SECURE: Basic Windows_Security's Security Config

Most recent changes
Jul 1, 2018
Operating System
Windows 7 SP1
Windows Edition
Starter or Ultimate (Windows 7, Vista)
System type
32-bit OS
Security Updates
Automatic Updates - All security and feature updates
User Access Control
Always Notify - For App installs, Modify system & User settings
Device Firewall
Windows Firewall - Network security provided by Microsoft
Device Security
Not applicable (Windows 7, Vista)
User Account
Administrator - User has complete control over the device
Recent Security Incidents
Malware Testing
None - No Malware on host PC or VM
Real-time Web & Malware Protection
MemProtect Free
Security Protection settings
Custom - Major changes for Better Performance
Virus and Malware Removal Tools
Process Explorer and Autoruns
Browsers and Extensions
Firefox with Temporary Containers, AdGuard and Comodo Online Security
Web Privacy
Temporary Containers, AdGuard and Comodo Online Security
Password Management
Memory
Default Web Search
Startpage
System Utilities collection
CleanMgr (dumped CCleaner)
Data Backup
Weekly NAS, during the day using SyncBack Free (quick) backup to a third hard disk to which only Business Documents and Mail are backed up, running as a different (basic) user called Backup_User. Only Backup_User has CWX rights on the quick backup disk
Frequency of Data backups
Weekly
System Backup
Windows build in
Frequency of System backups
Rarely

Windows_Security
#1
Inspired by Joanna Rutkowska's post.

Could not find her blog anymore, but soon after Windows 7 VISTA was introduced she posted a blog on how she used the new mechanisms; it involved running applications under a different user (as Basic User) and Access Control List restrictions on folders. I added UAC (block elevation of unsigned processes), replaced SRP with AppLocker and made it more granular, and added Windows 7 Parental Control and MemProtect to the mix. Thanks to @ichito here is Joanna's blog: The Invisible Things Lab's blog: Running Vista Every Day! Scroll down to "User Interface Privilege Isolation and some little Fun".


Group Policy hardening: a lot, to mention a few:
- Macros, plugins etc. disabled in Office, and Office programs only allowed to open/save to Downloads and My Documents (data partition)
- disabled 16-bit, gadgets, IE and other stuff I don't need like remote access/assistance/desktop/sharing etcetera
- Windows Firewall rules locked in GPO

AppLocker setup (only for executables, to show you the 'containment/isolation' ideas of Joanna)
1. Everyone is allowed to run from the Windows (with UAC write folders blocked) and Program Files folders
2. Administrator is allowed only to install signed Microsoft executables system wide
3. Power Users are allowed to install from User\Kees\Data\Temp (user Kees is added to the Power Users group),
all users are denied to install from this Temp folder except some trusted signatures (e.g. Microsoft and Mozilla)
4. Within Program Files folders additional DENY rules are added to allow execution of specific signers only (to narrow down execution in these Program Files subfolders to programs signed by that vendor only), e.g.
Deny all for path *\Microsoft Office\* except executables signed by Microsoft
Deny all for path *\Mozilla Firefox\* except executables signed by Mozilla
etc.
5. Deny execute for Secure_Surfer on all user folders
Secure_Surfer is the user under which I run Firefox, Outlook, Windows Media Player and FileZilla with the "Run as" command
(make a shortcut with C:\Windows\System32\runas.exe /user:Secure_Surfer /savecred "C:\Program Files\Mozilla Firefox\firefox.exe"). This effectively puts them in a Basic User container, isolating access to user Kees's folders.

Secure_Surfer also has a DENY traverse folder/execute file on the user folders and only has Create/Write/Delete access to its own user folders (plus Kees\Downloads).
Secure_Surfer is under parental control and is only allowed to execute the Office programs, Firefox, Windows Media Player and FileZilla. Secure_Surfer has an additional AppLocker rule denying it to run any executable in the Windows folder (add this last, when everything works fine :), because you won't be able to log on anymore via switch user; remove the AppLocker rule and you are able to log on again as Secure_Surfer). So Secure_Surfer is not allowed to execute much.

6. Deny execute in the Documents folders of Kees (who is also a Power User) and of the user named Backup_User.

In all user folders containing valuable data, SYSTEM has no CWX rights (nor is it allowed to take ownership or change permissions). This tip I implemented thanks to this forum (forgot which member told me). Ransomware always tries to grab the highest rights possible; this easy trick uses their greed for power to block them from encrypting my data.
SyncBackFree is the only program allowed for Backup_User (parental control), and Backup_User is the only user with full access to the quick backup hard disk.

7. Deny execute for Users on the PowerShell folder, mshta.exe, cscript and wscript

Using a REG file to switch CMD and script execution on/off

8. Deny for everyone in the Public user folder and in the document, mail and media folders of user Kees and on the 2nd/3rd hard disk

These AppLocker DENY execute rules are backed up with similar ACL DENY traverse folder/execute file entries for Everyone in those folders


Installed MemProtect Free using Joanna's containment/isolation idea

[LETHAL]
[#LOGGING]
[#INSTALLMODE]
[DEFAULTALLOW]
[#MODULEFILTER]

[WHITELIST]
# allow risky programs access to own installation folder
!*\Microsoft Office\*>*\Microsoft Office\*
!*\Mozilla Firefox\*>*\Mozilla Firefox\*
!*\Windows Media Player\*>*\Windows Media Player\*
!*\FileZilla\*>*\FileZilla\*

[BLACKLIST]
# Isolate risky programs
*\Microsoft Office\*>*
*\Mozilla Firefox\*>*
*\Windows Media Player\*>*
*\FileZilla\*>*

# Isolate user folders of restricted users
*\C:\Users\Secure_Surfer\*>*
*\C:\Users\Backup_User\*>*
*\C:\Users\Public\*>*

# Isolate Internet facing folders
*\Temporary Internet Files\*>*
*\Windows\Temporary\*>*
*\Windows\Caches\*>*
*\Downloads\*>*
*\Mozilla\*>*

[MODULEWHITELIST]
[MODULEBLACKLIST]

[EOF]
 

Windows_Security
#2
Pity Joanna Rutkowska does not visit this forum. Would have loved to hear her comment on her three-level containment & isolation setup (process execution, folder access and user) being ranked as basic. By adding MemProtect it even got a fourth isolation & containment dimension (memory access).

Ahh well: less is more :)
 

Windows_Security
#5
Good man, you found it, and it was on Vista. Good find :emoji_ok_hand::emoji_fingers_crossed:

The title (irrelevance) was only to gain attention and stir up the discussion (see this post in the same thread). I still dislike the 0.3 sec delay AppLocker has on my G3240 Pentium compared to SRP, but the SSD made it bearable. The other reason is that AppLocker is in kernel and offers greater flexibility with running as another (basic) user with AppLocker rules on that user.
 


shmu26
#13
Won't the demo time expire?
Edit: I misread, for private non-commercial use the demo doesn't have limits, but it's beta and can be buggy.
It is not beta and is not buggy, but the config file does have a limit on how many rules you are allowed to make. Otherwise, it functions like the paid version. I use the demo, it works great.
 

LDogg
#16
Have you also thought about using other extensions within Firefox as well? Such as ScriptSafe, Privacy Possum et al?

Also do you run any VPN applications?

~LDogg
 

shmu26
#17
I must say this is the most interesting security config I ever saw. If I understood it correctly, the only security software running is the MemProtect demo version. And on Windows 7 32-bit. Never saw anything like it...
 

Umbra
#18
I must say this is the most interesting security config I ever saw. If I understood it correctly, the only security software running is the MemProtect demo version. And on Windows 7 32-bit. Never saw anything like it...
If you own any Windows with GP and AppLocker, you won't need much more. MemProtect is used because AppLocker is a basic SRP and doesn't protect memory.
 

ichito
#19
Good man, you found it, and it was on Vista. Good find :emoji_ok_hand::emoji_fingers_crossed:

The title (irrelevance) was only to gain attention and stir up the discussion (see this post in the same thread). I still dislike the 0.3 sec delay AppLocker has on my G3240 Pentium compared to SRP, but the SSD made it bearable. The other reason is that AppLocker is in kernel and offers greater flexibility with running as another (basic) user with AppLocker rules on that user.
My pleasure :)
 

Windows_Security
#20
@Umbra I would not compare this setup with a basic SRP :)

e.g. for Firefox
Allow Everyone to run executables in Program Files folders
Deny Everyone to run executables in Mozilla Firefox except executables signed by Mozilla Corp

Run Firefox as Secure_Surfer (which is a standard/limited user)
Set AppLocker Deny Secure_Surfer to run executables in PATH = Users\Secure_Surfer\* (and other data partitions)
Set an Access Control List DENY traverse folder/execute file for Secure_Surfer on FOLDER Users\Secure_Surfer\*
Set parental control on Secure_Surfer to only run Firefox/Outlook/WMP (and FileZilla)
Set AppLocker Deny Secure_Surfer to run executables in PATH = Windows\System32

For the final touch set MemProtect isolation for Firefox to access only memory from its own processes
priority ALLOW (!*\Mozilla Firefox\*>*\Mozilla Firefox\*)
normal BLOCK (*\Mozilla Firefox\*>*)
plus BLOCK on Mozilla AppData folders for anyone (*\Mozilla\*>*)

Firefox (finally, two years after Chrome, three years after IE) has LOW Integrity Level renderer processes (low IL processes can't change Medium IL), so that is an additional bridge to cross for memory-based malware (plus they don't have access to all the built-in command/script shells because Secure_Surfer can't execute anything in Windows\System32).

This defence can't be broken with malware from regular exploit kits, too many road blocks from different angles (User, Process execution, Folder, Memory access and Integrity Level). Since I don't have any digital stuff which is interesting enough for a targeted hacker to obtain, I dare say I am 100% protected.

Only infection in 10 years was a present from Avast (CCleaner), which I installed myself (which shows there is no defense against user stupidity :cautious: )


Regards Kees
 
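The containment recipe laid out in post #1 and restated for Firefox in post #20, wired up end to end as an added example. This is PowerShell written for this page, not Kees's own script or anything posted in the thread. The account names, folder paths and the Mozilla publisher string are assumptions taken from the posts (verify the publisher string on your own copy of firefox.exe before enforcing), and the Parental Controls step has no scriptable equivalent here, so it is left out:

```powershell
# Added example (written for this page, not Kees's script): the per-user containment
# from posts #1 and #20, applied to Firefox with stock Windows 7 tools.
# Assumptions: data user "Kees", restricted user "Secure_Surfer", Firefox in
# "C:\Program Files\Mozilla Firefox", Windows 7 Ultimate/Enterprise (AppLocker is
# not enforced on other editions), run from an elevated PowerShell prompt.
Import-Module AppLocker

$dataUser   = 'Kees'
$restricted = 'Secure_Surfer'
$firefox    = 'C:\Program Files\Mozilla Firefox\firefox.exe'

# --- User: a plain standard user (never Administrators or Power Users).
# Set its password with "net user" before the first runas.
$null = net user $restricted 2>&1
if ($LASTEXITCODE -ne 0) { $null = net user $restricted /add /passwordchg:no }

# --- Folders: Secure_Surfer gets DENY traverse-folder/execute-file on Kees's profile
# and on its own, plus create/write/delete (no execute) in Kees\Downloads.
# Explicit ACEs are evaluated before inherited ones, so the explicit allow on
# Downloads grants exactly the rights listed; execute is not among them, so the
# inherited (X) deny still holds there. Opening a file by its full path keeps
# working because Users hold the bypass-traverse-checking privilege.
icacls "C:\Users\$dataUser"   /deny "${restricted}:(OI)(CI)(X)"
icacls "C:\Users\$restricted" /deny "${restricted}:(OI)(CI)(X)"
icacls "C:\Users\$dataUser\Downloads" /grant "${restricted}:(OI)(CI)(RD,WD,AD,DC,DE,RA,WA,REA,WEA,S)"

# --- Data: SYSTEM gets no create/write/execute, take-ownership or change-permission
# rights on the valuable-data folders (the "ransomware greed" trick from post #1).
# Caveat: anything running as SYSTEM, including an antivirus quarantine or a
# system-context backup, can no longer modify these folders either.
$dataFolders = @("C:\Users\$dataUser\Documents")   # assumption: add mail/media folders
foreach ($folder in $dataFolders) {
    icacls $folder /deny "SYSTEM:(OI)(CI)(WD,AD,WA,WEA,X,DC,WO,WDAC)"
}

# --- Launch: desktop shortcut that starts Firefox as Secure_Surfer via runas;
# /savecred caches the password in Credential Manager after the first prompt.
$shell = New-Object -ComObject WScript.Shell
$lnk   = $shell.CreateShortcut("$env:USERPROFILE\Desktop\Firefox as ${restricted}.lnk")
$lnk.TargetPath = "$env:WINDIR\System32\runas.exe"
$lnk.Arguments  = "/user:$restricted /savecred `"$firefox`""
$lnk.Save()

# --- AppLocker: rules are scoped by SID, so resolve the restricted user's SID.
$everyone      = 'S-1-1-0'
$restrictedSid = (New-Object System.Security.Principal.NTAccount($restricted)).Translate(
                     [System.Security.Principal.SecurityIdentifier]).Value
# Assumed publisher string; confirm it on your copy with
# (Get-AppLockerFileInformation -Path $firefox).Publisher.PublisherName
$mozilla = 'O=MOZILLA CORPORATION, L=MOUNTAIN VIEW, S=CALIFORNIA, C=US'

$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <!-- Step 1: Everyone runs from Program Files and Windows, minus user-writable Windows\Temp. -->
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Program Files" Description="" UserOrGroupSid="$everyone" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Windows" Description="" UserOrGroupSid="$everyone" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
      <Exceptions><FilePathCondition Path="%WINDIR%\Temp\*" /></Exceptions>
    </FilePathRule>
    <!-- Step 4: inside the Firefox folder only Mozilla-signed binaries may run. -->
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny non-Mozilla in Firefox folder" Description="" UserOrGroupSid="$everyone" Action="Deny">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\Mozilla Firefox\*" /></Conditions>
      <Exceptions>
        <FilePublisherCondition PublisherName="$mozilla" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Exceptions>
    </FilePathRule>
    <!-- Step 5: Secure_Surfer runs nothing from its own profile or from System32.
         The System32 rule also blocks interactive logon as that user; add it last. -->
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny $restricted profile" Description="" UserOrGroupSid="$restrictedSid" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\$restricted\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny $restricted System32" Description="" UserOrGroupSid="$restrictedSid" Action="Deny">
      <Conditions><FilePathCondition Path="%SYSTEM32%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyPath = "$env:TEMP\containment-policy.xml"
$policyXml | Set-Content -Path $policyPath -Encoding UTF8

# Dry run before enforcing: firefox.exe should come back Allowed for Secure_Surfer,
# cmd.exe Denied by the System32 rule.
Test-AppLockerPolicy -XmlPolicy $policyPath -User $restricted `
    -Path $firefox, "$env:WINDIR\System32\cmd.exe" |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Merge into the local policy; AppLocker only enforces while Application Identity runs.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
Set-Service AppIDSvc -StartupType Automatic; Start-Service AppIDSvc
```

The Test-AppLockerPolicy dry run is the step worth keeping: the System32 deny rule locks Secure_Surfer out of interactive logon (userinit.exe and explorer.exe live there), which is exactly the behaviour post #1 warns about, and Set-AppLockerPolicy -Merge will not undo it for you. The ACL denies on SYSTEM follow the post's CWX wording; they do not revoke SYSTEM's read access, so indexing and read-only backups keep working, but anything that must write there as SYSTEM will fail.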
