The vast, barren wasteland of desktop security

Discussion in 'malware problems & news' started by Gullible Jones, Jun 29, 2016.

  1. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    I don't really agree with that, it is not as easy as using an administrator account but it certainly is usable. The problem is not Windows but 3rd party apps that don't play well with a LUA and need some ACL tweaking to work right which is not something most home users are able to do but a well trained sys admin should be able to handle it. In practice, that doesn't seem to happen much even on the corporate/institutional level.

    I recently acquired several ex-corporate computers which should have had no hard drive or a completely wiped drive. Not the case at all. In one, the computer booted, I logged on and connected via the corporate VPN to the network of a small manufacturer. There were numerous accounts on the machine, all admin. I checked the group policy settings and there was almost nothing done to make the machine more secure. The security wasn't all that different from a typical home computer setup. The AV was Microsoft Endpoint Protection which is a corporate version of MSE. It also had Malwarebytes and that was it for security. There were several in-house apps in addition to MS Office and some very expensive CAD applications so the company certainly wasn't lacking in budget or IT resources but the setup was just as vulnerable as Edna's.

    I never set up a LUA for anybody that doesn't ask me to and that has never happened so far. I usually make sure the machine is clean when it leaves my hands and install whatever 3rd party security software I think the user can deal with. VoodooShield is on that list but even there, I've gotten some feedback that it wasn't that easy to deal with. What I do try to do is get them conscious of protecting and backing up their personal data and I might try to get them to use imaging software and buy an external backup drive if they don't already have one. If they run into problems, they usually get back to me and then I have a better idea of what sort of issues need to be dealt with. With users out in the wild, it is a total crapshoot. I've dealt with users who engage in all kinds of risky online behavior with lax security who don't get infected and some very conscientious and careful users who do.
     
  2. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,257
    Location:
    Among the gum trees
    Dan, my post was a general statement about educating Edna, no positive or negative comments about any program, so I really don't understand why you needed to reply to it with yet another post about VoodooShield, but I guess that is a great marketing opportunity isn't it.

    Thanks.
     
  3. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Or you could simply lock the computer when it is at risk.
     
  4. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Exactly, I totally agree... "The problem is not Windows but 3rd party apps that don't play well with a LUA and need some ACL tweaking to work right which is not something most home users are able to do but a well trained sys admin should be able to handle it." Whatever the case may be, it is not that usable.
     
  5. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    So the malware crisis is solved!
     
  6. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Cool, we can solve this. I need to take a break from Wilders for probably at least a week anyway... possibly indefinitely.
     
  7. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
  8. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
  9. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia


  10. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    @Djigi :

    I'm on mobile right now and for some strange reason this forum won't show your picture in large format when on mobile.
    So I can't see what's on your screenshot.

    But you just need to set "ValidateAdminCodeSignatures" DWORD to 1

    Then reboot.
     
  11. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    I just went to this place in the Registry (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System), found
    "ValidateAdminCodeSignatures" and set it to 1.

    Just testing it right now on Virtual PC and it is working fine.
    For files without signatures I get a pop-up window "A referral was returned from server" (picture).

    TNX :thumb:
     


  12. Martin_C

    Martin_C Registered Member

    Joined:
    Dec 4, 2014
    Posts:
    525
    @Djigi :

    That is correct.
    And from your description I can hear that it's also working properly.
    Perfect !
     
  13. guest

    guest Guest

    Yes, it is this one. Just this one trick stops 90% of malware.
     
  14. guest

    guest Guest

    Happy clickers and beginners will always be infected whatever uber-solutions you will implement. If they don't like the solution's warning they will just turn it off.

    It is unusable for lazy people; I always run my daily stuff under SUA; the only issue I have is most software devs not caring to implement settings options across user accounts. I must log in and redo the same settings for each account; very few devs do it.
    Except that, SUA is far more secure than an Admin Account.
     
  15. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    After reading 3 pages of people whining about Windows 10 security not being good enough I felt this needed repeating.
     
  16. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    Is there an easy way to launch blocked programs without having to re-tweak registry?
    Something like a "white list" or "exclusion files"?
     
  17. guest

    guest Guest

    a) You can have an elevated filemanager always running in the background. And if you need to elevate an unsigned file, you switch to your elevated filemanager and start the file with it to circumvent the "A referral was returned from server"-message.
    b) You can sign the unsigned file with your own certificate (if you have one)
    c) change the registry key

    I use a combination of a) and b) but I have only a few files that are unsigned and need to be elevated.
     
  18. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    Can you show/explain how to do that a) solution?
     
  19. guest

    guest Guest

    1) start a filemanager elevated
    2) navigate with it to the unsigned file you want to execute
    3) now the program can be started without "A referral was returned from server"-message
    But it's not really an "easy way" to launch a blocked program, if you always have to navigate to the unsigned file. It can take time.
    Changing the registry is sometimes quicker :D
     
  20. Djigi

    Djigi Registered Member

    Joined:
    Aug 13, 2012
    Posts:
    554
    Location:
    Croatia
    For now I just add that reg tweak to Favorites so I can find it very quick & easy ;)
    TNX
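
The registry setting discussed in the posts above, as an added PowerShell example that is not part of the thread: it reads and sets `ValidateAdminCodeSignatures` and lists executables in a folder whose Authenticode signature is not valid, which are the ones likely to hit the "A referral was returned from server" message on elevation. The function names and the `C:\Tools` folder are hypothetical, and the signature check only approximates what UAC validates.

```powershell
# Added example (not from the thread). Function names and C:\Tools are hypothetical.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName = 'ValidateAdminCodeSignatures'

function Get-SignedElevationPolicy {
    # Returns the DWORD (1 = only signed executables may elevate),
    # or $null when the value does not exist under the policy key.
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-SignedElevationPolicy {
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Value)
    # Must run from an elevated session; the thread says to reboot afterwards.
    New-ItemProperty -Path $PolicyKey -Name $ValueName `
        -PropertyType DWord -Value $Value -Force | Out-Null
}

function Get-UnsignedExecutable {
    param([Parameter(Mandatory)][string]$Folder)
    # Emits one object per .exe whose signature status is anything but 'Valid'
    # (NotSigned, HashMismatch, NotTrusted, UnknownError, ...).
    Get-ChildItem -Path $Folder -Recurse -File -Filter *.exe -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{
                    Path   = $_.FullName
                    Status = $sig.Status
                    Signer = $sig.SignerCertificate.Subject  # empty when unsigned
                }
            }
        }
}

# Report the current policy, then show what would need signing or another
# launch path before the policy is switched on.
$current = Get-SignedElevationPolicy
if ($null -eq $current) { 'ValidateAdminCodeSignatures is not set' }
else { "ValidateAdminCodeSignatures = $current" }

Get-UnsignedExecutable -Folder 'C:\Tools' | Format-Table -AutoSize

# To enable the policy (elevated session):
# Set-SignedElevationPolicy -Value 1
```

Running the audit before enabling the policy shows in advance which tools will need option a), b) or c) from the post above.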
     


  21. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,795
    Well, from casual observation, I would say desktop security has improved compared to the situation years ago. OS and browser vendors have been upping their game with better architecture and updates.

    It's just the web that needs to be filtered for reduced exposure to the harmful.
     