Most recent changes: Nov 11, 2018
Operating System: Windows 7 SP1
Windows Edition: Enterprise
System type: 32-bit OS
Security Updates: Automatic Updates - All security and feature updates
User Access Control: Always Notify - For app installs, modify system & user settings
Device Firewall: Windows Firewall - Network security provided by Microsoft
Device Security: Not applicable (Windows 7, Vista)
User Account: Administrator - User has complete control over the device
Recent Security Incidents: No malware or privacy issues
Malware Testing: None - No malware on host PC or VM
Real-time Web & Malware Protection:
  Windows Firewall also blocking outbound by default (rules locked by GPO)
  AppLocker with granular whitelist rules (only signed trusted vendors)
  F-Secure provided by my ISP (comes with the broadband/internet subscription)
Security Protection settings: Custom - Major changes for increased security
Virus and Malware Removal Tools: Only Process Explorer and Autoruns, because AppLocker only allows whitelisted vendors per folder (e.g. only allow Microsoft-signed in Windows and only allow Google-signed in Chrome, etc.).
Browsers and Extensions: Firefox with Avira Browser Safety and Chrome with Bitdefender TrafficLight
Web Privacy: Firefox with Avira Browser Safety contains AdGuard and Privacy Possum
Password Management: Memory
Default Web Search: Startpage
System Utilities collection: CleanMgr (dumped CCleaner)
Data Backup: Weekly to NAS; during the day a SyncBack Free (quick) backup to an additional hard disk, to which only Business Documents and Mail are backed up, running as a different (basic) user called Backup_User. Only Backup_User has CWX rights on the quick backup disk (SyncBack Free starts as another, basic, user).
Frequency of Data backups: Monthly
System Backup: Windows built-in
Frequency of System backups: Rarely

Windows_Security (Level 19, Content Creator, Verified; joined Mar 13, 2016; 930 messages; Windows 7)
#1
Inspired by Joanna Rutkowska's post.

Could not find her blog anymore, but soon after Vista was introduced she posted a blog on how she used the new mechanisms; it involved running applications under a different user (as Basic User) and Access Control List restrictions on folders. I added UAC (block elevation of unsigned processes), replaced SRP with AppLocker and made it more granular, and added Windows 7 Parental Control and MemProtect to the mix. Thanks to @ichito, here is Joanna's blog: The Invisible Things Lab's blog: Running Vista Every Day! Scroll down to "User Interface Privilege Isolation and some little Fun".

Added Basic (limited) User for:
- Secure_Surfer: Browsing with Firefox (completely sandboxed with Run as other user & AppLocker)
- Backup_User: Backup with SyncBack Free (is the only user allowed to touch the Quick Backup folders)

Hardening through Group Policy & registry tweaks:
- Windows Firewall rules locked in GPO
- Macros, plugins etc. disabled in Office, and Office programs only allowed to open/save to Downloads and My Documents (data partition)
- Disabled 16-bit, gadgets, IE and other stuff I don't need like remote access/assistance/desktop/sharing etcetera
- Disabled Windows Script (other script/shells locked down with AppLocker)
- UAC-tweak: only allow signed programs to elevate

Hardening with Access Control Lists (ACL)
- Only allow admins to add folders/files in root directories of SSD/HDD's
- Added a "Deny traverse folder/execute" to UAC-holes in %WINDOWS% (also blocked by AppLocker)
- Added a "Deny traverse folder/execute & append/write data" to (all users) Startup Folders
- Added a "Deny traverse folder/execute" in all user folders (and other partition subfolders)
- Added a "Deny traverse folder/execute" to all internet facing folders in AppData subfolders
- Only allow "Backup_User" to CWX (create write delete) my quick backup folders (ransomware protection)

ISP version of F-Secure
- Exclude folders %WINDOWS% and %PROGRAMFILES% from virus scan and DeepGuard
- Added all user folders to ransomware protection

AppLocker rules
- Allow Everyone in Windows & Program Files, except UAC holes and unused Microsoft programs
- Allow Admins to update Microsoft, Mozilla, Google and F-Secure signed from user folders
- Deny Everyone to execute in Windows folder except Microsoft signed
- Deny Everyone to execute in Chrome folder except Google signed
- et cetera
- Sandbox limited/standard users (Backup_User only allow only SyncBack, Secure_Surfer only Firefox)
= Joanna's user privilege isolation idea

Windows_Security (Level 19, Content Creator, Verified; joined Mar 13, 2016; 930 messages; Windows 7)
#2
Pity Joanna Rutkowska does not visit this forum. Would have loved to hear her comment on her three-level containment & isolation setup (process execution, folder access and user) being ranked as basic. By adding MemProtect it even got a fourth isolation & containment dimension (memory access).

Ahh well: less is more :)

Windows_Security (Level 19, Content Creator, Verified; joined Mar 13, 2016; 930 messages; Windows 7)
#5
Good man, you found it, and it was on Vista. Good find!

The title (irrelevance) was only to gain attention and stir up the discussion (see this post in the same thread). I still dislike the 0.3 sec delay AppLocker has on my G3240 Pentium compared to SRP, but the SSD made it bearable. The other reason is that AppLocker is in the kernel and offers greater flexibility with running as other (basic) user with AppLocker rules on that user.

HarborFront (Level 43, Content Creator, Verified; joined Oct 9, 2016; 3,222 messages)
#8

shmu26 (Level 71, Content Creator, Verified; joined Jul 3, 2015; 6,025 messages; Windows 10)
#13
> Won't the demo time expire?
> Edit: I misread; for private, non-commercial use the demo doesn't have limits, but it's beta and can be buggy.
It is not beta and is not buggy, but the config file does have a limit on how many rules you are allowed to make. Otherwise, it functions like the paid version. I use the demo; it works great.

LDogg (Level 21, Verified; joined May 4, 2018; 1,070 messages)
#16
Have you also thought about using other extensions within Firefox as well? Such as ScriptSafe, Privacy Possum et al.?

Also do you run any VPN applications?

~LDogg

shmu26 (Level 71, Content Creator, Verified; joined Jul 3, 2015; 6,025 messages; Windows 10)
#17
I must say this is the most interesting security config I ever saw. If I understood it correctly, the only security software running is memprotect demo version. And on Windows 7 32 bit. Never saw anything like it...

Umbra (Level 85, Content Creator, Verified; joined May 16, 2011; 18,741 messages; Windows 10)
#18
> I must say this is the most interesting security config I ever saw. If I understood it correctly, the only security software running is memprotect demo version. And on Windows 7 32 bit. Never saw anything like it...
If you own any Windows edition with GP and AppLocker, you won't need much more. MemProtect is used because AppLocker is a basic SRP and doesn't protect memory.

ichito (Level 4, Verified; joined Dec 12, 2013; 180 messages)
#19
> Good man, you found it, and it was on Vista. Good find!
>
> The title (irrelevance) was only to gain attention and stir up the discussion (see this post in the same thread). I still dislike the 0.3 sec delay AppLocker has on my G3240 Pentium compared to SRP, but the SSD made it bearable. The other reason is that AppLocker is in the kernel and offers greater flexibility with running as other (basic) user with AppLocker rules on that user.
My pleasure :)

Windows_Security (Level 19, Content Creator, Verified; joined Mar 13, 2016; 930 messages; Windows 7)
#20
@Umbra, I would not compare this setup with a basic SRP :)

E.g. for Firefox:
Allow Everyone to run executables in Program Files folders
Deny Everyone to run executables in Mozilla Firefox except executables signed by Mozilla Corp

Run Firefox as Secure_Surfer (which is a standard/limited user)
Set AppLocker Deny Secure_Surfer to run executables in PATH = Users\Secure_Surfer\* (and other data partitions)
Set an Access Control List DENY traverse folder/execute file for Secure_Surfer on FOLDER Users\Secure_Surfer\*
Set parental control on Secure_Surfer to only run Firefox/Outlook/WMP (and FileZilla)
Set AppLocker Deny Secure_Surfer to run executables in PATH = Windows\System32

For the final touch, set MemProtect isolation for Firefox to access only memory from its own processes:
priority ALLOW (!*\Mozilla Firefox\*>*\Mozilla Firefox\*)
normal BLOCK (*\Mozilla Firefox\*>*)
plus BLOCK on Mozilla AppData folders for anyone (*\Mozilla\*>*)

Firefox (finally, two years after Chrome, three years after IE) has Low Integrity Level renderer processes (low IL processes can't change Medium IL), so that is an additional bridge to cross for memory-based malware (plus they don't have access to all built-in command/script shells, because Secure_Surfer can't execute anything in Windows\System32).

This defence can't be broken with malware from regular exploit kits; too many road blocks from different angles (User, Process execution, Folder, Memory access and Integrity Level). Since I don't have any digital stuff which is interesting enough for a targeted hacker to obtain, I dare say I am 100% protected.

Only infection in 10 years was a present from Avast (CCleaner), which I installed myself (which shows there is no defense against user stupidity).


Regards Kees
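An added example (my own, not code from the thread or from any of the tools it names) that turns the Firefox slice of post #1's AppLocker and ACL lists and post #20's step list into an applied local policy: an Allow path rule for Program Files, a Deny path rule on the Firefox folder with a Mozilla-publisher exception, Deny rules for Secure_Surfer on its profile and System32, a dry run with Test-AppLockerPolicy, and the matching icacls deny. It assumes the account name Secure_Surfer, Firefox installed under %PROGRAMFILES%, a running Application Identity service, and an elevated PowerShell session (on Windows 7 the AppLocker module must be imported explicitly).

```powershell
# Assumptions (not from the thread): limited account 'Secure_Surfer', Firefox under
# %PROGRAMFILES%, AppIDSvc running, elevated session. Applies to the LOCAL policy.
Import-Module AppLocker
$fx = Join-Path $env:ProgramFiles 'Mozilla Firefox'
# Read the publisher string from the signed binary instead of typing it by hand,
# so the exception matches exactly what AppLocker sees in the certificate.
$pub = (Get-AppLockerFileInformation -Path (Join-Path $fx 'firefox.exe')).Publisher.PublisherName
# SID of the browsing account; AppLocker rules are bound to SIDs, not names.
$surferSid = (New-Object Security.Principal.NTAccount 'Secure_Surfer').Translate([Security.Principal.SecurityIdentifier]).Value
$policy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <!-- Allow Everyone (S-1-1-0) in Program Files -->
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Program Files" Description=""
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <!-- Deny Everyone in the Firefox folder, except binaries signed by Mozilla -->
    <FilePathRule Id="$([guid]::NewGuid())" Name="Firefox: Mozilla-signed only" Description=""
                  UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\Mozilla Firefox\*" /></Conditions>
      <Exceptions>
        <FilePublisherCondition PublisherName="$pub" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Exceptions>
    </FilePathRule>
    <!-- Secure_Surfer may not execute from its own profile or from System32 -->
    <FilePathRule Id="$([guid]::NewGuid())" Name="Secure_Surfer: no exec in profile" Description=""
                  UserOrGroupSid="$surferSid" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\Secure_Surfer\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Secure_Surfer: no exec in System32" Description=""
                  UserOrGroupSid="$surferSid" Action="Deny">
      <Conditions><FilePathCondition Path="%SYSTEM32%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$xml = Join-Path $env:TEMP 'firefox-applocker.xml'
Set-Content -Path $xml -Value $policy -Encoding UTF8
# Dry run first: firefox.exe should show as allowed, cmd.exe as denied for Secure_Surfer.
Test-AppLockerPolicy -XmlPolicy $xml -User 'Secure_Surfer' -Path @(
    (Join-Path $fx 'firefox.exe'), "$env:SystemRoot\System32\cmd.exe") | Format-Table -AutoSize
# Merge into the local policy, then add the matching NTFS deny (X = execute/traverse),
# which is the ACL layer the thread stacks underneath the AppLocker layer.
Set-AppLockerPolicy -XmlPolicy $xml -Merge
icacls "$env:SystemDrive\Users\Secure_Surfer" /deny 'Secure_Surfer:(OI)(CI)(X)'
```

The Deny-with-exception rule only removes non-Mozilla binaries from the Firefox folder; firefox.exe itself still needs an Allow (here the Program Files rule) to start, and run the dry run before merging so a typo in the publisher string does not lock the browser out.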