Can you guys help me with hardening Windows using SRP and AppLocker? I'm trying to learn this so I can help some friends of mine. What type of rules do I need to make to help block malware? Is it better or easier to just install CryptoPrevent since it creates a lot of SRP rules? Is SRP/AL about the same from XP to 10?
SRP is nothing for home use, same for AppLocker (both since XP). Those are known administrative tools for Windows Pro versions, not Home. Pro and up have the GPO editor; Home needs some cheats. And no, XP/Vista behave differently. https://technet.microsoft.com/en-us/library/ee791851.aspx Come on, investigate a little bit more yourself, it's not magic. Btw, CryptoPrevent is additional software, but not security. Be aware that 92 per cent of all malware is defeated with a limited user account (LUA). From my view it makes no sense to fill that gap with SRP or AppLocker or any other kernel-vulnerable rootkits like antivirus. Windows itself has enough power for security. Maybe you should borrow or buy a Windows compendium for administrators? HTH
Do you have a (recent) source claiming that percentage? Personally I expect that quite a bit of malware does not require admin privileges.
Software Restriction Policy is really easy to set up:
1. Install "Run MSI as admin" from Symantec: http://www.symantec.com/connect/downloads/msi-run-administrator-context-menu-vista
2. Run secpol.msc
3. Add Software Restriction Policies
4. Set BASIC USER as default level in SECURITY LEVELS
5. Set ENFORCEMENT to ALL FILES, ALL USERS EXCEPT ADMIN
6. Go to DESIGNATED FILE TYPES, add VBS and PS1
You are done. Executables in user folders will be blocked. You install new programs by choosing RUN AS ADMIN (or RUN MSI AS ADMIN). Updates are always elevated (they need to change UAC-protected folders), so those will be auto-allowed by excluding ADMINS from SRP. That's all.
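The same six steps can be scripted instead of clicked through secpol.msc, which is handy when setting this up on several friends' machines. The following is an added example and not code from the original post: it writes the registry values that the SRP snap-in itself stores under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers (DefaultLevel, TransparentEnabled, PolicyScope, ExecutableTypes and the two default Unrestricted path rules). The GUID names of the rule subkeys, the Description strings and the default file-type list that is used when none exists yet are assumptions made for this example; run it from an elevated PowerShell prompt and log off and on again before testing.

```powershell
# Added example (not from the original post): configure SRP exactly as the
# six steps above describe, by writing the registry values secpol.msc writes.
#Requires -RunAsAdministrator

$Safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# SRP security level IDs (SAFER_LEVELID_*)
$Disallowed   = 0x00000
$BasicUser    = 0x20000   # 131072
$Unrestricted = 0x40000   # 262144

New-Item -Path $Safer -Force | Out-Null

# Step 4: default security level = Basic User
Set-ItemProperty -Path $Safer -Name DefaultLevel -Type DWord -Value $BasicUser

# Step 5: enforcement = all software files incl. DLLs (TransparentEnabled 2),
#         applies to all users except local administrators (PolicyScope 1)
Set-ItemProperty -Path $Safer -Name TransparentEnabled  -Type DWord -Value 2
Set-ItemProperty -Path $Safer -Name PolicyScope         -Type DWord -Value 1
Set-ItemProperty -Path $Safer -Name AuthenticodeEnabled -Type DWord -Value 0

# Step 6: designated file types; add VBS and PS1 to whatever list exists.
# The list below is the snap-in's default set (assumption) used only when the
# ExecutableTypes value is not present yet.
$defaultTypes = 'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE',
                'HLP','HTA','INF','INS','ISP','LNK','MDB','MDE','MSC','MSI',
                'MSP','MST','OCX','PCD','PIF','REG','SCR','SHS','URL','VB','WSC'
$existing = (Get-ItemProperty -Path $Safer -Name ExecutableTypes `
             -ErrorAction SilentlyContinue).ExecutableTypes
if (-not $existing) { $existing = $defaultTypes }
$types = @($existing + 'VBS','PS1' | Select-Object -Unique)
Set-ItemProperty -Path $Safer -Name ExecutableTypes -Type MultiString -Value $types

# The snap-in also creates two Unrestricted path rules so that Windows itself
# and programs installed under Program Files keep running with full rights.
function Add-SaferPathRule {
    param([int]$Level, [string]$PathValue, [string]$Description)
    # Rule subkeys are GUID-named; the GUID itself is arbitrary (assumption).
    $ruleKey = Join-Path $Safer "$Level\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $ruleKey -Force | Out-Null
    Set-ItemProperty -Path $ruleKey -Name ItemData     -Type ExpandString -Value $PathValue
    Set-ItemProperty -Path $ruleKey -Name SaferFlags   -Type DWord        -Value 0
    Set-ItemProperty -Path $ruleKey -Name Description  -Type String       -Value $Description
    Set-ItemProperty -Path $ruleKey -Name LastModified -Type QWord `
        -Value ([DateTime]::UtcNow.ToFileTimeUtc())
}

$unrestrictedPaths = Join-Path $Safer "$Unrestricted\Paths"
if (-not (Test-Path $unrestrictedPaths) -or
    -not (Get-ChildItem $unrestrictedPaths -ErrorAction SilentlyContinue)) {
    Add-SaferPathRule -Level $Unrestricted -Description 'Windows directory' `
        -PathValue '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%'
    Add-SaferPathRule -Level $Unrestricted -Description 'Program Files' `
        -PathValue '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%'
}

# Check what was written
Get-ItemProperty -Path $Safer |
    Select-Object DefaultLevel, TransparentEnabled, PolicyScope, ExecutableTypes

# After logging back on as a standard user, a blocked start shows up in the
# Application log from source "Software Restriction Policies" (event IDs 865-868).
Get-WinEvent -FilterHashtable @{ LogName = 'Application'
                                 ProviderName = 'Software Restriction Policies' } `
             -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

To test the policy, log on as a standard user, copy calc.exe or a small test executable into the Desktop or Downloads folder and start it; with DefaultLevel set to Basic User it runs without administrative rights, and with $Disallowed as the default level it does not start at all and an event 865 is logged. Local administrators are exempt through PolicyScope 1, which is what makes the "run as admin" installation path in the post work.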
Tried it in a VM and everything works great! So no malware can bypass this? Why are VBS and PS1 added?
Microsoft itself: https://www.avecto.com/resources/reports/2013-microsoft-vulnerabilities-report Unfortunately I lost the original text and source; it might be somewhere in the MS blogs. And it was discussed here: https://www.wilderssecurity.com/thre...ting-risk-by-removing-user-privileges.360505/ HTH
To begin with, this report is about vulnerabilities/exploits and not about malware, but thanks for the link. I have plenty of criticism on this report tbh; this report is bull and only sells FUD. The writer clearly has no idea what he is talking about. 1. An attacker does not need admin rights to do whatever he wants. If one is able to run a process with Medium integrity rights, then one could do everything that a normal user would be able to do. 2. The writer does not seem to know how rights can impact (or not) an exploit because he misinterprets information from the MS Security Bulletins. One quote from the report: 1. They are only using the Security Bulletins as information source without PoCs or working exploit code. 2. They claim that a vulnerability can be mitigated when one does not have admin rights, which is something completely different than "could be less impacted". (Admin rights == more damage possible than with a normal user account.) 3. Normal user processes of 'admin accounts' under Windows Vista and higher are not even running with High/SYSTEM integrity but simply as Medium Integrity processes... You don't have to take my word for it, but at least verify information given by dodgy companies. If you want to use information from public reports, please only use information from the large security vendors and/or Microsoft. (Yes, you may bash my post. That would mean that you think about the correctness of information presented to you.)
On Win7 and up this adds a real threshold; combine it with free exploit mitigation and the chances of infection reduce considerably.
You're not getting the point: running without admin rights does not impact most exploits. And in the case of the definition of 'to mitigate' with regard to exploits: you get pwned or you don't get pwned, there is nothing in between.
First: you made the point that "mitigate was something different than could be less impacted", which it is obviously not. Second: although fuzzy logic is my field of expertise (being a strawman), your reply is fuzzy at the least (what is the point?). Be a sport, accept your own advice.
With your own logic: you're just not putting enough effort into finding the meaning of 'most'; let me help you with that: http://dictionary.reference.com/browse/most Btw, did I remind you of the fact that you have a history of bashing people (like @Zoltan_MRG) without giving any concrete evidence or technical details?
Well researched, my respect. One point I am not sure whether to treat the same: vulnerable vs malware. If something is vulnerable, there exists malware to infect it. Ofc I admit there exists malware which doesn't need admin rights (or elevates itself), but the possibility to harm the complete system is much lower than to harm the user's profile. Btw, XP is dead for home users like the dinosaurs; there is no trick to fill the present vulnerabilities. They should upgrade to Vista or better Win7. Or: it does not make sense to saddle a dead horse. Cheers
ROPchain is correct that even malware running in a LUA can do a lot of damage, particularly to information security. Who cares about the semantics of mitigation?
A LUA and restricting executables prevents malware from installing itself and running in the first place. If it does run, it has fewer possibilities of doing damage to a system. If you do it right, most malware won't be able to function fully even if it does manage to run, and most exploits will fail due to lack of privilege.
Who says malware needs to run via a dropped executable, let alone be installed? How would you infect no one in particular's XP setup, for example?