Hardening Windows Applications/User permissions

Discussion in 'other software & services' started by Gijs007, Nov 2, 2017.

  1. Gijs007

    Gijs007 Registered Member

    Joined: Apr 22, 2008
    Posts: 4
    I'm looking for a tutorial/guide or book which explains how to harden the Windows Operating system.
    Specifically I'm looking to run certain applications in hardened user accounts, for example by setting their NTFS permissions so that they only have access to what they should.

    I'm still learning about hardening Windows. I'm currently looking for abilities to:
    • Find effective permissions for a certain user on a partition, including all folders and subfolders. (To get a list of folders a user has access to)
    • What's causing the user to have these permissions (e.g. groups, default permissions of a user)
    • Other settings which can be used to harden the user account, application or OS.
    I've found a book called Windows Hardening, but it's 10 years old and based on Windows XP/Server 2003. I'm looking for something which is up to date and can be used on Windows Server 2016.
     
  2. summerheat

    summerheat Registered Member

    Joined: May 16, 2015
    Posts: 2,199
    Still the first and best step is using a standard account + Software Restriction Policy (SRP). Use this excellent guide which also contains a section (step 6) about closing loopholes regarding specific folders.

    If you're using Windows 10 Fall Creators Update there are additional hardening options covered, e.g., in articles on gHacks - see here and here and here. There have also been discussions in this forum.
     
    Last edited: Nov 2, 2017
  3. Minimalist

    Minimalist Registered Member

    Joined: Jan 6, 2014
    Posts: 14,881
    Location: Slovenia, EU
    You can find a good guide about hardening Windows 10 at this link: http://www.hardenwindows10forsecurity.com/
    Some of it can be applied to Server 2016, but you should check and test what will work and what not.
     
  4. Gijs007

    Gijs007 Registered Member

    Joined: Apr 22, 2008
    Posts: 4
    Thanks, I'll look into these.

    Are there any specific guides for applications? My current goal is to run MySQL as a service in a limited user account, to prevent exploits from tampering with the rest of the system. (By default MySQL runs under the network service user account, which doesn't have specific permissions for MySQL.)
     
    Last edited: Nov 2, 2017
  5. Minimalist

    Minimalist Registered Member

    Joined: Jan 6, 2014
    Posts: 14,881
    Location: Slovenia, EU
    I never run any service under LUA, so I don't know how that would go for MySQL. You can probably run into all sorts of problems if it needs higher privileges to run correctly.
     
  6. MisterB

    MisterB Registered Member

    Joined: May 31, 2013
    Posts: 1,267
    Location: Southern Rocky Mountains USA
    NTFS permissions haven't changed much since XP but setting them gets more complicated with each new edition of Windows as does the default ACL structure that Microsoft sets up. The default ACLs have gotten more sensible and you will find that system ACLs don't automatically have full control anymore if you go spelunking in Windows 10's permissions.

    Even in the vastly more simple world of XP, setting effective permissions required a bit of trial and error so the best thing I can recommend is just trying something and seeing if it works. Having backup images or using Shadow Defender would be a good idea. I have apps that launch services in a LUA but I've never set it up manually. The service might have a file, folder, or registry key that will need to have permissions set for user access.
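
Added example, not part of the thread or written by any poster: a PowerShell sketch for the first two items in the opening post, listing every folder under a root where an account or one of its groups holds an ACE, and which identity and inheritance state is responsible. The function name, the group list and the scanned root are assumptions; the caller supplies the account's group memberships, and the output shows contributing ACEs rather than a computed effective-rights value.

```powershell
# Added example: report which ACEs give an account access to each folder under a root.
function Get-FolderAccessCause {
    param(
        [Parameter(Mandatory)] [string]   $Root,
        # The account plus every group it belongs to (supplied by the caller)
        [Parameter(Mandatory)] [string[]] $Identity
    )
    # Resolve names to SIDs once so matching does not depend on name formatting
    $sids = foreach ($name in $Identity) {
        ([System.Security.Principal.NTAccount]$name).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    }
    $folders = @(Get-Item -LiteralPath $Root) +
               @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($folder in $folders) {
        try   { $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL: $($folder.FullName)"; continue }
        # Explicit and inherited ACEs, with identities returned as SIDs
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            if ($sids -contains $rule.IdentityReference.Value) {
                [pscustomobject]@{
                    Folder    = $folder.FullName
                    GrantedTo = $rule.IdentityReference.Translate(
                                    [System.Security.Principal.NTAccount]).Value
                    Type      = $rule.AccessControlType   # Allow or Deny
                    Rights    = $rule.FileSystemRights
                    Inherited = $rule.IsInherited         # False = set on this folder
                }
            }
        }
    }
}

# Constructed usage: audits the current user against a few built-in groups
# (English group names assumed; add the account's real group memberships).
$me = "$env:USERDOMAIN\$env:USERNAME"
Get-FolderAccessCause -Root $env:ProgramData `
    -Identity $me, 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone' |
    Sort-Object Folder | Format-Table -AutoSize
```

Rows with `Inherited = False` mark the folders where a permission was set directly, which is where to look first when an account can reach more than it should.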
     