Kitz ADSL Broadband Information
Author Topic: Microsoft Windows and Security Considerations  (Read 10584 times)

tubaman

  • Senior Kitizen
  • ******
  • Posts: 12507
Re: Microsoft Windows and Security Considerations
« Reply #15 on: March 29, 2020, 09:10:04 AM »

You need to do a lot more than that because the standard file system ACLs are too lax. And users can install exes in their own file system tree. With SRP such exes (and wherever I say exe I include dlls) cannot run, not even if they’re copied/downloaded into the user’s own directories to which she/he must have write perms. It took me some thought to design the necessary 100% bombproof config.

@Weaver, I think the thing here is that we are referring to home PCs, not ones on a corporate network that could bring the whole company down if bad things happen. The level of security needs to be proportionate to the use case of the machines in question. You say (later post) that fully secured machines are zero hassle, but how can that possibly be? My work laptop is extremely well secured and causes no end of annoyance. I can't even make simple changes like choosing a desktop wallpaper that I like. A couple of days ago the team I work in needed to participate in a Webex conference - we had to do that on our personal equipment because the firm's kit won't allow it to run. I understand why they block such things, but to say it is zero hassle is just not true I'm afraid. And before you say that I could have just contacted an Admin to make things right, I can assure you that the answer would have been an unmovable 'No'.
 :)
Logged
BT FTTC 55/10 Huawei Cab - Zyxel VMG8924-B10A

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4300
Re: Microsoft Windows and Security Considerations
« Reply #16 on: March 29, 2020, 10:00:18 AM »

My older brother's (he's a computer programmer) partner's locked-down business laptop causes him no end of problems as he tries to make her franchised business run smoother.

You really shouldn't be advising people to use any MS browsers, if IIRC the IE range of browsers was full of security holes, Firefox and Chrome are much more secure.

Weaver, after you've hacked some games try playing them, I'm sure the anti cheat systems would not be happy that you've altered things.

I've been using Windows since the early 90's and I wouldn't have a clue how to do a lot of what you've said, and I don't want to either, it's hard enough to keep all our PCs up to date.
Logged
Formerly restrained by ECI and ali,  now surfing along at 390/36  ;D

tubaman

  • Senior Kitizen
  • ******
  • Posts: 12507
Re: Microsoft Windows and Security Considerations
« Reply #17 on: March 29, 2020, 10:48:39 AM »

...

I've been using Windows since the early 90's and I wouldn't have a clue how to do a lot of what you've said, and I don't want to either, it's hard enough to keep all our PCs up to date.

Quite agree Ronski. I too have been using Microsoft products for a long time - since before Windows was even around in fact (MS-DOS 3.2 anyone!) I can say that I have had few issues with them. They are far from perfect (same applies to all OS) but on the whole if you wait a bit before upgrading to the 'latest and greatest' they have been generally ok. I must admit I never went near Windows ME or Vista - hence the 'wait a bit'.
I always ensure I have up-to-date AV installed and am always mindful about where I get software from.
I want a PC I can use and not one that stops me from doing things. I suppose it depends how risk averse you are, and I'm happy to balance some risk against usability.
 :)
Logged
BT FTTC 55/10 Huawei Cab - Zyxel VMG8924-B10A

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4300
Re: Microsoft Windows and Security Considerations
« Reply #18 on: March 29, 2020, 11:14:03 AM »

I totally agree with tubaman's sentiments, it's the way I've also done things.

I noticed the other day my PC at work actually has a Windows ME key sticker still attached to it, but it's only the case that's 20 years old, actually I do wonder if the power supply is (I'll have to check). I also used Vista, and actually liked it, barely used Windows 8 though, just had that on my laptop.

My older brother certainly worked a lot with DOS, and I used to write machine code on the ZX Spectrum, can't remember when I switched to Windows or what version it was, it was November 1995 I bought my first PC from Mesh Computers (£1566 ouch!), and I certainly had Windows 95, 98, ME, XP, Vista, 7, 8, and finally 10.

Looking through my MS Money history there's certainly been a lot of money spent on the 'Computer' category over the last 24 years.
Logged
Formerly restrained by ECI and ali,  now surfing along at 390/36  ;D

tubaman

  • Senior Kitizen
  • ******
  • Posts: 12507
Re: Microsoft Windows and Security Considerations
« Reply #19 on: March 29, 2020, 11:21:45 AM »

Ronski,
Windows 8 was rather hilarious - the first thing I had to Google was how to turn it off as it was far from obvious! Once it moved to 8.1 and was no longer a 'one size fits no one' OS (ie didn't really fit tablet or PC properly) I actually got to quite like it. My home desktop started as Windows 8 and has been upgraded to 8.1 and then every version of 10. I suspect it would benefit from a clean rebuild, but while it still works fine I'm leaving it alone.
 :)
« Last Edit: March 29, 2020, 11:23:56 AM by tubaman »
Logged
BT FTTC 55/10 Huawei Cab - Zyxel VMG8924-B10A

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4300
Re: Microsoft Windows and Security Considerations
« Reply #20 on: March 29, 2020, 12:32:35 PM »

I believe I had Start8 installed on the laptop, which fixed a lot of problems with Windows 8.

With regard to a fresh install, if you ever go down that route just check what drivers are available for your hardware prior to committing. I have a Canon Lide scanner and there are no Windows 10 drivers available for that model, when Windows updated it kept using the old drivers so works fine, I think there is a way around it, but it just makes things harder.
Logged
Formerly restrained by ECI and ali,  now surfing along at 390/36  ;D

Weaver

  • Senior Kitizen
  • ******
  • Posts: 11459
  • Retd s/w dev; A&A; 4x7km ADSL2 lines; Firebrick
Re: Microsoft Windows and Security Considerations
« Reply #21 on: March 29, 2020, 05:49:42 PM »

How can that be, you asked. Well because I just arranged it that way. I did a very good job because it was my living and I spent a long time researching and refining techniques. That doesn’t mean that other sysadmins have done the same. If you’ve used a locked down machine in a library say, it was probably horrible. That’s because they are clueless cheap staff designing and implementing the policies.

As I said before I did this to my own personal machine as well as to all my customers’ users. You can choose not to believe me and I can’t convince you. If done properly there’s zero hassle apart from the occasional switch user for maintenance. If games are a problem then you run them in a VM or you use runas and make an exception for them. And there are the other techniques I described. On my own machine I had no compromise security. If you’re unhappy with ever having to use switch user or runas for app maintenance then use a vm or get two machines or live without full security.

It isn’t just my opinion that there’s zero hassle the way I designed things; as I said all my users had to be happy otherwise I had not done my job, and as I said none of them ever noticed there was anything unusual going on. They all got a little bit of casual training in security awareness basics too.

Your brother’s partner’s laptop could be said to be typical, but that’s a different story. That’s not me and if you are securing a machine fully, have a clue and don’t make the end result a pain obviously. Her sysadmins don’t know what they’re doing if they’ve made her unhappy, on that I’m sure we agree.

I fully recommend Internet Explorer as the most advanced security architecture in my day, but now Chrome may have risen to an equivalent level. As for browser bugs, they’re irrelevant because you are doing automatic patching aren’t you? One of the pillars. It’s an unpopular opinion but not one arrived at lightly, but due to research and reading. Things have changed greatly and my opinions are now out of date. The question of whether Chrome has caught up with the likes of IE and Edge, I leave to others. In my day Chrome was showing very promising signs of advancement. Look into it and read up on Chrome, looking for integrity levels, low privilege, split privilege design.

These are my professional opinions, but I will warn you I am long retired.
Logged

tubaman

  • Senior Kitizen
  • ******
  • Posts: 12507
Re: Microsoft Windows and Security Considerations
« Reply #22 on: March 29, 2020, 09:06:19 PM »

Weaver,
I'm afraid that constantly having to switch users or use 'run as' isn't sounding very 'hassle free' to me. Having to use a VM or second machine is even worse. I think we're going to have to agree to differ on this one.
 :) 
Logged
BT FTTC 55/10 Huawei Cab - Zyxel VMG8924-B10A

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4300
Re: Microsoft Windows and Security Considerations
« Reply #23 on: March 29, 2020, 10:19:05 PM »

I came to the same conclusion tubaman, I mean fancy trying to run a demanding game in a VM at home.
Logged
Formerly restrained by ECI and ali,  now surfing along at 390/36  ;D

g3uiss

  • Kitizen
  • ****
  • Posts: 1151
  • You never too old to learn but soon I may be
    • Midas Solutions
Re: Microsoft Windows and Security Considerations
« Reply #24 on: March 30, 2020, 04:20:23 PM »

Quite agree Ronski. I too have been using Microsoft products for a long time - since before Windows was even around in fact (MS-DOS 3.2 anyone!)
Well I can remember using CP/M that was around before DOS I think!
Logged
Cerebus FTTP 500/70 Draytec 2927 VOXI 4G fallback.

tubaman

  • Senior Kitizen
  • ******
  • Posts: 12507
Re: Microsoft Windows and Security Considerations
« Reply #25 on: March 30, 2020, 04:52:43 PM »

Well I can remember using CP/M that was around before DOS I think!

Same here - on a DEC Rainbow I believe. Seem to remember that I had CP/M and Wordstar on one 5.25" disk and saved my files to the other. It was a proper computer!
I also used to look after PDP11 based circuit testing machines - Marconi 800X, Genrad 2271 and 2275 - they were real beasts.
 :)
Logged
BT FTTC 55/10 Huawei Cab - Zyxel VMG8924-B10A

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7382
  • VM Gig1 - AAISP L2TP
Re: Microsoft Windows and Security Considerations
« Reply #26 on: March 31, 2020, 01:20:21 AM »

I will soon finally succumb to Windows 10, it's advanced enough now that it has significant security advantages over Windows 8 (wasn't the case when it launched), but to me the only sane way of using it is on Windows 10 Enterprise LTSC. Using an OS with an EOL of 18 months is just insanity. Forced feature updates almost every year? No thank you sir.

Then after that making sure automatic updates are disabled as well as deferred updates for the updates that are available due to their quality control going down the pan.
Logged

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7382
  • VM Gig1 - AAISP L2TP
Re: Microsoft Windows and Security Considerations
« Reply #27 on: March 31, 2020, 01:27:01 AM »

You need to do a lot more than that because the standard file system ACLs are too lax. And users can install exes in their own file system tree. With SRP such exes (and wherever I say exe I include dlls) cannot run, not even if they’re copied/downloaded into the user’s own directories to which she/he must have write perms. It took me some thought to design the necessary 100% bombproof config.

Microsoft have missed so many opportunities to improve their basic install configuration.

UAC was launched with Vista, and it was supposed to be temporary, and was a means of encouraging app developers to not require admin privileges. With the end game to be that standard user accounts would become the default, with UAC escalation being used for admin tasks only.
Instead many years later, admin accounts are still the default, and UAC not even needing a password in its default configuration to elevate, plus whitelisted binaries avoiding UAC prompts altogether. Convenience over security.

SRP is no longer even supported by Microsoft anymore, yet consumers who want restricted exe security have to use it because they locked down AppLocker to enterprise/server only, and they have failed to provide an SRP configuration in a default enabled state, which I consider in this day and age absolutely bonkers.
Likewise we now have Windows Defender that supports things like control flow guard, yet it's disabled by default, what's the point?

They still use insecure svchost, rundll etc. which are security nightmares. So malware can pose as svchost e.g. which would be likely whitelisted in firewall and a/v software.
Logged
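
The point in the post above about malware posing as svchost can be checked from the defender's side by comparing a process's image path and parent against what the genuine binary would have. This is an added example, not part of the original post; the record field names, the sample events and the assumption that Windows lives in C:\Windows are constructed for illustration, and the parent check is a heuristic.

```python
import ntpath  # Windows path rules, usable on any OS

# Assumption: Windows is installed in C:\Windows (the default).
TRUSTED_DIRS = {
    ntpath.normcase(r"C:\Windows\System32"),
    ntpath.normcase(r"C:\Windows\SysWOW64"),
}
WATCHED = {"svchost.exe", "rundll32.exe"}
# Heuristic: svchost.exe is normally started by services.exe.
EXPECTED_PARENT = {"svchost.exe": "services.exe"}


def check_process(event):
    """Return the reasons a process-creation record looks like an impostor."""
    image = ntpath.normcase(ntpath.normpath(event["image"]))
    name = ntpath.basename(image)
    if name not in WATCHED:
        return []
    reasons = []
    if ntpath.dirname(image) not in TRUSTED_DIRS:
        reasons.append("image is outside the Windows system directories")
    parent = ntpath.basename(ntpath.normcase(event["parent_image"]))
    expected = EXPECTED_PARENT.get(name)
    if expected and parent != expected:
        reasons.append(f"parent is {parent}, expected {expected}")
    return reasons


def scan(events):
    """Map pid -> reasons for every record that was flagged."""
    return {e["pid"]: r for e in events if (r := check_process(e))}


# Constructed sample records (hypothetical field names, not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 812, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"pid": 4120, "image": r"C:\Users\alice\AppData\Roaming\svchost.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 5001, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Program Files\ExampleApp\updater.exe"},
    {"pid": 6200, "image": r"C:\WINDOWS\system32\rundll32.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS).items():
        print(pid, "; ".join(reasons))
```

A name-only allowlist in a firewall or a/v product would pass all four records; the path and parent checks flag only pids 4120 and 5001.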

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7382
  • VM Gig1 - AAISP L2TP
Re: Microsoft Windows and Security Considerations
« Reply #28 on: February 15, 2021, 02:36:44 PM »

Having now migrated all my machines to Windows 10, I will get to work on the wiki I was planning ages ago, the security scene is constantly in transition but hopefully I can get something out (using free software and internal Windows features) that remains relevant.
Logged

niemand

  • Kitizen
  • ****
  • Posts: 1836
Re: Microsoft Windows and Security Considerations
« Reply #29 on: June 26, 2021, 12:22:41 AM »

I read this thread just in time for Windows 11.

The level of restrictions mentioned in the initial posts runs a huge risk of impairing functionality, causing users to be careless, and is well beyond anything I've had in a professional situation.

I can download and run executables on my work machine.

However it does have a more modern and scalable solution due to an endpoint agent. Executables are monitored first time they run to ensure they aren't showing interesting behaviour. Some are outright blacklisted.

Static configuration on Windows doesn't really work beyond a handful of nodes and managing policies can become an issue when they're so specific.

That's enterprise. At home very few are going to manually configure file system ACLs.

Windows Home is fine. The paranoid just shouldn't run Windows but an operating system with mandatory controls that defaults to least privilege - ideally running everything containerised, and each container hosting a type 2 hypervisor for the really paranoid  :)

Our home PCs have no hardening to speak of, however the valuable data is hosted on a server.
Logged