Maximising the power of Windows7 for security when running as ADMIN

Discussion in 'other anti-malware software' started by Kees1958, Jul 26, 2010.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Noob,

    With A2 you can also see which processes go outbound. Maybe you use the FW of MD; this also has clues about which programs go outbound. When you use the Windows FW as an application filter only, you do not need to know which ports and protocols to allow. Although STEM would argue that leaves holes in your defense, A2's behavior blocker will track programs going outbound in a suspicious way, and its IDS will also warn you about process modifications. This reduces the risk of an application filter only (with Windows FW) to an IMO safe level.

    With all the OS internal protection plus the IDS of A2, you could drop MD and make your PC faster. Of course there is nothing wrong with your current setup, but you can go lighter with practically the same protection using Windows FW two-way.
     
  2. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,491
    Looks interesting but I still want MD :D
    Thanks for the info man! :thumb: :thumb:
    BTW, this thread is bookmarked ;)
     
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
  4. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,557
    ^ I can't find this on my Windows 7 Professional. :'(
    I've already applied SEHOP fix.
     

    Attached Files:

  5. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Create the correct paths, then create a new dword key with the correct value. Log off, log on for the HKCU hive to be loaded.

    My 7 Ultimate does not have this either. If you are afraid to test it, I will get to that in time, after I am finished with the other more 'in-depth' stuff I am working with now.

    Sul.
     
  6. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    In XP Professional you can do this through Group Policy. Open the Group Policy Editor (click Start, click Run, and type gpedit.msc). Expand Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options > Devices: Unsigned driver installation behavior

    On Vista and later it appears that this has been removed, but it can be added back in:

    http://social.technet.microsoft.com...P/thread/086de0c4-7766-424d-aacd-56f8ab4c6c80

    I don't have a clue as to whether the above works or not, but I do know that on Win 7 Professional the default is set to warn with a nice pretty dialog.
     
  7. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    In Vista SP2 I don't see the key you refer to:
    I do have:
    Code:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Driver Signing
    
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Non-Driver Signing
    Also I have the following without Driver Signing:
    Code:
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT
     
  8. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    I got lost between steps 1-6.
    I don't see "Home Users" after clicking "find".
    Maybe there should be some step 0 or step -1
     
  9. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Hmm. I have the Home Users group. You can check its existence in the groups dialog. I am on win7 Ultimate. Maybe you are admin and don't need to use the home user group.

    If you want to deny users group from executing, you could use icacls
    Code:
    icacls.exe <path to directory/file> /deny Users:(OI,CI)(X)
    This will add an ACE for the Users group to deny execution, and will propagate to child objects and containers of the target. If you want the inheritance to only be applied to files in the download directory, just use (OI) alone. The (X) denies the permission to Execute.

    You can remove it like this (the d flags the removal of explicit ACEs, the ones you have created that were not inherited):
    Code:
    icacls.exe <path to directory/file> /remove:d Users
    This will remove the inheritance from all the child objects that the above line had instigated.

    Remember that when you use icacls like this, the SID Administrator is a user, and the SID Administrators is a group. They both will give no error, but only one will do what you expect.

    Sul.
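    The same deny-execute ACE on a download folder, done with .NET ACL objects so the result can be inspected afterwards. This is an added example, not Sully's code; the target path, the parameter names and the Apply/Remove/Show actions are assumptions.

```powershell
# Added example (not from the thread): apply, verify and remove the
# deny-execute ACE that icacls /deny Users:(OI,CI)(X) creates.
param(
    [string]$Target = "$env:USERPROFILE\Downloads",   # assumed path
    [ValidateSet('Apply', 'Remove', 'Show')]
    [string]$Action = 'Show'
)

# Resolve the *group* BUILTIN\Users explicitly, to avoid the
# "Administrator" (user) vs "Administrators" (group) mix-up the post warns about.
$users = New-Object System.Security.Principal.NTAccount('BUILTIN', 'Users')

# OI = ObjectInherit, CI = ContainerInherit, X = ExecuteFile (traverse on folders).
# Note: a Deny ACE beats Allow, and admin accounts are usually members of Users too.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $users,
    [System.Security.AccessControl.FileSystemRights]::ExecuteFile,
    [System.Security.AccessControl.InheritanceFlags]'ObjectInherit, ContainerInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Deny)

$acl = Get-Acl -Path $Target

switch ($Action) {
    'Apply' {
        $acl.AddAccessRule($rule)
        Set-Acl -Path $Target -AclObject $acl
    }
    'Remove' {
        # Drop only explicit (non-inherited) Deny rules for Users,
        # which is what icacls /remove:d Users does.
        $acl.Access |
            Where-Object { -not $_.IsInherited -and
                           $_.AccessControlType -eq 'Deny' -and
                           $_.IdentityReference -eq 'BUILTIN\Users' } |
            ForEach-Object { [void]$acl.RemoveAccessRule($_) }
        Set-Acl -Path $Target -AclObject $acl
    }
}

# Show the explicit ACEs now on the target so the change can be verified.
(Get-Acl -Path $Target).Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, AccessControlType, FileSystemRights, InheritanceFlags |
    Format-Table -AutoSize
```

    Run it once with -Action Show before and after applying, so the Deny row for BUILTIN\Users with ObjectInherit, ContainerInherit is visible on child files as inherited.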
     
  10. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    This one achieves the same thing

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Driver Signing achieves the same thing: http://technet.microsoft.com/en-us/library/cc785800(WS.10).aspx
     
  11. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Blocking installation of unsigned drivers will be a good idea to prevent malware ;) Now I wonder if it works for XP Home? :)
     
  12. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    Yes it does, jmonge :D

    As an administrator, you may not want your users to be able to install unsigned drivers on your Windows XP systems. Fortunately, you can bump up the Driver Signature Checking tool's verification level so Windows XP will completely block the installation of unsigned drivers.

    Follow these steps to set driver verification levels:

    Press [Windows]Break to display the System Properties dialog box.
    Select the Hardware tab and click the Driver Signing button in the Drivers panel.
    Select the Block-Never Install Unsigned Driver Software button. (Verify that the Make This Action The System Default check box is selected.)
    Click OK twice.
    Now you can feel confident that your users aren't installing unsigned drivers on your network.:):):)
     
  13. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    What about:

    Disable Remote Connections to Computer
    Firstly, go ahead and disable it. To disable remote desktop, right-click on My Computer and choose Properties. Now click on the Remote tab and uncheck it to disable invitations to connect to your PC.
     
    Last edited: Aug 21, 2010
  14. HJO

    HJO Guest

    Kees,
    I always followed your configuration.
    I envy your knowledge in this field.
    :thumb:
     
  15. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    wait a few weeks and Sully will have Safe-Admin finished, see https://www.wilderssecurity.com/showpost.php?p=1736052&postcount=160

    You do not have to do all the settings manually, but just click and select and Safe-admin will do the job. Thanks to Sul :thumb:
     
  16. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Well, it is a mind game. I just have to inspire Sully and he will dive deep into the technical stuff and tell me how it is done. So he is the one who really earns the credit.

    Thanks anyway
     
  17. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,350
    Thanks! Excellent post! :thumb:
     
  18. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Are you sure that's the right registry key? Wouldn't it be

    Code:
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
    "1806"=dword:00000003
    o_O
     
  19. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    Yes, that is the default location in the registry. I think Kees' location is a manually applied policy setting, which is essentially the same. Personally, I've stuck with the default value. I'm warned about the download, which I have to interact with. The downloaded file then can be executed, which will give another warning I would have to interact with. I also never select to Unblock the file. If the downloaded file gets executed in the future, I would get the warning again.
     
  20. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    The thing is, the entry Kees suggested won't even be applied if I run the *.reg file or even the bat files, courtesy of Sully. Error message.

    So, it is not accepting that entry. That was my wonder... whether Kees had it right, or whether he made some confusion of some sort.
     
  21. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    What is the preferred location then? I have currently implemented
    Code:
    'HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
    What is the advantage to either?

    Sul.
     
  22. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    The advantage is that you get an anti-executable feature within the browser in real time :D
     
  23. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    My first doubt had to do with the fact that when I applied the batch file (you only provided the text lines, actually), the settings wouldn't be applied. It said the syntax wasn't right, though it was right. I also couldn't apply it through .reg files.

    Have you applied it manually?

    Anyways, unless I'm misunderstanding what's here http://support.microsoft.com/kb/182569 , the key HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 would correspond to setting it via Group Policy, which then would apply to the user regardless of the machine he/she logs in to (this would be applied via User Configuration in Group Policy), while the one that is default (if I can call it that way! lol) HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 would apply only to the user on the machine in use and not any other.

    Again, I hope to have understood it correctly. If someone sees I'm wrong, then please correct me. :)
     
  24. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Correct, plus the policies registry key is protected from tampering, see picture.

    Interesting reads regarding the registry and hardening IE8:
    http://msdn.microsoft.com/en-us/library/ms537184(VS.85).aspx
    http://msdn.microsoft.com/en-us/library/cc980058(PROT.10).aspx
    http://msdn.microsoft.com/en-us/library/ms537178(v=VS.85).aspx

    Feature controls which are interesting:
    FEATURE_BEHAVIORS
    FEATURE_LOCAL_MACHINE_LOCKDOWN
    FEATURE_MIME_SNIFFING
    FEATURE_MIME_HANDLING
    FEATURE_OBJECT_CACHING
    FEATURE_WINDOW_RESTRICTION
    FEATURE_ZONE_ELEVATION

    Other interesting zone settings are mentioned in the picture.
     

    Attached Files:

    Last edited: Nov 20, 2010
  25. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yes, but my point was that, as we know, a standard user cannot write/modify such part of the registry: HKEY_CURRENT_USER\Software\Policies.

    So, you did it via Group Policy, didn't you? Otherwise, the only way would be to execute the reg file with administrative rights; but in this case it would only be applied to the Administrator account's HKEY_CURRENT_USER\Software\Policies entry, and not to the account we wish it for.
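    A read-only check that reports where zone 3 value 1806 (the "Launching applications and unsafe files" action discussed from post 18 onward) is set, and which copy is in effect. This is an added example, not code from the thread; the precedence order it assumes (HKLM policy over HKCU policy over the per-user default key) and the function name are assumptions.

```powershell
# Added example (not from the thread): report the Internet zone (3) action
# 1806 in the three registry locations the thread discusses.
$suffix = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$paths  = [ordered]@{
    'HKLM policy'  = "HKLM:\Software\Policies\$suffix"   # assumed to win over the others
    'HKCU policy'  = "HKCU:\Software\Policies\$suffix"   # admin-protected, as m00nbl00d notes
    'HKCU default' = "HKCU:\Software\$suffix"            # per-user, set by the IE dialog
}
# Zone action values: 0 = Enable, 1 = Prompt, 3 = Disable.
$meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneAction {
    # Returns the DWORD as [int], or $null when the key or value is absent.
    param([string]$Key, [string]$Name = '1806')
    if (-not (Test-Path -Path $Key)) { return $null }
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

$effective = $null
foreach ($entry in $paths.GetEnumerator()) {
    $value = Get-ZoneAction -Key $entry.Value
    if ($null -eq $value) {
        $text = '(not set)'
    } else {
        $label = if ($meaning.Contains($value)) { $meaning[$value] } else { 'unknown' }
        $text  = "$value ($label)"
    }
    Write-Output ('{0,-12} {1}' -f $entry.Key, $text)
    # First populated location in precedence order is taken as the effective one.
    if ($null -eq $effective -and $null -ne $value) { $effective = "$($entry.Key): $text" }
}
$summary = if ($effective) { $effective } else { 'none set (built-in default applies)' }
Write-Output "Effective 1806 setting: $summary"
```

    Running it as the standard user whose browser you care about shows whether the policy copy actually reached that user's hive or only the administrator's.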
     