LOLBins (known SRP bypass).:(

What do you mean by "Windows folder is disallowed"?:unsure:
Did you not allow even the folder "C:\Windows\system32"?
 

Thales

Thread author
Thanks @Andy Ful I didn't know about that shortcut issue. Shortcuts have been disabled.
Here are my settings.
[two screenshots of the SRP settings, not preserved]
 

Andy Ful

From Hard_Configurator Tools
Thanks @Andy Ful I didn't know about that shortcut issue. Shortcuts have been disabled.
Here are my settings.
Can you run regedit.exe without SRP block?
In fact, you whitelisted the whole Windows folder via the Unrestricted rule:
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
This is OK, but allows bypassing SRP via writable subfolders of the Windows folder. (y)
 

Andy Ful

From Hard_Configurator Tools
The paths below (sometimes only their sub-paths) are usually writable in Windows (some are actually blocked in Windows 10):
C:\windows\debug\WIA
C:\windows\Registration\CRMLog
C:\windows\servicing\Packages
C:\windows\servicing\Sessions
C:\windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}
C:\windows\System32\com\dmp
C:\windows\System32\FxsTmp
C:\windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\windows\System32\spool\drivers\color
C:\windows\System32\spool\PRINTERS
C:\Windows\System32\spool\SERVERS
C:\windows\System32\Tasks
C:\Windows\System32\Tasks_Migrated
C:\Windows\SysWOW64\Com\dmp
C:\Windows\SysWOW64\FxsTmp
C:\Windows\SysWOW64\Tasks
C:\Windows\Tasks
C:\Windows\Temp
C:\Windows\tracing

I am not sure if you can blacklist the path c:\Windows\Temp, because it can be used by some Windows processes. If you had SRP set to allow processes with admin rights, then this folder could safely be blacklisted. But you have the Enforcement setting "All users", so SRP can also block processes run with admin rights.
 

Thales

Thread author
Can you run regedit.exe without SRP block?
In fact, you whitelisted the whole Windows folder via the Unrestricted rule:
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
This is OK, but allows bypassing SRP via writable subfolders of the Windows folder. (y)
I can't run regedit in my current settings. To do that I need to change the security level to Unrestricted temporarily.
The %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% is there by default I think, so I didn't want to delete it.

The paths below (sometimes only their sub-paths) are usually writable in Windows (some are actually blocked in Windows 10):
C:\windows\debug\WIA
C:\windows\Registration\CRMLog
C:\windows\servicing\Packages
C:\windows\servicing\Sessions
C:\windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}
C:\windows\System32\com\dmp
C:\windows\System32\FxsTmp
C:\windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\windows\System32\spool\drivers\color
C:\windows\System32\spool\PRINTERS
C:\Windows\System32\spool\SERVERS
C:\windows\System32\Tasks
C:\Windows\System32\Tasks_Migrated
C:\Windows\SysWOW64\Com\dmp
C:\Windows\SysWOW64\FxsTmp
C:\Windows\SysWOW64\Tasks
C:\Windows\Tasks
C:\Windows\Temp
C:\Windows\tracing

I am not sure if you can blacklist the path c:\Windows\Temp, because it can be used by some Windows processes. If you had SRP set to allow processes with admin rights, then this folder could safely be blacklisted. But you have the Enforcement setting "All users", so SRP can also block processes run with admin rights.
In the past I used most of these rules, however I got tons of error messages (maybe the C:\Windows\Temp or the WD). I switched to Linux after that for 1 year and then I totally forgot those rules :emoji_cold_sweat:.
The only reason I don't use a 3rd party app for SRP is because I love it in its current form and I want to know what folders and programs are allowed to run, and SRP gives me the safe feeling that an antivirus can't. Added these rules again and I hope not using WD will avoid error messages.
Thank you :emoji_pray:
 

Andy Ful

From Hard_Configurator Tools
I can't run regedit in my current settings. To do that I need to change the security level to Unrestricted temporarily.
The %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% is there by default I think, so I didn't want to delete it.


In the past I used most of these rules, however I got tons of error messages (maybe the C:\Windows\Temp or the WD). I switched to Linux after that for 1 year and then I totally forgot those rules :emoji_cold_sweat:.
The only reason I don't use a 3rd party app for SRP is because I love it in its current form and I want to know what folders and programs are allowed to run, and SRP gives me the safe feeling that an antivirus can't. Added these rules again and I hope not using WD will avoid error messages.
Thank you :emoji_pray:
You have an SRP setup similar to that suited to enterprises. It is not especially useful in the home environment. Anyway, your actual setup is OK. It can be bypassed, but first, something has to be exploited. (y)
I hope that you do not use MS Office or Adobe Acrobat Reader. To make SRP work with WD, you can add an Unrestricted rule for:
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\ProductAppDataPath%
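As an added example (not code from the thread or from Hard_Configurator), here is a read-only PowerShell audit of the points raised in the last two posts by Andy Ful: it reads the local SRP policy from its standard registry location, prints the Default Security Level and the Enforcement scope, resolves %HKEY_LOCAL_MACHINE\...% style rules such as the SystemRoot and Windows Defender ProductAppDataPath ones, and reports for each writable Windows subfolder from the list above whether a Disallowed rule covers it and which Unrestricted rule would otherwise allow it. It assumes the policy was written to the machine policy (as Local Security Policy and H_C do) and should be run from an elevated PowerShell.

```powershell
# Added example, not from the thread or Hard_Configurator: read-only audit of the local SRP
# policy. Registry location/value names are the standard SRP ones; the folder list is the
# one from the post above, pruned at run time to folders that exist on this machine.
$Safer  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Levels = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }
$Candidates = @(
  'C:\Windows\debug\WIA', 'C:\Windows\Registration\CRMLog', 'C:\Windows\servicing\Packages',
  'C:\Windows\servicing\Sessions', 'C:\Windows\System32\com\dmp', 'C:\Windows\System32\FxsTmp',
  'C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys', 'C:\Windows\System32\spool\drivers\color',
  'C:\Windows\System32\spool\PRINTERS', 'C:\Windows\System32\spool\SERVERS', 'C:\Windows\System32\Tasks',
  'C:\Windows\System32\Tasks_Migrated', 'C:\Windows\SysWOW64\Com\dmp', 'C:\Windows\SysWOW64\FxsTmp',
  'C:\Windows\SysWOW64\Tasks', 'C:\Windows\Tasks', 'C:\Windows\Temp', 'C:\Windows\tracing'
)
function Resolve-SrpPath([string]$raw) {
    # SRP accepts %HKEY_LOCAL_MACHINE\<key>\<value>% rules (SystemRoot, ProductAppDataPath); resolve them.
    if ($raw -match '^%HKEY_(LOCAL_MACHINE|CURRENT_USER)\\(.+)\\([^\\]+)%(.*)$') {
        $hive = if ($Matches[1] -eq 'LOCAL_MACHINE') { 'HKLM:' } else { 'HKCU:' }
        $val  = (Get-ItemProperty "$hive\$($Matches[2])" -ErrorAction SilentlyContinue).($Matches[3])
        if ($val) { return [string]$val + $Matches[4] }
    }
    return [Environment]::ExpandEnvironmentVariables($raw)   # plain or %SystemRoot%-style paths
}
function Get-SrpPathRules {
    # Path rules live under <level>\Paths\<GUID>; the ItemData value holds the rule path.
    foreach ($level in $Levels.Keys) {
        $key = "$Safer\$level\Paths"
        if (-not (Test-Path $key)) { continue }
        foreach ($rule in Get-ChildItem $key) {
            $raw = (Get-ItemProperty $rule.PSPath).ItemData
            [pscustomobject]@{ Level = $Levels[$level]; Path = (Resolve-SrpPath $raw).TrimEnd('\') }
        }
    }
}
function Test-Covers([string]$rulePath, [string]$folder) {
    # A path rule applies to the rule path and everything beneath it; the more specific rule wins.
    $folder.Equals($rulePath, 'OrdinalIgnoreCase') -or $folder.StartsWith("$rulePath\", 'OrdinalIgnoreCase')
}
$policy = Get-ItemProperty $Safer -ErrorAction Stop
"Default Security Level: $($Levels[[int]$policy.DefaultLevel])"
"Enforcement: " + $(if ($policy.PolicyScope -eq 1) { 'All users except local administrators' } else { 'All users' })

$rules = @(Get-SrpPathRules)
foreach ($dir in ($Candidates | Where-Object { Test-Path $_ })) {
    $deny  = @($rules | Where-Object { $_.Level -eq 'Disallowed'   -and (Test-Covers $_.Path $dir) })
    $allow = @($rules | Where-Object { $_.Level -eq 'Unrestricted' -and (Test-Covers $_.Path $dir) })
    [pscustomobject]@{
        Folder       = $dir
        DisallowedBy = $(if ($deny)  { $deny[0].Path }  else { '(none: consider a Disallowed rule)' })
        AllowedBy    = $(if ($allow) { $allow[0].Path } else { '' })
    }
}
```

A folder that shows an AllowedBy entry (typically the SystemRoot rule) but no DisallowedBy entry is one of the writable subfolders the post warns about; hash rules and the Basic User level are not considered here.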
 

Thales

Thread author
Removed
  • Kapsersky cloud free

Added
  • H_C
  • WD with High settings by H_C
  • Switched to SRP using H_C
I started to use H_C because I found it very cool. Thanks @Andy Ful

I'm thinking about replacing BitLocker with something else, but VeraCrypt is not offering encryption of used disk space only. I have a 120GB SSD and I don't really want to do a full disk encryption every 2-3 weeks (too slow) when I restore the system with Macrium. Disk encryption is crucial to me because I don't live alone and I don't trust anyone.
 

Thales

Thread author
I also just switched back from KSCF to WD. :)
The reason you switched back?
I had issues with the update service. I got a "database is corrupted" error message and nothing could fix it. Also, Windows startup was kinda slow (compared to HMPA or WD) on SSD. Removing KSCF fixed the problem.
 
