Advanced Plus Security Thales Hard Protected Setup

[shmu26]

Feel free to give me some advice to improve my system I you feel i need to.

@Andy Ful put out a FirewallHardener tool, it is an easy way and effective way to add block rules to Windows firewall for LOL bins that can be dangerous if they have internet access. It is a natural complement to Windows SRP for those who are into system hardening. Just mentioning it as a suggestion.

 

[Thales]

What's that wallpaper? Electric Batman? Niiice!

I want it!

It's a Radeon wallpaper!
Wallpaper

 

[oldschool]

It is a natural complement to Windows SRP for those who are into system hardening.

And for those not using SRP?

 

[Thales]

@Andy Ful put out a FirewallHardener tool, it is an easy way and effective way to add block rules to Windows firewall for LOL bins that can be dangerous if they have internet access. It is a natural complement to Windows SRP for those who are into system hardening. Just mentioning it as a suggestion.

Is it a standalone program or part of the H_C?

 

[oldschool]

Is it a standalone program or part of the H_C?

Standalone. You can find it here: Discuss - Hard_Configurator - Windows Hardening Configurator

 

[shmu26]

And for those not using SRP?

Oh, you mean there are still people in the world not using SRP? They should SURELY use FirewallHardener

 

[Thales]

Standalone. You can find it here: Discuss - Hard_Configurator - Windows Hardening Configurator

Thank you.
I tried it but in my case it's pointless to use because I use WFC in default deny mode. Everything is blocked by default.

 

[Andy Ful]

Hi,
What Default Security Level did you apply in SRP?
What is your setting under the SRP Enforcement option “Apply software restriction policies to the following users”?
How do you protect shortcuts?
Did you harden Windows subfolders?

 

[Thales]

Hi,
What Default Security Level did you apply in SRP?
What is your setting under the SRP Enforcement option “Apply software restriction policies to the following users”?
How do you protect shortcuts?
Did you harden Windows subfolders?

Default Security Level is Disallowed.
All Software files except libraries.
I enabled shortcuts because I need them. (Is it too bad?)
Windows folder is disallowed. I didn't put them in the exception list.

 

[Andy Ful]

Default Security Level is Disallowed.
All Software files except libraries.
I enabled shortcuts because I need them. (Is it too bad?)
Windows folder is disallowed. I didn't put them in the exception list.

There are additional options in Enforcement Window. One of them is “Apply software restriction policies to the following users”. Did you chose settings: 'All users' or 'All users except local administrators'?

If you have enabled shortcuts, then you have to be very cautious, because shortcuts can run command lines with script Interpreters or LOLBins (known SRP bypass).

What do you mean by "Windows folder is disallowed"?
Did not you allow even the folder "C:\Windows\system32" ?

 

[Thales]

Thanks @Andy Ful I didn't know about that shortcut issue. Shortcuts have been disabled.
Here it is my settings.

Spoiler: 1

 

[Andy Ful]

Thanks @Andy Ful I didn't know about that shortcut issue. Shortcuts have been disabled.
Here it is my settings.

Spoiler: 1

View attachment 215066
View attachment 215067

Can you run regedit.exe without SRP block?
In fact, you whitelisted all Windows folder via the Unrestricted rule:
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
This is OK, but allows bypassing SRP via writable subfolders of the Windows folder.

 

[Andy Ful]

The below paths (sometimes only its sub-paths) are usually writable in WIndows (some are actually blocked in Windows 10):
C:\windows\debug\WIA
C:\windows\Registration\CRMLog
C:\windows\servicing\Packages
C:\windows\servicing\Sessions
C:\windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}
C:\windows\System32\com\dmp
C:\windows\System32\FxsTmp
C:\windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\windows\System32\spool\drivers\color
C:\windows\System32\spool\PRINTERS
C:\Windows\System32\spool\SERVERS
C:\windows\System32\Tasks
C:\Windows\System32\Tasks_Migrated
C:\Windows\SysWOW64\Com\dmp
C:\Windows\SysWOW64\FxsTmp
C:\Windows\SysWOW64\Tasks
C:\Windows\Tasks
C:\Windows\Temp
C:\Windows\tracing

I am not sure if you can blacklist the path c:\Windows\Temp, because it can be used by some Windows processes. If you would have SRP set to allow processes with admin rights, then this folder can be safely blacklisted. But you have Enforcement setting "All users", so SRP can block also processes run with admin rights.

 

[Thales]

Can you run regedit.exe without SRP block?
In fact, you whitelisted all Windows folder via the Unrestricted rule:
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
This is OK, but allows bypassing SRP via writable subfolders of the Windows folder.

I can't run regedit in my currrent settings. To do that I need to change the security level to Unrestricted temporally.
The %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% is there in default I think, so I didn't want to delete.

The below paths (sometimes only its sub-paths) are usually writable in WIndows (some are actually blocked in Windows 10):
C:\windows\debug\WIA
C:\windows\Registration\CRMLog
C:\windows\servicing\Packages
C:\windows\servicing\Sessions
C:\windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}
C:\windows\System32\com\dmp
C:\windows\System32\FxsTmp
C:\windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\windows\System32\spool\drivers\color
C:\windows\System32\spool\PRINTERS
C:\Windows\System32\spool\SERVERS
C:\windows\System32\Tasks
C:\Windows\System32\Tasks_Migrated
C:\Windows\SysWOW64\Com\dmp
C:\Windows\SysWOW64\FxsTmp
C:\Windows\SysWOW64\Tasks
C:\Windows\Tasks
C:\Windows\Temp
C:\Windows\tracing

I am not sure if you can blacklist the path c:\Windows\Temp, because it can be used by some Windows processes. If you would have SRP set to allow processes with admin rights, then this folder can be safely blacklisted. But you have Enforcement setting "All users", so SRP can block also processes run with admin rights.

In the past I used most of these rules however I got tons of error messages (maybe the C:\Windows\Temp or the WD). I switched to linux after that for 1 year and then I totally forgot those rules :emoji_cold_sweat:.
The only reason I don't use 3rd party app for SRP is because I love it in it's current form and I want to know what folders and programs allowed to run and the SRP gives me the safe feeling that an antivirus can't. Added these rules again and I hope not using WD will avoid error messages.
Thank you :emoji_pray:

 

[Andy Ful]

I can't run regedit in my currrent settings. To do that I need to change the security level to Unrestricted temporally.
The %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% is there in default I think, so I didn't want to delete.


In the past I used most of these rules however I got tons of error messages (maybe the C:\Windows\Temp or the WD). I switched to linux after that for 1 year and then I totally forgot those rules :emoji_cold_sweat:.
The only reason I don't use 3rd party app for SRP is because I love it in it's current form and I want to know what folders and programs allowed to run and the SRP gives me the safe feeling that an antivirus can't. Added these rules again and I hope not using WD will avoid error messages.
Thank you :emoji_pray:

You have the SRP setup similar to that suited to enterprises. It is not especially useful in the home environment. Anyway, your actual setup is OK. It can be bypassed, but first, something has to be exploited.
I hope that you do not use MS Office or Adobe Acrobat Reader. To make SRP working with WD, you can add Unrestricted rule for:
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\ProductAppDataPath%

 

[Thales]

I hope that you do not use MS Office or Adobe Acrobat Reader.

Never :emoji_grimacing:

 

[Thales]

Removed

• Kapsersky cloud free

Added

• H_C
• WD with High settings by H_C
• Switched to SRP using H_C

I started to use H_C because I found it very cool. Thanks @Andy Ful

I'm thinking about to replace BitLocker with something else but Veracrypt is not offering encryption on used disk space only. I have a 120GB SSD and I don't really want to do a full disk encryption on every 2-3 weeks ( too slow) when I restore the system with Macrium. Disk encryption is crucial to me because I don't live alone and I don't trust anyone.

 

[Andy Ful]

You are welcome. Be safe.

 

[shmu26]

Removed

• Kapsersky cloud free

Added

• H_C
• WD with High settings by H_C
• Switched to SRP using H_C

I also just switched back from KSCF to WD.

 

[Thales]

I also just switched back from KSCF to WD.

The reason you switched back?
I had issues with the update service. I got "database is corrupted" error message and nothing could fix it. Also the windows startup was kinda slow (compared to HMPA or WD) on SSD. Removing KSCF has fixed the problem