Tutorial Windows Pro owner? Use Software Restriction Policies!

herman

New Member
Mar 16, 2017
2
Thank you @Windows_Security for posting this tutorial.
I was searching the web for information on SRP, stumbled over your post, read it and read it again until I grasped the idea.
Seems pretty clever to me, dank je wel ;-)

I followed your initial posts today to harden my W10 X64 Pro device.
It works like a charm.

One problem though....: OneDrive stops syncing.

In the event log I see an error 865, with the descriptive text:
Access to C:\Users\Herman\AppData\Local\Microsoft\OneDrive\OneDrive.exe has been restricted by your Administrator by the default software restriction policy level.

Apparently the executable file is stored in user space. I guess this is not how it should be, but it is how it is on my system.
Do you perhaps have a suggestion how to restore OneDrive to an operational state without creating a weak spot in the hardening?
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top poster
Developer
Well-known
Dec 23, 2014
7,245
OneDrive is located in the User Space, so whitelisting is necessary.
Here are the whitelist rules for OneDrive in Windows 10 (incorporated in Hard_Configurator):
%LocalAppdata%\Microsoft\OneDrive\onedrive.exe
%LocalAppdata%\Microsoft\OneDrive\onedrivestandaloneupdater.exe
%LocalAppdata%\microsoft\onedrive\*\onedrivestandaloneupdater.exe
%LocalAppdata%\Microsoft\OneDrive\OneDrivePersonal.cmd
%LocalAppdata%\Microsoft\OneDrive\Update\OneDriveSetup.exe
%LocalAppdata%\Microsoft\OneDrive\*\*.dll
%LocalAppdata%\Microsoft\OneDrive\*\*\*.dll
If you want OneDrive only on the concrete account, the %LocalAppdata% has to be replaced by the explicit path, for example: C:\Users\My_Account\AppData\Local

Every whitelist rule in the User Space creates a weak spot in the hardening. Please read the posts #77 and #78 about whitelisting LNK files, and compromise between security and usability.
 

509322

If you want OneDrive only on the concrete account, the %LocalAppdata% has to be replaced by the explicit path, for example: C:\Users\My_Account\AppData\Local

You meant if the user wants to whitelist only in a particular user account, then they must use the explicit file path.

This will whitelist it for that specific user account - "My_Account" above in the file path shown - and not any other user accounts.

For example, whitelist it for the limited Admin, but not any Standard Users.
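
Added example, not part of the original posts and not Hard_Configurator code: a simplified Python model of how the OneDrive path rules above cover a file, showing why `%LocalAppdata%` rules apply to every account while explicit-path rules apply to one account only. It assumes `*` and `?` match inside a single path component, case-insensitive comparison, and the default `C:\Users\<name>\AppData\Local` profile layout; all function names are hypothetical.

```python
import re

# Whitelist rules exactly as posted in the thread.
ONEDRIVE_RULES = [
    r"%LocalAppdata%\Microsoft\OneDrive\onedrive.exe",
    r"%LocalAppdata%\Microsoft\OneDrive\onedrivestandaloneupdater.exe",
    r"%LocalAppdata%\microsoft\onedrive\*\onedrivestandaloneupdater.exe",
    r"%LocalAppdata%\Microsoft\OneDrive\OneDrivePersonal.cmd",
    r"%LocalAppdata%\Microsoft\OneDrive\Update\OneDriveSetup.exe",
    r"%LocalAppdata%\Microsoft\OneDrive\*\*.dll",
    r"%LocalAppdata%\Microsoft\OneDrive\*\*\*.dll",
]
# Event 865 text as quoted in the thread.
EVENT_865 = (r"Access to C:\Users\Herman\AppData\Local\Microsoft\OneDrive\OneDrive.exe "
             "has been restricted by your Administrator by the default software "
             "restriction policy level.")

def blocked_path(event_text):
    """Pull the blocked file path out of an SRP event 865 message."""
    m = re.search(r"Access to (.+?) has been restricted by your Administrator", event_text)
    return m.group(1) if m else None

def local_appdata_for(user):
    # Assumption: default profile location on drive C:.
    return "C:\\Users\\" + user + "\\AppData\\Local"

def expand(rule, local_appdata):
    # The variable is resolved per account, so one rule covers every profile.
    return re.sub(r"%localappdata%", lambda _: local_appdata, rule, flags=re.I)

def rule_matches(rule, path, local_appdata):
    # Assumption of this model: wildcards never cross a backslash.
    tokens = re.split(r"([*?])", expand(rule, local_appdata))
    pattern = "".join({"*": r"[^\\]*", "?": r"[^\\]"}.get(t, re.escape(t)) for t in tokens)
    return re.fullmatch(pattern, path, flags=re.I) is not None

def matching_rules(path, rules, user):
    """Rules that would allow `path` when the process runs as `user`."""
    base = local_appdata_for(user)
    return [r for r in rules if rule_matches(r, path, base)]

def pin_to_account(rules, user):
    """Replace %LocalAppdata% by the explicit path of one account."""
    return [expand(r, local_appdata_for(user)) for r in rules]

if __name__ == "__main__":
    path = blocked_path(EVENT_865)
    print(matching_rules(path, ONEDRIVE_RULES, "Herman"))
    print(matching_rules(path, pin_to_account(ONEDRIVE_RULES, "My_Account"), "Herman"))
```

The first call lists the single rule that allows the blocked `OneDrive.exe`; the second returns an empty list because the rules were pinned to a different account.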
 

herman

OneDrive is located in the User Space, so whitelisting is necessary.
Here are the whitelist rules for OneDrive in Windows 10 (incorporated in Hard_Configurator):
[....]
Please read the posts #77 and #78 about whitelisting LNK files, and compromise between security and usability.
Thank you for responding!
I have read this entire topic, I realize there are trade-offs to be made.
Why isn't life straightforward ....... <sigh> ...... ;)
 
Mar 10, 2017
103
This is an easy mitigation technique that a lot of people should use.

I have a lab domain controller set up for when I need to play with things (mostly GPO etc. while I was in school), but I built a policy for my PC and this is one of the features I enabled.

10/10 would suggest.
 

Windows_Security

Level 24
Thread author
Verified
Honorary Member
Top poster
Content Creator
Well-known
Mar 13, 2016
1,301
I really have no idea. Everyone doing a manual install just has to right-click-mouse "Run as Administrator" to install. All updates from UAC protected folders have to run elevated (otherwise they are not allowed to write to Windows and Program Files folders), so they are automatically allowed by this Basic User default SRP.
 

Handsome Recluse

Level 23
Verified
Top poster
Well-known
Nov 17, 2016
1,261
I really have no idea. Everyone doing a manual install just has to right-click-mouse "Run as Administrator" to install. All updates from UAC protected folders have to run elevated (otherwise they are not allowed to write to Windows and Program Files folders), so they are automatically allowed by this Basic User default SRP.
Max UAC is already considered annoying. Right-clicking would also be unintuitive since basically all OS use left-click in some form to open both files and executables.
Additionally, don't you also block with ACL?
 

Andy Ful

...
Right-clicking would also be unintuitive since basically all OS use left-click in some form to open both files and executables.
...
Yes, people's habits may be the obstacle, here. :)
One has to learn: (1) checking/installing new files by right-clicking, (2) using already installed files by left-clicking, and (3) recognizing EXE, MSI installers from documents, photos, media files, etc.
 

Handsome Recluse

Yes, people's habits may be the obstacle, here. :)
One has to learn: (1) checking/installing new files by right-clicking, (2) using already installed files by left-clicking, and (3) recognizing EXE, MSI installers from documents, photos, media files, etc.
We can't assume it's habits yet. All we know is they don't do that and they probably refuse to change.
 

Andy Ful

The good news is that there's no obligation to use SRP. Anyone can learn and choose what is best for him (her). :)
 

Windows_Security

1,301
Max UAC is already considered annoying. Right-clicking would also be unintuitive since basically all OS use left-click in some form to open both files and executables.
Additionally, don't you also block with ACL?

Yes, I have set a deny "traverse folder/execute file" for Everyone in User folders except my Temp folder (and D:\ root on my Desktop, otherwise Windows image backup does not run and dot Net installations fail). All software I use (except dotNet, which installs from the largest partition) updates and installs from the temp folder.

For my wife I have UAC to elevate silently, blocking unsigned elevations. She has run this setup since 2010 without issues.
 

oldschool

Level 70
Verified
Top poster
Well-known
Mar 29, 2018
5,998
@Andy Ful

The one issue I'm having with Disallowed is when I open Windows Security I get this:
[Screenshot: Defender 2022-09-26 204737.png]
I'm unable to access Virus & threat detection, etc. in SU or Admin account and get no WS notifications. Any ideas?
 

Andy Ful

@Andy Ful

The one issue I'm having with Disallowed is when I open Windows Security I get this:
[Attachment 269569]
I'm unable to access Virus & threat detection, etc. in SU or Admin account and get no WS notifications. Any ideas?
Yes. I solved this issue on H_C one year ago:
 

oldschool

Yes. I solved this issue on H_C one year ago
Applying an unrestricted rule for the path you referenced did not solve the issue. I tried adding rules for other Windows Security executables with the same result.

After some initial research I discovered something that may be the culprit when using GPO:
It may be that 'Config lock' disables switchable components of Windows Security, including disabling notifications, when deploying SRP via GPO, though I cannot find a direct reference.

For example:
WindowsDefenderSecurityCenter/DisableAccountProtectionUI

The table below shows the applicability of Windows:

Edition | Windows 10 | Windows 11
Home | Yes | Yes
Pro | Yes | Yes
Windows SE | No | Yes
Business | Yes | Yes
Enterprise | Yes | Yes
Education | Yes | Yes

Scope:

  • Device

Use this policy setting to specify if to display the Account protection area in Windows Defender Security Center. If you disable or don't configure this setting, Windows Defender Security Center will display this area.
My SRP setup is fully functional otherwise. :LOL:

I read somewhere that SRP is tied to both WAC & WAG, both of which take precedence over SRP, and my guess is that something is changed in 22H2 where WAC/WAG silently affects SRP deployed via GPO, even though neither WAC nor WAG are enabled.
 

ForgottenSeer 95367

After some initial research I discovered something that may be the culprit when using GPO:
It may be that 'Config lock' disables switchable components of Windows Security, including disabling notifications, when deploying SRP via GPO, though I cannot find a direct reference.

System Requirements

Config lock will be available for all Windows Professional and Enterprise Editions running on secured-core PCs. When the device isn't a secured-core PC, the Config lock won't apply.

Config lock isn't enabled by default, or turned on by the OS during boot. Rather, you need to turn it on. Turn on config lock using Microsoft Endpoint Manager (Microsoft Intune).

Secured-core configuration lock (config lock) is a new secured-core PC (SCPC) feature that prevents configuration drift from secured-core PC features caused by unintentional misconfiguration. In short, it ensures a device intended to be a secured-core PC remains a secured-core PC.

For general purpose laptops, tablets, 2-in-1’s, mobile workstations, and desktops, Microsoft recommends using Security baselines for optimal configuration. For more info, see Windows security baselines.

Even though Windows and Windows Server are designed to be secure out-of-the-box, many organizations still want more granular control over their security configurations. To navigate the large number of controls, organizations need guidance on configuring various security features. Microsoft provides this guidance in the form of security baselines.

We recommend that you implement an industry-standard configuration that is broadly known and well-tested, such as Microsoft security baselines, as opposed to creating a baseline yourself. This industry-standard configuration helps increase flexibility and reduce costs.

Baseline principles

Our recommendations follow a streamlined and efficient approach to baseline definitions. The foundation of that approach is essentially:
  • The baselines are designed for well-managed, security-conscious organizations in which standard end users don't have administrative rights.
  • A baseline enforces a setting only if it mitigates a contemporary security threat and doesn't cause operational issues that are worse than the risks they mitigate.
  • A baseline enforces a default only if it's otherwise likely to be set to an insecure state by an authorized user:
    • If a non-administrator can set an insecure state, enforce the default.
    • If setting an insecure state requires administrative rights, enforce the default only if it's likely that a misinformed administrator will otherwise choose poorly.
You can download the security baselines from the Microsoft Download Center.

Microsoft Baselines:
  • Documentation (PDFs and Excel)
  • GPOs (xml)
  • Scripts (PowerShell)
  • Templates


Andy Ful

@Andy Ful have you tested SRP in Group Policy with the latest W11 build?
Yes. SRP (GPO or H_C) did not work on the clean installation of Windows 11 with the 2020 update (I used Virtual Box).
SRP with H_C settings works after the upgrade from Windows 10 Home to Windows 11 (real machine upgraded two days ago). The upgraded machine has come with SAC disabled.
 