Windows XP 21 Times More Likely to be Exploited Than Windows 8

Discussion in 'other security issues & news' started by Brandonn2010, Jun 11, 2013.

Thread Status:
Not open for further replies.
  1. guest

    guest Guest

    In XP then I pretty much agree. But if I might know, what would you say about SRP in Vista and above?

    Any security mechanism will fail if we're talking about social engineering.

On a side note, what would you suggest to be the best protection for Windows OSes (be it XP or older or newer)? Windows isn't secure out of the box, so we must find ways to protect it/them. What would be the most effective method?
     
  2. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Social engineering only works if the user has too much control. ;)
     
  3. guest

    guest Guest

    A user that is under LUA most of the time, got a suggestion from his friend to install a new cool media player. That user wants to try it and finally managed to get the installer. He logged in as an admin, installed that unknown media player, and BAM! Infection occurred.

My point was, if the user consciously does what s/he intended to do, then the user will disable the protections no matter how powerful they might be. It doesn't have to be HIPS; the user can ignore the warning of his/her AV or install the program outside of the sandbox or Shadow Mode.
     
  4. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
That's not really locked down; they shouldn't even be able to have admin privileges. Limit/remove/virtualize their access/execute/write permissions as well. Then password-protect BIOS, physically lock/weld the machine shut, and document proof of ownership. :D
     
  5. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,295
    Do I really care?...not, really!

    "Double, double toil and trouble; Fire burn, and cauldron bubble." Macbeth Quote (Act IV, Scene I).
     
  6. guest

    guest Guest

You make the separation of kernel and user space sound more complicated than it should. :p

    I hope I said that right. :oops:
     
  7. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    First of all, a disclaimer: I am not an expert. I am in the IT business, but I haven't been in it for very long, so please don't take what I say as given.

    Anyway...

    Maybe useful in a limited account in practice, but again not really trustworthy, because it does its work in userspace. AppLocker is probably better, though I've heard it also has holes.

    I'm thinking more that HIPS with paranoid settings will basically make any payload-based attack into a social engineering attack. This is good if alert popups are rare, and bad if they're common enough that you automatically click "Allow."

    IMO, the most effective method would be a balanced one, rather than one that relies too much on the quirks and flaws of common malware. I think you're pretty safe on Vista/7/8 if you have a system of defenses that complement each other. e.g.

    Windows firewall
    EMET
    Chrome (with sandbox)
    Some antivirus or other
    Macrium Reflect

    or

    Windows firewall
    EMET
Firefox + NoScript
    Antivirus
    Clonezilla

My thought here is that you don't want the antivirus software to bear the brunt of potential attacks. NoScript can prevent exploits from occurring, EMET can cut them short in the compromised program's memory space, and Chrome's sandbox seriously limits their scope; but the antivirus only kicks in when a process is fully compromised and attempts to execute a payload. Ideally you don't want an exploit attempt to get that far.

    So yeah, use a realtime AV. But don't use it as your first line of defense; use it as an insurance policy. And remember to keep backups in case things go pear-shaped.

    That would be my 2c.

    Edit: and for XP I really can't say. But suffice to say I would no longer consider the OS trustworthy for dealing with sensitive information.

    Edit 2: for a more detailed look at the "layers" involved in client-side software security, see here:

    http://0xdabbad00.com/2013/04/28/exploit-mitigation-kill-chain/
     
  8. guest

    guest Guest

Even with UAC always notify? I'm talking about admin account BTW. But yeah, AppLocker works at the kernel level while SRP, as you said, works in user space. There is a hotfix from Microsoft to patch a certain hole in SRP/AppLocker. Problem is, AppLocker is only available in the Enterprise edition of Windows 8.

True enough, but you still have a chance to block CryptoLocker from reading/modifying your documents even if you allowed it to write in the Program Files folder.

    Agree with this. Not even EMET will help much.
     
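The last few posts argue about how much control the user actually has: whether the account is an admin, whether UAC is at "always notify", whether the user can write into Program Files, and whether SRP or AppLocker is enforcing anything. The script below is an added example (not code from the thread or from any of the posters) that audits those conditions on the local machine, read-only. It assumes the documented registry locations for UAC (`HKLM\...\Policies\System`, values `EnableLUA` and `ConsentPromptBehaviorAdmin`) and for SRP (`HKLM\...\Safer\CodeIdentifiers`, value `DefaultLevel` where 0 = Disallowed and 0x40000 = Unrestricted), and that the AppLocker and NetSecurity PowerShell modules may be absent on Home/Pro or pre-Windows 8 systems, which it treats as "not available" rather than as an error.

```powershell
# Added example: read-only audit of "how much control does this user have?"
# Run it from the account you actually use day to day, NOT from an elevated prompt,
# otherwise the write probe and the admin check answer a different question.

function Get-UserControlAudit {
    # 1. Does the current token carry administrator rights?
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # 2. UAC: is it on, and at what prompt level for administrators?
    #    ConsentPromptBehaviorAdmin: 2 = always notify (secure desktop),
    #    5 = default (notify only when programs try to make changes), 0 = never notify.
    $uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uac    = Get-ItemProperty -Path $uacKey -ErrorAction SilentlyContinue
    $uacState = if ($null -eq $uac -or $uac.EnableLUA -ne 1) {
        'UAC disabled (EnableLUA is not 1)'
    } else {
        switch ($uac.ConsentPromptBehaviorAdmin) {
            2       { 'always notify' }
            5       { 'default (notify only when programs try to make changes)' }
            0       { 'never notify' }
            default { "other (ConsentPromptBehaviorAdmin = $($uac.ConsentPromptBehaviorAdmin))" }
        }
    }

    # 3. Can this token write into Program Files? Probe with a throw-away file.
    #    A limited user should get an access-denied exception here.
    $pf    = [Environment]::GetFolderPath('ProgramFiles')
    $probe = Join-Path $pf ("acl-probe-{0}.tmp" -f [guid]::NewGuid())
    $pfWritable = $false
    try {
        [IO.File]::WriteAllText($probe, 'probe')
        Remove-Item -LiteralPath $probe -Force
        $pfWritable = $true
    } catch {
        $pfWritable = $false
    }

    # 4. Software Restriction Policies: is there a policy, and is it default-deny?
    $srpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    $srp    = Get-ItemProperty -Path $srpKey -ErrorAction SilentlyContinue
    $srpState = if ($null -eq $srp -or $null -eq $srp.DefaultLevel) {
        'no SRP policy configured'
    } elseif ($srp.DefaultLevel -eq 0) {
        'default-deny (Disallowed)'
    } elseif ($srp.DefaultLevel -eq 0x40000) {
        'default-allow (Unrestricted)'
    } else {
        "DefaultLevel = $($srp.DefaultLevel)"
    }

    # 5. AppLocker: the cmdlet only exists on editions that ship the module.
    $appLockerState = 'not available on this edition'
    try {
        $policy = Get-AppLockerPolicy -Effective -ErrorAction Stop
        $ruleCount = 0
        foreach ($collection in $policy.RuleCollections) { $ruleCount += @($collection).Count }
        $appLockerState = "effective policy with $ruleCount rule(s)"
    } catch { }

    # 6. Windows Firewall profile state (Get-NetFirewallProfile is Windows 8 / 2012 and later).
    $firewallState = 'unknown (Get-NetFirewallProfile not available)'
    try {
        $profiles = Get-NetFirewallProfile -ErrorAction Stop
        $firewallState = ($profiles | ForEach-Object { "{0}={1}" -f $_.Name, $_.Enabled }) -join ', '
    } catch { }

    [PSCustomObject]@{
        User                 = $identity.Name
        RunningAsAdmin       = $isAdmin
        UAC                  = $uacState
        ProgramFilesWritable = $pfWritable
        SRP                  = $srpState
        AppLocker            = $appLockerState
        Firewall             = $firewallState
    }
}

# Anything that comes back as RunningAsAdmin=True, ProgramFilesWritable=True, or
# "no SRP policy configured" is a condition the thread above would call "too much control".
Get-UserControlAudit | Format-List
```

The write probe is the honest test: an ACL printout can look restrictive while an inherited ACE or a group membership still grants write access, whereas actually creating and deleting a file tells you what a dropper running as this user could do. Note that the SRP registry check reports the default level only; individual path or hash rules live under the same key and are not enumerated here.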