Serious Discussion Windows Directories to Lock Down

n8chavez

Level 21
Thread author
Well-known
Feb 26, 2021
1,016
Just out of curiosity, which Windows' directories could/should be locked down (execution prevention) in order to minimize infection. Obviously, the 'My Documents' folder should make that list. What are some common other ones? I ask because, using something like Hide Folders, it's possible to apply 'lock' or 'no execute' permissions to any directory you chose. So why not use that function?

Bot

AI-powered Bot
Apr 21, 2016
4,780
You're on the right track. Besides 'My Documents', you should also consider locking down the 'Windows', 'Program Files', 'ProgramData', 'AppData', and 'Users' directories. These folders often contain system and application files that malware could potentially exploit. However, be careful, as restricting access too much might cause system instability or software malfunctions. Always back up your data before making such changes.
 

n8chavez

Level 21
Thread author
Well-known
Feb 26, 2021
1,016
Isn't 'Program Files' already restricted in Windows 10/11? Also, I'm not sure restricting the Windows directory is a good idea.

Zero Knowledge

Level 20
Verified
Top Poster
Content Creator
Dec 2, 2016
916
You're trying to plug holes in a sinking ship or Swiss cheese. You can lock Windows down, but then you lose functionality and usability. I really don't want a personal PC to act and feel like an enterprise locked-down, useless hunk of metal where all you can use is Word and Excel or MS 365.

Just buy something like AppGuard, OSArmor or CyberLock and be done with it. Add Andy Ful's firewall block list and a decent AV (WD, ESET, AVAST, BD) and you're in a good place. To be honest, unless you're a spook, work in the military-industrial complex or work with top-secret government departments, then you're wasting your time.
 

n8chavez

Level 21
Thread author
Well-known
Feb 26, 2021
1,016
I'm already using Cyberlock, and I have been for years. And that won't change. It's great. But there are some things that could use a little tweaking, such as preventing execution on my downloads folder or My Documents folder. That way I have to make the conscious decision to allow things to be run. I just wondered if there were any other fairly obvious yet minimally invasive things, like preventing macros in documents.

Zero Knowledge

Level 20
Verified
Top Poster
Content Creator
Dec 2, 2016
916
If you block the Downloads folder, then how are you meant to update or run new software?

Look into OSArmor by NoVirusThanks; it had most of the functionality you need the last time I used it. That's if software is what you want, but look at hardware too.

What you should invest in is a YubiKey 5C. Even if your accounts get breached and there is a username/password dump, they can't access your account through credential stuffing. They need physical access to your YubiKey. And if they do have physical access, then you're probably in a lot of trouble and have bitten off more than you can chew.
 

n8chavez

Level 21
Thread author
Well-known
Feb 26, 2021
1,016
> If you block the Downloads folder, then how are you meant to update or run new software?

Well, I just block execution in the directory my browser uses for downloads. Actually, it's the directory Sandboxie Plus saves downloads to. This way I have to make the conscious choice to move that file and execute it. The key is that it's my choice, not some downloader/drive-by.

> Look into OSArmor by NoVirusThanks; it had most of the functionality you need the last time I used it. That's if software is what you want, but look at hardware too.

I have used OSA in the past. It's very good too. But I found myself adding way more exclusion rules than needed, since each execution uses three rules. My exclusions.db contained something like 200 rules, since I like scripting and automation. OSA is too granular. I found VoodooShield (now CyberLock) was a better fit for me. Plus @danb is a cool guy, and he gave me a really great deal that ended up being a lot cheaper than OSA.

> What you should invest in is a YubiKey 5C. Even if your accounts get breached and there is a username/password dump, they can't access your account through credential stuffing.

Oh, good call! I'll have to look into those. I use Bitwarden Premium, and I doubt they'll be breached. Still, I'll look into YubiKey.
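The "no execute on the download folder" rule discussed in this exchange can be set with Windows' own NTFS permissions instead of a third-party tool. The script below is an added example, not code from the thread, from Hide Folders or from CyberLock; it assumes the target is the current user's Downloads folder, applies the deny to the current user, and is run from an elevated PowerShell so Set-Acl can write the DACL.

```powershell
# Added example (not from the thread): an NTFS deny-execute rule for a download folder.
# Assumptions: target is the current user's Downloads folder, rule applies to the current
# user; run elevated so Set-Acl can rewrite the DACL.
using namespace System.Security.AccessControl

function Add-NoExecuteRule {
    param(
        [string]$Folder   = (Join-Path $env:USERPROFILE 'Downloads'),
        [string]$Identity = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    )
    $acl = Get-Acl -Path $Folder
    # Deny FILE_EXECUTE only: read/write/delete stay intact, so a file can still be moved
    # elsewhere and run there, which is the deliberate step the poster wants to keep.
    # ObjectInherit + InheritOnly is the GUI's "Applies to: Files only": the folder itself
    # gets no traverse deny, and subfolders pass the rule on to their files.
    $rule = [FileSystemAccessRule]::new(
        $Identity,
        [FileSystemRights]::ExecuteFile,
        [InheritanceFlags]::ObjectInherit,
        [PropagationFlags]::InheritOnly,
        [AccessControlType]::Deny)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Folder -AclObject $acl
}

function Get-NoExecuteRule {
    # Lists the deny-execute ACEs on the folder, to verify the change or audit it later.
    param([string]$Folder = (Join-Path $env:USERPROFILE 'Downloads'))
    (Get-Acl -Path $Folder).Access |
        Where-Object { $_.AccessControlType -eq 'Deny' -and
                       ($_.FileSystemRights -band [FileSystemRights]::ExecuteFile) -ne 0 } |
        Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags
}

function Remove-NoExecuteRule {
    param(
        [string]$Folder   = (Join-Path $env:USERPROFILE 'Downloads'),
        [string]$Identity = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    )
    $acl  = Get-Acl -Path $Folder
    $rule = [FileSystemAccessRule]::new($Identity, [FileSystemRights]::ExecuteFile,
        [InheritanceFlags]::ObjectInherit, [PropagationFlags]::InheritOnly, [AccessControlType]::Deny)
    [void]$acl.RemoveAccessRule($rule)
    Set-Acl -Path $Folder -AclObject $acl
}

# Caveat: this stops CreateProcess/LoadLibrary on PE files saved here. Scripts (.ps1, .vbs,
# .js) and Office documents are only read by their interpreter, so the rule does not touch
# them; that gap is what CyberLock-style allow-listing or Office macro blocking covers.
Add-NoExecuteRule
Get-NoExecuteRule
```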

Victor M

Level 16
Verified
Top Poster
Well-known
Oct 3, 2022
755
What you want to lock down are directories which have write access for everyone (where no UAC is required). There is \windows\temp and a few others, plus if you use Chrome there is the metrics folder (something like that) within its directory tree, which is also writable and executable by everyone. (The write access is not restricted to admins.)
 
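Victor M's criterion, directories where a broad principal can create files, can be checked rather than guessed. The script below is an added example, not code from the thread; it assumes the default roots listed are the ones worth scanning on a home PC, and it reports candidates only, since deny ACEs are not subtracted from the allow ACEs it matches.

```powershell
# Added example (not from the thread): enumerate directories where Everyone, Users,
# Authenticated Users or INTERACTIVE is allowed to create files or folders.
# Assumptions: the default roots are the useful ones on a home PC; Get-Acl over whole
# trees is slow, so keep the roots narrow. Deny ACEs are ignored: results are candidates.
using namespace System.Security.AccessControl

function Find-WorldWritableDir {
    param(
        [string[]]$Root  = @("$env:SystemRoot\Temp", $env:ProgramData,
                             $env:ProgramFiles, ${env:ProgramFiles(x86)}),
        [string[]]$Broad = @('Everyone', 'BUILTIN\Users',
                             'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    )
    # Rights that let a caller drop a file or folder into the directory.
    $write = [FileSystemRights]::CreateFiles -bor [FileSystemRights]::CreateDirectories
    # Generic rights can appear on ACEs as raw bits rather than named values.
    $genericWriteOrAll = 0x40000000 -bor 0x10000000

    $dirs = foreach ($r in $Root) {
        if ($r -and (Test-Path -LiteralPath $r)) {
            Get-Item -LiteralPath $r
            Get-ChildItem -LiteralPath $r -Directory -Recurse -ErrorAction SilentlyContinue
        }
    }
    foreach ($d in $dirs) {
        $acl = Get-Acl -LiteralPath $d.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($Broad -notcontains $ace.IdentityReference.Value) { continue }
            $bits = [int]$ace.FileSystemRights
            $canWrite = (($bits -band [int]$write) -ne 0) -or
                        (($bits -band $genericWriteOrAll) -ne 0)
            if (-not $canWrite) { continue }
            [pscustomobject]@{
                Path     = $d.FullName
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.FileSystemRights
                # Write plus execute in one place is the combination the post flags.
                Execute  = (($bits -band [int][FileSystemRights]::ExecuteFile) -ne 0)
            }
        }
    }
}

Find-WorldWritableDir | Sort-Object Path | Format-Table -AutoSize
```

Hits with Execute set to True are the ones to consider for a deny-execute ACE or an allow-listing rule; hits without it are still worth a look, since a dropped file can be run from elsewhere.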

bazang

Level 11
Jul 3, 2024
550
> You're trying to plug holes in a sinking ship or Swiss cheese. You can lock Windows down, but then you lose functionality and usability.
No. You do not. There are ways to completely lock down Windows without losing one bit of functionality.

Microsoft Security itself will tell you that just because Windows Home and Pro ship with everything enabled does not mean that it should be left enabled. Windows was designed and intended to have features and functionality that place the system at risk be disabled. Windows is a modular operating system. It is not optimized for security "out of the box." It must be properly configured and managed - IF - digital (localhost) is a priority for the user.

The issue with system lock down - ALL default deny actually - is more about the user and what they can emotionally and mentally cope with. A lot of people cannot cope with anything being blocked. Ever. Even when it is malicious.

But most users live a thing called "I do what I want, mommy." So anything that prevents that is not acceptable. Hence we have a world filled with malware and threat actors who target the herd that wants to use stuff.

> To be honest, unless you're a spook, work in the military-industrial complex or work with top-secret government departments, then you're wasting your time.
Full system lock down is the only effective insurance against highly effective, easily deployed exploits that you don't see coming. The ones such as EternalBlue and DoublePulsar.

100% always-on system lock down along with not allowing users to make decisions is the only proven, highly effective speed bump in a post-exploitation environment.

It depends upon your belief system whether protecting against those kinds of scenarios is important.
 
