Advanced Plus Security wat0114 security config 2021

Last updated
Jun 12, 2021
How it's used?
For home and private use
Operating system
Windows 11
Other operating system
MX-21
On-device encryption
Log-in security
    • Biometrics (Windows Hello PIN, TouchID, Face, Iris, Fingerprint)
Security updates
Check for updates and Notify
User Access Control
Always notify
Smart App Control
Network firewall
Real-time security
Windows Defender, OSArmor
Firewall security
Microsoft Defender Firewall
About custom security
Malwarebytes Firewall Interface for Windows Defender Firewall, Added all but Adobe Reader Firewall Hardening measures in Hard_Configurartor, several Group Policy settings enabled.
SRP - Default-deny
-Hard_Configurator_6_latest: High setting
-Full BitLocker encrypted system partition.
-BIOS: passworded, Memory Protection, Intel Virtualization & Intel VT-d- enabled
-Hyper-V enabled
Periodic malware scanners
VirusTotal
Malware sample testing
I do not participate in malware testing
Browser(s) and extensions
Firefox latest (primary), MS Edge

-uBlockO
-CSS Exfil
-LocalCDN
Secure DNS
Cloudflare
Quad9
Desktop VPN
None
Password manager
Lastpass and Browser's built-in

Keepass free
Maintenance tools
Occasional system images using IFW (Image for Windows) and Disk cleanup using built-in Disk cleaner
File and Photo backup
-Separate, encrypted partition
-USB Drive
System recovery
IFW (Image for Windows)
Risk factors
    • Browsing to popular websites
    • Browsing to unknown / untrusted / shady sites
    • Opening email attachments
    • Streaming audio/video content from trusted sites or paid subscriptions
    • Streaming audio/video content from shady sites
Computer specs
Device name Lenovo-E580
Processor Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz 2.70 GHz
Installed RAM 8.00 GB (7.86 GB usable)
System type 64-bit operating system, x64-based processor
What I'm looking for?

Looking for maximum feedback.

wat0114

Level 11
Thread author
Verified
Top Poster
Well-known
Apr 5, 2021
547
This is what I've come up with, even though it may be seen as overkill for a home user like myself, but I have this inexplicable obsession with securing my hardware to make it as bullet proof as possible against existing threats and future threats as well. I guess I see it as trying to solve a complex crossword puzzle, helping to exercise my brain as I'm getting on in years :p

So here is my current policy with it's ridiculous, almost "extremist level" set of rules:

Enforcement: All software files, All users, Ignore certificate rules

Designated File Types: Defaults and added PS1, JSE, VBS, SCT, VBE, WSF

Security Levels: Disallowed

Additional Rules: Path Rules as follows...
NameTypeSecurity Level
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%PathUnrestricted
C:\$WinREAgent\Scratch\*-*-*-*-*\DismCorePS.dllPathUnrestricted
C:\accesschk64.exePathUnrestricted
C:\Intel\GfxCPLBatchFiles\{*-*-*-*-*}.batPathUnrestricted
C:\Program FilesPathUnrestricted
C:\Program Files (x86)PathUnrestricted
C:\ProgramData\Lenovo\ImController\*PathUnrestricted
C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{*}\*.dllPathUnrestricted
C:\ProgramData\Microsoft\Windows Defender\Platform\*\*.dllPathUnrestricted
C:\ProgramData\Microsoft\Windows Defender\Platform\*\*\*.dllPathUnrestricted
C:\ProgramData\Microsoft\Windows Defender\Platform\*\MpCmdRun.exePathUnrestricted
C:\ProgramData\Microsoft\Windows Defender\Platform\*\MsMpEng.exePathUnrestricted
C:\ProgramData\Microsoft\Windows Defender\Platform\*\NisSrv.exePathUnrestricted
C:\ProgramData\Microsoft\Windows Defender\Scans\*.dllPathUnrestricted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Excel.lnkPathUnrestricted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PowerPoint.lnkPathUnrestricted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Word.lnkPathUnrestricted
C:\Users\Public\Desktop\DocumentsAntiExploit(x64).exePathUnrestricted
C:\Users\Public\Desktop\Firefox.lnkPathUnrestricted
C:\Users\Public\Desktop\Google Chrome Beta.lnkPathUnrestricted
C:\Users\name\AppData\Local\Google\Chrome Beta\User Data\SwReporter\*\software_reporter_tool.exePathUnrestricted
C:\Users\name\AppData\Local\Microsoft\OneDrive\*\*\FileSync*.dllPathUnrestricted
C:\Users\name\AppData\Local\Microsoft\OneDrive\*\*\qjpeg.dllPathUnrestricted
C:\Users\name\AppData\Local\Microsoft\OneDrive\*\*\qsvg.dllPathUnrestricted
C:\Users\name\AppData\Local\Microsoft\OneDrive\*\*\qwindows.dllPathUnrestricted
C:\Users\name\AppData\Local\Microsoft\OneDrive\*\*EAY32.dllPathUnrestricted
C:\Users\name\AppData\Local\Microsoft\OneDrive\*\ADAL.dllPathUnrestricted
C:\Users\name\AppData\Local\Microsoft\OneDrive\*\amd64\FileCoAuthLib64.dllPathUnrestricted
C:\Users\name\AppData\Local\Microsoft\OneDrive\*\ETWLog.dllPathUnrestricted
C:\Users\name\AppData\Local\Microsoft\OneDrive\*\FileCoAuth.exePathUnrestricted
C:\Users\name\AppData\Local\Microsoft\OneDrive\*\FileCoAuthLib.dllPathUnrestricted
C:\Users\name\AppData\Local\Microsoft\OneDrive\*\FileSync*.dllPathUnrestricted
C:\Users\name\AppData\Local\Microsoft\OneDrive\*\FileSyncConfig.exePathUnrestricted
C:\Users\name\AppData\Local\Microsoft\OneDrive\*\LoggingPlatform.dllPathUnrestricted
C:\Users\name\AppData\Local\Microsoft\OneDrive\*\LogUploader.dllPathUnrestricted
C:\Users\name\AppData\Local\Microsoft\OneDrive\*\MSVCP140.dllPathUnrestricted
C:\Users\name\AppData\Local\Microsoft\OneDrive\*\OneDriveTelemetryStable.dllPathUnrestricted
C:\Users\name\AppData\Local\Microsoft\OneDrive\*\qml\QtQuick.2\qtquick2plugin.dllPathUnrestricted
C:\Users\name\AppData\Local\Microsoft\OneDrive\*\qml\QtQuick\Controls.2\qtquickcontrols2plugin.dllPathUnrestricted
C:\Users\name\AppData\Local\Microsoft\OneDrive\*\qml\QtQuick\Layouts\qquicklayoutsplugin.dllPathUnrestricted
C:\Users\name\AppData\Local\Microsoft\OneDrive\*\qml\QtQuick\Templates*\qtquicktemplates2plugin.dllPathUnrestricted
C:\Users\name\AppData\Local\Microsoft\OneDrive\*\qml\QtQuick\Window.2\windowplugin.dllPathUnrestricted
C:\Users\name\AppData\Local\Microsoft\OneDrive\*\QT5*.dllPathUnrestricted
C:\Users\name\AppData\Local\Microsoft\OneDrive\*\RemoteAccess.dllPathUnrestricted
C:\Users\name\AppData\Local\Microsoft\OneDrive\*\SyncEngine.dllPathUnrestricted
C:\Users\name\AppData\Local\Microsoft\OneDrive\*\Telemetry.dllPathUnrestricted
C:\Users\name\AppData\Local\Microsoft\OneDrive\*\ucrtbase.dllPathUnrestricted
C:\Users\name\AppData\Local\Microsoft\OneDrive\*\UpdateRingSettings.dllPathUnrestricted
C:\Users\name\AppData\Local\Microsoft\OneDrive\*\VCRUNTIME140.dllPathUnrestricted
C:\Users\name\AppData\Local\Microsoft\OneDrive\*\WnsClient.dllPathUnrestricted
C:\Users\name\AppData\Local\Microsoft\OneDrive\*\WnsClientApi.dllPathUnrestricted
C:\Users\name\AppData\Local\Microsoft\OneDrive\OneDrive.exePathUnrestricted
C:\Users\name\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exePathUnrestricted
C:\Users\name\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exePathUnrestricted
C:\Users\name\AppData\Local\Temp\*-*-*-*-*\dismhost.exePathUnrestricted
C:\Users\name\AppData\Local\Temp\*-*-*-*\*.dllPathUnrestricted
C:\Users\name\AppData\Local\Temp\*.tmp\GoogleUpdate.exePathUnrestricted
C:\Users\name\AppData\Local\Temp\*.tmp\System.dllPathUnrestricted
C:\Users\name\AppData\Local\Temp\__PSScriptPolicyTest_*.ps1PathUnrestricted
C:\Users\name\AppData\Local\Temp\__PSScriptPolicyTest_*.psm1PathUnrestricted
C:\Users\name\AppData\Local\Temp\n*.tmp\nsRandom.dllPathUnrestricted
C:\Users\name\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Firefox.lnkPathUnrestricted
C:\Users\name\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Firefox.lnkPathUnrestricted
C:\Users\name\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome Beta.lnkPathUnrestricted
C:\Users\name\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnkPathUnrestricted
C:\Users\name\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\OneDrive.lnkPathUnrestricted
C:\Users\name\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnkPathUnrestricted
C:\Users\name\AppData\Roaming\Mozilla\Firefox\Profiles\*.default-release\gmp-widevinecdm\*\widevinecdm.dllPathUnrestricted
C:\Users\name\Desktop\accesschk.batPathUnrestricted
C:\Users\name\Desktop\Autoruns64.exePathUnrestricted
C:\Users\name\Desktop\Command Prompt.lnkPathUnrestricted
C:\Users\name\Desktop\ConfigureDefender.exe - Shortcut.lnkPathUnrestricted
C:\Users\name\Desktop\Event Viewer.lnkPathUnrestricted
C:\Users\name\Desktop\gpedit - Shortcut.lnkPathUnrestricted
C:\Users\name\Desktop\Lock-R.batPathUnrestricted
C:\Users\name\Desktop\procexp64 - Shortcut.lnkPathUnrestricted
C:\Users\name\Desktop\SRPLogs.txt - Shortcut.lnkPathUnrestricted
C:\Users\name\Downloads\ConfigureDefender-master\ConfigureDefender-masterPathUnrestricted
C:\Users\name\Downloads\CR_*.tmp\setup.exePathUnrestricted
C:\Users\name\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Outlook.lnkPathUnrestricted
C:\Users\name\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Command Prompt.lnkPathUnrestricted
C:\Users\name\Desktop\Microsoft Update sever IP addresses-WFC.txt - Shortcut.lnkPathUnrestricted
C:\Users\name\Desktop\powershell.batPathUnrestricted
C:\Users\name\Desktop\SRPLogs delete.batPathUnrestricted
C:\Windows\*.dllPathUnrestricted
C:\Windows\*.exePathUnrestricted
C:\WINDOWS\assembly\NativeImages_*\*PathUnrestricted
C:\Windows\CbsTempPathDisallowed
C:\WINDOWS\Lenovo\ImController\Service\Lenovo.Modern.ImController.exePathUnrestricted
C:\WINDOWS\Microsoft.Net\assembly\GAC_64\CustomMarshalers\*\*.dllPathUnrestricted
C:\WINDOWS\Microsoft.Net\assembly\GAC_64\System.Transactions\*\*.*.dllPathUnrestricted
C:\Windows\Microsoft.NET\Framework\*\*.dllPathUnrestricted
C:\Windows\Microsoft.NET\Framework\*\mscoreei.dllPathUnrestricted
C:\Windows\Microsoft.NET\Framework64\*\*PathUnrestricted
C:\Windows\PantherPathDisallowed
C:\Windows\RegistrationPathUnrestricted
C:\Windows\Sys*\FxsTmpPathDisallowed
C:\Windows\Sys*\Tasks\Microsoft\Windows\PLA\SystemPathDisallowed
C:\Windows\system32\*.dllPathUnrestricted
C:\Windows\system32\*.exePathUnrestricted
C:\WINDOWS\SYSTEM32\CRYPTSP.dllPathUnrestricted
c:\windows\system32\drivers\umdf\*.dllPathUnrestricted
C:\WINDOWS\System32\DriverStore\FileRepository\*PathUnrestricted
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeysPathDisallowed
c:\Windows\System32\spoolPathDisallowed
C:\Windows\System32\spool\drivers\*PathUnrestricted
C:\WINDOWS\system32\spool\PRTPROCS\x64\us008pc.dllPathUnrestricted
C:\WINDOWS\system32\spool\PRTPROCS\x64\winprint.dllPathUnrestricted
C:\WINDOWS\system32\wbem\*.dllPathUnrestricted
C:\WINDOWS\system32\wbem\*.exePathUnrestricted
C:\WINDOWS\SYSTEM32\wbemcomn.dllPathUnrestricted
C:\WINDOWS\SysWOW64\*.exePathUnrestricted
C:\Windows\SysWOW64\com\*.dllPathUnrestricted
C:\Windows\SysWOW64\com\*.exePathUnrestricted
C:\WINDOWS\SysWOW64\Lenovo\PowerMgr\*.exePathUnrestricted
C:\Windows\TempPathDisallowed
C:\WINDOWS\Temp\*-*-*-*-*\mpengine.dllPathUnrestricted
C:\WINDOWS\TEMP\*-*-*-*-*\MpUpdate.dllPathUnrestricted
C:\WINDOWS\Temp\*-*-*-*\mpgear.dllPathUnrestricted
C:\WINDOWS\Temp\*\*\ConfigureDefender_x64.exePathUnrestricted
C:\WINDOWS\TEMP\__PSScriptPolicyTest_*.*.ps1PathUnrestricted
C:\WINDOWS\TEMP\nsi????.tmp\System.dllPathUnrestricted
C:\Windows\tracingPathDisallowed
C:\WINDOWS\WinSxS\*PathUnrestricted
C:\$WinREAgent\Scratch\*-*-*-*-*\dismprov.dllPathUnrestricted

 
Last edited:

wat0114

Level 11
Thread author
Verified
Top Poster
Well-known
Apr 5, 2021
547
I can't seem to get the spoiler code to work properly on the list of rules :( Otherwise that is it so far.

There are some rules under the system folder I had to create for some DLL's because they were being blocked for some reason, so those are the anomalies. The rules under the Temp folder are tricky, because I don't obviously want anything too permissive, so I went with common patterns I was seeing in the advanced logs such as for example: C:\WINDOWS\Temp\*-*-*-*\mpgear.dll. I could have gone more restrictive with: C:\WINDOWS\Temp\????????-????-????-????????????\mpgear.dll, but I chose not to.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Remove these rules:

C:\Users\name\AppData\Local\Temp\__PSScriptPolicyTest_*.ps1PathUnrestricted
C:\Users\name\AppData\Local\Temp\__PSScriptPolicyTest_*.psm1PathUnrestricted

By applying them you disabled the most important PowerShell security = Constrained Language Mode.(y)
 

Thales

Level 15
Verified
Top Poster
Well-known
Nov 26, 2017
708
Remove these rules:

C:\Users\name\AppData\Local\Temp\__PSScriptPolicyTest_*.ps1PathUnrestricted
C:\Users\name\AppData\Local\Temp\__PSScriptPolicyTest_*.psm1PathUnrestricted

By applying them you disabled the most important PowerShell security = Constrained Language Mode.(y)
Wait! is it secure to use this in syshardener? or OP gave unrestricted rules?
1623531017699.png
 

wat0114

Level 11
Thread author
Verified
Top Poster
Well-known
Apr 5, 2021
547
Remove these rules:

C:\Users\name\AppData\Local\Temp\__PSScriptPolicyTest_*.ps1PathUnrestricted
C:\Users\name\AppData\Local\Temp\__PSScriptPolicyTest_*.psm1PathUnrestricted

By applying them you disabled the most important PowerShell security = Constrained Language Mode.(y)
Thanks Andy, I had those rules froma policy I created a few years back, thinking they were needed. I should mention, I substituted my user name with "name".

Do you check your permissions in whitelisted locations only by searching permissions for built-in user groups (Users, Authenticated Users, Everyone...) or your specific username also?
I just used accesschk to search for them, so I think it checks for all users. Hopefully I haven't missed any directories that users can write to. This is a work in progress so if there's room for improvement I'll make the necessary changes.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Wait! is it secure to use this in syshardener? or OP gave unrestricted rules?
View attachment 258963
These policies are not related to SRP. They also do not support whitelisting. Two first rules have to be used together because the first can be easily bypassed without the second. The last is not required on the fresh installed Windows 10 (PowerShell 2.0 is disabled by default).
 
Last edited:

Minimalist

Level 9
Verified
Well-known
Oct 2, 2020
439
I just used accesschk to search for them, so I think it checks for all users. Hopefully I haven't missed any directories that users can write to. This is a work in progress so if there's room for improvement I'll make the necessary changes.
When I've used SRP I used icacls.exe to check if there are any locations where there was my specific username given right to write to.
I've used this command to store a list of items in txt file, which I later examined:
icacls c: /findsid Username /t /c /q >>d:\icacls.txt
If I remember correctly there were some folders in Program files that did not have rights set for user groups but did so for my username. Off course I blocked them.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
One can use this:
Code:
Icacls "c:\Program Files" /findsid WhoAmI /T /C >> d:\icacls.txt

WhoAmI in this CmdLine is the user - you can find it by using the whoamI command in the CMD console.
 

Minimalist

Level 9
Verified
Well-known
Oct 2, 2020
439
If I click on that folder, I'm prompted for credentials
Maybe because I'm admin on my system and that folder is protected from access by SUAs?

One can use this:
Code:
Icacls "c:\Program Files" /findsid WhoAmI /T /C >> d:\icacls.txt

WhoAmI in this CmdLine is the user - you can find it by using the whoamI command in the CMD console.
For me it doesn't work as a substitute for actual username? I know it returns username if used separately.
Here is what I get: "No files with a matching SID was found"
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
I rerun that command and found this folder on my system:

View attachment 258964
There might be more...
Normally only the first and last entry is present.

For me it doesn't work as a substitute for actual username? I know it returns username if used separately.
Here is what I get: "No files with a matching SID was found"
Did you use the whoami command in the cmd console to obtain the user (WhoAmI)? For example in my case after using whoami command I can obtain (not a real user) WhoAmI = desktop-ajxyzd7\username. So the command is:
Icacls "c:\Program Files" /findsid desktop-ajxyzd7\username /T /C >> d:\icacls.txt
 

wat0114

Level 11
Thread author
Verified
Top Poster
Well-known
Apr 5, 2021
547
Maybe because I'm admin on my system and that folder is protected from access by SUAs?
Okay I checked again and found that I could write a file into it. Thanks for pointing that out. I have run accesschk64 from withing the root directory, and ported the results to a text file with the following strings:

accesschk64 -w -s -q -u Users "C:\Program Files"
accesschk64 -w -s -q -u Users "C:\Program Files (x86)"
accesschk64 -w -s -q -u Users "C:\Windows"
accesschk64 -w -s -q -u Everyone "C:\Program Files"
accesschk64 -w -s -q -u Everyone "C:\Program Files (x86)"
accesschk64 -w -s -q -u Everyone "C:\Windows"
accesschk64 -w -s -q -u "Authenticated Users" "C:\Program Files"
accesschk64 -w -s -q -u "Authenticated Users" "C:\Program Files (x86)"
accesschk64 -w -s -q -u "Authenticated Users" "C:\Windows"
accesschk64 -w -s -q -u Interactive "C:\Program Files"
accesschk64 -w -s -q -u Interactive "C:\Program Files (x86)"
accesschk64 -w -s -q -u Interactive "C:\Windows"

I am going over the results carefully and will modify the SRP policy as necessary.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Microsoft states the PSScriptPolicyTest scripts are merely to verify that AppLocker is running.
Yes. But if this test fails (the script can be run), then SRP and Applocker do not use Constrained Language Mode for PowerShell.
Also, every check of HC I have seen PS language mode is set to Full Language mode.
The H_C uses SRP only for processes running with standard rights. So Constrained Language Mode works in this case only for not-elevated PowerShell. When PowerShell is running with high privileges it uses Full Language Mode.

Okay I checked again and found that I could write a file into it. Thanks for pointing that out. I have run accesschk64 from withing the root directory, and ported the results to a text file with the following strings:

accesschk64 -w -s -q -u Users "C:\Program Files"
accesschk64 -w -s -q -u Users "C:\Program Files (x86)"
accesschk64 -w -s -q -u Users "C:\Windows"
accesschk64 -w -s -q -u Everyone "C:\Program Files"
accesschk64 -w -s -q -u Everyone "C:\Program Files (x86)"
accesschk64 -w -s -q -u Everyone "C:\Windows"
accesschk64 -w -s -q -u "Authenticated Users" "C:\Program Files"
accesschk64 -w -s -q -u "Authenticated Users" "C:\Program Files (x86)"
accesschk64 -w -s -q -u "Authenticated Users" "C:\Windows"
accesschk64 -w -s -q -u Interactive "C:\Program Files"
accesschk64 -w -s -q -u Interactive "C:\Program Files (x86)"
accesschk64 -w -s -q -u Interactive "C:\Windows"

I am going over the results carefully and will modify the SRP policy as necessary.

I think that you should also try this with not-elevated Powershell :

Code:
$whoami = whoami
Icacls "c:\Windows" /findsid $whoami /T /C >> d:\icacls.txt
Icacls "c:\Program Files (x86)" /findsid $whoami /T /C >> d:\icacls.txt
Icacls "c:\Program Files" /findsid $whoami /T /C >> d:\icacls.txt
 

Minimalist

Level 9
Verified
Well-known
Oct 2, 2020
439
Did you use the whoami command in the cmd console to obtain the user (WhoAmI)? For example in my case after using whoami command I can obtain (not a real user) WhoAmI = desktop-ajxyzd7\username. So the command is:
Icacls "c:\Program Files" /findsid desktop-ajxyzd7\username /T /C >> d:\icacls.txt
No, I copy-pasted your code from post #13. I knew about whoami command but thought that it can be used as replacement for username.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top