How to harden Windows

Discussion in 'other anti-malware software' started by Overkill, Aug 22, 2015.

  1. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    You might study a bit on how most malware and exploits work. In a properly hardened system, no executables that aren't consciously permitted by the user are allowed to run.
     
  2. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    I actually feel more secure in an XP system in many ways. You can do things like reset the ACL permissions from the top down on a system partition, effectively whitelisting instead of blacklisting. It is much more difficult to do this in newer versions of Windows. That is just one example.

    Yes, for a typical Windows user who just runs it from an admin account, it is better to use newer versions of Windows. For those of us who know how to harden a system and run everything from a hardened LUA, it is just as secure, or more secure, to keep using XP. Especially in light of some of the recent privacy issues coming out in Windows 10 and extending to recent updates of Windows 7.
     
  3. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,918
    I never noticed any difference between XP Pro and Windows 7 Home Premium while setting ACLs, and I had both running in a network (not domain). Please give an example or some details. With Windows 8 Pro <> XP I also had no trouble.

    Like this?
    https://www.ied.edu.hk/ocio/content/faq-how-share-files-windows-xp-access-control-list-acl
    Those concern the Microsoft services and software, in most cases combined with a Live account. Win7 and Win8 here are not bundled to LIVE (of course I can not use apps or their updates; I don't count on this crap). Concerning Windows 10, MS has some Windows services to collect telemetry data to improve Windows and to prefetch some websites (Edge) or results (Cortana). The critics are about enabling/disabling if possible. That's one reason I did not load the upgrade; I loaded the LTSB version (no Edge, no Cortana, no apps, no other crap).

    Nevertheless you can try hardening XP, but at least this won't cover any vulnerability which is much more basic than LUA or SRP.
    E.g. XP has an unpatched PNG security flaw. Just read the security bulletins for Win7/8 since May '14. There is no way to fix it. Sorry.

    Cheers.
     
  4. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    Excuse me, I meant basic file permissions, not network shares with ACL. They are very fast and easy to set in XP. Vista and later have UAC hoops to jump through and require you to take ownership of the system folder from "TrustedInstaller" if you want to do it the way I do it in XP.

    I replace default permissions in the Windows and Program Files folders with a simpler and more effective set of permissions with fewer groups and overlaid permissions. I start at the top folder level and propagate permissions to all child objects and then manually make exceptions--a whitelisting approach. Only administrators can alter files in these folders. I do the same for the user folders with different permissions--read/write, no execute. I've hardened XP that way for over 10 years. I've never had an exploit or malware touch my systems. It is not an attempt to harden XP, it is an effective way of doing it, learned from experience and experimentation. The basic premise is that read/write and execute permissions are mutually exclusive for non-administrators throughout the system and all volumes connected to it. On top of that LUA file permission foundation, SRP and other Group Policy tweaks can be overlaid to make it even harder.
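    The user-folder part of the layout described above, written out as icacls commands; this is an added example, not code from the thread or from any poster. The account name alice, the Downloads folder and an elevated prompt are assumptions.

```powershell
# Added example (not from the thread): "read/write but no execute for the non-admin user,
# propagated from the top folder down", as icacls commands.
# Assumptions: the account 'alice', her Downloads folder, and an elevated PowerShell prompt.
$User   = 'alice'
$Target = "C:\Users\$User\Downloads"
$Backup = Join-Path $env:TEMP 'downloads-acl.bak'

# 1. Keep a way back. Revert later with:  icacls "C:\Users\$User" /restore $Backup
icacls $Target /save $Backup /t /c /q

# 2. Break inheritance from the profile folder, copying the inherited entries so nothing is lost yet.
icacls $Target /inheritance:d

# 3. Drop the broad built-in groups; the whitelist is rebuilt explicitly below.
icacls $Target /remove:g 'BUILTIN\Users' /remove:g 'NT AUTHORITY\Authenticated Users' /c

# 4. Files only ((OI)(IO)): everything in "Modify" except X. /grant:r replaces any earlier entry
#    for the user (including the copied Full-control one), so this is the only file ACE she keeps.
$FileRights = 'RD,WD,AD,REA,WEA,RA,WA,DE,RC,S'
icacls $Target /grant:r "${User}:(OI)(IO)($FileRights)"

# 5. Folders only ((CI)): the same rights plus DC (delete child) and X, which on a directory
#    means traverse, not execute. /grant without :r appends instead of replacing step 4's ACE.
icacls $Target /grant "${User}:(CI)(RD,WD,AD,REA,WEA,RA,WA,DE,DC,RC,S,X)"

# 6. Administrators and SYSTEM keep Full control so the tree stays manageable.
icacls $Target /grant 'BUILTIN\Administrators:(OI)(CI)F' /grant 'NT AUTHORITY\SYSTEM:(OI)(CI)F'

# 7. Push the layout down: strip explicit ACEs from every child so all of them inherit from the root.
icacls "$Target\*" /reset /t /c /q

# 8. Verify: the user's file entry shows (OI)(IO) rights with no X; folder entries show (CI) with X.
icacls $Target
```

    A file that a script interpreter reads only needs R, so this layer stops dropped binaries, not scripts fed to an interpreter that is itself allowed to run.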
     
  5. TS4H

    TS4H Registered Member

    Joined:
    Nov 5, 2013
    Posts:
    523
    Location:
    Australia
  6. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    Who says malware needs to run from a dropped executable? (I'm repeating myself since the point seems lost on you so far)
     
  7. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    Yes, you are repeating yourself and not clarifying anything with examples. Are you talking about scripting? I am referring to the most common practice of dropping a payload in a folder it can execute in. Hardening Windows means locking down these folders so it can't execute. That prevents a lot of drive-by malware from working. It doesn't stop every possibility, especially if the end user clicks on the wrong thing or says yes to the wrong UAC prompt or doesn't notice the PUPs in a program being installed.
     
  8. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,918
    Of course this is new, but no problem at all. I had to delete the TrustedInstaller and take over all rights to gain access to special folders, with no disadvantages so far - done in Win7 and Win8.

    The TrustedInstaller is a control mechanism over the top and admin, but the regular user does not notice it and the advanced user just kicks it.
    Sadly you can not add the TrustedInstaller back when deleted - but the truth: it makes no difference. Trust me on that point. Just upgrade ;)

    Concerning telemetry and Windows 7 I found a message:
    there are now optional updates -> KB3022345, KB3068708, KB3075249 and KB3080149

    Optional updates are not marked by default, and I always investigate new optional updates. In most cases not needed, only for troubleshooting.

    BTW I have been malware free for 21 years now, no SRP, no GPO. Some antivirus in the past, but for 6 years now I don't have them running in the background. Kicked.

    HTH
     
  9. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
  10. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    Your first reply to me changed the original goalpost from "LUA" to "LUA and anti-executable":

    1. Anti-executable doesn't prevent exploits themselves;
    2. Exploit kits don't require dropped executables to run malware or to achieve persistence;
    3. LUA has enough privilege to steal important information, to commandeer the CPU, and to encrypt important user files;
    4. LUA doesn't prevent privilege escalation.

    For an exploit kit to drop and execute malware, it means it has already compromised a running process. That compromised process can then be made to do anything the malware author desires, which is quite a lot. An exploit kit doesn't need to drop malware, that's just simpler and more convenient for the malware author for persistence.

    Really, LUA isn't even necessary in the partial approach to security you describe, when modern browsers don't even run with full privileges. Even on my XP machine I run applications - not my account - as untrusted.

    My approach to Windows hardening is to look at the attack surface first - particularly network and browser. Years ago I used to use Sandboxie to alter the read/write access and network permissions of processes (in preparation for fileless malware), but now I just use either Software Policy (http://iwrconsultancy.co.uk/softwarepolicy) or CryptoPrevent for convenience. It's not worth my time using anything heavier, since I've never had a single challenge to my approach. Using default-deny in this way is a sane, light-weight choice - but it shouldn't be viewed as the primary defence since it's pretty far down the chain of compromise.

    Exactly, it won't stop every possibility - and those other possibilities are becoming more common. Look at Angler and variants of crypto malware. Look at Phase and Poweliks.

    An obvious approach to hardening Windows then is to block access to Windows Powershell when you're not using it.
     
  11. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    Not necessarily true; that is where layered, redundant security is effective. The compromised process is running in the OS and its structure. If the security is good, it is in a hostile environment that has many possible check points. Not having permission to execute where it commonly can expect to can stop many exploit processes. Attempts at privilege escalation are not always successful. In a well locked down system, an exploit might just as well trigger a system failure and reboot as deliver a payload. Usually it doesn't even get that far, just a file access error message or UAC prompt. In a locked down system, an exploit process might get control of a session, but it has much less possibility of persistence and won't survive a reboot.
     
  12. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    The exploit has already long occurred for a legitimate process to be taken over. This occurs in memory, not from the disk.

    If that legitimate process has read and write access to user folders, then so too does the malware.
     
  13. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,918
    That's what RJK3 wrote about the "payload free" exploit kits --> pls read http:// malware .dontneedcoffee. com/
    Same here, I have forced some special folders for the browser into the box. It does not prevent reading out data or encrypting files, but the latter can't get out of the box and destroy my system.
    That's the regular method with DEP and ASLR (not available for XP); that's like Adobe normally runs Flash or PDF in Acrobat/Reader ("sandbox").

    My attempt is to catch the ball in front, not grab afterwards on the goal line - without lots of restrictions or manipulating a system. Or I set up a kiosk mode in a guest account :D

    Cheers
     
  14. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    It occurs in memory, and will try to escalate privileges and will fail to deliver its payload. Simple as that. If the user runs EMET 5.2 (on max security settings) along with running Firefox/Chrome/Opera/IE in Sandboxie, then most (if not all) exploits will fail miserably.
     
  15. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    That is why the mutual exclusivity of read/write and execute permission is important. A binary dropped in a folder where it can't execute will do nothing. Even if the exploit uses scripting instead of dropping a binary, it still has to start a process and deal with privilege levels. It can also inject code into a running process but that is risky and could just as easily blue screen the system as do anything. If the disk is locked down, the only damage will be in transient memory and be gone on reboot.
     
  16. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    I use default deny policies, both with SRPs and HIPS... with whatever I can really. Combine a default deny SRP policy with an LUA/Standard User acct., and tight folder permissions... strip/disable as much surface as you can without ruining essential functionality, and most malware/exploits can be averted with no 3rd party software. Only have services running that you absolutely need, or that are useful for essential/wanted functionality. Disable vulnerable ones, especially Remote Registry and SSDP Discovery Service.

    That said, I like adding HIPS as well (also default deny). And Sandboxie is a must. Both are like policy sets themselves.

    Add anti-exploit to shore that up... MBAE for XP, EMET for Win7 and up. At least soft virtualization (Shadow Defender), if not a VM. And imaging (Macrium Reflect for XP); Win7's native one works well enough. Send new files introduced to your box, either via the browser or removable drive, to a dedicated partition that's sandboxed. Have a few on-demand scanners and hit them up with those before moving them elsewhere/using them. VT Hash Check is the best for files 32 MB or less. For bigger files I do a shell scan with MBAM, or a full scan with Hitman Pro. I agree with not using a real-time AV on XP. Though on Win7 I do (Emsisoft AM).

    Also in Local Policies go to User Rights Assignment. Allow only Admin & User accounts, plus anything in all CAPS (NETWORK SERVICE / LOCAL SERVICE / random string of numbers), like for "Deny logon locally" for example. Delete other accounts. And for "Allow logon through Terminal Services" & "Force shutdown from a remote system" delete all accounts.

    Also harden "Security Options". How you set it up depends on the user's needs, but especially make a point to turn on secure logon (Ctrl+Alt+Del), by disabling the option (since it says "not" to use it). Wipe the virtual memory pagefile at shutdown. "Do not allow anonymous enumeration of SAM accounts and shares" should be enabled. "Send unencrypted password to third party SMB servers" disabled. Do not cache logons. Use FIPS. "Digitally sign communications" settings all enabled. Under "Trusted Publishers" select "Local Computer Administrators" and check both boxes below (XP). It's similar in Win7.

    Create a second Admin acct. and disable the built in one, if it doesn't happen automatically when you set up Windows initially.

    This should pretty well cover you.
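    A read-only audit of the Security Options, User Rights Assignment entries and services named in the post above, added here as an example and not code from the thread. It assumes Windows 7 or later (the registry locations are the ones Local Security Policy writes on Vista and later) and an elevated PowerShell prompt; it reports and changes nothing.

```powershell
# Added example (not from the thread): report the current state of the settings luciddream lists.
# Assumptions: Windows 7 or later, elevated prompt. Reads only, changes nothing.
$checks = @(
  # description, registry key, value name, expected value
  @('Require Ctrl+Alt+Del at logon (DisableCAD)',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System', 'DisableCAD', 0),
  @('Clear virtual memory pagefile at shutdown',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management', 'ClearPageFileAtShutdown', 1),
  @('No anonymous enumeration of SAM accounts and shares',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa', 'RestrictAnonymous', 1),
  @('No anonymous enumeration of SAM accounts',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa', 'RestrictAnonymousSAM', 1),
  @('No unencrypted password to third-party SMB servers',
    'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters', 'EnablePlainTextPassword', 0),
  @('Do not cache logons (CachedLogonsCount)',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon', 'CachedLogonsCount', '0'),
  @('Use FIPS compliant algorithms',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy', 'Enabled', 1),
  @('SMB server: digitally sign communications (always)',
    'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters', 'RequireSecuritySignature', 1),
  @('SMB client: digitally sign communications (always)',
    'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters', 'RequireSecuritySignature', 1)
)

function Report($label, $state) { '{0,-52} {1}' -f $label, $state }

foreach ($c in $checks) {
  $label, $key, $name, $expected = $c
  # Missing key or value -> $null, which means the Windows default is in force, not the hardened value.
  $actual = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
  if ($null -eq $actual)             { Report $label 'NOT SET (Windows default applies)' }
  elseif ("$actual" -eq "$expected") { Report $label 'OK' }
  else                               { Report $label "MISMATCH (is $actual, want $expected)" }
}

# User Rights Assignment lives in the local security database, not the registry, so export it with
# secedit and parse the [Privilege Rights] section. A right that is absent or empty is held by no
# account, which is the state the post wants for the two rights below.
$inf = Join-Path $env:TEMP 'user-rights-audit.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$rights = @{}
foreach ($line in Get-Content $inf) {
  if ($line -match '^(Se\w+)\s*=\s*(.*)$') { $rights[$Matches[1]] = $Matches[2].Trim() }
}
Remove-Item $inf -ErrorAction SilentlyContinue

$rightNames = @{
  SeRemoteInteractiveLogonRight = 'Allow logon through Terminal Services'
  SeRemoteShutdownPrivilege     = 'Force shutdown from a remote system'
}
foreach ($r in $rightNames.Keys) {
  $holders = $rights[$r]   # SIDs are shown as exported, e.g. *S-1-5-32-544 for Administrators
  if ($holders) { Report $rightNames[$r] "HELD BY $holders" } else { Report $rightNames[$r] 'OK (no accounts)' }
}

# The two services the post singles out; 'Disabled' is the wanted start mode.
foreach ($svc in 'RemoteRegistry', 'SSDPSRV') {
  $mode = (Get-WmiObject Win32_Service -Filter "Name='$svc'").StartMode
  Report "Service $svc start mode" $(if ($mode) { $mode } else { 'not installed' })
}
```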
     
  17. themorpethian

    themorpethian Registered Member

    Joined:
    May 6, 2006
    Posts:
    35
    It's my first post, so please bear with me; I'm not an expert, and everything I've said or used is on this website.

    For the past year I have been experimenting with the Windows 10 preview on VirtualBox, not installing till near the end is up, and will probably strip it with WinReducer. My goal is to go antivirus-less; I'm just sick of forever firefighting with antiviruses and especially of them becoming bloatware. So the first part of a malware attack is at the browser.

    OK, harden the browser: easy, uMatrix. Once set up right with default deny, nothing will get through, with the added bonus of adblocking, cookies, user agent spoofing, etc.

    Firewall, even easier: I've already got a good one, Windows Firewall with Advanced Security. Used Windows Firewall Notifier to get the rules, then turned it off.

    Now for the system hardening, the hardest part. Since I don't have AppLocker there were three choices (which I am still deciding on): Simple Software Restriction Policy, CryptoPrevent and Bouncer. Bouncer I found a bit difficult, but it has a tray icon to enable/disable for installing software. CryptoPrevent can be set to default but usually needs a PC reboot. Simple Software Restriction Policy is easy to set policy with, has disable/enable and will protect system areas.

    For any mishaps, I have a weekly recimg command line that uses Windows Refresh, and a monthly Macrium image.

    There we are: Keep It Safe and Simple, at a Total Cost = £0.00, so I can get on with something more productive and not worry about virus updates and firewall settings etc.

    I originally got the idea from an article, Harden Windows 8.1 x64 http://hardenwindows8forsecurity.com/Harden Windows 8.1 64bit Home.html

    I thought you might also like these YouTube vids by Cruelsister1 https://www.youtube.com/user/cruelsister1 (he basically uses Comodo Firewall):

    1.) Ransomware Encrypters vs UAC and System Restore
    2.) CryptoPrevent Free vs Malware Encryptors

    I hope I explained myself properly, and please look at the vids.

    Thanks
     
  18. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    Some interesting vids. Thnx.
     
  19. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    Sure, but the discussion (from my POV) was about the limitations of LUA and/or a software policy. I had originally suggested I didn't think too much of LUA, because threats to personal documents and to information security can easily occur in the userspace. Somehow SRP got mixed into things too, so under that context I discussed in-memory malware running in LUA.

    Why do you say that it will fail at delivering its fileless payload?

    I had wanted to wait to reply after I'd had a chance to find some exploit kits pushing fileless malware and to test on a machine with just a simple software policy in place, but unfortunately I've not had the time. I suppose I could learn to use PowerSploit and simulate it. We're definitely on the same page re: dropped binaries, but we're disagreeing with what happens when an exploit kit like Angler downloads a binary into memory and executes it from there.

    My expectation is that:
    1. neither a software policy nor LUA will prevent the malware process starting, and
    2. LUA won't prevent the loss of information from the userspace, the trojan spying on user activities, or documents from being encrypted.

    Obviously you are more than capable of using SRP to limit access to specific folders, but my original point was that many malware authors happily design their trojans to run in LUA since it doesn't necessarily prevent them from doing what they want to do. This has been something I've seen commented on in numerous security blogs earlier in the year, but I wasn't able to find those links when I wanted to find them.
     
    Last edited: Oct 4, 2015
  20. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    Looks good, straightforward and simple. I like that you got what you wanted from WFN and then disabled the prompts.

    The only things I would add are EMET for general software (disable for browsers) and MBAE for the browser.

    Let us know which of those 3 choices you went for re: SRP. I use IWRConsultancy's SSRP on some machines, but CryptoPrevent I found makes my main machine more usable.
     
  21. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    A default Windows LUA is an improvement over running everything from an administrator account but it is still full of privilege/permission holes. It takes further tweaking to seal them.

    The more barriers there are, the more likely an exploit is to fail. That is where layered security is very effective. Exploits, like all software, have to execute a process. Blocking any step of the process will prevent it from fully executing. JavaScript blocking at the browser level, hardened LUAs, SRP, AppLocker, EMET, Group Policy tweaks, hosts files that block connections to malicious servers, are all good security measures and can be combined as part of a redundant layered approach that will mitigate most exploit attempts. If one layer doesn't succeed, there are many more for the exploit code to deal with.
     
  22. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,432
    Location:
    Slovakia
    Show me a malware/exploit that would work on a hardened system, not in theory, a real one. I have yet to find a single one that would run on mine.
     
  23. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    If this is directed at me, then I agree it's difficult. Even without hardening or an AV, a patched Windows system behind a simple default-deny firewall won't be vulnerable to worms or exploit kits most of the time - but that wasn't the point. Brummelchen and ropchain had discussed the singular role of LUA in either preventing infections and/or limiting damage - and then Windows_Security, myself and MisterB weighed in.

    It's necessary IMO to have an understanding of the limitations of any particular security layer, and that's how I approach most discussions. While it may be better to prevent a security challenge from occurring in the first place by limiting the attack surface, or to stop it early in the process with anti-exploit or HIPS - I think it's important to know what the other components will do at each stage, since in a worst case scenario these components will serve as contingencies. For this reason I prefer to challenge certain aspects of my setups to real exploit kits and malware, typically having to install vulnerable software on the test machine and disabling other security in order to explore a partial breach. It's still valid to use synthetic tests when assessing the response of a single component to a specific action.

    In regards to LUA, I think it has limited relevance these days. In the past, malware was written with the assumption that it needed the highest level of access possible, but over time malware authors have realised that they can achieve their aims even with limited access. If Chrome can install and run in LUA, then so too do they have sufficient access to steal important data and encrypt user documents. In a properly hardened system, IMO there's negligible chance of LUA making any difference. I only make a limited user account if a guest is going to be using mine, as along with a software policy this is the easiest way to prevent them changing my settings or running unwanted software. The last time I neglected to do this, the machine was returned to me with McAfee Security Scan :/
     
    Last edited: Oct 4, 2015
  24. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    Not true at all. System level malware is the most dangerous of all. Once malware gets to that level, the game is over; your only choice is to restore the system if you've taken the precaution to image it, or reinstall it if you haven't. With a hardened LUA, the damage will be minimal and the malware will be gone on reset in the worst case scenario. Only Windows operates with default privilege at so high a level. Linux and OS X have LUAs in place by default, with good reason.
     
  25. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    Windows can be reinstalled or reimaged, but one can't get their personal details back nor undo a major breach of confidentiality. Those without backups of personal documents often have little choice but to pay the ransom.

    Objectively and subjectively, breaches of information security are potentially far more damaging and expensive than the mere corruption of an installed OS.

    Modern browsers already run at medium integrity, and UAC on by default ideally will prompt for elevation of rights. With proper hardening, then no unwanted applications can run that LUA will have any influence over.

    Worst case scenario is some kind of successful kernel exploit, followed by the modification or corruption of firmware.
     