The irrelevance of Applocker / relevance of SAFE admin tweaks

[acr1965]

Quote:

Originally Posted by Rmus

Why not Applocker to set up basic default-deny rules? Free and already on board.

Also, check to see if the free version of Returnil has execution protection.

----
rich

Anyone able to set up rules for the scripts white list? I can't even get Microsoft Word to function properly with applocker implemented. What a pain. I'm about ready to ditch applocker and try something else, maybe MD or Comodo D+.

[acr1965]

Quote:

Originally Posted by dw426
Will do, Kees. Now, a couple of questions for any of you really.

1. UAC, at SOME level, is LUA, true or false?

2. LUA, if there is no rational argument for NOT using it, what do you all say to those that tell you software either won't work properly or not at all under LUA? Is that not a rational argument? Also, I'd like to know, is it really possible to turn my now admin account into LUA without losing files I already have (these are files not included in my backup)?

3. Anti-executable software. I'm on Win 7 64, and I just will not go the HIPS route, and can't at this time shell out near 50 dollars for AE. Are there any free alternatives available that will do the job?

Quote:

Originally Posted by Kees1958

Ad 1
Yes, that is true, but there is one difference. Being the Admin you are automatically the owner/creator (same applies to a wrong setup LUA), this makes the user - admin space a cloudy or muddy border. Others argue because UAC prompts when a program request elevation, UAC is no security frontier, opposed to LUA. Also from XP on you can set the LUA user to prompt for admin credentials, which is sort of simular to UAC only with UAC the changes are in the environment/context of the current user. So this 'hard' border depends on policy settings. On my wife's LUA, I have set this enabled. So hardliners would say I changed the LUA - ADMIN brick wall into a butter soft border. She wanted a backdoor, because it was her PC. E.g. when she is with out with her friends and they decide view something of a camcorder. When they stick in the camcorder, and it needs admin credentials to install/load a driver then she will be prompted automatically for admin credentials.

2.
When you turn your current LUA down to Admin, the LUA user is the owner creator. But you would be certain you keep access to all your files (so you need to give a new user Admin rights). Flip side is this is an example of a not well setup LUA user (since the LUA user is the owner/creator of everything).
Most commercial program run perfectly under LUA, some security applications don't. But the thing is you need way less security running LUA.

3.
Yes SAFE and your Windows Ultimate, but let's do thay through PM

Regards Kees

So if I have UAC at Max settings and scripting disabled in my web browser I am safe from 99% (more or less) malware and my programs will function properly?

I can say whole-heartedly that trying to set up any sort of viable internet security program or strategy has caused me more misery and aggravation than every malware hit I have taken combined. I just don't understand it I guess- maybe it's the paranoia of malware combined with the desire to try out new security programs. It seems the average security set up causes system instability, programs to not function properly, high resource load, constant pop ups with unclear yet highly important warnings. It's almost the same as being infected.

I am thinking to run just LUA at max and maybe some internet browser security of some type and just say to hell with all the extra stuff. It's just too big of a pain in the you know what. If I get infected then so be it. I really don't care any longer.

[dw426]

I'm the same way, I'm so tired of getting mixed ideas about all this stuff. People get on me because I use an AV, AS, and try to configure my browser properly, while they use their SRP/LUA, Default this and that. Look, I don't know about anyone else, but anytime I start restricting things and my system starts telling me "no", I don't put up with that. When securing my system makes it harder to use my system, I don't put up with that. My AV and AS never say a word unless they find something that needs my attention. THAT is how to run security in my eyes.

Now, as to UAC, some are going to tell you full UAC is a limited user account, and some will not, some will say SRP is the way to security happiness, some will pipe up and tell you it can fail. Me, I'm sick of security, truly, seriously sick of it. The minute I think I got all my bases covered, someone comes along to tell me I'm either wasting my time by having too much, or my doors are still wide open. Such and such is the easy way, not this and that. God, I no longer care. I'm tired of worrying over POCs, 0-days, sandbox busters, limited this, restriction that. I pick programs that are well-regarded here and either free or affordable, and I move on.

[Sully]

Quote:

Originally Posted by acr1965

I can say whole-heartedly that trying to set up any sort of viable internet security program or strategy has caused me more misery and aggravation than every malware hit I have taken combined. I just don't understand it I guess- maybe it's the paranoia of malware combined with the desire to try out new security programs. It seems the average security set up causes system instability, programs to not function properly, high resource load, constant pop ups with unclear yet highly important warnings. It's almost the same as being infected.

I am thinking to run just LUA at max and maybe some internet browser security of some type and just say to hell with all the extra stuff. It's just too big of a pain in the you know what. If I get infected then so be it. I really don't care any longer.

I hear you loud and clear. I might be in a bit different boat because I have had no problem using many different security schemes, they don't cause misery and aggravation. I found them to always be fun and interesting because I learned something with every scheme I put in place.

For me it came down to attempting to do as much as possible with what is on hand in the OS and being somewhat choosy about 3rd party tools. I don't personally want a default-deny, but I don't really want to give everything carte-blanche rights either.

On XP my favorite solution was to use SRP as an Admin to reduce browsers etc to Users rights, modify how and where I download files and use Sandboxie as my main mechanism to keep things segregated. On win7, it is a bit different matter. UAC can be of benefit, but only if you can trust what you allow. I seem to be gravitating towards a little of what Kees puts forth, but not to the degree he has laid out. I will likely incorporate about half of these methods myself, in conjunction with Sandboxie and some common sense approaches. The last thing I personally want is to have to right click on things to be able to use them, or see a UAC prompt every time either. Somewhere there is a compromise that allows me to administer my system (which is pretty much all that I do anymore) freely in common ways, yet also have specific areas that require a little more focus (such as denying execution or setting integrity levels).

I suggest that if you really don't want the headaches of securing your system, find some middle ground in LUA if you can, and live with elevating when needed. For you maybe that won't be too often and it won't make a difference.

@dw426

My take on it is very similar. I am not sweating it now, and have not truly for quite some time. I used to rely on ghost images, but now with macrium and how convenient it is for me, I just make sure my data is backed up, that my macrium images are updated periodically, and then I apply as little as possible to stay reasonably secure. I will remain an Admin as long as I am dorking with the internals, and I will never be truly safe. Odds are I wouldn't anyway. If and when I do get bitten, I will restore my image. If I change things, I will restore my image, make those changes and create a new image with those changes. It is my safety net now, on all computers in my house. I don't even start VM as much as I used to. If SBIE doesn't do it, I might use VM or I might just back things up quickly and see what happens.

I am very curious to see how some of this stuff Kees is bringing forth might fit into what I want. I am hoping some of it will close a few gaps I feel are more glaring than others. Time will tell.

Sul.

Quote:

Originally Posted by Sully

For me it came down to attempting to do as much as possible with what is on hand in the OS and being somewhat choosy about 3rd party tools.

Recently the way I've approached it as well.

Quote:

...now with macrium and how convenient it is for me, I just make sure my data is backed up, that my macrium images are updated periodically, and then I apply as little as possible to stay reasonably secure.

Quote:

If and when I do get bitten, I will restore my image. If I change things, I will restore my image, make those changes and create a new image with those changes. It is my safety net now, on all computers in my house.

The beauty of being proficient with imaging and restoring when needed is the confidence it instills in you knowing you can do whatever you please to your system with the least little concern whatsoever, because a recent backup is ready on hand just in case. Ahh, it scares me how good I've become at this In fact, I now want to become a crusader, a kind of troll if you will, extolling the virtues of learning to use with utmost proficiency image/restore software. Just think about how little it matters if something goes wrong, whether it be user-induced, 3rd party-induced or malware-induced to your machine, as you laugh in the face of adversity, viewing it as nothing more than a trifling inconvenience, because a restore in only a matter of minutes to a recent, pristine image is waiting faithfully on hand. This is an area of security that people don't seem to focus enough on.

[Sully]

Quote:

Originally Posted by wat0114

The beauty of being proficient with imaging and restoring when needed is the confidence it instills in you knowing you can do whatever you please to your system with the least little concern whatsoever.

They say birds of a feather flock together.. an apt saying on this subject if you ask me. I crusade for it as well, but get very little interest outside of a place like this. I consider it a much lighter subject than firewalls and hips, but even so, eyes glaze over fairly fast

Sul.

[ParadigmShift]

Quote:

Kees1958 said:
Because Applocker can be tricky to setup...

It's a piece of cake.

[Windchild]

Quote:

Originally Posted by wat0114

The beauty of being proficient with imaging and restoring when needed is the confidence it instills in you knowing you can do whatever you please to your system with the least little concern whatsoever, because a recent backup is ready on hand just in case. Ahh, it scares me how good I've become at this In fact, I now want to become a crusader, a kind of troll if you will, extolling the virtues of learning to use with utmost proficiency image/restore software. Just think about how little it matters if something goes wrong, whether it be user-induced, 3rd party-induced or malware-induced to your machine, as you laugh in the face of adversity, viewing it as nothing more than a trifling inconvenience, because a restore in only a matter of minutes to a recent, pristine image is waiting faithfully on hand. This is an area of security that people don't seem to focus enough on.

Maybe you ought to write a tutorial for imaging and restoring, then. That kind of stuff could be helpful to folks.

And yeah, that's all I'm going to say even remotely on the subject of this thread. I guess my opinion would be pretty obvious without me saying it.

[acr1965]

I've been reading articles across the internet and the more I read the more confused I get. But would someone give a clear answer to this question?:

if a person runs as admin will running applocker make any difference? Or does running applocker mean a person has to run in a standard account for applocker to be effective?

PS- I have tried running as standard and it's a pain. If applocker does not make a difference when running as admin then I just need to find something else or some other strategy- maybe just some disk imaging or something like that...along with a behavior blocker, disable scripting in my internet browser and have some on demand scanners.

I am not interested in registry tweaks because those almost have some negative effects somewhere down the road. And while we are at it- I hate sandboxes too. They are nearly a worse pain as running as a limited/standard user.

So there I said it- I hate limited user accounts and I hate sandboxes. I'm sure some internet security guru's have their head spinning circles like they just heard words from the devil himself.

I was just hoping applocker will run fine and give my system some security in an admin account.

Quote:

Originally Posted by acr1965

if a person runs as admin will running applocker make any difference?

It could make a difference, given the proper configuration of rules, which would have to exclude the default "Allow all files" for administrators. I would also recommend UAC set to maximim.

Quote:

Or does running applocker mean a person has to run in a standard account for applocker to be effective?

This is definitely prefered.

Quote:

So there I said it- I hate limited user accounts and I hate sandboxes.

What I think should work:

1. First make sure your system is malware free.
2. Auto generate executable rules for all files in Program Files (including Program Files (x86) ), and Windows directories.
3. Delete the default allow all files rules for administrators.
4. Repeat the above for installers and scripts
5. Don't bother with DLL's.
6. Set UAC to maximum.

What I can do is some testing in my VM and I'll let you know, probably in a day or two.

[acr1965]

OK thanks. Is the reasoning behind not worrying about DLL's that if malware cannot execute in the first place it will not be able to load/install a DLL?

You know I see lots of videos on youtube about security programs being tested against malware but I can not find any videos where an OS has the system configured pretty tight- such as applocker configured and uac maxed out. I wish I could see such a system on youtube being tested against rogue downloads and malicious installs just to see. Maybe the video would be boring to some but would be interesting for a lot of people I bet. I have asked some of the regular youtube video makers for such a video but never got any response.

[Sully]

Quote:

Originally Posted by acr1965

I am not interested in registry tweaks because those almost have some negative effects somewhere down the road. And while we are at it- I hate sandboxes too. They are nearly a worse pain as running as a limited/standard user.

You have a misconception about the registry and what a tweak does. The only part of the statement above that is true is that some tweaks might cause an issue, but most do not, at least in relations to the security tweaks. Maybe you lump all tweaks in with service and system performance tweaks, where a wrong setting can manifest into problems.

Quote:

So there I said it- I hate limited user accounts and I hate sandboxes. I'm sure some internet security guru's have their head spinning circles like they just heard words from the devil himself.

If you want to run as an Admin, you will have to make a concession somewhere. You can either create a blacklist that needs managed, a white list that needs managed, use a HIPS that needs managed, institute some form of Applocker or SRP that needs managed, try something like Kees approaches, still needs managed, use a sandbox, requires management, various other tools, which need managed.

Sorry, but I don't think you will find a method in Admin that won't require you to do something at least as bothersome as a sandbox. You already know the other option of LUA can be inconvenient if you do a lot of admin stuff.

What is it exactly that you want to have? A level of security that 'just works' and you don't have to be involved with? Your choises and likes are fine, we all have a different take. But since you want to stay an Admin (I assume) then you have to make a concession somewhere. And I am sure I speak for more than myself when I say I would be more than happy to help you figure out what that might be, if possible.

Sul.

[CloneRanger]

Quote:

Originally Posted bywat0114

Don't bother with DLL's.

What about dll.dll for eg ? - http://www.wilderssecurity.com/showthread.php?t=276994

[Kees1958]

Quote:

Originally Posted by ParadigmShift

It's a piece of cake.

Ha ha you take something out of its context. "Because setting up Applocker can be tricky, every tutorial warns you to not remove the Admins/Systems defaults within applocker." .

So tell me have you removed the system/admin defaults then?

Thx

[Kees1958]

Quote:

Originally Posted by wat0114

It could make a difference, given the proper configuration of rules, which would have to exclude the default "Allow all files" for administrators. I would also recommend UAC set to maximim.

Only for the brave hearted IMO (removing allow all for admins)

[Kees1958]

Quote:

Originally Posted by acr1965

I am not interested in registry tweaks because those almost have some negative effects somewhere down the road.

The tweaks mentioned can be set through Group Policy, only you would have to buy the ultimate versions. When you enable SEHOP through microsofts MSI, you are also changing regsitry values.

I realise I should not call them tweaks, but something like "changing settings you would otherwise have to pay extra for".

[Kees1958]

Quote:

Originally Posted by Windchild

Maybe you ought to write a tutorial for imaging and restoring, then. That kind of stuff could be helpful to folks.

And yeah, that's all I'm going to say even remotely on the subject of this thread. I guess my opinion would be pretty obvious without me saying it.

I know Applocker, Applocker, Applocker (repeat 997 times)

Quote:

Originally Posted by acr1965

is the reasoning behind not worrying about DLL's that if malware cannot execute in the first place it will not be able to load/install a DLL?

That's basically it; I see it as overkill and potentially grief-inducing.

Quote:

Originally Posted by Kees1958

I know Applocker, Applocker, Applocker (repeat 997 times)

Oh well, I had it coming, I guess

Quote:

Originally Posted by Kees1958

Only for the brave hearted IMO (removing allow all for admins)

That's why the VM allows me to dive in care free I don't necessarily like removing the allow all for admins, but don't forget it's only a default to get one going without locking themselves out before the custom rules are finalized. More later...

[Kees1958]

Quote:

Originally Posted by wat0114

That's why the VM allows me to dive in care free

Ahh well, a virtual braveheat then

[ParadigmShift]

Quote:

Kees1958 said:
"Because setting up Applocker can be tricky....

I didn't take it out of context, that's what you said. Setup has never been tricky for me or other IT Admin colleagues of mine.

Quote:

Then Kees1958 said:
So tell me have you removed the system/admin defaults then?

Why would I want to do that?

[MrBrian]

Quote:

Originally Posted by acr1965

if a person runs as admin will running applocker make any difference? Or does running applocker mean a person has to run in a standard account for applocker to be effective?

I'll answer your question at http://www.wilderssecurity.com/showthread.php?t=272761.

[acr1965]

Quote:

Originally Posted by MrBrian

I'll answer your question at http://www.wilderssecurity.com/showthread.php?t=272761.

thanks

[tlu]

Quote:

Originally Posted by acr1965

So there I said it- I hate limited user accounts

Sully has already given a good answer. I just want to add that I don't understand your statement at all.

All major browsers run flawlessly in a limited account,
all major email apps run flawlessly in a limited account,
all major office suites run flawlessly in a limited account,
all major AVs, HIPS and Personal Firewalls run flawlessly in a limited account
etc. etc.

Via UAC (or SuRun) you can even change your system settings or install new apps or update them from your limited account. Unless you're doing that umpteen times every single day, elevating your rights with UAC (or SuRun) is really not bothersome.

So again, as someone who's been running his system as a limited user for many years, I don't understand your statement - unless you have very specific reasons.

[Kees1958]

Quote:

Originally Posted by ParadigmShift

I didn't take it out of context, that's what you said. Setup has never been tricky for me or other IT Admin colleagues of mine.


Why would I want to do that?

The complete sentence was: Because Applocker can be tricky to setup, every tutorial advises to keep the default Admin/System rules.

When you take one part out (Because Applocker can be tricky to setup), I asked you on the other part (every tutorial advises to keep the default Admin/System rules). Get it? When it is so easy to setup, you run no risk locking yourself out, would you?

Never mind, you proved my point anayway, stating that you and your collegue IT admins have no trouble at all

[Kees1958]

Quote:

Originally Posted by tlu

Sully has already given a good answer. I just want to add that I don't understand your statement at all.

All major browsers run flawlessly in a limited account,
all major email apps run flawlessly in a limited account,
all major office suites run flawlessly in a limited account,
all major AVs, HIPS and Personal Firewalls run flawlessly in a limited account
etc. etc.

Via UAC (or SuRun) you can even change your system settings or install new apps or update them from your limited account. Unless you're doing that umpteen times every single day, elevating your rights with UAC (or SuRun) is really not bothersome.

So again, as someone who's been running his system as a limited user for many years, I don't understand your statement - unless you have very specific reasons.

Thomas:

For 80% of the people, there is no rational for not using LUA