Basic Security: Windows_Security's Security Config

Last updated: Nov 11, 2018
Windows Edition: Enterprise
Security updates: Allow security updates and latest features
User Account Control: Always notify
Real-time security:
- Windows Firewall also blocking outbound by default (rules locked by GPO)
- AppLocker with granular whitelist rules (only signed trusted vendors)
- F-Secure provided by my ISP (comes with broadband/internet subscription)
Firewall security: Microsoft Defender Firewall
Periodic malware scanners: Only Process Explorer and Autoruns, because AppLocker only allows whitelisted vendors per folder (e.g. only allow Microsoft-signed in Windows and only allow Google-signed in Chrome, etc.).
Malware sample testing: I do not participate in malware testing
Browser(s) and extensions: Firefox with Avira Browser Safety and Chrome with Bitdefender Trafficlight
Maintenance tools: CleanMgr (dumped CCleaner)
File and Photo backup: Weekly NAS; during the day a SyncBack Free (quick) backup to an additional hard disk, to which only Business Documents and Mail are backed up, running as a different (basic) user called Backup_User. Only Backup_User has CWX rights on the quick backup disk (SyncBack Free starts as another basic user).
System recovery: Windows built-in

Windows_Security (thread author):
Inspired by a Joanna Rutkowska post.

Could not find her blog anymore, but soon after Vista was introduced she posted a blog on how she used the new mechanisms; it involved running applications under a different user (as Basic User) and Access Control List restrictions on folders. I added UAC (block elevation of unsigned processes), replaced SRP with AppLocker and made it more granular, and added Windows 7 Parental Control and MemProtect to the mix. Thanks to @ichito, here is Joanna's blog: The Invisible Things Lab's blog: Running Vista Every Day! Scroll down to "User Interface Privilege Isolation and some little Fun".

Added Basic (limited) User for:
- Secure_Surfer: Browsing with Firefox (completely sandboxed with Run as other user & AppLocker)
- Backup_User: Backup with SyncBack Free (the only user allowed to touch the Quick Backup folders)

Hardening through Group Policy & registry tweaks:
- Windows Firewall rules locked in GPO
- Macros, plugins etc. disabled in Office, and Office programs only allowed to open/save to Downloads and My Documents (data partition)
- Disabled 16-bit, gadgets, IE and other stuff I don't need like remote access/assistance/desktop/sharing etcetera
- Disabled Windows Script (other scripts/shells locked down with AppLocker)
- UAC tweak: only allow signed programs to elevate

Hardening with Access Control Lists (ACL):
- Only allow admins to add folders/files in the root directories of SSDs/HDDs
- Added a "Deny traverse folder/execute" to UAC holes in %WINDOWS% (also blocked by AppLocker)
- Added a "Deny traverse folder/execute & append/write data" to the (all users) Startup folders
- Added a "Deny traverse folder/execute" in all user folders (and other partition subfolders)
- Added a "Deny traverse folder/execute" to all internet-facing folders in AppData subfolders
- Only allow "Backup_User" to CWX (create, write, delete) my quick backup folders (ransomware protection)

ISP version of F-Secure:
- Exclude the folders %WINDOWS% and %PROGRAMFILES% from virus scan and DeepGuard
- Added all user folders to ransomware protection

AppLocker rules:
- Allow Everyone in Windows & Program Files, except UAC holes and unused Microsoft programs
- Allow Admins to update Microsoft-, Mozilla-, Google- and F-Secure-signed files from user folders
- Deny Everyone to execute in the Windows folder except Microsoft-signed
- Deny Everyone to execute in the Chrome folder except Google-signed
- et cetera
- Sandbox limited/standard users (Backup_User only allowed SyncBack, Secure_Surfer only Firefox)
= Joanna's user privilege isolation idea
 
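As an added example (not code from the thread, nor from the AppLocker or MemProtect projects), here is how three of the ACL rules above can be set with PowerShell's standard .NET ACL classes, followed by a listing of the resulting DACL so the change can be checked against the intent. The account names Backup_User and Secure_Surfer, every path, and the choice of Downloads as the profile subtree to lock are assumptions; adjust them and try the script on a copy of the folders first.

```powershell
# Added example, not from the thread. Applies three of the ACL ideas from the
# first post with PowerShell's .NET ACL classes. Account names (Backup_User,
# Secure_Surfer) and all paths below are assumptions.
#Requires -RunAsAdministrator
using namespace System.Security.AccessControl

# Inherit the ACE to all subfolders and files below the target folder.
$SubtreeInherit = [InheritanceFlags]'ContainerInherit, ObjectInherit'

# Add an explicit Deny ACE for $Identity on $Path and everything below it.
function Add-DenyAce {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Identity,
        [Parameter(Mandatory)] [FileSystemRights] $Rights
    )
    $acl  = Get-Acl -LiteralPath $Path
    $rule = [FileSystemAccessRule]::new($Identity, $Rights, $SubtreeInherit,
                                         [PropagationFlags]::None, [AccessControlType]::Deny)
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Replace the DACL of a backup folder so that only $Owner (plus SYSTEM and
# Administrators for management) can create, write and delete there.
# Inheritance from the parent is cut, so a later change higher up cannot
# silently widen access to the backup set.
function Set-BackupFolderAcl {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Owner
    )
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)   # protect DACL, drop inherited ACEs
    foreach ($ace in @($acl.Access)) {            # drop the remaining explicit ACEs
        [void] $acl.RemoveAccessRule($ace)
    }
    foreach ($entry in @(
        @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = [FileSystemRights]::FullControl },
        @{ Id = 'BUILTIN\Administrators'; Rights = [FileSystemRights]::FullControl },
        @{ Id = $Owner;                   Rights = [FileSystemRights]::Modify })) {
        $acl.AddAccessRule([FileSystemAccessRule]::new($entry.Id, $entry.Rights,
            $SubtreeInherit, [PropagationFlags]::None, [AccessControlType]::Allow))
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Print the effective DACL of a folder so the result can be reviewed.
function Show-Dacl {
    param([Parameter(Mandatory)] [string] $Path)
    (Get-Acl -LiteralPath $Path).Access |
        Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited |
        Format-Table -AutoSize
}

# 1. All-users Startup folder: nobody may drop or run anything there
#    ("Deny traverse folder/execute & append/write data" in the post).
$allUsersStartup = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\StartUp'
Add-DenyAce -Path $allUsersStartup -Identity 'Everyone' `
            -Rights ([FileSystemRights]'ExecuteFile, WriteData, AppendData')
Show-Dacl -Path $allUsersStartup

# 2. Execute deny for the browsing account on a subtree of its own profile
#    ("Deny traverse folder/execute in all user folders"). ExecuteFile and
#    Traverse are the same bit (0x20) in FileSystemRights.
Add-DenyAce -Path 'C:\Users\Secure_Surfer\Downloads' -Identity 'Secure_Surfer' `
            -Rights ([FileSystemRights]::ExecuteFile)

# 3. Quick-backup folder: only Backup_User may create/write/delete, so
#    ransomware running as the logged-on user gets Access Denied there.
Set-BackupFolderAcl -Path 'D:\QuickBackup' -Owner 'Backup_User'
Show-Dacl -Path 'D:\QuickBackup'
```

Two caveats worth knowing before copying this: ExecuteFile and Traverse are one and the same right, and because the Users group holds the "Bypass traverse checking" privilege by default, a Deny on it stops the execution of files inside the subtree but not path traversal through it. A Deny Execute on a whole profile folder also blocks installers and updaters that unpack under %TEMP% or AppData, which is the intended effect in this setup but easy to forget when something later refuses to start.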

Windows_Security (thread author):
Pity Joanna Rutkowska does not visit this forum. Would have loved to hear her comment on her three-level containment & isolation setup (process execution, folder access and user) being ranked as basic. By adding MemProtect it even got a fourth isolation & containment dimension (memory access).

Ahh well: less is more :)
 

Windows_Security (thread author):

Good man, you found it, and it was on Vista. Good find.

The title (irrelevance) was only to gain attention and stir up the discussion (see this post in the same thread). I still dislike the 0.3 sec delay AppLocker has on my G3240 Pentium compared to SRP, but the SSD made it bearable. The other reason is that AppLocker is in the kernel and offers greater flexibility with running as another (basic) user with AppLocker rules on that user.
 


shmu26:
> Won't the demo time expire?
> Edit: I misread, for private non-commercial use the demo doesn't have limits, but it's beta and can be buggy.

It is not beta and is not buggy, but the config file does have a limit on how many rules you are allowed to make. Otherwise, it functions like the paid version. I use the demo, it works great.
 

LDogg:
Have you also thought about using other extensions within Firefox as well? Such as ScriptSafe, Privacy Possum et al?

Also do you run any VPN applications?

~LDogg
 

shmu26:
I must say this is the most interesting security config I ever saw. If I understood it correctly, the only security software running is memprotect demo version. And on Windows 7 32 bit. Never saw anything like it...
 
Deleted member 178:

> I must say this is the most interesting security config I ever saw. If I understood it correctly, the only security software running is memprotect demo version. And on Windows 7 32 bit. Never saw anything like it...

If you own any Windows with GP and AppLocker, you won't need much more. MemProtect is used because AppLocker is a basic SRP and doesn't protect memory.
 

ichito:
> Good man, you found it, and it was on Vista. Good find.
>
> The title (irrelevance) was only to gain attention and stir up the discussion (see this post in the same thread). I still dislike the 0.3 sec delay AppLocker has on my G3240 Pentium compared to SRP, but the SSD made it bearable. The other reason is that AppLocker is in the kernel and offers greater flexibility with running as another (basic) user with AppLocker rules on that user.
My pleasure :)
 

Windows_Security (thread author):
@Umbra would not compare this setup with a basic SRP :)

e.g. for Firefox:
Allow Everyone to run executables in Program Files Folders
Deny Everyone to run executables in Mozilla Firefox except executables signed by Mozilla Corp

Run Firefox as Secure_Surfer (which is a standard/limited user)
Set AppLocker Deny Secure_Surfer to run executables in PATH = Users\Secure_Surfer\* (and other data partitions)
Set an Access Control List DENY traverse folder/execute file for Secure_Surfer on FOLDER Users\Secure_Surfer\*
Set parental control on Secure_Surfer to only run Firefox/Outlook/WMP (and FileZilla)
Set AppLocker Deny Secure_Surfer to run executables in PATH = Windows\System32

For the final touch, set MemProtect isolation for Firefox to access only memory from its own processes:
priority ALLOW (!*\Mozilla Firefox\*>*\Mozilla Firefox\*)
normal BLOCK (*\Mozilla Firefox\*>*)
plus BLOCK on the Mozilla AppData folders for anyone (*\Mozilla\*>*)

Firefox (finally, two years after Chrome, three years after IE) has Low Integrity Level renderer processes (low IL processes can't change Medium IL), so that is an additional bridge to cross for memory-based malware (plus they don't have access to all the built-in command/script shells, because Secure_Surfer can't execute anything in Windows\System32).

This defence can't be broken with malware from regular exploit kits, too many road blocks from different angles (User, Process execution, Folder, Memory access and Integrity Level). Since I don't have any digital stuff which is interesting enough for a targeted hacker to obtain, I dare say I am 100% protected.

Only infection in 10 years was a present from Avast (CCleaner), which I installed myself (which shows there is no defense against user stupidity).


Regards, Kees
 
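An added example, not from the thread: the Firefox part of the post above expressed as an AppLocker executable-rule policy in PowerShell, checked with a dry run through Test-AppLockerPolicy and then merged into the local policy in audit mode, so nothing is enforced before the event log has been reviewed. It assumes a local account named Secure_Surfer, Firefox installed in its default Program Files location, and a running Application Identity service; the publisher string is read from the installed firefox.exe rather than typed in. The MemProtect rules are not included, since they are that tool's own syntax.

```powershell
# Added example, not code from the thread. Builds an AppLocker Exe policy for
# the setup described in the post: Program Files and Windows allowed for
# everyone, the Mozilla Firefox folder denied unless the file is signed by the
# same publisher as the installed firefox.exe, and the Secure_Surfer account
# denied every executable under its own profile and under System32.
# Assumptions: local account Secure_Surfer exists, Firefox is in the default
# location, the Application Identity (AppIDSvc) service is running.
#Requires -RunAsAdministrator

$firefox = Join-Path $env:ProgramFiles 'Mozilla Firefox\firefox.exe'
if (-not (Test-Path -LiteralPath $firefox)) { throw "firefox.exe not found at $firefox" }

# Read the signer from the installed binary instead of hard-coding a publisher string.
$pub = (Get-AppLockerFileInformation -Path $firefox).Publisher
if (-not $pub) { throw 'firefox.exe has no usable signature; the publisher exception needs one' }
$pubName = [System.Security.SecurityElement]::Escape($pub.PublisherName)

# AppLocker binds rules to SIDs, not names. S-1-1-0 = Everyone, S-1-5-32-544 = Administrators.
$surferSid = ([System.Security.Principal.NTAccount]'Secure_Surfer').Translate(
                 [System.Security.Principal.SecurityIdentifier]).Value

# Path conditions use AppLocker's own variables (%PROGRAMFILES%, %WINDIR%,
# %SYSTEM32%, %OSDRIVE%), not the shell's environment variables.
# An explicit Deny always wins over an Allow; an Exception carves files out of
# the rule it sits in, so Mozilla-signed files fall through to the Allow rules.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$(New-Guid)" Name="Admins: all files" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-Guid)" Name="Everyone: Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-Guid)" Name="Everyone: Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-Guid)" Name="Everyone: deny Firefox folder unless Mozilla-signed" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\Mozilla Firefox\*" /></Conditions>
      <Exceptions>
        <FilePublisherCondition PublisherName="$pubName" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="$(New-Guid)" Name="Secure_Surfer: deny own profile" Description="" UserOrGroupSid="$surferSid" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\Secure_Surfer\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-Guid)" Name="Secure_Surfer: deny System32" Description="" UserOrGroupSid="$surferSid" Action="Deny">
      <Conditions><FilePathCondition Path="%SYSTEM32%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

$xmlPath = Join-Path $env:TEMP 'firefox-applocker.xml'
Set-Content -LiteralPath $xmlPath -Value $policyXml -Encoding UTF8

# Dry run before anything is applied: the decision the policy would make for
# Secure_Surfer on the browser itself and on a System32 shell.
Test-AppLockerPolicy -XmlPolicy $xmlPath -User 'Secure_Surfer' `
    -Path @($firefox, (Join-Path $env:SystemRoot 'System32\cmd.exe')) |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Merge into the local policy in audit mode. Review the
# "Microsoft-Windows-AppLocker/EXE and DLL" event log for a while, then set
# EnforcementMode="Enabled" in the XML and run Set-AppLockerPolicy again.
Set-AppLockerPolicy -XmlPolicy $xmlPath -Merge
```

To start the browser under that account as the post describes, `runas /user:Secure_Surfer` with the path to firefox.exe does the job (the account needs a password). Keep the Administrators all-files rule: once an Exe collection is enforced, anything not explicitly allowed is blocked, and without that rule an administrator could not run the updaters from user folders that the first post allows.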
