- Dec 23, 2014
- 8,513
They probably are not prepared to run from SUA and try to display some windows/alerts on the desktop of Administrator account, so they are not visible on SUA.
Thales Hard Protected Setup
- Thread starter Thales
- Start date
- Dec 23, 2014
- 8,513
- Nov 26, 2017
- 731
Nope, I'm very pleased to read this discussion.
Also, I'm a big fan of SRP.
I'm happy that you had a good laugh, what a lot of people find even funnier is that in all other OSs you do not need to login and then logout in a different account to do administrative work, elevation to admin works fine and the UX was designed well from the get go.
Also please read more carefuly, my post was clear, I didn't not discuss non-dev corporate environments, it was dev corporate where I mentioned that SRP-like whitelisting led to people who put it getting fired and the rest of the discussion was about dev home, where it's dysfunctional and home personal where it seems to work fine and with Andy's tool it's easy to setup too.
Last edited:
- Dec 23, 2014
- 8,513
I agree with @Umbra that SRP can be used in many enterprises, especially when they use similar software on many computers.
I agree with @notabot that SRP can fail in many enterprises, if they use different software on many computers or administrators are not trained in applying more complex SRP restrictions. It can also fail if directors do not realize that the staff cannot do anything they want, on computers at work. Furthermore, sometimes it is hard to find the right balance between security and productivity.
I think that in enterprises the best solution would be the combination of SRP and AppLocker - some SRP restrictions are not available via AppLocker. SRP restrictions should allow elevated processes but also should block the users' stupid actions (like running scripts from email attachments). Applocker should apply the restrictions for elevated processes, because the malware can attack computers via the enterprise network with admin rights.
I agree with @notabot that SRP can fail in many enterprises, if they use different software on many computers or administrators are not trained in applying more complex SRP restrictions. It can also fail if directors do not realize that the staff cannot do anything they want, on computers at work. Furthermore, sometimes it is hard to find the right balance between security and productivity.
I think that in enterprises the best solution would be the combination of SRP and AppLocker - some SRP restrictions are not available via AppLocker. SRP restrictions should allow elevated processes but also should block the users' stupid actions (like running scripts from email attachments). Applocker should apply the restrictions for elevated processes, because the malware can attack computers via the enterprise network with admin rights.
Last edited:
They probably are not prepared to run from SUA and try to display some windows/alerts on the desktop of Administrator account, so they are not visible on SUA.
Could be, HP also was a good free security app that's like WDAG that also doesn't run with SUA, see .
When I find time to play with it, if I'm happy with that in terms of performance, I may scrap the SUA acc, as the security benefits of running virtualized anything exploitable are quite cool. MS wants to expand WDAG beyond Edge but I think they plan it only for office365-business for now
- Dec 23, 2014
- 8,513
As many such 3rd party solutions, it will produce issues on Windows 10:
"As a solution, HP proposes to install the HP Sure Click version 4.1.0.5734 provided on the site. This means: With every update of Windows 10 you have to expect issues with HP Sure Click. Then you have to wait for an update of the software and install it. Given these issues, I’d rather uninstall HP Sure Click from the machines using the Control Panel."
Issues with HP Sure Click in Windows 10
[German]Today still a blog post about HP Sure Click, which is shipped by the manufacturer with certain business PCs and should protect Windows 10 systems, but can lead to very unsightly collateral…
borncity.com
As many such 3rd party solutions, it will produce issues on Windows 10:
"As a solution, HP proposes to install the HP Sure Click version 4.1.0.5734 provided on the site. This means: With every update of Windows 10 you have to expect issues with HP Sure Click. Then you have to wait for an update of the software and install it. Given these issues, I’d rather uninstall HP Sure Click from the machines using the Control Panel."
Issues with HP Sure Click in Windows 10
[German]Today still a blog post about HP Sure Click, which is shipped by the manufacturer with certain business PCs and should protect Windows 10 systems, but can lead to very unsightly collateral…
Shame, though to be expected, oh well, someday MS may release WDAG for Office Home users
- Oct 1, 2019
- 1,120
Side note Firejail works flawlesly wit MANJARO but when you check protections, Firejail only adds some folder protection when using Chromium (COMPARED TO DEFAULT PROTECTIONS)
SORRY: EDIT IN CAPS
SORRY: EDIT IN CAPS
Last edited:
It's a bit out of context so I'll reply shortly, if you're using Ubuntu, chromium is available as a snap app, which are containerised and come with their own AppArmor profile, so there's no need to install it via apt and containerize it with firejail. If you want to add folder restrictions, you can edit the AppArmor profile, the trouble with that is that you'll need to maintain your edits with updates
- Oct 1, 2019
- 1,120
On Manjaro Chromium is also availble as snap app, but my point was that Firejail does not add much protection (anymore) on Manjaro (on most distro's with build-in AppArmor profiles, I am told). Thanks for your answer, some time ago I asked whether form members used snapapps on Manjaro and what the added value was of using SnapApps. I shoudl have not restricted that question to Manjaro. You sort of answered my old questions thanks @notabot
On Manjaro Chromium is also availble as snap app, but my point was that Firejail does not add much protection (anymore) on Manjaro (on most distro's with build-in AppArmor profiles, I am told). Thanks for your answer, some time ago I asked whether form members used snapapps on Manjaro and what the added value was of using SnapApps. I shoudl have not restricted that question to Manjaro. You sort of answered my old questions thanks @notabot
you are welcome but probably this is the wrong thread, this is Thales' computer thread
To resume, in most "serious" corporate environment, most employee workstations are locked via Windows SRP + Applocker or 3rd party SRP like SEP Managed.
That is a fact, that SRP is a well-known and solid mechanism for corporate environment, but is has to be properly used which require training, reason you don't see SRP on Home user products, the only case I heard is Kaspersky which use a comparable but simplified mechanism in SystemWatcher.
That is a fact, that SRP is a well-known and solid mechanism for corporate environment, but is has to be properly used which require training, reason you don't see SRP on Home user products, the only case I heard is Kaspersky which use a comparable but simplified mechanism in SystemWatcher.
- Nov 26, 2017
- 731
I tried to slim down the system a little bit. I missed the 1,6 GB of RAM usage.
After the boot my system used 3GB RAM. I had to do something.
Removed
Installed
After the boot my system used 3GB RAM.
I had to do something.Removed
- Windows Defender is disabled completely in ConfigureDefender and in O&O ShutUp10
Installed
- HMPA
- Eset Nod32 Antivirus only
- O&O ShutUp10
Last edited:
- Dec 23, 2014
- 8,513
@Thales,
It is strange. Usually, WD has similar RAM usage to Eset and smaller than most AVs. I disabled WD to see the difference (no AV at all) and the RAM usage dropped by 100 MB. I do not think that skipping WD was the cause of 1GB free space.
Anyway, Eset is a good choice, too.
It is strange. Usually, WD has similar RAM usage to Eset and smaller than most AVs. I disabled WD to see the difference (no AV at all) and the RAM usage dropped by 100 MB. I do not think that skipping WD was the cause of 1GB free space.
Anyway, Eset is a good choice, too.
- Nov 26, 2017
- 731
@Thales,
It is strange. Usually, WD has similar RAM usage to Eset and smaller than most AVs. I disabled WD to see the difference (no AV at all) and the RAM usage dropped by 100 MB. I do not think that skipping WD was the cause of 1GB free space.
Anyway, Eset is a good choice, too.
Yeah probably something else. The "antimalware service executable" was still active (but consumed only 150 MB) after I installed Eset. Had to disable all WD features I could in ConfigureDefender and in O&O ShutUp10 too.
I don't know what was the main issue but disabling WD solved the problem
- Dec 23, 2014
- 8,513
When you installed Eset, then WD is disabled automatically, no need to use any software for that. I think that O&O Shutup (or something else) slimmed your system with or without disabling WD.... Had to disable all WD features I could in ConfigureDefender and in O&O ShutUp10 too.
I don't know what was the main issue but disabling WD solved the problem
O&O Shutup disables many services and tasks that are loaded to memory with Windows start. But, be careful with slimming down the system. Windows Updates are not tested by M$ on slimmed systems and this usually can cause hidden problems. I had a few such problems on my slimmed system a few years ago. Finally (after some months), it turned out that one unnecessary service should be enabled to finish the cumulative update.
Eset + H_C is a very strong setup. Eset will be also more comfortable (fewer false positives) as compared to WD MAX or HIGH Protection Level.
Last edited:
- Nov 26, 2017
- 731
I made a completely new config from scratch.
The main goal was to make a system that uses minimal RAM as possible and don't lose the performance.
Portable apps are an integral part of this configuration.
1. Remove bloats,
- Windows Privacy Dashboard
- O&O ShutUp10
- Easy service optimizer
I removed everything unnecessary after the clean install. Also, made a backup image for the future.
2. Hardening Windows
- syshardener did the job
I've skipped the srp for now to test this config.
3. Security
- Installed WiseVector and HMPA
I think HMPA and Wisevector is a light and very powerful combo.
4. Portable system apps
- CCleaner, Wise Disk Cleaner, Cleanmgr+
No 3rd party firewall, chrome is portable, no VPN just proxy extension.
This is the final result after browsing for a while.
It is more than I expected. Previously the system used 2,5 - 3 GB, now it is 1.5 GB.
And another one
The main goal was to make a system that uses minimal RAM as possible and don't lose the performance.
Portable apps are an integral part of this configuration.
1. Remove bloats,
- Windows Privacy Dashboard
- O&O ShutUp10
- Easy service optimizer
I removed everything unnecessary after the clean install. Also, made a backup image for the future.
2. Hardening Windows
- syshardener did the job
I've skipped the srp for now to test this config.
3. Security
- Installed WiseVector and HMPA
I think HMPA and Wisevector is a light and very powerful combo.
4. Portable system apps
- CCleaner, Wise Disk Cleaner, Cleanmgr+
No 3rd party firewall, chrome is portable, no VPN just proxy extension.
This is the final result after browsing for a while.
It is more than I expected. Previously the system used 2,5 - 3 GB, now it is 1.5 GB.
And another one
You know that considering having a lot of free RAM as beneficial is a erroneous concept.
RAM is supposed to be used, reason why some programs when detecting lot of available RAM increase their RAM usage to gain more responsiveness and efficiency.
Having lot of RAM is only needed when you use heavy softwares (Movie/Sound/Photo editors, VMs, etc...).
Even Windows adapts its RAM usage depending on the active softwares.
WD doesn't make the system slow because it uses lot of RAM, it does because it keep real-time scanning the system over and over.
RAM is supposed to be used, reason why some programs when detecting lot of available RAM increase their RAM usage to gain more responsiveness and efficiency.
Having lot of RAM is only needed when you use heavy softwares (Movie/Sound/Photo editors, VMs, etc...).
Even Windows adapts its RAM usage depending on the active softwares.
WD doesn't make the system slow because it uses lot of RAM, it does because it keep real-time scanning the system over and over.
- Nov 26, 2017
- 731
Yes, I forget to mention I have a special program that uses a lot of RAM and I need it everyday.
My laptop has only 8 GB of RAM and the APU uses 1 GB, so I had to do something because sometimes my program couldn't finish the task because of the low RAM issue.
Last edited:
Similar threads
