Results of restricting Explorer!

Discussion in 'other firewalls' started by Escalader, Oct 23, 2012.

Thread Status:
Not open for further replies.
  1. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
  2. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    I've always blocked explorer.exe from Internet comms and never had a problem doing so. There should then be no reason to restrict its inter-process actions with HIPS because its actions are, after all, being contained within the pc.
     
  3. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Thanks, but I'm not as confident as that about these inter-process actions NOT passing clipboard data etc. along to other executables that DO have www access.
     
  4. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    Good point for sure, although I think you have to be careful not to overdo things, otherwise there's the risk of breaking required functionality. The MS explorer.exe that resides in %Windir% has to be considered, at least to a considerable extent, a trusted process. If those restrictions you applied are working fine with no negative impact on the system, then all the better for you :)
     
  5. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Well, my plan has broken down! :oops:

    I can't get the control panel to activate!
     
  6. adrenaline7

    adrenaline7 Registered Member

    Joined:
    Apr 27, 2011
    Posts:
    128
    Can't get it to activate? You mean open?
     
  7. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I'm not familiar with Outpost and how it stores its rules and settings or if it allows you to save, export, and import existing rulesets. Assuming that it does, I'd hope that:
    1. you made a backup of the starting ruleset before you began tightening explorer permissions.
    2. you have been at least documenting the details of the changes you're making or that you're saving rulesets as you go, last known good or similar.
    I'd also hope that you're making changes 1 or 2 at a time, then checking through your system to see if anything broke or if there's any adverse effects. If nothing else, make a full backup/image of the OS before you go in too deep. Tightening and experimenting are not only useful, they're good for teaching the details about how your system operates, as long as you have a way back if things go wrong.
     
  8. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Exactly! It opens then says explorer has stopped working.
     
  9. Manny Carvalho

    Manny Carvalho Registered Member

    Joined:
    Jun 3, 2004
    Posts:
    270
    Explorer is an integral part of Windows. Restrict it too much and the OS starts to break down. I'm sure it's fun to see how far you can take it before it all crumbles. Kind of like taking a thumbscrew to ... well, never mind :argh:
     
  10. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    I take this approach with everything on my setup, not just Explorer. What I'll do with it, as with everything else, is block it on a per case basis, and see if I'm still able to carry out the action. If not, then I'll do it again and grant it the access it needs that time and check the box to remember it. I've never had my system crash as a result.

    I have keyboard & computer monitor access blocked outright. Everything else is set to Ask, and only allowed on per case basis. Internet access blocked as well. And I haven't gotten an Explorer popup in quite some time.
     
  11. Manny Carvalho

    Manny Carvalho Registered Member

    Joined:
    Jun 3, 2004
    Posts:
    270
    Impressive I must say. That's a tight ship you are running!
     
  12. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,726
    Location:
    localhost
    I can feel the heavy pain in setting this up... you must have some free time at your disposal :eek:
     
  13. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    It's really not that difficult. You open control panel, or whatnot, and realize Explorer needs some type of access... you check the box to remember it. You never hear from it again. For about the first 2 weeks after a fresh install this happens the first time you run an app, you set the appropriate access, then it quiets down. Now I never hear a peep out of it.

    And for programs that are constantly reading/writing to/deleting new file names, like CCleaner for example, the popups would never end, so you simply allow it that type of access permanently.

    I'd love to be able to lie and say it was a lifetime's work on my part, like a housewife with a Betty Crocker cake who acted like she slaved in the kitchen all day... but it really didn't require much time/effort on my part at all. This whole notion that HIPS are some monumental (chatty) inconvenience is severely flawed, drudged up by people that really don't understand how to deploy them effectively.
     
  14. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,726
    Location:
    localhost
    Good to hear it's not a monumental pain :) :thumb:
     
  15. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    That's one of the better descriptions I've heard. Yes, explorer and other Windows components are "trusted" as far as integrity is concerned, but the actions they're instructed to perform may not be when those instructions are passed to them from another potentially exploited application. Just because an executable is a Windows component doesn't mean that it needs to be able to access everything, do anything. Applications, system components, individual services, etc. should be restricted to being able to do only what they need to in order to function properly. Specifying these permissions isn't babysitting or some similar "high interaction required" setup. It's additional hardening, one component at a time. Unless I'm altering or adding something to my system or trying something different, my HIPS is also silent.
     
  16. Spiedbot

    Spiedbot Guest

    Hi,

    You have to allow explorer.exe on the local network, otherwise Windows doesn't like it.

    When you sometimes open files in Explorer, explorer.exe may ask to access the internet, often for updates to the opened file; allow it ONCE.
     
  17. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    yepperz
     
  18. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada

    How does the typical pc user know how to respond to the alerts of potentially 14 different types of actions explorer.exe might attempt to perform (screenshot examples)?

    If this is the case, then something broke down earlier in the security enforcement process, if indeed an application did get exploited; possibly the user made a wrong decision answering a HIPS alert, or allowed a malicious script to unleash through the web browser.
     

    Attached Files:

  19. Ring0

    Ring0 Registered Member

    Joined:
    Aug 9, 2010
    Posts:
    66
    No one knows, and it all ends with accepts/permit all, otherwise it may lose functionality of your PC.
    For this I find that HIPS/HOPS :argh: alert software is not usable for average user.
     
  20. Manny Carvalho

    Manny Carvalho Registered Member

    Joined:
    Jun 3, 2004
    Posts:
    270
    No typical user would ever even think attempting this. Heck, they barely keep their AV updated. Clearly this is pretty close to the last inner circle of protection. It's certainly not the first thing in any security umbrella but something for somebody that wants to play around with a paranoid level security setup.

    It is, after all, an interesting experiment. That's how it should be viewed.
     
  21. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    The typical PC user isn't going to be able to use HIPS effectively, especially with that fine grained level of control. That's one of the problems I have with bundling firewalls and HIPS together as security suites. The average user isn't going to use it properly.
    Applications also get exploited via weaknesses in their own code, independent of the user. If the HIPS is part of a security suite, the PC might not have any form of script control and the user was never asked. There are too many scenarios for a simple answer. Myself, I view all attack surface apps as vulnerable and potentially exploitable. No matter what kind of security-ware you use, it's not always possible to prevent an application from being successfully attacked. The HIPS comes into play by restricting that app's permissions and inter-process activities, and can prevent a compromised application from compromising the rest of the system.
     
  22. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    I place lots of emphasis on the most common gateways for malware, especially the web browser.

    As long as the attacks are unsuccessful in delivering their payload, I'm not too concerned. For me eliminating or at least greatly reducing scripting attacks through the browser should take care of pretty much everything.

    True enough. It's just that I found them to be high maintenance, in spite of what was suggested earlier in this thread. Even AppLocker with DLL enforcement enabled, where there are several hash rules in place (I like hash rules for non-protected directories), can and does require routine maintenance to keep the hash rules up to date when the file's hash changes or when hash rules are created for new applications.

    AppArmor in Linux is nice because it usually means exercising the profile via sudo aa-logprof to help in generating rules that may have been missed during the original profiling exercise. It's been very low maintenance for me so far.
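As an added example (not code from the thread or from the AppArmor project), here is the kind of review the aa-logprof step in the post above performs on AppArmor denial logs: parse audit lines, drop repeats, merge access masks, and propose candidate rules for one profile. It assumes the usual `apparmor="DENIED"` audit line format; the profile names, paths and log lines are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the thread: turn AppArmor "DENIED" audit
# lines into candidate profile rules, the review aa-logprof automates.
# SAMPLE_LOG holds constructed lines in the usual audit format; in real use
# it would come from /var/log/audit/audit.log or the kernel log.
SAMPLE_LOG='audit: type=1400 audit(1350972000.123:45): apparmor="DENIED" operation="open" profile="/usr/bin/demo" name="/etc/demo/config.ini" pid=2140 comm="demo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1350972000.124:46): apparmor="DENIED" operation="open" profile="/usr/bin/demo" name="/home/user/.cache/demo/state" pid=2140 comm="demo" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
audit: type=1400 audit(1350972000.125:47): apparmor="DENIED" operation="open" profile="/usr/bin/demo" name="/etc/demo/config.ini" pid=2141 comm="demo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
audit: type=1400 audit(1350972000.126:48): apparmor="DENIED" operation="capable" profile="/usr/bin/demo" pid=2140 comm="demo" capability=13 capname="net_raw"
audit: type=1400 audit(1350972000.127:49): apparmor="DENIED" operation="open" profile="/usr/bin/other" name="/etc/shadow" pid=2200 comm="other" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1350972000.128:50): apparmor="ALLOWED" operation="open" profile="/usr/bin/demo" name="/tmp/x" pid=2140 comm="demo" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000'

# suggest_rules PROFILE
# Prints one candidate rule per denied path (masks merged, repeats dropped)
# plus one per denied capability, sorted. ALLOWED lines (complain mode) and
# other profiles are ignored. Each line still needs a human decision:
# /etc/shadow for /usr/bin/other is exactly the kind of access to refuse.
suggest_rules() {
  printf '%s\n' "$SAMPLE_LOG" | awk -v want="$1" '
    /apparmor="DENIED"/ {
      p = ""; n = ""; m = ""; cap = ""
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        v = kv[2]; gsub(/"/, "", v)
        if (kv[1] == "profile")          p = v
        else if (kv[1] == "name")        n = v
        else if (kv[1] == "denied_mask") m = v
        else if (kv[1] == "capname")     cap = v
      }
      if (p != want) next
      if (cap != "") { caps[cap] = 1; next }
      if (n == "") next
      # merge mask letters seen for the same path, e.g. "r" then "w" -> "rw"
      for (j = 1; j <= length(m); j++) {
        c = substr(m, j, 1)
        if (index(masks[n], c) == 0) masks[n] = masks[n] c
      }
    }
    END {
      for (n in masks) print n " " masks[n] ","
      for (c in caps)  print "capability " c ","
    }' | LC_ALL=C sort
}

suggest_rules /usr/bin/demo
```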
     
  23. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    It can be, depending on how you handle updating and how often you add new applications. For me, the OS changes very little, since there are no official updates for it any more and it's equipped the way I want it. With applications, I update them only when I feel it's necessary, definitely not every new version. Since my updating is done manually, updates to rules and file hashes are done at the same time.
     
  24. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    They don't. A "typical user" doesn't belong anywhere near a HIPS in the first place though, rendering that point moot. A typical user in fact shouldn't use any kind of filtering whatsoever, other than the packet filtering their router/inbound FW provides automatically. Nor should they use any program that requires user input/decisions...

    because the "typical user" is an idiot.

    That shouldn't stop the rest of us from implementing the measures. There is nothing high maintenance about it whatsoever to me. It is set-&-forget protection for me now, and has been ever since those initial 2 weeks or so. It is now, as noone put it, hardening... completely invisible protection.
     
  25. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    I only posed the question because in post #13 you stated it's really not difficult, so I thought you implied it's not difficult for anyone in particular.
     