Windows_Security

LS,

For people owning a Pro/Business/Ultimate/Enterprise version of their Windows OS and not using the Group Policy editor to increase security with built-in features, here is a simple 10-step tutorial to enable SRP (works for all Windows OSes with UAC, so Vista and higher).

SRP stands for Software Restriction Policies. As the name says, it can be used to restrict software on your PC. It has basically three modes. This introduction describes how to use Basic User, because Basic User requires little tweaking and still allows you to update/install software using Run as Administrator (make sure to create a restore point or have an image as a backup).

Run as administrator
With these "Basic User default" SRP rules, when you try to run a program in user folders, it will be blocked. You can still update/install software by using the "Run as Administrator" right-click context menu in Windows Explorer. Microsoft Installer packages don't run with elevated (admin) rights by default. Luckily, Symantec has provided a registry tweak for that: download MSI "Run as administrator" Context Menu for Vista | Symantec Connect (MsiRunAsAdmin.zip)

Extract the zip file and double click it.

Enabling SRP using Basic User as default level
Click on the Windows Start button and choose "Run". Enter secpol.msc and press Enter. Secpol.msc launches the Local Security Policy management console; follow the instructions in the picture below. Restart your computer when ready and you're done.

upload_2016-8-1_8-25-39.png

Windows_Security

Why use Basic User default level and why allow local Administrators?
All programs updating the Windows or Program Files folders must run elevated (UAC). When you apply these rules to everyone except Administrators, the SRP rules don't interfere with regular program and OS updates. It is set and forget.


Programs in user space are blocked.
This link explains with pictures how to add block rules. This link (step 9) shows how to add an allow rule (Unrestricted security level). This setup does not mimic an anti-executable default-deny setup; it just prevents shoot-in-the-foot errors and sneaky drive-by infections. You determine what survives a reboot by using "Run as Administrator".

upload_2016-8-1_8-52-6.png


Defending user space autoruns
Windows allows a few autorun locations in user space. This nifty little freeware program warns you when software wants to survive a reboot by using user-space autoruns: KC Softwares Startup Sentinel (thx Kyle). A "run once" is often used to clear entries after uninstalling a program, a "run" when you install software (so only allow it when you have uninstalled/installed a program yourself through Windows Add/Remove Programs or Run as Administrator).

DardiM

I need to master that tool, for my sake. Teaching users to benefit from this? Another issue altogether... :rolleyes:
Just right-click on the drive letter where you want to activate BitLocker, and follow the instructions.
Very easy. Each time your PC starts, BitLocker drives are protected; no data is seen / accessible.
You just have to right-click on the BitLocker drive and choose "Unlock" to access it.

Apart from my C: drive, all my drives have BitLocker activated (D, E, F, G, H, I).

jamescv7

The right one to learn what hardening mode is all about.

In such a business landscape, limited user accounts are not enough; rather, use the OS itself to configure for lockdown protection.

Very effective and less sacrifice of resources; yes, it needs technical analysis, but the investment is good.

Windows_Security

No, not when you set the default level to BASIC USER. You have to remove lnk when you set DISALLOWED as the default level. The disadvantage of Disallowed is that the Run as Admin registry tweak from Symantec for MSI files does not work.

:) Thx @Av Gurus for this excellent suggestion to add some file extensions (I had forgotten to mention it, apologies). See picture; please repeat for the file extensions mentioned by Av Gurus: JSE, JAR, PS1, VBS, JS, SCT, VBE, WS, WSF, WSH.

upload_2016-8-19_0-34-49.png
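As an added example (not from the thread, and not Microsoft's or Symantec's tooling), the following PowerShell script audits the three SRP settings the posts above walk through in secpol.msc, namely the Basic User default level, the "all users except local Administrators" scope, and the extra script/archive extensions Av Gurus listed, and with -Apply writes them. It assumes SRP was already enabled once through secpol.msc as in the first post (that step creates the default path rules, which this script does not touch); the registry path and value names are the documented SRP locations.

```powershell
# Added example, not from the thread: audit (and with -Apply, set) the SRP
# settings discussed above: default level Basic User, skip local Administrators,
# and the extra script/archive extensions. Assumes SRP was first enabled in
# secpol.msc as in the first post (which creates the default path rules).
# Run from an elevated PowerShell prompt.
param([switch]$Apply)

$Safer    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Levels   = @{ 0 = 'Disallowed'; 0x20000 = 'Basic User'; 0x40000 = 'Unrestricted' }
$ExtraExt = 'JSE','JAR','PS1','VBS','JS','SCT','VBE','WS','WSF','WSH'

if (-not (Test-Path $Safer)) {
    Write-Warning 'SRP key missing: enable SRP in secpol.msc first (see the first post).'
    return
}

$cur   = Get-ItemProperty -Path $Safer
# Absent values mean the SRP defaults: Unrestricted, all users, no extra types
$level = if ($null -ne $cur.DefaultLevel) { [int]$cur.DefaultLevel } else { 0x40000 }
$scope = if ($null -ne $cur.PolicyScope)  { [int]$cur.PolicyScope }  else { 0 }
$types = @($cur.ExecutableTypes | Where-Object { $_ })

$levelName = if ($Levels.ContainsKey($level)) { $Levels[$level] } else { 'unknown (0x{0:X})' -f $level }
$scopeName = if ($scope -eq 1) { 'all users except local Administrators' } else { 'all users' }
# -notcontains compares case-insensitively, so 'vbs' and 'VBS' both count as present
$missing   = @($ExtraExt | Where-Object { $types -notcontains $_ })

Write-Host ("Default level : {0}" -f $levelName)
Write-Host ("Policy scope  : {0}" -f $scopeName)
Write-Host ("Missing types : {0}" -f $(if ($missing) { $missing -join ', ' } else { 'none' }))

if ($Apply) {
    Set-ItemProperty -Path $Safer -Name DefaultLevel       -Value 0x20000 -Type DWord
    Set-ItemProperty -Path $Safer -Name PolicyScope        -Value 1       -Type DWord
    Set-ItemProperty -Path $Safer -Name TransparentEnabled -Value 1       -Type DWord  # all files except DLLs
    $merged = [string[]]@(($types + $missing) | Sort-Object -Unique)
    Set-ItemProperty -Path $Safer -Name ExecutableTypes -Value $merged -Type MultiString
    Write-Host 'Applied. Restart (or log off and on) for the new default level to take effect.'
}
```

Run it without -Apply first to see what the GUI steps actually wrote; the audit output is also a quick way to confirm after a reboot that the settings survived.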

Nikos751

Great article!
Is the Google Chrome update affected in any way (automatic or manual) after this configuration? Does an exception need to be set? Chrome runs from the user folder on most home PCs and can be updated manually, asking for admin privileges (UAC), or automatically without asking anything.