How to harden Windows

Discussion in 'other anti-malware software' started by Overkill, Aug 22, 2015.

  1. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    Can you guys help me with hardening Windows using SRP and AppLocker? I'm trying to learn this so I can help some friends of mine. What type of rules do I need to make to help block malware? Is it better or easier to just install CryptoPrevent since it creates a lot of SRP rules?
    Is SRP/AL about the same from XP to 10?
     
  2. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,871
    SRP is nothing for home use, same for AppLocker (both since XP). Those are known administrative tools for Windows Pro versions, not Home. Pro and up have the GPO editor; Home needs some cheats. And no, XP/Vista behave differently.
    https://technet.microsoft.com/en-us/library/ee791851.aspx

    Come on, investigate a little bit more yourself, it's not magic ;)

    BTW, CryptoPrevent is additional software, but not security.
    Be aware that 92 per cent of all malware is defeated with a limited user account (LUA). From my view it makes no sense to fill that gap with SRP or AppLocker or any other kernel-vulnerable rootkits like antivirus. Windows itself has enough power for security. Maybe you should borrow or buy a Windows compendium for administrators?

    HTH
     
  3. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    Do you have a (recent) source claiming that percentage? Personally I expect that quite a bit of malware does not require admin privileges.
     
  4. Software Restriction Policy is really easy to set up

    1. Install "Run MSI as admin" from Symantec: http://www.symantec.com/connect/downloads/msi-run-administrator-context-menu-vista
    2. Run secpol.msc
    3. Add Software Restriction Policies
    4. Set BASIC USER as the default level in SECURITY LEVELS
    5. Set ENFORCEMENT to ALL FILES, ALL USERS EXCEPT ADMIN
    6. Go to DESIGNATED FILE TYPES, add VBS and PS1

    You are done. Executables in user folders will be blocked. You install new programs by choosing RUN AS ADMIN (or RUN MSI AS ADMIN).

    Updates are always elevated (they need to change UAC-protected folders), so those will be auto-allowed by excluding ADMINS from SRP.

    That's all
     
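    The six secpol.msc steps above, reproduced as an added PowerShell example (this is not code from the thread or from any poster): it writes the same local-policy registry values the SRP snap-in writes under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers, and a second function reads them back so you can audit a friend's machine. Assumptions: the value names and SAFER level IDs used here are the documented SAFER registry layout (DefaultLevel, TransparentEnabled, PolicyScope, ExecutableTypes); the two default "Unrestricted" path rules are created under GUID keys generated here with New-Guid rather than by the snap-in; the "Levels" value that makes Basic User visible in the snap-in is the same trick post 10 refers to for XP; and the script is run from an elevated PowerShell on Vista or later.

```powershell
# Added example, not from the original thread. Replicates post 4's secpol.msc
# steps by writing the SAFER local-policy registry values directly.
# Assumption: value names/level IDs below follow the documented SAFER store.

$Safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# SAFER level IDs: Unrestricted 0x40000, Basic User 0x20000, Disallowed 0
$Unrestricted = 0x40000
$BasicUser    = 0x20000

# Default designated file types as listed by the snap-in, plus post 4's two scripts.
$DefaultTypes = 'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA',
                'INF','INS','ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD',
                'PIF','REG','SCR','SHS','URL','VB','WSC'
$ExtraTypes   = 'VBS','PS1'

function Set-SrpBaseline {
    if (-not (Test-Path $Safer)) { New-Item -Path $Safer -Force | Out-Null }

    # Step 4: Basic User as the default security level
    Set-ItemProperty -Path $Safer -Name DefaultLevel -Type DWord -Value $BasicUser
    # Step 5: enforce on all software files (2 = include DLLs; 1 = skip libraries)
    Set-ItemProperty -Path $Safer -Name TransparentEnabled -Type DWord -Value 2
    # Step 5: all users except local administrators (0 would be all users)
    Set-ItemProperty -Path $Safer -Name PolicyScope -Type DWord -Value 1
    # Step 6: designated file types, upper-cased and de-duplicated
    $types = $DefaultTypes + $ExtraTypes | ForEach-Object { $_.ToUpper() } | Sort-Object -Unique
    Set-ItemProperty -Path $Safer -Name ExecutableTypes -Type MultiString -Value $types
    # Assumption: 0x71000 exposes every level (incl. Basic User) in the snap-in;
    # this is the "Levels" tweak XP reg files apply (post 10).
    Set-ItemProperty -Path $Safer -Name Levels -Type DWord -Value 0x71000

    # The two default Unrestricted path rules the snap-in creates (SystemRoot and
    # Program Files) so the OS and installed software still run under Basic User.
    $pathRoot = Join-Path $Safer "$Unrestricted\Paths"
    foreach ($item in @(
        '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%',
        '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%')) {
        $existing = Get-ChildItem -Path $pathRoot -ErrorAction SilentlyContinue |
            Where-Object { (Get-ItemProperty -Path $_.PSPath).ItemData -eq $item }
        if ($existing) { continue }
        # Rule key name is a braced GUID, generated here (the snap-in makes its own)
        $rule = New-Item -Path (Join-Path $pathRoot ([guid]::NewGuid().ToString('B'))) -Force
        Set-ItemProperty -Path $rule.PSPath -Name ItemData   -Type ExpandString -Value $item
        Set-ItemProperty -Path $rule.PSPath -Name SaferFlags -Type DWord -Value 0
    }
}

# Audit: does this machine match steps 4-6 of post 4?
function Test-SrpBaseline {
    if (-not (Test-Path $Safer)) { return $null }   # SRP never configured
    $p = Get-ItemProperty -Path $Safer
    [pscustomobject]@{
        DefaultLevelIsBasicUser = ($p.DefaultLevel -eq $BasicUser)
        EnforcesAllFiles        = ($p.TransparentEnabled -eq 2)
        ExemptsAdmins           = ($p.PolicyScope -eq 1)
        ScriptTypesCovered      = (@($ExtraTypes | Where-Object { $p.ExecutableTypes -notcontains $_ }).Count -eq 0)
    }
}

Set-SrpBaseline
Test-SrpBaseline | Format-List
```

    A practical check after running it: log in as a standard (non-admin) user, copy any harmless EXE into %USERPROFILE%\Downloads and double-click it; SRP should refuse it with the "This program is blocked by group policy" message, while the same file still runs from C:\Program Files. The values live under HKLM\SOFTWARE\Policies, so a standard user cannot turn the policy back off; on a domain-joined machine, a Group Policy SRP object will override these local values.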
  5. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    This works in all pro versions of windows from XP and up?
     
  6. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    How is it not security?
     
  7. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    Tried it in a VM and everything works great! so no malware can bypass this? Why is VBS and PS1 added?
     
  8. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,871
  9. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    To begin with, this report is about vulnerabilities/exploits and not about malware, but thanks for the link. I have plenty of criticism of this report ;)

    TBH, this report is bull and only sells FUD. The writer clearly has no idea what he is talking about.

    1. An attacker does not need admin rights to do whatever he wants. If one is able to run a process with Medium integrity rights, then one could do everything that a normal user would be able to do.
    2. The writer does not seem to know how rights can impact (or not) an exploit, because he misinterprets information from the MS Security Bulletins.

    One quote from the report:
    1. They are only using the Security Bulletins as an information source, without PoCs or working exploit code.
    2. They claim that a vulnerability can be mitigated when one does not have admin rights, which is something completely different from "could be less impacted". (Admin rights == more damage possible than with a normal user account)
    3. Normal user processes of 'admin accounts' under Windows Vista and higher are not even running with High/SYSTEM integrity but simply as Medium Integrity processes...

    You don't have to take my word for it, but at least verify information given by dodgy companies. If you want to use information from public reports, please only use information from the large security vendors and/or Microsoft.
    (Yes, you may bash my post :) That would mean that you think about the correctness of information presented to you ;))
     
    Last edited: Aug 24, 2015
  10. Yes, for XP you have to add the level Basic User (google for a reg file which does the job).
     
  11. Because they are scripts, what Windows OS do you use?
     
  12. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    Testing it in XP Pro in a VM, I use Win7 x86
     
  13. See http://dictionary.reference.com/browse/mitigate

    So let's just repeat your own advice :D
     
  14. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    Not finding it
     
  15. On Win7 and up, this adds a real threshold, combine it with free exploit mitigation and chances of infection reduce considerably.
     
  16. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    I'm testing it with XP because some of my friends still use it. Thanks
     
  17. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    You're not getting the point: running without admin rights does not impact most exploits.
    And in the case of the definition of 'to mitigate' with regard to exploits: you get pwned or you don't get pwned; there is nothing in between.
     
  18. First: you made the point that "mitigate was something different than could be less impacted", which it is obviously not.

    Second: although fuzzy logic is my field of expertise (being a strawman), your reply is fuzzy at the least (what is the point?)

    Be a sport, accept your own advice
     
  19. ropchain

    ropchain Registered Member

    Joined:
    Mar 26, 2015
    Posts:
    335
    With your own logic: you're just not putting enough effort into finding the meaning of 'most'; let me help you with that: http://dictionary.reference.com/browse/most
    BTW, did I remind you of the fact that you have a history of bashing people (like @Zoltan_MRG) without giving any concrete evidence or technical details?
     
    Last edited: Aug 24, 2015
  20. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,871
    Well researched, my respect. One point I am not sure whether to treat the same: vulnerable vs malware. If something is vulnerable, there exists malware to infect it. Of course I admit there exists malware which doesn't need admin rights (or elevates itself), but the possibility of harming the complete system is much lower than of harming the user's profile.

    BTW, XP is dead for home users, like the dinosaurs; there is no trick to fill the present vulnerabilities. They should upgrade to Vista or better Win7.
    Or: it does not make sense to saddle a dead horse.

    Cheers
     
  21. Sordid

    Sordid Registered Member

    Joined:
    Oct 25, 2011
    Posts:
    235
    "Hardening" usually means reduction of ~attack surface area~. What is the usage here, OP?
     
  22. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    ROPchain is correct that even malware running in a LUA can do a lot of damage, particularly to information security. Who cares about the semantics of mitigation.
     
  23. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    Meaning?
     
  24. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    A LUA and restricting executables prevents malware from installing itself and running in the first place. If it does run, it has fewer possibilities of doing damage to a system. If you do it right, most malware won't be able to function fully even if it does manage to run, and most exploits will fail due to lack of privilege.
     
  25. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    Who says malware needs to run via a dropped executable, let alone be installed?

    How would you infect no one in particular's XP setup, for example?
     