Not necessary, but educational. Some people asked, and I replied.The discussion about blocking LOLBins is interesting, but not really necessary for home users in the thread about (classic) SRP.
What I do know is that the "LOLBins initiatives" began as security research movements as part of investigations of SRP protections - and continued on with SRPv2 (AppLocker) and SRPv3 (WDAC). So discussion of LOLBins is relevant. Does a user have to block every single LOLBin applicable to their OS? No. Not necessary. I know I have never said that. But users do have the option to do so if they so choose, using multiple different methods.
Microsoft's official position on LOLBins is a bit different. If it had its way, it would force S Mode, with its laundry-list of blocked processes and DLLs, onto every unmanaged Windows device user, but will not because users complain they cannot "use stuff" and undermine a superior protection model. Since it cannot force S Mode onto users, it came up with SAC.
As far as only discussing topics that are appropriate for "home users." Meh. This is a forum by and for security geeks - and not the average computer user that has little or no interest in what they can or cannot accomplish on Windows. I think detailed discussions get squashed here too often because the thinking is that a "home user" might read something and hurt themselves with it.
(This is not intended for you, @Andy Ful ). I just don't get it. In the Linux and Mac worlds, discussions about LOLBins trigger no strong feelings, and yet on this forum particularly, anything that blocks globally on Windows sets some members off into a tizzy. If one talks about addressing an entirely preventable and controllable primary issue - user behaviors - then that triggers people as well. Just odd.
Last edited by a moderator: