Use Windows 10 build-in (anti)execution options

[Windows_Security]

Indeed, when blocking child processes in powershell.exe, its execution will fail with an error. But, not in the case of powershell_ise.exe. So probably, the error for powershell.exe is a bug, that can be corrected by Microsoft in the future.

I like powershell_ise with its commandlets, context sensitive help and syntax highlighting.

 

[Andy Ful]

I like powershell_ise with its commandlets, context sensitive help and syntax highlighting.

Criminals do like cakes too. But, you are well protected.

 

[oldschool]

@Windows_Security

My Windows 10 Security using internal mechanisms only

1. Andy's Configure (Windows) Defender (to easily enable Attack Surface Reduction, Smartscreen and other stuff)
2. Andy's Hard Configurator to block execution of removable disks and run as basic user (allow run as admin)
3. Andreas' NVT (Windows) SysHardener (to disable all the home user obsolete stuff and set UAC to deny elevation of unsigned)
4. Eenabled Windows Defender protected folders feature for Ransonware protection
5. Allow user to only install apps from store
6. Added a few extra WD Anti Exploit Protection settings (e.g. Edge, Office2013 and Powershell)
7. Added a Deny Execute Access Control List for internet facing folders and User startup folders (last one also with deny create/write)
8. Removed basic user rights from HKCU startup entries with regedit
9. Added MalwareBytes extension for Chrome with some about:flags hardening and Adguard to Edge (with optimized filters and browser security enabled), using Norton Safebrowsing as DNS (set in hardware properties of wireless card)
10. Added user programs (in AppData) and startup folders to protected folders list to effectively set them in whitelist mode (thx @Andy Ful for the TIP) and close Basic User holes

So IMO opinion on Windows 10 Home edition security is a non-issue thanks to this forum (to use ideas), Andy and Andreas

P.S. maybe Andy could add 7 and 8 to Hard Configrator (with seperate option to set ACL deny execute file/traverse on download folders, becauise that is the only one with functional impact.) Setting this ACL on public folders or User/Appdata/Temp temporaray Internet folders, etc. has zero functional impact). So many hurdles and tripwires for malware makes me smile and security a non-issue.

@Windows_Security & @Andy Ful - would either/both of you please expand/explain:

#4. Do you mean CFA?
#5 I don't see/cannot find this feature in Apps & Features on my Windows 10 Home 1803
#6. Provide tips please.
#10. I understand the concept, which is simple & elegant, but not sure exactly how to do this. Advise tips.

Thank you in advance for you patience with my Level 1 questions!

Edit: I found the answer to #10 in post #s 57 & 58 but could still use advice for the rest. Maybe I'm an actual Level 2 now?

 

[Andy Ful]

@Windows_Security


@Windows_Security & @Andy Ful - would either/both of you please expand/explain:

#4. Do you mean CFA?
#5 I don't see/cannot find this feature in Apps & Features on my Windows 10 Home 1803
#6. Provide tips please.
#10. I understand the concept, which is simple & elegant, but not sure exactly how to do this. Advise tips.

Thank you in advance for you patience with my Level 1 questions!

Edit: I found the answer to #10 in post #s 57 & 58 but could still use advice for the rest. Maybe I'm an actual Level 2 now?

#4. Ransomware protection is the new name of CFA in Windows 10 ver. 1803
#5. Use Admin account.
#6. Windows 10 - Use Windows 10 build-in (anti)execution options

I do not recommend you using SysHardener, until you will master H_C. Many SysHardener settings can do the same as H_C but in a different way, so if you will disable them in H_C, they will be still enabled by SysHardener, and in many cases, you will not know what to do. Also, SysHardener blocks are silent and there is no LOG to check what was blocked. SysHardener has not the 'back to Windows defaults' feature, so you have to know very well Windows to do it. The 'back to Windows defaults' feature is important because from time to time something goes wrong with Windows on non-default settings (usually one specific broken Windows Update).
Setting UAC to deny elevation of unsigned will prevent using 'Run As SmartSreen' which is the important feature of the default-deny H_C setup. @Windows_Security uses 'deny elevation of unsigned' + 'Run as administrator' for many years - this a good replacement for 'Run As SmartScreen' for the advanced and cautious users who know the limitations of SmartScreen.
Please, bear in mind that H_C setup is too restrictive for many people, and @Windows_Security setup adds many additional restrictions. Please, do not try to be the master of restrictions from the beginning. The masters like @Windows_Security are doing this for many years.
My advice would be - the restrictions should be applied in accordance with the growing knowledge.

 

[oldschool]

@Andy Ful - OK, got it!

 

[Andy Ful]

I would like to recommend everyone the caution with applying restrictions & hardening to Windows OS. There were many lovers of the restricted setup who stopped loving it just after the first broken Windows Update or other problems which they could not resolve (see knowledge). The Windows Updates are created in hurry and are not well tested on non-default setups.:emoji_pray:
Windows restrictions & hardening resembles me the Hatha yoga asanas and knowledge can be compared to the Hatha yoga breathing. Keep them in balance and be patient, then they will help you to be healthy.
It is good to have a simple restricted setup that you understand well, which does not harm your habits and the system, and which can be easily reverted to Windows defaults (if required). Next, you can experiment with some more restrictions & hardening, and safely go back if the experiment fails. Never apply the restriction when you do not know how to safely revert it.

 

[oldschool]

I just love your analogies! :notworthy:

 

[shmu26]

I would like to recommend everyone the caution with applying restrictions & hardening to Windows OS. There were many lovers of the restricted setup who stopped loving it just after the first broken Windows Update or other problems which they could not resolve (see knowledge). The Windows Updates are created in hurry and are not well tested on non-default setups.:emoji_pray:
Windows restrictions & hardening resembles me the Hathajoga asanas and knowledge can be compared to the Hathajoga breathing. Keep them in balance and be patient, then they will help you to be healthy.
It is good to have a simple restricted setup that you understand well, which does not harm your habits and the system, and which can be easily reverted to Windows defaults (if required). Next, you can experiment with some more restrictions & hardening, and safely go back if the experiment fails. Never apply the restriction when you do not know how to safely revert it.

Security yoga . lol.

 

[Windows_Security]

I would like to recommend everyone the caution with applying restrictions & hardening to Windows OS. It is good to have a simple restricted setup that you understand well, which does not harm your habits and the system, and which can be easily reverted to Windows defaults (if required).

Sound advice

 

[Syafiq]

SysHardener has not the 'back to Windows defaults' feature

Yes, but I think you can use the import/export settings feature, right?

 

[oldschool]

Yes, but I think you can use the import/export settings feature, right?

Incorrect. You can restore Windows defaults. I haven't used it in a while, but there is a way via the GUI. It's not import/export settings feature, as far as I know.

Edit: there is a "restore default" option. So it will restore all checked options to Windows defaults. If you're not sure what you checked, you may use "Select all" (in Tweaks)>Restore defaults = presto, you now have OS default values after reboot.

 

[Syafiq]

Incorrect. You can restore Windows defaults. I haven't used it in a while, but there is a way via the GUI. It's not import/export settings feature, as far as I know.

Edit: there is a "restore default" option. So it will restore all checked options to Windows defaults. If you're not sure what you checked, you may use "Select all" (in Tweaks)>Restore defaults = presto, you now have OS default values after reboot.

Oh, I forgot that there is a Restore feature, Did you mean this?

 

[oldschool]

Oh, I forgot that there is a Restore feature, Did you mean this?View attachment 223912

Yes! Oh, I should have written Select All>Restore selected = done!

 

[DeepWeb]

OS Armor and SysHardener are amazing tools and I wish I discovered them earlier. But that memo came too late for me. I already did all the hardening through Group Policy and I am not in the mood to revert it. But if I set up a new computer I would absolutely use the tools NVT has provided to us. Like others have said, backup backup backup if you go into Group Policy. There are some policy configurations that can literally lock you out from Windows such as Early Launch Antimalware which can refuse to boot Windows unless every driver is signed and trusted.