Basic Security Windows_Security's Security Config

[Windows_Security]

Inspired on Joanna Rutkowska post.

Could not find the blog of her anymore, but soon after VISTA was introduced she posted a blog on how she used new mechanisms, it involved Running Applications under a different user, (as Basic USer) Access Control List restrictions on folders. I added UAC (block elevation of unsigned processes), replaced SRP with AppLocker and made it more granular and added Windows 7 Parental Control and MemProtect to the mix. Thanks to @ichito here is Joanna's blog: The Invisible Things Lab's blog: Running Vista Every Day! scroll down to "User Interface Privilege Isolation and some little Fun"

Added Basic (limited) User for:
- Secure_Surfer: Browsing with Firefox (completely sandboxed with Run as other user & AppLocker)
- Backup_User: Backup with Syncback Free (is only user allowed to touch Quick Backup Folders)

Hardening through Group Policy & registry tweaks:
- Windows Firewall rules locked in GPO
- Macro's, plugins etc disabled in Office and Office programs only allowed to open/save to Downloads and My Documents (data partition)
- disabled 16 bits, gadgets, IE and other stuff I don't need like remote access/assistance/desktop/sharing etcetera
- Disabled Windows Script (other script/shells locked down with AppLocker)
- UAC-tweak: only allow signed programs to elevate

Hardening with Access Control Lists (ACL)
- Only allow admins to add folders/files in root directories of SSD/HDD's
- Added a "Deny traverse folder/execute" to UAC-holes in %WINDOWS% (also blocked by AppLocker)
- Added a "Deny traverse folder/execute & append/write data" to (all users) Startup Folders
- Added a "Deny traverse folder/execute" in all user folders (and other partition subfolders)
- Added a "Deny traverse folder/execute" to all internet facing folders in AppData subfolders
- Only allow "Backup_User" to CWX (create write delete) my quick backup folders (ransomware protection)

ISP-version of F-SECURE
- exclude folders %WINDOWS% and %PROGRAMFILES% from virusscan and deepguard
- added all user folders to ransomware protection

AppLocker rules
- Allow Everyone in Windows & Program Files, except UAC holes an unused Microsoft programs
- Allow Admins to update Microsoft, Mozilla, Google and F-Secure signed from user folders
- Deny Everyone to execute in Windows Folder except Microsoft signed
- Deny Everyone to execute in Chrome Folder execept Google signed
- et cetera
- Sandbox limited/standard users (Backup_User only allow only SyncBack, Secure_Surfer only Firefox)
= Joanna's user privilege isolation idea

 

[Windows_Security]

Pitty Joanna Rutkowska does not visit this forum. Would have loved to hear her comment on her three level containment & isolation setup (proces execution, folder access and user) being ranked as basic. .By adding memprotect it even got a fourth isolation & containment dimension (memory access).

Ahh well: less is more

 

[JM Safe]

Good config.

Thanks for sharing.

 

[ichito]

Hi @Windows_Security
It is not this?
The irrelevance of Applocker / relevance of SAFE admin tweaks
The Invisible Things Lab's blog: Running Vista Every Day!

 

[Windows_Security]

Hi @Windows_Security
It is not this?
The irrelevance of Applocker / relevance of SAFE admin tweaks
The Invisible Things Lab's blog: Running Vista Every Day!

Good man you found it, and it was on Vista. Good find :emoji_ok_hand::emoji_fingers_crossed:

The title (iirelevance) was only to gain attention and stirr up the discussion (see this post in same thread). I still dislike the 0.3 sec delay AppLocker has on my G3240 pentium compared to SRP, but SSD made it bareable. Other reason is that AppLocker is in kernel and offeres greater flexibility with running as other (basic user) with AppLocker rules on user.

 

[maka]

An excellent configuration, bulletproof I would say .
Thanks for include the Joanna's blog post, a great info. Coincidentally I read her post a month or so ago. By the way, her new blog is Blog | The Invisible Things

 

[Deleted member 178]

For once, someone is using Applocker when they have it.

 

[HarborFront]

@Windows_Security

Just to check. Do I need MemProtect if I have ESET IS since the latter comes with Advanced Memory Scanner? If I have both will there be compatibility issues?

Technology

Also, does MemProtect protects against browser-based botnets and browser-based rootkits? Is it mentioned in MemProtect's literature?

The Reality of Browser-Based Botnets - TrendLabs Security Intelligence Blog
Browser Rootkits

 

[Deletedmessiah]

Isn't Memprotect paid tool?

 

[HarborFront]

Isn't Memprotect paid tool?

Its website says there's a demo version

MemProtect - Products | Excubits

 

[Deletedmessiah]

Its website says there's a demo version

MemProtect - Products | Excubits

Won't the demo time expire?
Edit: I misread, for private non commercial use demo doesn't have limits but its beta and can be buggy.

 

[HarborFront]

Won't the demo time expire?
Edit: I misread, for private non commercial use demo doesn't have limits but its beta and can be buggy.

Just try it first and if you are happy then buy it

As for me I'll wait for @Windows_Security to reply my questions first

 

[shmu26]

Won't the demo time expire?
Edit: I misread, for private non commercial use demo doesn't have limits but its beta and can be buggy.

It is not beta and is not buggy, but the config file does have a limit how many rules you are allowed to make. Otherwise, it functions like the paid version. I use the demo, it works great.

 

[Deletedmessiah]

It is not beta and is not buggy, but the config file does have a limit how many rules you are allowed to make. Otherwise, it functions like the paid version. I use the demo, it works great.

Is it the same for Pumpernickel?

 

[shmu26]

Is it the same for Pumpernickel?

Correct

 

[LDogg]

Have you also thought about using other extensions within FireFox as well? Such as ScriptSafe, Privacy Possum et al?

Also do you run any VPN applications?

~LDogg

 

[shmu26]

I must say this is the most interesting security config I ever saw. If I understood it correctly, the only security software running is memprotect demo version. And on Windows 7 32 bit. Never saw anything like it...

 

[Deleted member 178]

I must say this is the most interesting security config I ever saw. If I understood it correctly, the only security software running is memprotect demo version. And on Windows 7 32 bit. Never saw anything like it...

if you own any Windows with GP and Applocker, you won't need much more. MemProtect is used because Applocker is a basic SRP and doesn't protect memory.

 

[ichito]

Good man you found it, and it was on Vista. Good find :emoji_ok_hand::emoji_fingers_crossed:

The title (iirelevance) was only to gain attention and stirr up the discussion (see this post in same thread). I still dislike the 0.3 sec delay AppLocker has on my G3240 pentium compared to SRP, but SSD made it bareable. Other reason is that AppLocker is in kernel and offeres greater flexibility with running as other (basic user) with AppLocker rules on user.

My pleasure

 

[Windows_Security]

@ Umbra would not compare this setup with a basic SRP

e. g for Firefox
Allow Everyone to run executables in Program Files Folders
Deny Everyone to run executables in Mozilla Firefox except executables signed by Mozilla Corp

Run Firefox as Secure_Surfer (which is standard/limited user)
Set AppLocker Deny Secure_Surfer to run executables in PATH = Users\Secure_Surfer\* (and other data partitions)
Set an Access Control List DENY traverse folder/extecure file for Secure_Surfer of FOLDER Users\Secure_Surfer\*
Set parental control on Secure_Surfer to only run Firefox/Outlook/WMP (and FileZilla)
Set AppLocker Deny Secure_Surfer to run executables in PATH = WIndows\System32

For final touch set MemProtect isolation for Firefox to access only memory from own processes
priority ALLOW (!*\Mozilla Firefox\*>*\Mozilla Firefox\*
normal BOCK (*\Mozilla Firefox\*>*)
plus BLOCK on Mozilla Appdata folders for anyone (*\Mozilla\*>*)

Firefox (finally, two years after Chrome, three years after IE) has LOW Integrity Level rights renderer processes (low IL processes can''t change Medium IL), so that is an aditional bridge to cross for memory based malware (plus they don't have access to all build command/script shells because Secure_Surfer can't execute anything in Windows\System32).

This defence can't be broken with malware from regular exploitkits, to many road blocks from different angles (User, Process execution, Folder, Memory access and Integrity Level). Since I don't have any digital stuff which is interesting enough for a targetted hacker to obtain, I dare sat I am 100% protected.

Only infection in 10 years was a present from Avast (CCleaner), which I installed myself (which shows there is no defense against user stupidity )


Regards Kees