SECURITY: Complete wat0114 security config 2021

Last updated
Jun 12, 2021
About
Personal, primary device
Additional PC users
Not shared with other users
Desktop OS
Windows 10
Linux distro
Debian Buster (10)
OS edition
Pro
Login security
    • Password-less (PIN, Biometric, Face)
    • Password (Aa-Zz, 0-9, Symbols)
Primary sign-in
Local account
Primary user
Standard user - Limited permissions
Other users
Other accounts are Admin users
Security updates
Manual - check for updates, but do not auto-install
Windows UAC
Maximum - always notify
Network firewall
ISP-issued router
Real-time protection
Windows Defender, OSArmor
Software firewall
Microsoft Defender Firewall
Custom RTP, Firewall and OS settings
-ConfigureDefender on Medium, Malwarebytes Firewall Interface for Windows Defender Firewall, several Group Policy settings enabled.
SRP - Default-deny
-Hard_Configurator_6_Beta1: Recommended Settings
-Full BitLocker encrypted system partition.
-BIOS: passworded, Memory Protection, Intel Virtualization & Intel VT-d enabled
-Hyper-V enabled
Malware testing
No malware samples
Periodic security scanners
VirusTotal
Secure DNS
Cloudflare
Quad9
VPN
None
Password manager
LastPass and Browser's built-in
Browsers, Search and Addons
Firefox latest (primary), MS Edge

-uBlockO
-CSS Exfil
-LocalCDN
Maintenance and Cleaning
Occasional system images using IFW (Image for Windows) and Disk cleanup using built-in Disk cleaner
Personal Files & Photos backup
-Separate, encrypted partition
-USB Drive
Personal backup routine
Manual (maintained by self)
Device recovery & backup
IFW (Image for Windows)
Device backup routine
Manual (maintained by self)
PC activity
  1. Browsing the web. 
  2. Browsing to unknown sites. 
  3. Emails. 
  4. Multimedia. 
  5. Streaming. 
Computer specs
Device name Lenovo-E580
Processor Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz 2.70 GHz
Installed RAM 8.00 GB (7.86 GB usable)
System type 64-bit operating system, x64-based processor
wat0114

Level 3
Apr 5, 2021
140
This is what I've come up with, even though it may be seen as overkill for a home user like myself, but I have this inexplicable obsession with securing my hardware to make it as bulletproof as possible against existing threats and future threats as well. I guess I see it as trying to solve a complex crossword puzzle, helping to exercise my brain as I'm getting on in years :p

So here is my current policy with its ridiculous, almost "extremist level" set of rules:

Enforcement: All software files, All users, Ignore certificate rules

Designated File Types: Defaults and added PS1, JSE, VBS, SCT, VBE, WSF

Security Levels: Disallowed

Additional Rules: Path Rules as follows...
Name | Type | Security Level
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% | Path | Unrestricted
C:\$WinREAgent\Scratch\*-*-*-*-*\DismCorePS.dll | Path | Unrestricted
C:\accesschk64.exe | Path | Unrestricted
C:\Intel\GfxCPLBatchFiles\{*-*-*-*-*}.bat | Path | Unrestricted
C:\Program Files | Path | Unrestricted
C:\Program Files (x86) | Path | Unrestricted
C:\ProgramData\Lenovo\ImController\* | Path | Unrestricted
C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{*}\*.dll | Path | Unrestricted
C:\ProgramData\Microsoft\Windows Defender\Platform\*\*.dll | Path | Unrestricted
C:\ProgramData\Microsoft\Windows Defender\Platform\*\*\*.dll | Path | Unrestricted
C:\ProgramData\Microsoft\Windows Defender\Platform\*\MpCmdRun.exe | Path | Unrestricted
C:\ProgramData\Microsoft\Windows Defender\Platform\*\MsMpEng.exe | Path | Unrestricted
C:\ProgramData\Microsoft\Windows Defender\Platform\*\NisSrv.exe | Path | Unrestricted
C:\ProgramData\Microsoft\Windows Defender\Scans\*.dll | Path | Unrestricted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Excel.lnk | Path | Unrestricted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PowerPoint.lnk | Path | Unrestricted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Word.lnk | Path | Unrestricted
C:\Users\Public\Desktop\DocumentsAntiExploit(x64).exe | Path | Unrestricted
C:\Users\Public\Desktop\Firefox.lnk | Path | Unrestricted
C:\Users\Public\Desktop\Google Chrome Beta.lnk | Path | Unrestricted
C:\Users\name\AppData\Local\Google\Chrome Beta\User Data\SwReporter\*\software_reporter_tool.exe | Path | Unrestricted
C:\Users\name\AppData\Local\Microsoft\OneDrive\*\*\FileSync*.dll | Path | Unrestricted
C:\Users\name\AppData\Local\Microsoft\OneDrive\*\*\qjpeg.dll | Path | Unrestricted
C:\Users\name\AppData\Local\Microsoft\OneDrive\*\*\qsvg.dll | Path | Unrestricted
C:\Users\name\AppData\Local\Microsoft\OneDrive\*\*\qwindows.dll | Path | Unrestricted
C:\Users\name\AppData\Local\Microsoft\OneDrive\*\*EAY32.dll | Path | Unrestricted
C:\Users\name\AppData\Local\Microsoft\OneDrive\*\ADAL.dll | Path | Unrestricted
C:\Users\name\AppData\Local\Microsoft\OneDrive\*\amd64\FileCoAuthLib64.dll | Path | Unrestricted
C:\Users\name\AppData\Local\Microsoft\OneDrive\*\ETWLog.dll | Path | Unrestricted
C:\Users\name\AppData\Local\Microsoft\OneDrive\*\FileCoAuth.exe | Path | Unrestricted
C:\Users\name\AppData\Local\Microsoft\OneDrive\*\FileCoAuthLib.dll | Path | Unrestricted
C:\Users\name\AppData\Local\Microsoft\OneDrive\*\FileSync*.dll | Path | Unrestricted
C:\Users\name\AppData\Local\Microsoft\OneDrive\*\FileSyncConfig.exe | Path | Unrestricted
C:\Users\name\AppData\Local\Microsoft\OneDrive\*\LoggingPlatform.dll | Path | Unrestricted
C:\Users\name\AppData\Local\Microsoft\OneDrive\*\LogUploader.dll | Path | Unrestricted
C:\Users\name\AppData\Local\Microsoft\OneDrive\*\MSVCP140.dll | Path | Unrestricted
C:\Users\name\AppData\Local\Microsoft\OneDrive\*\OneDriveTelemetryStable.dll | Path | Unrestricted
C:\Users\name\AppData\Local\Microsoft\OneDrive\*\qml\QtQuick.2\qtquick2plugin.dll | Path | Unrestricted
C:\Users\name\AppData\Local\Microsoft\OneDrive\*\qml\QtQuick\Controls.2\qtquickcontrols2plugin.dll | Path | Unrestricted
C:\Users\name\AppData\Local\Microsoft\OneDrive\*\qml\QtQuick\Layouts\qquicklayoutsplugin.dll | Path | Unrestricted
C:\Users\name\AppData\Local\Microsoft\OneDrive\*\qml\QtQuick\Templates*\qtquicktemplates2plugin.dll | Path | Unrestricted
C:\Users\name\AppData\Local\Microsoft\OneDrive\*\qml\QtQuick\Window.2\windowplugin.dll | Path | Unrestricted
C:\Users\name\AppData\Local\Microsoft\OneDrive\*\QT5*.dll | Path | Unrestricted
C:\Users\name\AppData\Local\Microsoft\OneDrive\*\RemoteAccess.dll | Path | Unrestricted
C:\Users\name\AppData\Local\Microsoft\OneDrive\*\SyncEngine.dll | Path | Unrestricted
C:\Users\name\AppData\Local\Microsoft\OneDrive\*\Telemetry.dll | Path | Unrestricted
C:\Users\name\AppData\Local\Microsoft\OneDrive\*\ucrtbase.dll | Path | Unrestricted
C:\Users\name\AppData\Local\Microsoft\OneDrive\*\UpdateRingSettings.dll | Path | Unrestricted
C:\Users\name\AppData\Local\Microsoft\OneDrive\*\VCRUNTIME140.dll | Path | Unrestricted
C:\Users\name\AppData\Local\Microsoft\OneDrive\*\WnsClient.dll | Path | Unrestricted
C:\Users\name\AppData\Local\Microsoft\OneDrive\*\WnsClientApi.dll | Path | Unrestricted
C:\Users\name\AppData\Local\Microsoft\OneDrive\OneDrive.exe | Path | Unrestricted
C:\Users\name\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe | Path | Unrestricted
C:\Users\name\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe | Path | Unrestricted
C:\Users\name\AppData\Local\Temp\*-*-*-*-*\dismhost.exe | Path | Unrestricted
C:\Users\name\AppData\Local\Temp\*-*-*-*\*.dll | Path | Unrestricted
C:\Users\name\AppData\Local\Temp\*.tmp\GoogleUpdate.exe | Path | Unrestricted
C:\Users\name\AppData\Local\Temp\*.tmp\System.dll | Path | Unrestricted
C:\Users\name\AppData\Local\Temp\__PSScriptPolicyTest_*.ps1 | Path | Unrestricted
C:\Users\name\AppData\Local\Temp\__PSScriptPolicyTest_*.psm1 | Path | Unrestricted
C:\Users\name\AppData\Local\Temp\n*.tmp\nsRandom.dll | Path | Unrestricted
C:\Users\name\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Firefox.lnk | Path | Unrestricted
C:\Users\name\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Firefox.lnk | Path | Unrestricted
C:\Users\name\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome Beta.lnk | Path | Unrestricted
C:\Users\name\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk | Path | Unrestricted
C:\Users\name\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\OneDrive.lnk | Path | Unrestricted
C:\Users\name\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk | Path | Unrestricted
C:\Users\name\AppData\Roaming\Mozilla\Firefox\Profiles\*.default-release\gmp-widevinecdm\*\widevinecdm.dll | Path | Unrestricted
C:\Users\name\Desktop\accesschk.bat | Path | Unrestricted
C:\Users\name\Desktop\Autoruns64.exe | Path | Unrestricted
C:\Users\name\Desktop\Command Prompt.lnk | Path | Unrestricted
C:\Users\name\Desktop\ConfigureDefender.exe - Shortcut.lnk | Path | Unrestricted
C:\Users\name\Desktop\Event Viewer.lnk | Path | Unrestricted
C:\Users\name\Desktop\gpedit - Shortcut.lnk | Path | Unrestricted
C:\Users\name\Desktop\Lock-R.bat | Path | Unrestricted
C:\Users\name\Desktop\procexp64 - Shortcut.lnk | Path | Unrestricted
C:\Users\name\Desktop\SRPLogs.txt - Shortcut.lnk | Path | Unrestricted
C:\Users\name\Downloads\ConfigureDefender-master\ConfigureDefender-master | Path | Unrestricted
C:\Users\name\Downloads\CR_*.tmp\setup.exe | Path | Unrestricted
C:\Users\name\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Outlook.lnk | Path | Unrestricted
C:\Users\name\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Command Prompt.lnk | Path | Unrestricted
C:\Users\name\Desktop\Microsoft Update sever IP addresses-WFC.txt - Shortcut.lnk | Path | Unrestricted
C:\Users\name\Desktop\powershell.bat | Path | Unrestricted
C:\Users\name\Desktop\SRPLogs delete.bat | Path | Unrestricted
C:\Windows\*.dll | Path | Unrestricted
C:\Windows\*.exe | Path | Unrestricted
C:\WINDOWS\assembly\NativeImages_*\* | Path | Unrestricted
C:\Windows\CbsTemp | Path | Disallowed
C:\WINDOWS\Lenovo\ImController\Service\Lenovo.Modern.ImController.exe | Path | Unrestricted
C:\WINDOWS\Microsoft.Net\assembly\GAC_64\CustomMarshalers\*\*.dll | Path | Unrestricted
C:\WINDOWS\Microsoft.Net\assembly\GAC_64\System.Transactions\*\*.*.dll | Path | Unrestricted
C:\Windows\Microsoft.NET\Framework\*\*.dll | Path | Unrestricted
C:\Windows\Microsoft.NET\Framework\*\mscoreei.dll | Path | Unrestricted
C:\Windows\Microsoft.NET\Framework64\*\* | Path | Unrestricted
C:\Windows\Panther | Path | Disallowed
C:\Windows\Registration | Path | Unrestricted
C:\Windows\Sys*\FxsTmp | Path | Disallowed
C:\Windows\Sys*\Tasks\Microsoft\Windows\PLA\System | Path | Disallowed
C:\Windows\system32\*.dll | Path | Unrestricted
C:\Windows\system32\*.exe | Path | Unrestricted
C:\WINDOWS\SYSTEM32\CRYPTSP.dll | Path | Unrestricted
c:\windows\system32\drivers\umdf\*.dll | Path | Unrestricted
C:\WINDOWS\System32\DriverStore\FileRepository\* | Path | Unrestricted
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys | Path | Disallowed
c:\Windows\System32\spool | Path | Disallowed
C:\Windows\System32\spool\drivers\* | Path | Unrestricted
C:\WINDOWS\system32\spool\PRTPROCS\x64\us008pc.dll | Path | Unrestricted
C:\WINDOWS\system32\spool\PRTPROCS\x64\winprint.dll | Path | Unrestricted
C:\WINDOWS\system32\wbem\*.dll | Path | Unrestricted
C:\WINDOWS\system32\wbem\*.exe | Path | Unrestricted
C:\WINDOWS\SYSTEM32\wbemcomn.dll | Path | Unrestricted
C:\WINDOWS\SysWOW64\*.exe | Path | Unrestricted
C:\Windows\SysWOW64\com\*.dll | Path | Unrestricted
C:\Windows\SysWOW64\com\*.exe | Path | Unrestricted
C:\WINDOWS\SysWOW64\Lenovo\PowerMgr\*.exe | Path | Unrestricted
C:\Windows\Temp | Path | Disallowed
C:\WINDOWS\Temp\*-*-*-*-*\mpengine.dll | Path | Unrestricted
C:\WINDOWS\TEMP\*-*-*-*-*\MpUpdate.dll | Path | Unrestricted
C:\WINDOWS\Temp\*-*-*-*\mpgear.dll | Path | Unrestricted
C:\WINDOWS\Temp\*\*\ConfigureDefender_x64.exe | Path | Unrestricted
C:\WINDOWS\TEMP\__PSScriptPolicyTest_*.*.ps1 | Path | Unrestricted
C:\WINDOWS\TEMP\nsi????.tmp\System.dll | Path | Unrestricted
C:\Windows\tracing | Path | Disallowed
C:\WINDOWS\WinSxS\* | Path | Unrestricted
C:\$WinREAgent\Scratch\*-*-*-*-*\dismprov.dll | Path | Unrestricted

 

wat0114
I can't seem to get the spoiler code to work properly on the list of rules :( Otherwise that is it so far.

There are some rules under the system folder I had to create for some DLLs because they were being blocked for some reason, so those are the anomalies. The rules under the Temp folder are tricky, because I obviously don't want anything too permissive, so I went with common patterns I was seeing in the advanced logs, such as for example: C:\WINDOWS\Temp\*-*-*-*\mpgear.dll. I could have gone more restrictive with: C:\WINDOWS\Temp\????????-????-????-????????????\mpgear.dll, but I chose not to.
 

Andy Ful

Level 72
Verified
Trusted
Content Creator
Dec 23, 2014
6,145
Remove these rules:

C:\Users\name\AppData\Local\Temp\__PSScriptPolicyTest_*.ps1 | Path | Unrestricted
C:\Users\name\AppData\Local\Temp\__PSScriptPolicyTest_*.psm1 | Path | Unrestricted

By applying them you disabled the most important PowerShell security = Constrained Language Mode.(y)
 
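Why that pair of rules matters, as an added example that is not part of the thread: the script below is a small model of how SRP picks the winning path rule, written for this page; it is not the real SRP (Safer) engine and not Hard_Configurator code. PowerShell decides its language mode by asking the policy whether a throw-away script named __PSScriptPolicyTest_<random>.ps1 in the user's Temp folder would be allowed to run; if it would, PowerShell starts in FullLanguage, otherwise in ConstrainedLanguage. The model's assumptions are mine, not from the thread: '*' and '?' match within a single path component, a rule that names a folder also covers everything below it, and the winning rule is the most specific one in the order Microsoft documents for path rules (exact file name, then wildcard file name, then deeper folder before shallower). The rule set is a hand-picked subset of the policy above; the user name "name", the GUID folder and the probe file name are placeholders.

```powershell
# Added example for this page: a toy model of SRP path-rule selection, NOT the real
# Safer engine or Hard_Configurator code. Assumptions (mine, not from the thread):
#   - '*' and '?' match within one path component;
#   - a rule that names a folder also covers everything below it;
#   - precedence follows Microsoft's documented order for path rules:
#     exact file name > wildcard file name > deeper folder > shallower folder.

$DefaultLevel = 'Disallowed'          # "Security Levels: Disallowed" in the policy above

function Expand-SrpRule([string]$Rule) {
    # The policy's one registry path rule resolves to the Windows folder
    $Rule -replace '^%HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRoot%', 'C:\Windows'
}

function ConvertTo-SrpRegex([string]$Rule) {
    # Anchored regex (-match is case-insensitive); wildcards stop at backslashes
    $escaped = [regex]::Escape((Expand-SrpRule $Rule).TrimEnd('\'))
    $escaped = $escaped -replace '\\\*', '[^\\]*' -replace '\\\?', '[^\\]'
    '^' + $escaped + '$'
}

function Test-SrpRuleMatch([string]$Rule, [string]$Path) {
    $regex = ConvertTo-SrpRegex $Rule
    $candidate = $Path
    while (-not [string]::IsNullOrEmpty($candidate)) {
        if ($candidate -match $regex) { return $true }     # the file itself, then each parent folder
        $candidate = [System.IO.Path]::GetDirectoryName($candidate)
    }
    return $false
}

function Get-SrpRuleRank([string]$Rule) {
    $parts = (Expand-SrpRule $Rule).TrimEnd('\') -split '\\'
    $last  = $parts[-1]
    $namesFile = ($last -ne '*') -and ($last -like '*.*')   # "*.dll", "MsMpEng.exe"; not "WinSxS\*"
    $exact     = -not ($Rule -match '[*?]')
    # Higher rank wins: file rules over folder rules, exact file over wildcard file,
    # and among rules of the same kind the deeper path
    $rank = $parts.Count
    if ($namesFile) { $rank += 1000; if ($exact) { $rank += 100 } }
    return $rank
}

function Resolve-SrpLevel([hashtable]$Rules, [string]$Path) {
    $winner = $null; $best = -1
    foreach ($rule in $Rules.Keys) {
        if (-not (Test-SrpRuleMatch $rule $Path)) { continue }
        $rank = Get-SrpRuleRank $rule
        if ($rank -gt $best) { $best = $rank; $winner = $rule }
    }
    if ($null -eq $winner) {
        return [pscustomobject]@{ Path = $Path; Level = $DefaultLevel; Rule = '(no rule matched: default level)' }
    }
    [pscustomobject]@{ Path = $Path; Level = $Rules[$winner]; Rule = $winner }
}

function Get-ModeledLanguageMode([hashtable]$Rules, [string]$TempDir) {
    # PowerShell checks whether a throw-away __PSScriptPolicyTest_*.ps1 in %TEMP% would be
    # allowed to run; if it would, it starts in FullLanguage instead of ConstrainedLanguage.
    $probe = Join-Path $TempDir '__PSScriptPolicyTest_abcdefgh.ijk.ps1'   # placeholder random name
    if ((Resolve-SrpLevel $Rules $probe).Level -eq 'Unrestricted') { 'FullLanguage' } else { 'ConstrainedLanguage' }
}

# Hand-picked subset of the policy above; "name" and the GUID folder are placeholders
$rules = @{
    'C:\Program Files'                                            = 'Unrestricted'
    'C:\Windows\Temp'                                             = 'Disallowed'
    'C:\WINDOWS\Temp\*-*-*-*-*\mpengine.dll'                      = 'Unrestricted'
    'C:\Users\name\AppData\Local\Temp\__PSScriptPolicyTest_*.ps1' = 'Unrestricted'
}
$temp = 'C:\Users\name\AppData\Local\Temp'

@(
    'C:\Program Files\Mozilla Firefox\firefox.exe',
    'C:\Windows\Temp\A1B2C3D4-1111-2222-3333-444455556666\mpengine.dll',
    'C:\Windows\Temp\dropper.exe',
    'C:\Users\name\Downloads\invoice.js'
) | ForEach-Object { Resolve-SrpLevel $rules $_ } | Format-Table -AutoSize

'With the __PSScriptPolicyTest rule:    ' + (Get-ModeledLanguageMode $rules $temp)
$rules.Remove('C:\Users\name\AppData\Local\Temp\__PSScriptPolicyTest_*.ps1')
'After removing it (as Andy suggests): ' + (Get-ModeledLanguageMode $rules $temp)
```

The table shows the two things the policy relies on: the folder rule for C:\Windows\Temp keeps an arbitrary dropper Disallowed, while the more specific mpengine.dll file rule still lets Defender's engine load from its GUID subfolder. The last two lines show the point of Andy's remark: while the __PSScriptPolicyTest rule is present the probe resolves to Unrestricted, so the model reports FullLanguage; once it is removed nothing matches the probe, the default Disallowed level applies and the model reports ConstrainedLanguage. The check that matters on the real machine is $ExecutionContext.SessionState.LanguageMode in a non-elevated console, which should print ConstrainedLanguage when SRP is doing its job.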

Thales

Level 12
Nov 26, 2017
576
Remove these rules:

C:\Users\name\AppData\Local\Temp\__PSScriptPolicyTest_*.ps1 | Path | Unrestricted
C:\Users\name\AppData\Local\Temp\__PSScriptPolicyTest_*.psm1 | Path | Unrestricted

By applying them you disabled the most important PowerShell security = Constrained Language Mode.(y)
Wait! Is it secure to use this in SysHardener? Or did OP give unrestricted rules?
 

wat0114
Remove these rules:

C:\Users\name\AppData\Local\Temp\__PSScriptPolicyTest_*.ps1 | Path | Unrestricted
C:\Users\name\AppData\Local\Temp\__PSScriptPolicyTest_*.psm1 | Path | Unrestricted

By applying them you disabled the most important PowerShell security = Constrained Language Mode.(y)
Thanks Andy, I had those rules from a policy I created a few years back, thinking they were needed. I should mention, I substituted my user name with "name".

Do you check your permissions in whitelisted locations only by searching permissions for built-in user groups (Users, Authenticated Users, Everyone...) or your specific username also?
I just used accesschk to search for them, so I think it checks for all users. Hopefully I haven't missed any directories that users can write to. This is a work in progress so if there's room for improvement I'll make the necessary changes.
 

Andy Ful
Wait! is it secure to use this in syshardener? or OP gave unrestricted rules?
These policies are not related to SRP. They also do not support whitelisting. The first two rules have to be used together because the first can be easily bypassed without the second. The last is not required on a freshly installed Windows 10 (PowerShell 2.0 is disabled by default).
 

Minimalist

Level 6
Oct 2, 2020
288
I just used accesschk to search for them, so I think it checks for all users. Hopefully I haven't missed any directories that users can write to. This is a work in progress so if there's room for improvement I'll make the necessary changes.
When I've used SRP I used icacls.exe to check if there were any locations where my specific username was given the right to write.
I've used this command to store a list of items in txt file, which I later examined:
icacls c: /findsid Username /t /c /q >>d:\icacls.txt
If I remember correctly there were some folders in Program Files that did not have rights set for user groups but did so for my username. Of course I blocked them.
 

Minimalist
If I click on that folder, I'm prompted for credentials
Maybe because I'm admin on my system and that folder is protected from access by SUAs?

One can use this:
Code:
Icacls "c:\Program Files" /findsid WhoAmI /T /C >> d:\icacls.txt

WhoAmI in this CmdLine is the user - you can find it by using the whoami command in the CMD console.
For me it doesn't work as a substitute for the actual username. I know it returns the username if used separately.
Here is what I get: "No files with a matching SID was found"
 

Andy Ful
I reran that command and found this folder on my system:

There might be more...
Normally only the first and last entries are present.

For me it doesn't work as a substitute for actual username? I know it returns username if used separately.
Here is what I get: "No files with a matching SID was found"
Did you use the whoami command in the cmd console to obtain the user (WhoAmI)? For example in my case after using whoami command I can obtain (not a real user) WhoAmI = desktop-ajxyzd7\username. So the command is:
Icacls "c:\Program Files" /findsid desktop-ajxyzd7\username /T /C >> d:\icacls.txt
 

wat0114
Maybe because I'm admin on my system and that folder is protected from access by SUAs?
Okay, I checked again and found that I could write a file into it. Thanks for pointing that out. I have run accesschk64 from within the root directory and ported the results to a text file with the following strings:

accesschk64 -w -s -q -u Users "C:\Program Files"
accesschk64 -w -s -q -u Users "C:\Program Files (x86)"
accesschk64 -w -s -q -u Users "C:\Windows"
accesschk64 -w -s -q -u Everyone "C:\Program Files"
accesschk64 -w -s -q -u Everyone "C:\Program Files (x86)"
accesschk64 -w -s -q -u Everyone "C:\Windows"
accesschk64 -w -s -q -u "Authenticated Users" "C:\Program Files"
accesschk64 -w -s -q -u "Authenticated Users" "C:\Program Files (x86)"
accesschk64 -w -s -q -u "Authenticated Users" "C:\Windows"
accesschk64 -w -s -q -u Interactive "C:\Program Files"
accesschk64 -w -s -q -u Interactive "C:\Program Files (x86)"
accesschk64 -w -s -q -u Interactive "C:\Windows"

I am going over the results carefully and will modify the SRP policy as necessary.
 

Andy Ful
Microsoft states the PSScriptPolicyTest scripts are merely to verify that AppLocker is running.
Yes. But if this test fails (the script can be run), then SRP and AppLocker do not use Constrained Language Mode for PowerShell.
Also, every check of HC I have seen PS language mode is set to Full Language mode.
The H_C uses SRP only for processes running with standard rights. So Constrained Language Mode works in this case only for non-elevated PowerShell. When PowerShell is running with high privileges it uses Full Language Mode.

Okay I checked again and found that I could write a file into it. Thanks for pointing that out. I have run accesschk64 from withing the root directory, and ported the results to a text file with the following strings:

accesschk64 -w -s -q -u Users "C:\Program Files"
accesschk64 -w -s -q -u Users "C:\Program Files (x86)"
accesschk64 -w -s -q -u Users "C:\Windows"
accesschk64 -w -s -q -u Everyone "C:\Program Files"
accesschk64 -w -s -q -u Everyone "C:\Program Files (x86)"
accesschk64 -w -s -q -u Everyone "C:\Windows"
accesschk64 -w -s -q -u "Authenticated Users" "C:\Program Files"
accesschk64 -w -s -q -u "Authenticated Users" "C:\Program Files (x86)"
accesschk64 -w -s -q -u "Authenticated Users" "C:\Windows"
accesschk64 -w -s -q -u Interactive "C:\Program Files"
accesschk64 -w -s -q -u Interactive "C:\Program Files (x86)"
accesschk64 -w -s -q -u Interactive "C:\Windows"

I am going over the results carefully and will modify the SRP policy as necessary.

I think that you should also try this with non-elevated PowerShell:

Code:
$whoami = whoami
Icacls "c:\Windows" /findsid $whoami /T /C >> d:\icacls.txt
Icacls "c:\Program Files (x86)" /findsid $whoami /T /C >> d:\icacls.txt
Icacls "c:\Program Files" /findsid $whoami /T /C >> d:\icacls.txt
 
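The accesschk and icacls commands above each answer one question at a time (one principal, one root). As an added example that is not the thread's own code: the function below, written for this page, walks the whitelisted roots, reads each folder's ACL and reports those where any SID in the current token (the user's own SID plus every group the token carries, which is how Users, Authenticated Users, Everyone and Interactive all get covered in one pass) is allowed to create files or folders, and can prove it by writing and deleting a probe file. Run it from a non-elevated PowerShell so the token is the standard user's. The write-right test, the conservative handling of Deny entries, the access-mask bit values and the srpcheck_ probe name are my choices and assumptions, not anything from the thread.

```powershell
# Added example for this page, not code from the thread or from any tool it names.
# Lists folders under the SRP-whitelisted roots in which the CURRENT token may
# create files or folders. Run from a NON-elevated PowerShell so the token is the
# standard user's. The token's SIDs cover the user plus every group membership
# (Users, Authenticated Users, Everyone, Interactive, ...), so one pass replaces
# a separate accesschk/icacls run per principal.

function Get-TokenSids {
    # User SID followed by all enabled group SIDs of the current token
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    return @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
}

function Test-WriteRight([System.Security.AccessControl.FileSystemRights]$Rights) {
    # CreateFiles (WriteData, 0x2) or CreateDirectories (AppendData, 0x4) is enough to
    # drop a payload. Some ACEs carry generic bits instead; GENERIC_WRITE (0x40000000)
    # and GENERIC_ALL (0x10000000) are treated the same (bit values assumed from the
    # Win32 access-mask layout).
    $mask = [int]$Rights
    return (($mask -band 0x6) -ne 0) -or (($mask -band 0x40000000) -ne 0) -or (($mask -band 0x10000000) -ne 0)
}

function Find-UserWritableFolders {
    param(
        [string[]]$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot),
        [switch]$Verify    # also try to create and delete a probe file in each hit
    )
    $tokenSids   = Get-TokenSids
    $sidType     = [System.Security.Principal.SecurityIdentifier]
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    $allowType   = [System.Security.AccessControl.AccessControlType]::Allow

    foreach ($root in $Roots) {
        if ([string]::IsNullOrEmpty($root)) { continue }
        $dirs = @(Get-Item -LiteralPath $root -ErrorAction SilentlyContinue) +
                @(Get-ChildItem -LiteralPath $root -Directory -Recurse -Force -ErrorAction SilentlyContinue) |
                Where-Object { $null -ne $_ }
        foreach ($dir in $dirs) {
            try { $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop } catch { continue }
            $allowedBy = @(); $denied = $false
            foreach ($ace in $acl.Access) {
                # An inherit-only ACE governs children, not this folder itself
                if (($ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }
                try { $sid = $ace.IdentityReference.Translate($sidType).Value } catch { continue }
                if ($tokenSids -notcontains $sid) { continue }
                if (-not (Test-WriteRight $ace.FileSystemRights)) { continue }
                if ($ace.AccessControlType -eq $allowType) {
                    $allowedBy += $ace.IdentityReference.Value
                } else {
                    # Conservative: any matching Deny of a write bit hides the folder;
                    # -Verify gives the ground truth for such cases
                    $denied = $true
                }
            }
            if ($allowedBy.Count -eq 0 -or $denied) { continue }
            $verified = $null
            if ($Verify) {
                $probe = Join-Path $dir.FullName ('srpcheck_{0}.tmp' -f [guid]::NewGuid())
                try {
                    [System.IO.File]::WriteAllText($probe, '')
                    Remove-Item -LiteralPath $probe -Force
                    $verified = $true
                } catch { $verified = $false }
            }
            [pscustomobject]@{
                Path      = $dir.FullName
                GrantedTo = ($allowedBy | Sort-Object -Unique) -join ', '
                Verified  = $verified
            }
        }
    }
}

# Usage: list the hits, and keep the output for the policy review
Find-UserWritableFolders -Verify | Format-Table -AutoSize
```

Pipe the call to Out-File to keep the list. Each folder it reports is a candidate for a Disallowed path rule of the kind the policy above already has for C:\Windows\Temp and C:\Windows\System32\spool. The -Verify switch is the ground truth: reading an ACL is an approximation (owner rights, Deny ordering and generic bits are only partly modelled here), while an actual file create either succeeds or it does not, which is exactly the test that caught the spool folder earlier in the thread.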

Minimalist
Did you use the whoami command in the cmd console to obtain the user (WhoAmI)? For example in my case after using whoami command I can obtain (not a real user) WhoAmI = desktop-ajxyzd7\username. So the command is:
Icacls "c:\Program Files" /findsid desktop-ajxyzd7\username /T /C >> d:\icacls.txt
No, I copy-pasted your code from post #13. I knew about the whoami command but thought that it could be used as a replacement for the username.
 
