What i like on Windows SRP is it allows global enforcements (on privileges, account type, DLLs, etc...) while in Applocker it is rules-based (hence more granular even if SRP can do the same in a lesser extent)Ad 4: H_C has all the functionality of managing SRP rules like secpol or gpedit. All Windows versions have SRP build-in (but in Home version you normally can't manage them, but thanks to Andy Ful's H_C it is possible) H_C is easier to use than Microsoft secpol/gpedit.
AppLocker rules take precedence over SRP rules, so you are a real Umbra--San to use them both(link to Microsoft explaining it)
Using OS_Armor and Hard_Configurator together
- Thread starter Lenny_Fox
- Start date
- Dec 23, 2014
- 8,511
That is right. The "H_C Recommended Settings" setup is just like any other H_C setting profile. These profiles were made by me, because many users who tweak Windows and use SRP do not do it optimally and have false confidence of security. The most common security issue is allowing shortcuts in SRP - users do it because it is not easy to protect shortcuts in a convenient and secure way. The shortcuts open a wide road to fileless attacks and its impossible to block all possibilities by Applocker, Application Control, or OSA.
Unfortunately, H_C cannot activate all functionalities of Windows Enterprise editions. For example, H_C cannot configure/apply Applocker (it is not possible on Windows Home). The Application Control can be applied on Windows Home, but cannot be configured on Windows Home. Anyway, all options available in H_C (including Windows built-in SRP, ConfigureDefender, and FirewallHardening) can be activated.
- Dec 23, 2014
- 8,511
When we compare @Lenny_Linux H_C & OSA setup with SRP & Applocker setup, then they seem to be very similar. Both have similar pros and cons for the home users, except that Applocker is more compatible with Windows and it is much better documented. On the other side, Applocker can be applied for free only on Windows Enterprise. Both are very configurable but can be managed only by advanced users.
I have seen SRP & Applocker setups (+ Application Control) used by security experts in enterprises.
I have seen SRP & Applocker setups (+ Application Control) used by security experts in enterprises.
Last edited:
- Oct 1, 2019
- 1,120
One thing to note: Andreas from NVT seems to appear and disappear on security forums. In the silent periods the software also seems to receive no updates, so when you encounter a problem after a Windows update, the only solution might be de-installing OS_armor.
- Dec 23, 2014
- 8,511
That is the price of using 3rd party security. It is also possible, that one of the major Windows Updates will disable OSA driver (that happened for some AVs).
Is your girlfriend a happy clicker? If so, then it would be better to disable in OSA the possibility of whitelisting the processes via the button in the blocking alert. Such an easy way of whitelisting is useful for semi-advanced users, but it can be also an easy way to infect the system.
Is your girlfriend a happy clicker? If so, then it would be better to disable in OSA the possibility of whitelisting the processes via the button in the blocking alert. Such an easy way of whitelisting is useful for semi-advanced users, but it can be also an easy way to infect the system.
Last edited:
- Oct 1, 2019
- 1,120
On my dual os (Linux and Window10) I also run as SUA (not Admin anymore) on my windows 10. I will have a look at that Windows_10_NoElevationSUA_Enhanced profile thanks. (@Andy Ful)
On that old laptop I only run H_C as security and some WD exploit Protection tweaks). I wished I could disable the Windows Defender Antivirus (I tried but re-enables itsel).
(@Andy Ful)On that old laptop I only run H_C as security and some WD exploit Protection tweaks). I wished I could disable the Windows Defender Antivirus (I tried but re-enables itsel).
- Dec 23, 2014
- 8,511
Did you try to disable Tamper Protection and next disable WD by the policy tweak?On my dual os (Linux and Window10) I also run as SUA (not Admin anymore) on my windows 10. I will have a look at that Windows_10_NoElevationSUA_Enhanced profile thanks.
On that old laptop I only run H_C as security and some WD exploit Protection tweaks). I wished I could disable the Windows Defender Antivirus (I tried but re-enables itsel).
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001
After restarting Windows, you should get WD turned off.
Last edited:
- Dec 23, 2014
- 8,511
Here is a list of web browsers and some good applications from Microsoft Store, which will work and auto-update on Windows_10_NoElevationSUA_Enhanced profile:
Web browsers:
Microsoft Edge (Windows built-in)
Microsoft Edge Dev (Chromium based)
Firefox
Brave
Applications from Microsoft Store:
Office document viewer:
Microsoft (Excel, Word, PowerPoint) Mobile (AppContainer)
Office document editors (all do not use AppContainer):
Neat Office (based on Libre Office)
Office Online (web browser extension for Edge & Chrome)
Ultra Office from CompuClever (based on Libre Office)
WPS Office 2019 for Microsoft Store
PDF viewers (all use Appcontainer):
Adobe Reader Touch
Foxit MobilePDF
PDF Viewer Plus, from GSnathan
PDF Reader from Kdan Mobile
Perfect PDF Reader, from soft Xpansion
Xodo PDF Reader & Editor (very fast with big documents)
Other applications from Microsoft Store:
Adobe Photoshop Express (APPContainer)
Foobar2000 Mobile (APPContainer)
MusicBee for Microsoft Store (not in APPContainer)
Microsoft Whiteboard (APPContainer)
Microsoft To-Do (APPContainer)
Microsoft OneNote (APPContainer)
Spotify for Microsoft Store (not in APPContainer)
VLC for Microsoft Store (APPContainer)
Wunderlist (APPContainer)
Web browsers:
Microsoft Edge (Windows built-in)
Microsoft Edge Dev (Chromium based)
Firefox
Brave
Applications from Microsoft Store:
Office document viewer:
Microsoft (Excel, Word, PowerPoint) Mobile (AppContainer)
Office document editors (all do not use AppContainer):
Neat Office (based on Libre Office)
Office Online (web browser extension for Edge & Chrome)
Ultra Office from CompuClever (based on Libre Office)
WPS Office 2019 for Microsoft Store
PDF viewers (all use Appcontainer):
Adobe Reader Touch
Foxit MobilePDF
PDF Viewer Plus, from GSnathan
PDF Reader from Kdan Mobile
Perfect PDF Reader, from soft Xpansion
Xodo PDF Reader & Editor (very fast with big documents)
Other applications from Microsoft Store:
Adobe Photoshop Express (APPContainer)
Foobar2000 Mobile (APPContainer)
MusicBee for Microsoft Store (not in APPContainer)
Microsoft Whiteboard (APPContainer)
Microsoft To-Do (APPContainer)
Microsoft OneNote (APPContainer)
Spotify for Microsoft Store (not in APPContainer)
VLC for Microsoft Store (APPContainer)
Wunderlist (APPContainer)
- Jun 23, 2018
- 441
I've been having some bizarre networking problems the last 2 mo. using only Windows Firewall and OSA on 1903. Considering that OSA isn't being updated and has poor documentation, I've decided to uninstall it and use H_C w/ recommended settings instead. I don't yet know if OSA had anything to do with the networking problem, but so far I'm liking H_C.
- Dec 23, 2014
- 8,511
I did not find a good & free alternative to MS Office which supports AppContainer.
The non-mobile version of Foobar2000 does not support AppContainer, "Groove Music" does.
I did not test the Chromium Edge and non-mobile versions of MS Office. It can be easily tested by using Sysinternals Process Explorer or a similar tool.
The "Necessary" can be a very personal decision.
Similar threads
