Maximising the power of Windows7 for security when running as ADMIN

Intended for Vista/Windows Lazy Admin Users who want to get maximum protection against minimal system load and third party software.


Using Windows FW
1. See Stems excellent post : https://www.wilderssecurity.com/showpost.php?p=1449570&postcount=1
2. When you are behind a router/FW and not that tech savvy, only use Windows FW as an outbound application filter (and inbound protocol filter off course). By allowing a program for ANY protocol and ANY port. Simply OMIT the steps STEM described at the Protocols and Ports TAB
3. MSE/Ms Defender will update through the windows update service (the outbound allow for svchost will handle this without any further actions)
4. Add your internet facing software (browser and e-mail) as outlined by Stem

Policy Management (UAC)
Set UAC to max (preferably) or keep at default. Now run REGEDIT and look what your settings are for this key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System and look at

"EnableSecureUIAPaths"
User Account Control: Only elevate UIAccess applications that are installed in secure locations (Windows and Program Files) 1 = ON (defaut), 0 = OFF
>> advice: keep this ON (value 1)
>> only elevates programs in Windows and Program Files

"EnableInstallerDetection"
User Account Control: Detect Application Installations and Prompt For Elevation 1 = ON (default), 0 = OFF
>> advice: set to OFF
>> when running a installer program Windows will NOT detect it is an installer and will NOT ask for consent. You have to explicitely run a program as administrator. This prevents 'shoot in the foot' errors to some degree.

Enhanced Mitigation
Enable DEP for all programs http://www.winvistaclub.com/f33.html Add SEHOP by running micorsoft's Fix http://support.microsoft.com/kb/956607#fixit4me

Now go to HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows NT\Driver Signing
Add a regword (dword) "BehaviorOnFailedVerify" (0=Ignore, 1=Warn, 2=Block) with RegEdit
>> advice: set to Block
>> will block installation of unsigned drivers

Add heapspray protection to your browser and e-mail client through Microsofts EMET. Besides DEP and SEHOP this also adds Null Page protection (
this blocks attackers from being able to take advantage of NULL dereferences in user mode)
See https://www.wilderssecurity.com/showthread.php?t=277967. You can use the shortcut trick or Start>All Program>>Accessories>>Command Prompt, right click Run as Administrator (but copy paste in shortcut is easier, make a different shortcut for every program you mittigate).
IE and FF can be mittigated, Chrome does not allows enhanced mitigation (due to its own Sandbox), also add your e-mail client (outlook.exe or mail.exe)

Selective Drive by landing directory protection
For any browser take away the execute rights through ACL of your default Download directory, see https://www.wilderssecurity.com/showthread.php?t=278011 You can do the same for the directory where you have your e-mail stored.

Optional drive by protection in user space
Behaviour: IE does not allow to download exectables, FF downloads a null file, Chrome/Iron does allow to download but Explorer blocks execution. With the REG file (Block ON and Block OFF), you simply switch modes with IE/FF. Chrome and Iron have the most user friendly implementation (plus advantage of Chrome's excellent sandbox), simply right click and remove block. See https://www.wilderssecurity.com/showpost.php?p=1603237&postcount=1

Optional light freeware AV when you select to add optional user space drive by protection also
See https://www.wilderssecurity.com/showthread.php?t=263940 (don't forget to grand C:\Program Files\Avast5\Setup\avast.setup outbound connections). When you use Avast in stead of MSE, don't forget to disable Defender

Optional Browser advice
Iron updates less frequent than Chrome, but guys from Chrome want to issue an release every 6 weeks, so this lower update frequency of Iron becomes an advantage. Chrome's Sandbox IMO is superior to any browser currently available, when you compare security against loading/browsing speed. See https://www.wilderssecurity.com/showthread.php?t=277949 for cookie and flash settings. Allways start Iron/Chrome with --safe-plugins switch (sandboxing Adobe PDF Reader/Flash also).

Bottem Line
You get an old fashioned layered security (FW - IDS - AV) with minimal overhead:
- use Windows FW as an inbound filter and as an outbound application monitor
- apply UAC (for those stubborn lazy admins) with an extra threshold for accidental installation (explicte install as admin from user space)
- apply DEP, SEHOP for all programs and block unsigned driver installs by Users (explicit install as admin still possible)
- reduce risk of Null dereferences and heap spray attacks of Browser and Mail
- reduce risk of drive by through ACL deny execute in Download directory (Browser) and Directory where mails are stored (E-mail)

Optional you can add a deny execute (easy to de-block by right click) and a browser with internal sandbox
- reduce risk of drive by infection on user space (admin space is allready protected by UAC)
- optimise Avast on reduced attack surface and use OS to start Avast when downloaded file or mail is opened (extra select Avast option to scan when an USB stick is inserted)
- reduce web infection risk with internal Sandbox of Chrome see Quote. The policy management measures behind Chrome's Sandbox will act as 2nd safety net

 

Great post as usual Kees. I would like to suggest adding DefenseWall, eliminates the need to use LUA/SRP.

 

With DefenseWall you do not need to bother, it will provide better protection on x32, only DW is not available on x64, so this is more geared towards Lazy Admins wanting to get the maximum power out of their PC without sacrifying security.

 

Seems to work okay, is this all I really need (I am behind router/FW)? PC feels fast, but it seems so minimal

 

I kept PrevXSafeOnline freebie was strange with so few icons in system tray

 

Makes sense, however, how effective is it against real malware? Not being argumentative, I am genuinely interested if this is easily bypassed or holds strong.

 

mainly by the user him/herself otherwise malware will have hard time indeed to penetrate the above

 

how useful is DEP, still very much unsuported http://secunia.com/blog/105

 

So not a good solution for any of my "technically inexperienced" clients....got it.

 

Well my brother in-law uses this setup. He is techincally unexperienced and a PC security noob.

He knows
a) When I want to execute a downloaded program (with Iron), I have to right click the file and remove the block as shown with pic below (picture is made on my XP Pro machine). The warining reads "This file is from a different PC and is blocked to better protect your PC (= standard Windows warning)

b) move it from the download directory to the desktop (otherwise ACL will deny)

c) right click and choose run as admin (Windows does not recognise installers, only elevates from windows and Program Files directories)


So that are three user initiated actions to install something, before you can execute new code

 

Well..its sure an excelent try to give enhaned protection to many users that so far have been just disabling uac kees...your work and effor(time as well) are greatly appreciated..if one's i.q is over 70 and has a 10% knowledge of pc security nowadays they can be 80% ++ safe using just win 7 mechanics(or vista for that matter) , but alas, boredom an "oh-brother"ness have brought on heavier eclipses in computing world than any malware ever has (taking into consideration that something as simple as lua or any virtualization methord can provide that)

 

The above is enabled by default on Win 7 Pro and IE8 but unless I'm missing something, you don't have to select Unblock. When clicked, another warning appears saying that the file wants to run. Clicking OK allows it to run even though in the properties of the file, it still shows as being blocked. Is that normal or is there a setting that stops it from executing until the Unblock button has been applied?

 

Greg when you set the 1806 to 3 (default value 1) then it denies execution. With value 1806 at 1 it only warns.

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1806"=dword:00000003

Just download SWITCH_BLOCK_ON.txt view it with notepad, save it as ASCII file with extention .REG somewhere in the Program Files Directory. By adding shortcuts in the start menu, you can easily switch this block on or off.

Regards Kees

 

Yep, it is for lazy admins. My wife runs LUA + SRP + some GPEDIT hardening on her three year old laptop now with Win7 Ultimate. I would even say this protects her from 99% of the problems.

Regards Kees

 

Batch files for quick implementation of Kees method. Advantage of using reg add is the force switch, so you don't have to click OK twice using .reg files.

toggle to 1 (name .bat)

Code:

@echo off
reg add "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" /v 1806 /t REG_DWORD /d 1 /f

toggle to 3 (name .bat)

Code:

@echo off
reg add "HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" /v 1806 /t REG_DWORD /d 3 /f

You can also do it with autoit. Compile this and double click to toggle. You can also add either of these two methods to a context menu entry for your chosen type (* or directories or .exe or whatever suits you).

Code:

$rVal = RegRead("HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3","1806")

If $rVal = 1 Then
	RegWrite("HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3","1806","REG_DWORD",3)
ElseIf $rVal = 3 Then
	RegWrite("HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3","1806","REG_DWORD",1)
EndIf

Of course .vbs or any other script language is capable of doing the same thing. You can even use the For command in batch to do it, but that is a more twisted route

Sul.

EDIT: with a little creativity in Win7, it is possible to add to the context menu an icon on the left of an entry. The batch files or autoit script could then modify that icon to a different on within a dll, mabye a green check or red X to determine what state it is in. You know, this can just go on and on and on...

 

Thx Sul

 

I didn't know about putting this sort of stuff into PGS because I thought using PGS as an interface to this would be a bit cumbersome. What are the thoughts about having a context menu or very small interface to some of this type stuff for quick enable/disable? I can see it being of use to some, especially if there was a quick-n-convenient method to manage it.

Sul.

 

Well Sul,

I help friiends on the following principle. I can help you with better protection. Better protection in this context means you have to run something as an ADMIN (through right click) to install something explicitely. All other sneaky things downloaded in your user (space) directories will be prohibited to run unless you de-block it.

For a home version user the following benefits are valid when using PGS

When a program is guarded by PGS and runs as a limited user, Vista and Windows 7 do not elevate anymore. This reduces user errors allowing UAC consent prompts.

So to me something implementing 'running internet facing software as LUA permanently' the 1806 trick (with switch on/off) and a ACL deny execute for home users on Download directory and Mail directories would make it easy.

Another benefit of adding these extra's into a program, is that most people do not understand the registry and how ACL works. It is considered tacky to hack into the registry yourself or change ACL-permissions. Offering it through a program interface would create some more trust.

So I am in favour for some sort of automated mechanisme. Hope some Members will provide Sully with feedback (he wrote Pretty Good Security which is entirely based on your OS internals security mechanismes)

Maybe I could suggest the following right click options
a) Start/Stop running this application as Limited User with Medium Rights (through icacls.exe has same effect as PGS, only works in x64 as well)
b) Ehanced Security Mitigation for this program (with a build in check to only include the ones now listed as compatible with EMET by MicroSoft)
c) Enable/Disable DenyExecute for this directory for Home Users (make sure you do not allow this for WIndows/Program Files, this is the ACL-trick )
d) Enable/DIsable DriveBy protection for user space directories (the 1806 trick)
e) Stop/Start prompt UAC when installing from user space (with stop you need to explicitely run as Admin)


Regards Kees

Thx

 

This method is really nice:

https://www.wilderssecurity.com/showthread.php?t=278011

But i just found out that it does not seem to stop every exe file from executing when you double click it. I just downloaded this software;

https://www.wilderssecurity.com/showthread.php?t=278213

And it can be executed without being blocked. Now i think this could be because of what this program is designed to do, but still it is a exe file.

Or am i missing something here.

 

No I am missing something.


I posted the deny execute ACL with the explanation for running LUA, not Admin.

You als need to remove rights from current user (sorry ) then it works running as admin (under UAC)

 

Ah i see, thanks Kees.

 

"so this is more geared towards Lazy Admins...."

Lazy? Prudent.

 

Horse pooey, it actually works. I remember some time back you tried to help me enable this through Gpedit and it would not work correct for some reason. This way it does in fact work. Now I have to ask, why the option to toggle it on or off when the Unblock button works? Also, the other day I found in the registry where these files were listed that had been allowed execution by clicking the Unblock button. One particular entry that was allowed execution, I deleted it's listing from the registry and it placed the Unblock button back on the properties page for that file. Would you happen to know that location in the registry because I can't find it now?

OK, nevermind. I see the reason for the toggle now. The file is not allowed to be downloaded unless it's toggled off. I was under the impression that the Unblock button would be what's in control. In other words, download the file, try and execute, file will not run until the Unblock button is clicked. In a sense it is that way now but as mentioned in my other reply, after clicking OK from the warning dialog that pops up, the file is allowed to execute which I guess is kind of SRP's job.

 

See Breaking news https://www.wilderssecurity.com/showpost.php?p=1721923&postcount=9645

 

Applied most of this to my PC