Latest Changes
Nov 11, 2018
  • Operating System: Windows 7 SP1
  • Windows Edition: Enterprise
  • System type: 32-bit operating system; x64-based processor
  • Security Updates: Automatic Updates (recommended)
  • User Access Control: Always Notify
  • Network Security (Firewall): Windows Defender Firewall
  • Device Security: Not available (Previous versions of Windows)
  • User Account: Administrator
  • Sign-in Accounts:
  • Malware Testing: I do not participate in downloading malware samples
  • Real-time Web & Malware Protection:
    Windows Firewall also blocking outbound by default (rules locked by GPO)
    AppLocker with granular whitelist rules (only signed trusted vendors)
    F-Secure provided by my ISP (comes with broadband/internet subscription)
    RTP - Custom security settings
  • Major changes for Increased security:
  • Virus and Malware Removal Tools: Only Process Explorer and Autoruns, because AppLocker only allows whitelisted vendors per folder (e.g. only allow Microsoft-signed in Windows and only allow Google-signed in Chrome, etc.).
  • Browsers and Extensions: Firefox with Avira Browser Safety and Chrome with Bitdefender TrafficLight
  • Privacy-focused Apps and Extensions: Firefox with Avira Browser Safety contains AdGuard and Privacy Possum
  • Password Managers: Memory
  • Web Search: Startpage
  • System Utilities: CleanMgr (dumped CCleaner)
  • Data Backup: Weekly NAS; during the day, SyncBack Free (quick) backup to an additional hard disk to which only Business Documents and Mail are backed up, running as a different (basic) user called Backup_User. Only Backup_User has CWX rights on the quick backup disk (SyncBack Free starts as another basic user).
  • Frequency of Data backups: Monthly
  • System Backup: Windows built-in
  • Frequency of System backups: Rarely

    Windows_Security

    Inspired by Joanna Rutkowska's post.

    Could not find her blog anymore, but soon after Vista was introduced she posted a blog on how she used new mechanisms; it involved running applications under a different user (as Basic User) and Access Control List restrictions on folders. I added UAC (block elevation of unsigned processes), replaced SRP with AppLocker and made it more granular, and added Windows 7 Parental Control and MemProtect to the mix. Thanks to @ichito here is Joanna's blog: The Invisible Things Lab's blog: Running Vista Every Day! Scroll down to "User Interface Privilege Isolation and some little Fun".

    Added Basic (limited) User for:
    - Secure_Surfer: Browsing with Firefox (completely sandboxed with Run as other user & AppLocker)
    - Backup_User: Backup with SyncBack Free (is the only user allowed to touch Quick Backup Folders)

    Hardening through Group Policy & registry tweaks:
    - Windows Firewall rules locked in GPO
    - Macros, plugins etc. disabled in Office, and Office programs only allowed to open/save to Downloads and My Documents (data partition)
    - Disabled 16-bit, gadgets, IE and other stuff I don't need like remote access/assistance/desktop/sharing et cetera
    - Disabled Windows Script (other script/shells locked down with AppLocker)
    - UAC tweak: only allow signed programs to elevate

    Hardening with Access Control Lists (ACL)
    - Only allow admins to add folders/files in root directories of SSDs/HDDs
    - Added a "Deny traverse folder/execute" to UAC-holes in %WINDOWS% (also blocked by AppLocker)
    - Added a "Deny traverse folder/execute & append/write data" to (all users) Startup Folders
    - Added a "Deny traverse folder/execute" in all user folders (and other partition subfolders)
    - Added a "Deny traverse folder/execute" to all internet facing folders in AppData subfolders
    - Only allow "Backup_User" to CWX (create write delete) my quick backup folders (ransomware protection)

    ISP version of F-Secure
    - Exclude folders %WINDOWS% and %PROGRAMFILES% from virus scan and DeepGuard
    - Added all user folders to ransomware protection

    AppLocker rules
    - Allow Everyone in Windows & Program Files, except UAC holes and unused Microsoft programs
    - Allow Admins to update Microsoft, Mozilla, Google and F-Secure signed from user folders
    - Deny Everyone to execute in Windows folder except Microsoft signed
    - Deny Everyone to execute in Chrome folder except Google signed
    - et cetera
    - Sandbox limited/standard users (Backup_User only allowed SyncBack, Secure_Surfer only Firefox)
    = Joanna's user privilege isolation idea

    Windows_Security

    Pity Joanna Rutkowska does not visit this forum. Would have loved to hear her comment on her three-level containment & isolation setup (process execution, folder access and user) being ranked as basic. By adding MemProtect it even got a fourth isolation & containment dimension (memory access).

    Ahh well: less is more :)
     

    Windows_Security

    Good man you found it, and it was on Vista. Good find :emoji_ok_hand::emoji_fingers_crossed:

    The title (irrelevance) was only to gain attention and stir up the discussion (see this post in the same thread). I still dislike the 0.3 sec delay AppLocker has on my G3240 Pentium compared to SRP, but SSD made it bearable. The other reason is that AppLocker is in the kernel and offers greater flexibility with running as other (basic) user with AppLocker rules on the user.
     

    HarborFront


    LDogg

    Have you also thought about using other extensions within FireFox as well? Such as ScriptSafe, Privacy Possum et al?

    Also do you run any VPN applications?

    ~LDogg
     

    shmu26

    I must say this is the most interesting security config I ever saw. If I understood it correctly, the only security software running is memprotect demo version. And on Windows 7 32 bit. Never saw anything like it...
     

    Deleted member 178

    I must say this is the most interesting security config I ever saw. If I understood it correctly, the only security software running is memprotect demo version. And on Windows 7 32 bit. Never saw anything like it...
    If you own any Windows with GP and AppLocker, you won't need much more. MemProtect is used because AppLocker is a basic SRP and doesn't protect memory.
     

    ichito

    Good man you found it, and it was on Vista. Good find :emoji_ok_hand::emoji_fingers_crossed:

    The title (irrelevance) was only to gain attention and stir up the discussion (see this post in the same thread). I still dislike the 0.3 sec delay AppLocker has on my G3240 Pentium compared to SRP, but SSD made it bearable. The other reason is that AppLocker is in the kernel and offers greater flexibility with running as other (basic) user with AppLocker rules on the user.
    My pleasure :)
     

    Windows_Security

    @Umbra would not compare this setup with a basic SRP :)

    e.g. for Firefox
    Allow Everyone to run executables in Program Files folders
    Deny Everyone to run executables in Mozilla Firefox except executables signed by Mozilla Corp

    Run Firefox as Secure_Surfer (which is a standard/limited user)
    Set AppLocker Deny Secure_Surfer to run executables in PATH = Users\Secure_Surfer\* (and other data partitions)
    Set an Access Control List DENY traverse folder/execute file for Secure_Surfer on FOLDER Users\Secure_Surfer\*
    Set parental control on Secure_Surfer to only run Firefox/Outlook/WMP (and FileZilla)
    Set AppLocker Deny Secure_Surfer to run executables in PATH = Windows\System32

    For the final touch set MemProtect isolation for Firefox to access only memory from its own processes
    priority ALLOW (!*\Mozilla Firefox\*>*\Mozilla Firefox\*)
    normal BLOCK (*\Mozilla Firefox\*>*)
    plus BLOCK on Mozilla AppData folders for anyone (*\Mozilla\*>*)

    Firefox (finally, two years after Chrome, three years after IE) has LOW Integrity Level renderer processes (low IL processes can't change Medium IL), so that is an additional bridge to cross for memory-based malware (plus they don't have access to all built-in command/script shells because Secure_Surfer can't execute anything in Windows\System32).

    This defence can't be broken with malware from regular exploit kits, too many road blocks from different angles (User, Process execution, Folder, Memory access and Integrity Level). Since I don't have any digital stuff which is interesting enough for a targeted hacker to obtain, I dare say I am 100% protected.

    Only infection in 10 years was a present from Avast (CCleaner), which I installed myself (which shows there is no defense against user stupidity :cautious: )


    Regards Kees
     
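The AppLocker part of the Secure_Surfer setup above (and the rule list in the first post), as an added PowerShell example that is not the poster's own script: it builds the rules as an AppLocker policy XML in audit mode and dry-runs them with Test-AppLockerPolicy before anything is enforced. The Secure_Surfer account, the Mozilla publisher string and the output path are assumptions.

```powershell
# Added example (not from the thread): per-folder AppLocker rules for Secure_Surfer.
# Assumptions: local account Secure_Surfer exists; the Mozilla publisher string is a
# placeholder to confirm with Get-AppLockerFileInformation on firefox.exe.
$everyone  = 'S-1-1-0'                                   # well-known SID for Everyone
$nt        = New-Object System.Security.Principal.NTAccount 'Secure_Surfer'
$surferSid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
$mozilla   = 'O=MOZILLA CORPORATION, L=SAN FRANCISCO, S=CALIFORNIA, C=US'   # placeholder

# AuditOnly on purpose: decisions are logged, nothing is blocked yet.
$policy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Program Files" Description="" UserOrGroupSid="$everyone" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Windows" Description="" UserOrGroupSid="$everyone" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <!-- Inside the Firefox folder only Mozilla-signed binaries escape the deny -->
    <FilePathRule Id="$([guid]::NewGuid())" Name="Firefox folder: Mozilla-signed only" Description="" UserOrGroupSid="$everyone" Action="Deny">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\Mozilla Firefox\*" /></Conditions>
      <Exceptions>
        <FilePublisherCondition PublisherName="$mozilla" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Exceptions>
    </FilePathRule>
    <!-- Secure_Surfer may not run anything from its own profile or from System32 -->
    <FilePathRule Id="$([guid]::NewGuid())" Name="Secure_Surfer: no exec in profile" Description="" UserOrGroupSid="$surferSid" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\Secure_Surfer\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Secure_Surfer: no exec in System32" Description="" UserOrGroupSid="$surferSid" Action="Deny">
      <Conditions><FilePathCondition Path="%SYSTEM32%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$xmlPath = Join-Path $env:TEMP 'secure_surfer_applocker.xml'   # placeholder path
Set-Content -Path $xmlPath -Value $policy -Encoding UTF8

# Dry run against real binaries (files must exist so AppLocker can read their signatures).
# Deny rules win over Allow rules, so cmd.exe should come back Denied for Secure_Surfer
# while firefox.exe falls through the exception to the Program Files allow.
$probe = @("$env:ProgramFiles\Mozilla Firefox\firefox.exe", "$env:SystemRoot\System32\cmd.exe")
Test-AppLockerPolicy -XmlPolicy $xmlPath -Path $probe -User 'Secure_Surfer' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Enforce only after the audit looks right:   Set-AppLockerPolicy -XmlPolicy $xmlPath -Merge
# The thread pairs this with an NTFS deny of execute/traverse on the same tree; (IO) keeps
# the ACE off the profile folder itself:   icacls "C:\Users\Secure_Surfer" /deny "Secure_Surfer:(OI)(CI)(IO)(X)"
```

Run it from an elevated PowerShell on the machine where the policy will apply; the script only writes the XML and reports decisions, the two commented commands are the enforcing steps.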