• Becoming more security-aware


    #2395062

    ON SECURITY By Susan Bradley Windows 11 is now nearly a week old, and are we magically more secure? I’d argue not. An up-to-date operating system does
    [See the full post at: Becoming more security-aware]

    Susan Bradley Patch Lady/Prudent patcher

    7 users thanked author for this post.
    • #2395112

      Thank you for this post. I use Norton Antivirus, not Microsoft Defender, as my default AV. You said "third-party antivirus solutions disable Defender — which in turn prevents ASR from being used". Does that mean I am potentially less secure with Norton, or is ASR not a concern (i.e., not a problem) for users of third-party AV solutions?

      • #2395144

        Lately Norton has added crypto mining to their a/v suite and I’m honestly not a fan of Norton. I think you are less secure, not more.

        Susan Bradley Patch Lady/Prudent patcher

        1 user thanked author for this post.
    • #2395135

      You should point to the MS documentation page that lists and explains all the rules for reference.

      • #2395145

        I’m going to cover more of these ASR rules in the future. This one doesn’t cause any side effects in my use of it and I think it adds value and protection to the OS.

        Susan Bradley Patch Lady/Prudent patcher

        2 users thanked author for this post.
    • #2395155

      Please provide a link to download Windows 11 via installation media.

      On permanent hiatus {with backup and coffee}
      offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
      offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
      online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender
    • #2395157

      I am still using Office 2003 (I know it is out of support).

      Does the Defender fix presented have any effect on child processes under Office 2003?


    • #2395162

      I also have a question about your statement "third-party antivirus solutions disable Defender — which in turn prevents ASR from being used."

      I use McAfee AT&T Internet Security, which my ISP offers to its customers. In addition, I have Settings|Windows Security|Virus & threat protection|Microsoft Defender Antivirus options|Periodic scanning turned on. Since I have GP=2 (notify download/install), each day I get 3 or 4 notifications that Windows Defender wants to do an update, and so I agree to download and install. I also occasionally initiate Defender updates at Settings|Windows Security|Virus & threat protection|Virus & threat protection updates. I also occasionally initiate a Windows Defender Full scan at Settings|Windows Security|Virus & threat protection|Current threats|Scan options.

      Since Windows Defender seems not to be disabled, even though McAfee AT&T Internet Security is the other antivirus provider, do the ASR rules work, if I use the group policy to set them?
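The question above (and the Norton question earlier in the thread) comes down to which engine Windows Security Center treats as primary. The following PowerShell is an added example, not code from the thread or from AskWoody: it lists every antivirus product registered with Security Center and reads Defender's own running mode. Periodic scanning still works while Defender sits in passive mode behind a third-party product, but ASR rules are only enforced when Defender's real-time protection is active, which is what the `AsrRulesCanApply` field reports. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread): show which antivirus products Windows
# Security Center knows about and whether Microsoft Defender is the active
# engine (AMRunningMode 'Normal') or has dropped into 'Passive Mode' behind a
# third-party product such as Norton or McAfee.

function Get-AntivirusPosture {
    $status = Get-MpComputerStatus

    # Every AV registered with Security Center, third-party suites included.
    # root/SecurityCenter2 exists on client editions of Windows only.
    $products = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct |
        Select-Object displayName, productState

    [pscustomobject]@{
        RegisteredProducts  = $products
        DefenderRunningMode = $status.AMRunningMode        # 'Normal', 'Passive Mode', 'Not running'
        AntivirusEnabled    = $status.AntivirusEnabled
        RealTimeProtection  = $status.RealTimeProtectionEnabled
        # ASR rules need Defender in active mode with real-time protection on;
        # periodic scanning alone is not enough.
        AsrRulesCanApply    = ($status.AMRunningMode -eq 'Normal') -and $status.RealTimeProtectionEnabled
    }
}

$posture = Get-AntivirusPosture
$posture.RegisteredProducts | Format-Table -AutoSize
$posture | Format-List DefenderRunningMode, AntivirusEnabled, RealTimeProtection, AsrRulesCanApply
```

If `DefenderRunningMode` shows `Passive Mode`, the Group Policy ASR settings will be stored but not enforced; they take effect only after the third-party product is removed and Defender returns to `Normal`.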

    • #2395170

      Recommendations for Windows 10 Home

      From the GitHub page linked above, click on C_D_3010_beta2.exe, and on the next page click the download button. Run the executable to install it.

      Run the program and scroll down to the Exploit Guard section.

      Just to clarify, Configure Defender is a portable app which doesn’t install; so when you run the downloaded executable you’re already running the program.

    • #2395203

      Since Win 10 Version 1909 (which I installed in December of 2019), I have used the following attack surface reduction rules. They have not impacted my day-to-day computer use at all.

      Powershell:

      Set-MpPreference -EnableNetworkProtection Enabled
      Add-MpPreference -AttackSurfaceReductionRules_Ids 3B576869-A4EC-4529-8536-B80A7769E899 -AttackSurfaceReductionRules_Actions Enable #Block Office applications from creating executable content
      Add-MpPreference -AttackSurfaceReductionRules_Ids 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -AttackSurfaceReductionRules_Actions Enable #Block execution of potentially obfuscated scripts
      Add-MpPreference -AttackSurfaceReductionRules_Ids 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -AttackSurfaceReductionRules_Actions Enable #Block Office applications from injecting code into other processes
      Add-MpPreference -AttackSurfaceReductionRules_Ids 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -AttackSurfaceReductionRules_Actions Enable #Block Win32 API calls from Office macro
      Add-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -AttackSurfaceReductionRules_Actions Enable #Block executable content from email client and webmail
      Add-MpPreference -AttackSurfaceReductionRules_Ids D3E037E1-3EB8-44C8-A917-57927947596D -AttackSurfaceReductionRules_Actions Enable #Block JavaScript or VBScript from launching downloaded executable content
      Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enable #Block all Office applications from creating child processes

      The last of these is what Ms. Bradley recommends in her article. I personally find on unmanaged machines the use of Powershell to do this is easier than the group policy editor.

      2 users thanked author for this post.
      • #2395374

        Since Win 10 Version 1909 (which I installed in December of 2019), I have used the following attack surface reduction rules. They have not impacted my day-to-day computer use at all.

        The last of these is what Ms. Bradley recommends in her article. I personally find on unmanaged machines the use of Powershell to do this is easier than the group policy editor.

        Thank you… that’s interesting info.

        I understand this works from Windows 10 1709 onwards but only for Windows 10 Pro and Enterprise editions.

        Have you subsequently noticed any Event ID 1126 entries in Windows Event logs to show Defender’s network protection *has* actually fired in block mode?

        (PS – Could a mod please enclose the PowerShell code above in <pre> tags to make it more viewable. Many thanks.)
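The PowerShell post above switches all seven rules straight to block mode, and the reply asks how to tell whether network protection has ever fired (Event ID 1126). The following script is an added example, not the poster's code: it rolls the same seven rules and network protection out in AuditMode first, reads back what Defender actually stored (with the rule names from the post attached to the GUIDs), and counts the Defender Operational events that show rules firing: 1121/1122 for ASR block/audit and 1125/1126 for network protection audit/block. The friendly-name table and the numeric action codes are taken from the post and from the cmdlet's documented values; nothing else is assumed. Run from an elevated prompt.

```powershell
# Added example (not the poster's script): stage the seven ASR rules in audit
# mode, verify the stored configuration, and summarise Defender's event log.

$asrRules = [ordered]@{
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
}

function Set-AsrRuleSet {
    # 'AuditMode' writes event 1122 without blocking anything; move to
    # 'Enabled' once a week or two of audit events shows nothing you rely on.
    param([ValidateSet('Enabled', 'AuditMode', 'Disabled')][string]$Action)
    foreach ($id in $asrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Action
    }
    Set-MpPreference -EnableNetworkProtection $Action
}

function Get-AsrRuleSetState {
    # Ids and Actions come back as parallel arrays; action codes are
    # 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
    $names = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    $pref  = Get-MpPreference
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = $pref.AttackSurfaceReductionRules_Ids[$i].ToUpper()
        [pscustomobject]@{
            RuleId = $id
            Rule   = if ($asrRules.Contains($id)) { $asrRules[$id] } else { '(rule not in this list)' }
            Action = $names[[int]$pref.AttackSurfaceReductionRules_Actions[$i]]
        }
    }
}

function Get-AsrEventSummary {
    param([int]$Days = 7)
    $meaning = @{
        1121 = 'ASR rule blocked'
        1122 = 'ASR rule audited'
        1125 = 'Network protection audited'
        1126 = 'Network protection blocked'
    }
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = @($meaning.Keys)
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent reports an error rather than an empty result when nothing matches.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    $events | Group-Object Id | ForEach-Object {
        [pscustomobject]@{ EventId = [int]$_.Name; Meaning = $meaning[[int]$_.Name]; Count = $_.Count }
    }
}

# Stage 1: audit only, then come back after a week and read the summary.
Set-AsrRuleSet -Action AuditMode
Get-AsrRuleSetState | Format-Table -AutoSize
Get-AsrEventSummary -Days 7 | Format-Table -AutoSize
# Stage 2, once the audit log shows nothing you need:  Set-AsrRuleSet -Action Enabled
```

A zero count for 1125/1126 does not by itself mean network protection is broken; it means no visited destination matched Defender's reputation data during the window, so keep the audit running for a realistic period before reading anything into it.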

    • #2395211

      I know that you folks run as admin all the time, but I think that’s a *horrible* practice.

      For the cautious among us it’d be nice if you included that to get the gpedit to work you need to be admin-elevated.

      1 user thanked author for this post.
      • #2395327

        I know that you folks run as admin all the time, but I think that’s a *horrible* practice.

        berniec: I agree with you; that is a horrible practice. I can’t speak for anyone else, but for me personally I never login to my system as an Admin user, except for once a month or so when I’m actually doing Admin tasks (like installing updates). Other times — which is like 95% of the time — I’m always logged in as a standard non-Admin user. I suspect quite a lot of other AskWoody folks here do the same.

        1 user thanked author for this post.
    • #2395216

      I use Trend Micro Maximum Security on my desktop computer. If, as you suggest, Windows Defender along with the ASR rules is much better, and providing that I convert to Windows Defender, what are the steps I should follow in order to do so?

    • #2395226

      Emails and the links within are a self parity check, nothing more, nothing less. Browser extensions are another form of injection; keep those up-to-date and check up on them.
      Keeping security to the bare essentials is my advice; don’t overkill, as it’s known to have the entire opposite effect. Surplus non-essential security only creates vectors/traffic for miscreants to latch onto behind your back.

      If debian is good enough for NASA...
      2 users thanked author for this post.
    • #2395406

      Indeed, becoming more security-aware is good, as a significantly weak link is the human mind. However, we cannot assume we can be and remain so aware as to never click on the best-matching Google link or will somehow just know not to react to important-sounding eMail or to not download software that provides functionality we need… To err is human, and what we need to know to make good decisions is often shrouded. We need our tech looking out for us and helping us where we are frail and stupid.

      Something else to be mindful of… In modern times, consumer-directed talk of “security” often seems more a way for Marketing to try to make us want new things, by encouraging us to distrust the old things.

      Why would newer software be more secure? Is it less complex, longer tested, or less capable than the versions it’s replacing? By contrast, does it introduce new ways to be exploited? Why do we have to have a whole new version every year that does essentially the same things as its predecessor?

      There are tried and true approaches to keep malware away that already exist (and which do not decrease performance – such as managed, self-updating blacklists of bad online servers) through which our software could be MUCH more secure if that were actually the prime goal. Ask yourself “why are these things not built in?”, provided as easy-to-opt-in subsystems. We’ve had enough decades of experience to know that the “go ahead and let the malware in then try to stop it from doing bad things by making the computing environment more complex and restrictive” approach isn’t terribly effective, though it does tend to make us crave new software…

      -Noel

      • #2395421

        However, we cannot assume we can be and remain so aware as to never click on the best-matching Google link or will somehow just know not to react to important-sounding eMail or to not download software that provides functionality we need.

        I learned (painfully) at a very young age to not touch a hot stove. Through the years I have incorporated that early lesson into a general ‘hot stove’ rule in many facets of my life. I don’t use Google, and I write very specific search terms in the search box of DuckDuckGo. No email is so important that it does not bear scrutiny—it is, after all, only email, the least expensive of all forms of communication other than face-to-face speech. An unexpected email with an attachment triggers an automatic delete; that is my first reaction.

        The last functionality I downloaded was StartAllBack, from a developer I came to trust since the introduction of Windows 8. The ‘functionality’ I downloaded prior to that was when I was running XP; I haven’t needed any additional functionality since then.

        All that aside, I’ve found the best protection for any adverse circumstance to be a library of drive images safely stored offline. I’ve used that to recover from a house fire which destroyed my two PCs of the time.

        Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
        We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.
        We were all once "Average Users".

        2 users thanked author for this post.
      • #2395519

        There are tried and true approaches to keep malware away that already exist (and which do not decrease performance – such as managed, self-updating blacklists of bad online servers) through which our software could be MUCH more secure if that were actually the prime goal. Ask yourself “why are these things not built in?”, provided as easy-to-opt-in subsystems.

        They are:

        Microsoft Defender SmartScreen

        What is SmartScreen and how can it help protect me?

        1 user thanked author for this post.
    • #2401305

      Susan


      You said after setting the Attack Surface Reduction (ASR) rules: “In my own testing, I’ve had no side effects after deploying this”. After doing this, every time I open Word or Excel I get a popup notice telling me “Action Blocked – Your administrator caused Windows security to block this action. Contact your help desk.” While it lets me open the file, this sounds like a side effect to me.

      Thanks for your work

      Dave D

      • #2401307

        What version of Office and do you have any plug ins or third party add ins?

        Susan Bradley Patch Lady/Prudent patcher

    • #2401331

      I have V 2110 (the latest MS 365). The common add-in is TurboPDF. After your question I deactivated it and the problem went away. Since I know which application is the problem I’ll see if they have a fix.

      Thanks for the help.
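The "Action Blocked" exchange above is the usual ASR side effect: an Office add-in spawns a child process and the "Block all Office applications from creating child processes" rule stops it. Rather than disabling the rule, the defender-side fix is to read the block event to see exactly which rule and which path were involved, and then exempt only that path. The script below is an added example, not code from the thread: it parses Event ID 1121 (ASR rule enforced) from the Defender Operational log and adds an ASR-only exclusion. The event field names `ID`, `Path` and `Process Name` are assumed from the 1121 event layout; the exclusion path is a placeholder. Run from an elevated prompt.

```powershell
# Added example (not from the thread): find which ASR rule and which process
# produced an "Action Blocked" notice, then exempt that one path from ASR.

function Get-AsrBlockEvent {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121                         # 1121 = ASR rule enforced (block)
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # EventData is a list of <Data Name="..."> elements; fold it into a table.
        # Field names below are assumed from the 1121 layout; inspect
        # $fields.Keys on your own machine if a column comes back empty.
        $xml    = [xml]$_.ToXml()
        $fields = @{}
        foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            RuleId      = ([string]$fields['ID']).Trim('{}').ToUpper()
            ProcessName = $fields['Process Name']   # e.g. the Office host process
            Path        = $fields['Path']           # the file the rule acted on
        }
    }
}

function Add-AsrOnlyExclusion {
    # An ASR-only exclusion exempts the file from all ASR rules but leaves
    # ordinary Defender scanning of that file untouched. Narrower than turning
    # the rule off, and reversible with Remove-MpPreference.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { throw "Path not found: $Path" }
    Add-MpPreference -AttackSurfaceReductionOnlyExclusions $Path
}

# Usage: list what was blocked in the last day, then exempt the add-in binary
# the event names (placeholder path; substitute the Path column from the output).
Get-AsrBlockEvent -Hours 24 | Format-Table -AutoSize
# Add-AsrOnlyExclusion -Path 'C:\Program Files\<PLACEHOLDER add-in folder>\addin.exe'
```

Keep the exclusion list short and review it when the add-in is updated, since every path on it is exempt from all ASR rules, not just the one that fired.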

    • #2452514

      I’m going to cover more of these ASR rules in the future. This one doesn’t cause any side effects in my use of it and I think it adds value and protection to the OS.

      This is a higher league of hardening in Windows 10+.
      Can you make a separate chapter of this, please?

      * _ ... _ *