herman

New Member
Thank you @Windows_Security for posting this tutorial.
I was searching the web for information on SRP, stumbled upon your post, read it and read it again until I grasped the idea.
Seems pretty clever to me, dank je wel (thank you) ;-)

I followed your initial posts today to harden my W10 X64 Pro device.
It works like a charm.

One problem though....: OneDrive stops syncing.

In the event log I see an error 865, with the descriptive text:
Access to C:\Users\Herman\AppData\Local\Microsoft\OneDrive\OneDrive.exe has been restricted by your Administrator by the default software restriction policy level.

Apparently the executable file is stored in user space. I guess this is not how it should be, but it is how it is on my system.
Do you perhaps have a suggestion how to restore OneDrive to an operational state without creating a weak spot in the hardening?
 
Reactions: Andy Ful

Andy Ful

Level 48
Verified
Trusted
Content Creator
OneDrive is located in the User Space, so whitelisting is necessary.
Here are the whitelist rules for OneDrive in Windows 10 (incorporated in Hard_Configurator):
%LocalAppdata%\Microsoft\OneDrive\onedrive.exe
%LocalAppdata%\Microsoft\OneDrive\onedrivestandaloneupdater.exe
%LocalAppdata%\microsoft\onedrive\*\onedrivestandaloneupdater.exe
%LocalAppdata%\Microsoft\OneDrive\OneDrivePersonal.cmd
%LocalAppdata%\Microsoft\OneDrive\Update\OneDriveSetup.exe
%LocalAppdata%\Microsoft\OneDrive\*\*.dll
%LocalAppdata%\Microsoft\OneDrive\*\*\*.dll
If you want OneDrive only on the concrete account, the %LocalAppdata% has to be replaced by the explicit path, for example: C:\Users\My_Account\AppData\Local

Every whitelist rule in the User Space creates a weak spot in the hardening. Please read posts #77 and #78 about whitelisting LNK files and the compromise between security and usability.
 
Reactions: herman
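The rules above are applied by hand in the Local Security Policy editor; the following added example (my own script, not part of Hard_Configurator or of the post) writes the same seven OneDrive rules into the SRP registry store at the Unrestricted level and then lists the recent SRP block events, so the 865 error from the question can be confirmed gone. It assumes SRP is already enabled with the Disallowed default the thread describes, an elevated shell (the policy lives under HKLM), PowerShell 5.1 or later, and the hypothetical account path `C:\Users\My_Account\AppData\Local` only as an illustration of the per-account variant.

```powershell
# Added example, not Hard_Configurator's or the poster's own code.
# SRP stores path rules as GUID-named subkeys below
#   HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\<level>\Paths
# where <level> is 0 (Disallowed), 131072 (Basic User) or 262144 (Unrestricted).
$CodeIdentifiers   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$UnrestrictedLevel = '262144'

# The rules from the post above, verbatim.
$OneDriveRules = @(
    '%LocalAppdata%\Microsoft\OneDrive\onedrive.exe'
    '%LocalAppdata%\Microsoft\OneDrive\onedrivestandaloneupdater.exe'
    '%LocalAppdata%\microsoft\onedrive\*\onedrivestandaloneupdater.exe'
    '%LocalAppdata%\Microsoft\OneDrive\OneDrivePersonal.cmd'
    '%LocalAppdata%\Microsoft\OneDrive\Update\OneDriveSetup.exe'
    '%LocalAppdata%\Microsoft\OneDrive\*\*.dll'
    '%LocalAppdata%\Microsoft\OneDrive\*\*\*.dll'
)

function Add-SrpPathRule {
    # Creates one path rule under the given level and returns its GUID, or the
    # GUID of an existing rule for the same path (SRP matching is case-insensitive).
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Level = $UnrestrictedLevel,
        [string]$Description = 'OneDrive whitelist rule (added example)'
    )
    $rulesKey = "$CodeIdentifiers\$Level\Paths"
    if (-not (Test-Path $rulesKey)) { New-Item -Path $rulesKey -Force | Out-Null }

    foreach ($existing in Get-ChildItem -Path $rulesKey) {
        # Read the raw REG_EXPAND_SZ so '%LocalAppdata%' is compared unexpanded.
        $item = $existing.GetValue('ItemData', $null, 'DoNotExpandEnvironmentNames')
        if ($item -ieq $Path) { return $existing.PSChildName }
    }

    $guid = '{' + [guid]::NewGuid().ToString().ToUpper() + '}'
    $key  = New-Item -Path "$rulesKey\$guid"
    New-ItemProperty -Path $key.PSPath -Name ItemData     -PropertyType ExpandString -Value $Path        | Out-Null
    New-ItemProperty -Path $key.PSPath -Name Description  -PropertyType String       -Value $Description | Out-Null
    New-ItemProperty -Path $key.PSPath -Name SaferFlags   -PropertyType DWord        -Value 0            | Out-Null
    # LastModified is a FILETIME, the same format the Local Security Policy editor writes.
    New-ItemProperty -Path $key.PSPath -Name LastModified -PropertyType QWord `
        -Value ([datetime]::UtcNow.ToFileTimeUtc()) | Out-Null
    return $guid
}

function Add-OneDriveWhitelist {
    # -LocalAppData scopes the rules to one account, as the post suggests, e.g.
    #   Add-OneDriveWhitelist -LocalAppData 'C:\Users\My_Account\AppData\Local'
    # ('My_Account' is a placeholder). The default keeps the per-user variable.
    param([string]$LocalAppData = '%LocalAppdata%')
    foreach ($rule in $OneDriveRules) {
        $path = $rule.Replace('%LocalAppdata%', $LocalAppData)
        [pscustomobject]@{ Rule = $path; Guid = (Add-SrpPathRule -Path $path) }
    }
}

function Get-SrpBlockEvents {
    # 865 = blocked by the default level (the error in the question),
    # 866 = blocked by an explicit path rule. Both land in the Application log.
    param([int]$Newest = 20)
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 865, 866 } `
        -MaxEvents $Newest -ErrorAction SilentlyContinue |
        Where-Object ProviderName -like '*SoftwareRestrictionPolicies*' |
        Select-Object TimeCreated, Id, Message
}

Add-OneDriveWhitelist
Get-SrpBlockEvents
```

SRP evaluates the rules when a process starts, so the whitelist applies to OneDrive the next time it is launched (sign out and back in if Explorer still reports 865). Note what the two wildcard rules do: any DLL that lands anywhere under `%LocalAppdata%\Microsoft\OneDrive\` is now allowed to load, and that folder is writable by the user, which is exactly the weak spot the post warns about; if the event list keeps showing 866 entries for other programs, those are separate path rules, not this whitelist.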

509322

If you want OneDrive only on the concrete account, the %LocalAppdata% has to be replaced by the explicit path, for example: C:\Users\My_Account\AppData\Local
You meant if the user wants to whitelist only in a particular user account, then they must use the explicit file path.

This will whitelist it for that specific user account - "My_Account" above in the file path shown - and not any other user accounts.

For example, whitelist it for the limited Admin, but not any Standard Users.
 

herman

New Member
OneDrive is located in the User Space, so whitelisting is necessary.
Here are the whitelist rules for OneDrive in Windows 10 (incorporated in Hard_Configurator):
[....]
Please read posts #77 and #78 about whitelisting LNK files and the compromise between security and usability.
Thank you for responding!
I have read this entire topic, I realize there are trade-offs to be made.
Why isn't life straight forward ....... <sigh> ...... ;)
 
This is an easy mitigation technique that a lot of people should use.

I have a lab domain controller set up for when I need to play with things (mostly GPO etc. while I was in school), but I built a policy for my PC and this is one of the features I enabled.

10/10 would suggest.
 
Reactions: Andy Ful

Windows_Security

Level 23
Verified
Trusted
Content Creator
I really have no idea. Everyone doing a manual install just has to right-click and choose "Run as Administrator" to install. All updates from UAC-protected folders have to run elevated (otherwise they are not allowed to write to the Windows and Program Files folders), so they are automatically allowed by this Basic User default SRP.
 
Reactions: Andy Ful

Handsome Recluse

Level 21
Verified
I really have no idea. Everyone doing a manual install just has to right-click and choose "Run as Administrator" to install. All updates from UAC-protected folders have to run elevated (otherwise they are not allowed to write to the Windows and Program Files folders), so they are automatically allowed by this Basic User default SRP.
Max UAC is already considered annoying. Right-clicking would also be unintuitive, since basically all OSes use left-click in some form to open both files and executables.
Additionally, don't you also block with ACL?
 
Reactions: Andy Ful

Andy Ful

Level 48
Verified
Trusted
Content Creator
...
Right-clicking would also be unintuitive since basically all OS use left-click in some form to open both files and executables.
...
Yes, people's habits may be the obstacle, here. :)
One has to learn: (1) checking/installing new files by right-clicking, (2) using already installed files by left-clicking, and (3) distinguishing EXE and MSI installers from documents, photos, media files, etc.
 

Handsome Recluse

Level 21
Verified
Yes, people's habits may be the obstacle, here. :)
One has to learn: (1) checking/installing new files by right-clicking, (2) using already installed files by left-clicking, and (3) distinguishing EXE and MSI installers from documents, photos, media files, etc.
We can't assume it's habits yet. All we know is they don't do that and they probably refuse to change.
 
Reactions: Andy Ful

Andy Ful

Level 48
Verified
Trusted
Content Creator
The good news is that, there's no obligation to use SRP. Anyone can learn and choose what is best for him (her). :)
 

Windows_Security

Level 23
Verified
Trusted
Content Creator
Max UAC is already considered annoying. Right-clicking would also be unintuitive, since basically all OSes use left-click in some form to open both files and executables.
Additionally, don't you also block with ACL?
Yes, I have set a deny "traverse folder/execute file" for Everyone on the User folders, except my Temp folder (and the D:\ root on my Desktop, otherwise Windows image backup does not run and .NET installations fail). All software I use (except .NET, which installs from the largest partition) updates and installs from the Temp folder.

For my wife I have set UAC to elevate silently, blocking unsigned elevations. She has been running this setup since 2010 without issues.
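The ACL layer described in the post above, as an added example (my own script, not the poster's): a Deny ACE for Everyone on "Traverse folder / execute file" over a folder tree, an explicit Allow on exception folders such as the Temp folder the post keeps open, and a self-contained check that copies cmd.exe into a scratch tree and confirms which copy can still be launched. It assumes an NTFS volume, PowerShell 5.1 or later, and that it runs as the owner of the folders (or elevated); the scratch folder names are placeholders, not the poster's paths.

```powershell
# Added example, not the poster's own script.
function New-ExecuteRule {
    # FILE_EXECUTE is what the ACL editor shows as "Traverse folder / execute file".
    # Everyone is S-1-1-0; the rule inherits to subfolders and files.
    param([Parameter(Mandatory)][System.Security.AccessControl.AccessControlType]$Type)
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0'),
        [System.Security.AccessControl.FileSystemRights]::ExecuteFile,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        $Type)
}

function Set-ExecuteDeny {
    # Denies execute below $Folder. Each folder in $Except gets an explicit Allow,
    # which wins because explicit ACEs are evaluated before inherited ones, and
    # ACEs inherited from the parent before those inherited from the grandparent.
    # -Undo removes both rules again.
    param(
        [Parameter(Mandatory)][string]$Folder,
        [string[]]$Except = @(),
        [switch]$Undo
    )
    $deny  = New-ExecuteRule -Type Deny
    $allow = New-ExecuteRule -Type Allow
    $acl = Get-Acl -LiteralPath $Folder
    if ($Undo) { [void]$acl.RemoveAccessRule($deny) } else { $acl.AddAccessRule($deny) }
    Set-Acl -LiteralPath $Folder -AclObject $acl
    foreach ($dir in $Except) {
        $acl = Get-Acl -LiteralPath $dir
        if ($Undo) { [void]$acl.RemoveAccessRule($allow) } else { $acl.AddAccessRule($allow) }
        Set-Acl -LiteralPath $dir -AclObject $acl
    }
}

function Test-ExecuteDeny {
    # Builds a scratch tree under %TEMP% (constructed for this demo), copies cmd.exe
    # into its root and into a 'Temp' exception folder, applies the deny, and reports
    # whether each copy can be launched. Restores the ACLs and deletes the tree after.
    # On a machine where SRP already disallows %TEMP%, SRP blocks both copies before
    # the ACL is ever consulted, so run this where %TEMP% is not SRP-blocked.
    $root = Join-Path $env:TEMP ('exec-deny-demo-' + [guid]::NewGuid().ToString('N'))
    $temp = Join-Path $root 'Temp'
    New-Item -ItemType Directory -Path $temp -Force | Out-Null
    Copy-Item -LiteralPath $env:ComSpec -Destination $root
    Copy-Item -LiteralPath $env:ComSpec -Destination $temp
    Set-ExecuteDeny -Folder $root -Except $temp

    $report = [ordered]@{}
    foreach ($dir in $root, $temp) {
        $exe = Join-Path $dir 'cmd.exe'
        try {
            Start-Process -FilePath $exe -ArgumentList '/c exit 0' -Wait -NoNewWindow -ErrorAction Stop
            $report[$dir] = 'ran'
        } catch {
            # CreateProcess fails with access denied when FILE_EXECUTE is denied.
            $report[$dir] = 'blocked: ' + $_.Exception.Message
        }
    }

    Set-ExecuteDeny -Folder $root -Except $temp -Undo
    Remove-Item -LiteralPath $root -Recurse -Force
    return $report
}

Test-ExecuteDeny
```

Two caveats a practitioner should keep in mind. First, the "traverse folder" half of the right is ineffective for almost everyone: all users hold "Bypass traverse checking" (SeChangeNotifyPrivilege) by default, so the deny only bites on executing files, which is the part that matters here. Second, Everyone includes SYSTEM and the administrator, which is why the post has to carve out exceptions for image backup and .NET setup; and because the profile owner can edit the DACL of their own folders, this layer, like an SRP path rule, only protects against code that runs without taking the trouble to remove it.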