Wilders Security Forums  

#1 Escalader, October 23rd, 2012, 10:36 AM
Results of restricting Explorer!

http://www.outpostfirewall.com/forum...277#post202277


I have a question for MS.

Why is explorer so h.ll bent for leather to access screens, clipboards and keystrokes?

I've done the restraints (any user with a firewall can) and I can still do everything I need to do on the www.
__________________
Escalader
i7 8 GB RAM Notebook, 1TB External Drive
Sandboxie, Nod32, OP FW Pro, KeyScrambler, MVPS HOSTS File
IE 9 Hardened Active X,SmartScreen,Tracking Protection
Paragon Backup and Imaging
#2 wat0114, October 23rd, 2012, 12:23 PM

I've always blocked explorer.exe from Internet comms and never had a problem doing so. There should then be no reason to restrict its inter-process actions with HIPS because its actions are, after all, being contained within the pc.
__________________
Win 7x64 Ultimate

SUA | UAC @ Max | AppLocker w/DLL enforcement | Win fw w/advanced security| EMET 3.5 | Chrome w/AdBlock+ | GPO restrictions | Bitlocker and Truecrypt | ShadowProtect images | IFW data backups + dual boot to XP Pro: GPO, SRP, Jetico firewall w/Process Attack filter
#3 Escalader, October 23rd, 2012, 04:46 PM

Quote:
Originally Posted by wat0114
I've always blocked explorer.exe from Internet comms and never had a problem doing so. There should then be no reason to restrict its inter-process actions with HIPS because its actions are, after all, being contained within the pc.


Thanks, but I'm not as confident as that about these inter-process actions NOT passing clipboard data etc. along to other executables that DO have www access.
#4 wat0114, October 23rd, 2012, 07:26 PM

Quote:
Originally Posted by Escalader
Thanks, but what I'm not as confident as that about these inter-process NOT passing clip board data etc along to other executables that DO have www access.

Good point for sure, although I think you have to be careful not to overdo things, otherwise there's the risk of breaking required functionality. The MS explorer.exe that resides in %Windir% has to be considered, at least to a considerable extent, a trusted process. If those restrictions you applied are working fine with no negative impact on the system, then all the better for you.
#5 Escalader, October 24th, 2012, 06:20 PM

Quote:
Originally Posted by wat0114
Good point for sure, although I think you have to be careful not to overdo things, otherwise there's the risk of breaking required functionality. The MS explorer.exe that resides in %Windir% has to be considered, at least to considerable extent, a trusted process. If those restrictions you applied are working fine with no negative impact on the sytem, then all the better for you


Well, my plan has broken down!

I can't get the control panel to activate!
#6 adrenaline7, October 28th, 2012, 10:29 AM

Can't get it to activate? You mean open?
#7 noone_particular, October 28th, 2012, 11:11 AM

I'm not familiar with Outpost and how it stores its rules and settings or if it allows you to save, export, and import existing rulesets. Assuming that it does, I'd hope that:
1. you made a backup of the starting ruleset before you began tightening explorer permissions;
2. you have been at least documenting the details of the changes you're making, or that you're saving rulesets as you go, last known good or similar.
I'd also hope that you're making changes 1 or 2 at a time, then checking through your system to see if anything broke or if there's any adverse effects. If nothing else, make a full backup/image of the OS before you go in too deep. Tightening and experimenting are not only useful, they're good for teaching the details about how your system operates, as long as you have a way back if things go wrong.
__________________
Sitting in a bunker, here behind my wall, waiting for the worms to come.
#8 Escalader, October 28th, 2012, 05:46 PM

Quote:
Originally Posted by adrenaline7
cant get it to activate? you mean open?

Exactly! It opens then says explorer has stopped working.
#9 Manny Carvalho, October 29th, 2012, 12:18 AM

Explorer is an integral part of Windows. Restrict it too much and the OS starts to break down. I'm sure it's fun to see how far you can take it before it all crumbles. Kind of like taking a thumbscrew to ... well, never mind
#10 luciddream, October 29th, 2012, 12:50 AM

I take this approach with everything on my setup, not just Explorer. What I'll do with it, as with everything else, is block it on a per case basis, and see if I'm still able to carry out the action. If not, then I'll do it again and grant it the access it needs that time and check the box to remember it. I've never had my system crash as a result.

I have keyboard & computer monitor access blocked outright. Everything else is set to Ask, and only allowed on per case basis. Internet access blocked as well. And I haven't gotten an Explorer popup in quite some time.
__________________
XP Pro SP3: Comodo FW/D+ 5.10 | Sandboxie 3.76 | VT Hash Check 1.01 | OpenVPN 2.2.1 | VirtualBox
#11 Manny Carvalho, October 29th, 2012, 10:22 AM

Impressive I must say. That's a tight ship you are running!
#12 fax, October 29th, 2012, 11:11 AM

I can feel the heavy pain in setting this up... you must have some free time at disposal
#13 luciddream, October 29th, 2012, 01:05 PM

It's really not that difficult. You open control panel, or whatnot, and realize Explorer needs some type of access... you check the box to remember it. You never hear from it again. For about the first 2 weeks after a fresh install this happens the first time you run an app, you set the appropriate access, then it quiets down. Now I never hear a peep out of it.

And for programs that are constantly reading/writing to/deleting new file names, like CCleaner for example, the popups would never end, so you simply allow it that type of access permanently.

I'd love to be able to lie and say it was a lifetime's work on my part, like a housewife with a Betty Crocker cake who acted like she slaved in the kitchen all day... but it really didn't require much time/effort on my part at all. This whole notion that HIPS are some monumental (chatty) inconvenience is severely flawed, dredged up by people that really don't understand how to deploy them effectively.
#14 fax, October 29th, 2012, 01:33 PM

Good to hear it's not a monumental pain.
#15 noone_particular, November 2nd, 2012, 11:18 AM

Quote:
I'd love to be able to lie and say it was a lifetimes work on my part, like a house wife with a Betty Crocker cake that acted like she slaved in the kitchen all day... but it really didn't require much time/effort on my part at all. This whole notion that HIPS are some monumental (chatty) inconvenience is severely flawed, drudged up by people that really don't understand how to deploy them effectively.
That's one of the better descriptions I've heard. Yes, explorer and other windows components are "trusted" as far as integrity is concerned, but the actions they're instructed to perform may not be when those instructions are passed to them from another potentially exploited application. Just because an executable is a windows component doesn't mean that it needs to be able to access everything, do anything. Applications, system components, individual services, etc should be restricted to being able to do only what they need to in order to function properly. Specifying these permissions isn't babysitting or some similar "high interaction required" setup. It's additional hardening, one component at a time. Unless I'm altering or adding something to my system or trying something different, my HIPS is also silent.
#16 Spiedbot, November 2nd, 2012, 11:27 AM

Hi,

You must allow explorer.exe on the local network, otherwise Windows does not like it.

When you open files in Explorer, explorer.exe may sometimes ask to access the internet, often for updates of the opened file; allow it ONCE.
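Putting posts #2, #7 and #16 together (block explorer.exe from the Internet, still let it talk to the LAN, and back up the ruleset before changing anything), the following is an added example for the built-in Windows Firewall with Advanced Security driven through netsh. It is not code from any poster and does not involve Outpost; the rule names, the backup path and the list of "public" address ranges are my assumptions.

```powershell
# Added example (not from the thread): block explorer.exe from the Internet while
# keeping LAN access, with a policy backup taken first and a one-line rollback.
# Run from an elevated PowerShell prompt; netsh advfirewall exists on Vista/7 and later.
# Rule names, the backup path and the "public" address list below are assumptions.

$explorer = Join-Path $env:SystemRoot 'explorer.exe'
$backup   = Join-Path $env:USERPROFILE 'Desktop\wf-before-explorer.wfw'

# 1. Snapshot the complete firewall policy before touching anything (post #7).
netsh advfirewall export "$backup"
if ($LASTEXITCODE -ne 0) { throw "Firewall export failed; not changing any rules." }

# 2. Let explorer.exe reach the local subnet: shares, printers, discovery (post #16).
#    Only matters if the outbound default is Block; harmless otherwise.
netsh advfirewall firewall add rule name="explorer.exe - allow LAN" `
    dir=out action=allow program="$explorer" remoteip=localsubnet enable=yes

# 3. Block the rest (post #2). Windows Firewall applies explicit Block rules ahead of
#    Allow rules, so a block with remoteip=any would also defeat step 2. Scope the
#    block to everything that is not RFC 1918, loopback or link-local, plus IPv6
#    global unicast.
$public = @(
    '0.0.0.0-9.255.255.255',
    '11.0.0.0-126.255.255.255',        # skips 10/8 and 127/8
    '128.0.0.0-169.253.255.255',
    '169.255.0.0-172.15.255.255',      # skips 169.254/16
    '172.32.0.0-192.167.255.255',      # skips 172.16/12
    '192.169.0.0-223.255.255.255',     # skips 192.168/16; multicast left alone
    '2000::/3'                         # IPv6 global unicast
) -join ','
netsh advfirewall firewall add rule name="explorer.exe - block Internet" `
    dir=out action=block program="$explorer" "remoteip=$public" enable=yes

# 4. Check what was actually installed, then test by hand: opening a network share
#    from Explorer should work, typing a web URL into the Explorer address bar should fail.
netsh advfirewall firewall show rule name="explorer.exe - block Internet" verbose

# Rollback if something breaks (this replaces the whole policy with the snapshot):
#   netsh advfirewall import "$backup"
```

The two rules are deliberately split so that the same pair works whether the profile's outbound default is Allow (the block rule does the work) or Block (the allow rule does the work); change one thing, confirm Explorer still behaves, then move on, as post #7 recommends.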
#17 luciddream, November 4th, 2012, 03:51 AM

Quote:
Originally Posted by noone_particular
That's one of the better descriptions I've heard. Yes, explorer and other windows components are "trusted" as far as integrity is concerned, but the actions they're instructed to perform may not be when those instructions are passed to them from another potentially exploited application. Just because an executable is a windows component doesn't mean that it needs to be able to access everything, do anything. Applications, system components, individual services, etc should be restricted to being able to do only what they need to in order to function properly. Specifying these permissions isn't babysitting or some similar "high interaction required" setup. It's additional hardening, one component at a time. Unless I'm altering or adding something to my system or trying something different, my HIPS is also silent.

yepperz
#18 wat0114, November 4th, 2012, 08:59 AM

Quote:
Originally Posted by luciddream
This whole notion that HIPS are some monumental (chatty) inconvenience is severely flawed, drudged up by people that really don't understand how to deploy them effectively.


How does the typical pc user know how to respond to the alerts of potentially 14 different types of actions explorer.exe might attempt to perform (screenshot examples)?

Quote:
Originally Posted by noone_particular
... but the actions they're instructed to perform may not be when those instructions are passed to them from another potentially exploited application.

If this is the case, then something broke down earlier in the security enforcement process, if indeed an application did get exploited; possibly the user made a wrong decision answering a HIPS alert, or allowed a malicious script to unleash through the web browser.
Attached: explorer_01.png (68.9 KB)
#19 Ring0, November 4th, 2012, 10:37 AM

Quote:
Originally Posted by wat0114
How does the typical pc user know how to respond to the alerts of potentially 14 different types of actions explorer.exe might attempt to perform (screenshot examples)?

No one knows, and it all ends with accept/permit all, otherwise you may lose functionality of your PC.
For this reason I find that HIPS/HOPS alert software is not usable for the average user.
__________________
We secure the world ;-)
#20 Manny Carvalho, November 4th, 2012, 10:39 AM

No typical user would ever even think attempting this. Heck, they barely keep their AV updated. Clearly this is pretty close to the last inner circle of protection. It's certainly not the first thing in any security umbrella but something for somebody that wants to play around with a paranoid level security setup.

It is, after all, an interesting experiment. That's how it should be viewed.
#21 noone_particular, November 4th, 2012, 01:17 PM

Quote:
How does the typical pc user know how to respond to the alerts of potentially 14 different types of actions explorer.exe might attempt to perform (screenshot examples)?
The typical PC user isn't going to be able to use HIPS effectively, especially with that fine grained level of control. That's one of the problems I have with bundling firewalls and HIPS together as security suites. The average user isn't going to use it properly.
Quote:
If this is the case, then something broke down earlier in the security enforcement process, if indeed an application did get exploited; possibly the user made a wrong decision answering a HIPS alert, or allowed a malicious script to unleash through the web browser.
Applications also get exploited via weaknesses in their own code, independent of the user. If the HIPS is part of a security suite, the PC might not have any form of script control and the user was never asked. There's too many scenarios for a simple answer. Myself, I view all attack surface apps as vulnerable and potentially exploitable. No matter what kind of security-ware you use, it's not always possible to prevent an application from being successfully attacked. The HIPS comes into play by restricting that apps permissions and inter-process activities, and can prevent a compromised application from compromising the rest of the system.
#22 wat0114, November 4th, 2012, 01:58 PM

Quote:
Originally Posted by noone_particular
There's too many scenarios for a simple answer. Myself, I view all attack surface apps as vulnerable and potentially exploitable.

I place lots of emphasis on the most common gateways for malware, especially the web browser.

Quote:
No matter what kind of security-ware you use, it's not always possible to prevent an application from being successfully attacked.

As long as the attacks are unsuccessful in delivering their payload, I'm not too concerned. For me eliminating or at least greatly reducing scripting attacks through the browser should take care of pretty much everything.

Quote:
The HIPS comes into play by restricting that apps permissions and inter-process activities, and can prevent a compromised application from compromising the rest of the system.

True enough. It's just that I found them to be high maintenance, in spite of what was suggested earlier in this thread. Even AppLocker with DLL enforcement enabled, where there are several hash rules in place (I like hash rules for non-protected directories), can and does require routine maintenance to keep the hash rules up to date when the file's hash changes or when hash rules are created for new applications.

Apparmor in Linux is nice because it usually means exercising the profile via sudo aa-logprof to help in generating rules that may have been missed during the original profiling exercise. It's been very low maintenance for me so far.
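The maintenance problem wat0114 describes above (a hash rule silently going stale when the file it was generated from is updated) can at least be detected rather than discovered at launch time. The script below is an added example, not anything posted in the thread; it assumes the rules were created with Get-AppLockerFileInformation / New-AppLockerPolicy, so that each FileHash element records the SourceFileName it was taken from, and that the binaries live under the directories passed as -SearchRoot. The function name and the default search roots are my choices.

```powershell
# Added example (not from the thread): list AppLocker hash rules whose source file is
# missing or no longer hashes to the value in the effective policy.
# Assumptions: rules carry SourceFileName (true for rules built with the AppLocker
# cmdlets) and the binaries sit under -SearchRoot. Needs the AppLocker cmdlets
# (Windows 7 Ultimate/Enterprise and later).

function Get-StaleAppLockerHashRules {
    param(
        [string[]]$SearchRoot = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, "$env:SystemRoot\System32")
    )
    [xml]$policy = Get-AppLockerPolicy -Effective -Xml

    # Index every file under the search roots by name once; hashing is done only
    # for files that a rule actually references.
    $byName = @{}
    Get-ChildItem -Path $SearchRoot -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $key = $_.Name.ToLowerInvariant()
            if (-not $byName.ContainsKey($key)) { $byName[$key] = @() }
            $byName[$key] += $_.FullName
        }

    foreach ($collection in @($policy.AppLockerPolicy.RuleCollection)) {
        if ($null -eq $collection) { continue }
        foreach ($rule in @($collection.FileHashRule)) {
            if ($null -eq $rule) { continue }
            foreach ($fh in @($rule.Conditions.FileHashCondition.FileHash)) {
                if ($null -eq $fh -or -not $fh.SourceFileName) { continue }
                $key = $fh.SourceFileName.ToLowerInvariant()
                $candidates = if ($byName.ContainsKey($key)) { @($byName[$key]) } else { @() }

                if ($candidates.Count -eq 0) {
                    [pscustomobject]@{ Collection = $collection.Type; Rule = $rule.Name;
                                       File = $fh.SourceFileName; Status = 'file not found'; Path = $null }
                    continue
                }

                # Hash with the same routine AppLocker uses (an Authenticode-style hash for
                # PE files), not Get-FileHash, whose flat SHA256 would never match a PE rule.
                $current = foreach ($p in $candidates) {
                    (Get-AppLockerFileInformation -Path $p -ErrorAction SilentlyContinue).Hash.HashDataString
                }
                if ($current -notcontains $fh.Data) {
                    [pscustomobject]@{ Collection = $collection.Type; Rule = $rule.Name;
                                       File = $fh.SourceFileName; Status = 'hash changed'; Path = ($candidates -join ';') }
                }
            }
        }
    }
}

# Usage: run after an application update, then regenerate only the flagged rules
# with Get-AppLockerFileInformation | New-AppLockerPolicy and merge them in.
Get-StaleAppLockerHashRules | Format-Table -AutoSize
```

A rule that reports 'hash changed' means the old binary would now be blocked in Enforce mode (or logged in Audit mode) until the rule is regenerated; a rule that reports 'file not found' is dead weight that can be removed. Matching on SourceFileName is a heuristic, which is why every same-named candidate is hashed and the rule is only flagged when none of them matches.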
#23 noone_particular, November 4th, 2012, 02:46 PM

Quote:
It's just that I found them them to be high maintenance, in spite of what was suggested earlier in this thread. Even AppLocker with DLL enforcement enabled, where there are several hash rules in place (I like hash rules for non-protected directories) can and does require routine maintenance to keep the hash rules up to date when the file's hash changes or when hash rules are created for new applications.
It can be, depending on how you handle updating and how often you add new applications. For me, the OS changes very little, since there are no official updates for it any more and it's equipped the way I want it. With applications, I update them only when I feel it's necessary, definitely not every new version. Since my updating is done manually, updates to rules and file hashes are done at the same time.
#24 luciddream, November 4th, 2012, 02:54 PM

Quote:
Originally Posted by wat0114
How does the typical pc user know how to respond to the alerts of potentially 14 different types of actions explorer.exe might attempt to perform (screenshot examples)?


They don't. A "typical user" doesn't belong anywhere near a HIPS in the first place though, rendering that point moot. A typical user in fact shouldn't use any kind of filtering whatsoever, other than the packet filtering their router/inbound FW provides automatically. Nor should they use any program that requires user input/decisions...

because the "typical user" is an idiot.

That shouldn't stop the rest of us from implementing the measures. There is nothing high maintenance about it whatsoever to me. It is set-&-forget protection for me now, and has been ever since those initial 2 weeks or so. It is now, as noone put it, hardening... completely invisible protection.
#25 wat0114, November 4th, 2012, 03:28 PM

I only posed the question because in post #13 you stated it's really not difficult, so I thought you implied it's not difficult for anyone in particular.
 

Copyright ©2002 - 2013, Wilders Security Forums