Serious Discussion Windows Directories to Lock Down

[n8chavez]

Just out of curiosity, which Windows' directories could/should be locked down (execution prevention) in order to minimize infection. Obviously, the 'My Documents' folder should make that list. What are some common other ones? I ask because, using something like Hide Folders, it's possible to apply 'lock' or 'no execute' permissions to any directory you chose. So why not use that function?

 

[Bot]

You're on the right track. Besides 'My Documents', you should also consider locking down 'Windows', 'Program Files', 'ProgramData', 'AppData', and 'Users' directories. These folders often contain system and application files that malware could potentially exploit. However, be careful as restricting access too much might cause system instability or software malfunctions. Always backup your data before making such changes.

 

[n8chavez]

Isn't 'Program Files' already restricted in Windows 10/11? Also, I'm not sure restricted the Windows directory is a good idea.

 

[Zero Knowledge]

Your trying to plug holes in a sinking ship or Swiss cheese. You can lock Windows down but then you lose functionality and usability. I really don't want a personal PC to act and feel like a enterprise lock downed useless hunk of metal where all you can use is Word and Excel or MS 365.

Just buy something like AppGuard, OSArmour or CyberLock and be done with it. Add Andy Ful's firewall block list and a decent AV (WD, ESET, AVAST, BD) and your in a good place. To be honest unless your a spook, work in the military industrial complex or work with top secret government departments then your wasting your time.

 

[n8chavez]

I'm already using Cyberlock, and I have been for years. And that won't change. It's great. But there are some things that could use a little tweaking, such as preventing execution on my downloads folder or My Documents folder. That way I have to make the conscious decision to allow things to be run. I just wondered if there were any other fairly obvious yet minimally invasive things, like preventing macros in documents.

 

[Zero Knowledge]

If you block Downloads folder then how are you meant to update or run new software?

Look into OSArmour by novirusthanks, it has most of the functionality of what you need last time I used it. If software is what you want, but look at hardware.

What you should invest in is a YubiKey 5c. Even if your accounts get breached and there is a username/password dump they can't access your account through credential stuffing. They need physical access to your YubiKey. And if they do have physical access then your probably in a lot of trouble and have bitten off more than you can chew.

 

[n8chavez]

If you block Downloads folder then how are you meant to update or run new software?

Well, I just block the directory used by my browser for downloads from executing. Actually, it's the direction Sandboxie plus saves downloads to. This way I have to make the conscious choice to move that file and execute it. The key is that it's my choice, not some downloader/driveby.

Look into OSArmour by novirusthanks, it has most of the functionality of what you need last time I used it. If software is what you want, but look at hardware.

I have used OSA in the past. It's very good too. But I found myself adding way more than needed exclusion rules, since each execution uses three rules. My exclusions.db contained like 200 rules since I like scripting and automation. OSA is too granular. I found VoodooShield (now Cyberlock) was a better fit for me. Plus @danb is a cool guy and he gave me a really great deal that ended up being a lot cheaper than OSA.

What you should invest in is a YubiKey 5c. Even if your accounts get breached and there is a username/password dump they can't access your account through credential stuffing.

Oh, good call! I'll have to look into those. I use Bitwarden Premium, and I doubt they'll be breached. Still, I'll look into yubikey,

 

[Victor M]

What you want to lock down are directories which have write access to everyone.( where no UAC is required) There is \windows\temp and a few others plus if you use chrome there is the metrics folder (something like that) within it's directory tree which is also writable and executable by everyone. ( The write access is not restricted to admins )

 

[bazang]

Your trying to plug holes in a sinking ship or Swiss cheese. You can lock Windows down but then you lose functionality and usability.

No. You do not. There are ways to completely lock down Windows without losing one bit of functionality.

Microsoft Security itself will tell you that just because Windows Home and Pro ship with everything enabled, does not mean that they should be left enabled. Windows was designed and intended to have features and functionality that place the system at-risk to be disabled. Windows is a modular operating system. It is not optimized for security "out-of-the-box." It must be properly configured and managed - IF - digital (localhost) is a priority for the user.

The issue with system lock down - ALL default deny actually - is more about the user and what they can emotionally and mentally cope with. A lot of people cannot cope with anything being blocked. Ever. Even when it is malicious.

But most users live a thing called "I do what I want, mommy." So anything that prevents that is not acceptable. Hence we have a world filled with malware and threat actors who target the herd that wants to use stuff.

To be honest unless your a spook, work in the military industrial complex or work with top secret government departments then your wasting your time.

Full system lock down is the only effective insurance against highly effective, easily deployed exploits that you don't see coming. The ones such as Eternal Blue and Double Pulsar.

100% always-on system lock down along with not allowing users to make decisions is the only proven, highly effective speed bump in a post-exploitation environment.

It depends upon your belief system whether protecting against those kinds of scenarios are important.

 

[Zero Knowledge]

No. You do not. There are ways to completely lock down Windows without losing one bit of functionality.

OK.... Not sure where to start with that dribble so I'll end it here. Thank you!

 

[bazang]

OK.... Not sure where to start with that dribble so I'll end it here. Thank you!

People are able to lock down their systems and have no loss of functionality.