On this thread someone mentioned an interest in knowing more about my crazy/stupid setup but as I’m not an older member or PRO user (yeah yeah I’m poor) I couldn’t share a TEMPORARY email address in my response for them to contact me at if they were actually interested?…I don’t agree with removing that bit (how is a temp address personal?) but it is your site so I’ll let it go for now (though I’ll likely mention it quite often going forward if I stick around just to spite yall :P)
That part out of the way, I took some time to create a generalized example of my setup (Yes, the crazy/stupid one mentioned in the above thread using a default super-admin account for increased security and usability)
It’s rather convoluted as I mentioned before but I expect I’ll receive the same generic ‘promotions’ regardless so all I can ask you all to do is TRY to read through and understand this odd setup before responding with those default suggestions.
I’m not saying that I’m not willing to listen to appropriately stated suggestions but if you’re just re-stating something that you read once upon a time on this site or that without taking into account the rest, please save your breath (and my eyes).
So to start with, as stated in the previous thread, I’m a crazy person who uses the built-in Super-Administrator account (High Integrity) for everyday use.
WHY? Well it started because I disliked UAC starting with Vista (I was one of those fools that stayed with XP for a long time). I am the sole user and Admin. I don’t want to be dealing with prompts up left and center. That’s not to say that I haven’t grown to appreciate the barrier. I just think MS got the prompts wrong.
At this point you’re all likely saying I’m crazy. That’s fair.
A bit more preamble: I’m currently using Windows 10 ENTERPRISE though some aspects of my setup started when I was still on Windows 7 ULTIMATE (grudgingly even then) and I currently have no plans to move to Windows 11 anytime soon so I’ll be less help there. Maybe in a few years when security updates aren’t a thing for Win 10 anymore…
How can you run as super-admin/builtin-admin (aka high integrity) without leaving yourself open to every hack or exploit? Simple answer is, I can’t. It’s exactly the same issue you deal with upon each UAC prompt. Are YOU actually reading those though? I likely wouldn’t be if I dealt with them so often… but once again that’s just me. Moving on, what can you do to protect yourself if you are stupid enough to run as Super-Admin/Built-In-Admin like me?
00.1: Most of what I use can be done with a simple PRO version of windows. If you are on a home version, sorry… I can’t help so you might as well stop reading now! (And likely every expert here will tell you, honestly, that you’d be crazy to consider such a setup and I won’t argue with them on that.)
00.5: Change the Built-in Administrator account’s name during the setup phase and password protect it so that you can use it daily.
01.0: Use Local Group Policy > Security Options > “User Account Control: Behavior of the elevation prompt for standard users” = Automatically deny elevation requests [This is pretty important for my setup, see below]
02.0: Use SRP or AppLocker to BLOCK even your Built-in Administrator account from being able to launch from areas you designate. These should generally include EVERY drive [except C:\] by default (Even if you don’t have Z:\ etc attached yet) and places like “C:\Users”, %PROGRAMDATA%, %TEMP%, download folders (mine is not the default location thus I mentioned it here), etc ‘by default’ with additional rules that only allow specific things for certain users… for example DISM which runs from temp.
In my case these rules also include areas these standard user apps reside in (Let’s call it D:\Apps) to ensure I can’t accidentally launch them via admin (See below).
03.0: Using AppLocker (Less familiar with SRP but that’s an option for users who only have PRO) you can limit each user to only a specific file, file hash or folder to launch from. My admin user has ‘exemptions’ for the folder where such apps reside so that I can’t accidentally launch them as admin. In fact I cannot launch them as Admin if I tried without first changing the rules!
03.2: How can you use file associations? I actually don’t, but recently set up a system for a friend and was able to create .regs that were added to the registry which in turn pointed to .bats that then opened said document as a standard user with no ability to ask for admin privileges (via GP), in a similar fashion as 03.5.
03.5: I create shortcuts that point to scripts [bats] to launch each internet enabled application (and some non-internet enabled apps likely to be targets of malicious documents etc) as a standard user (see 01.0 & 03.0) [scripts located in an area not on the C:\ (Not absolute, just happenstance) with NTFS permissions that only allow admins/system to read, let alone write to, the folder the scripts reside in] combined with a self-neutered version of psexec (no service). Each script is customized.
I don’t actually install many programs on the live system. Instead I gather what I need and ‘insert’ this registry entry or that (via REGEDIT /S %PATH%.reg) and mklink here and there upon launch (testing via Hyper-V VMs these days). This takes quite a bit of work to isolate entries or create reg exports during the cleanup phase (to a data drive location in my case) if you want to save said entry. How does that help? If you leave them with carte blanche it wouldn’t help, but instead I create different script entries for each program. These include Launch and Cleanup phases. Each launch script does what I tell it to (eg insert this .reg, allow this user write permission in this HKLM key (if needed, rare), mklink /j here or mklink there etc).
03.6 How does your Cleanup script know when to trigger? This is another area that requires a PRO+ version of windows. I use the Advanced Audit Policy Configuration in LGPO (Audit Process Termination) along with a scheduled task that is triggered by said exe path/name exiting to run a check (bat) followed by cleanup. I say check because many programs may use multiple instances (browsers these days are a good example) and one might exit but the rest may not so the checks are to see if any expected program run by this user still exists via TASKLIST.
03.7 How does your script know what to do? Essentially it doesn’t though I have some basic potential error checking baked in (via subroutine bats I call to check or return this or that). I have to write both the launch and cleanup scripts manually (after monitoring said program) and occasionally have to make alterations after an update.
04.0: You are crazy, why do things that way? I won’t argue with that… it is a tad crazy at first glance. Here’s the clincher though… are you ready for it? Back in my Win7 days I used the FBWF. With Windows 10 I use the UWF. How does that make everything fall in place though? Honestly it doesn’t, but I found myself with two options using each: add exclusions to specific registry keys and files\folders, or save then restore them manually. I chose the latter option as it allows me to use the same data upon an OS Re-Install with minimal effort as it’s all stored externally, in addition to giving me more control over what was retained. Does that mean that you can get away with this setup without having either FBWF or UWF? To a degree, yes. The point of using the FBWF or the UWF is to ensure that upon a reboot anything not covered by my scripts (including an exploit etc) can’t persist. The downside is, if you export and re-import the wrong area via such a script, it might also survive an OS reset.
04.5 But wait, even if 4.0 works as expected aren’t you exposed to an exploited app here and there? The short answer is yes but please read on.
05.0 Windows 10+ has Anti-Exploit options baked in and I test them extensively and use what makes sense for each. Even using all these won’t make you immune though. =(
06.0: Even while running as the Built-in-admin (High Integrity) some of the ‘issues’ (which MS does not view as issues) I noticed are that every standard user (this holds true for normal use as well, not just my setup of script launches!) could still read the memory of other ‘standard users’ (Medium Integrity can read the memory of other Medium Integrity processes) along with grabbing the keystrokes from other medium-integrity programs. I get where they are coming from in a generic sense but I don’t think YouTube running in my browser needs to be able to read the memory of work documents (not saying it does, just a bad example) I have loaded in Office or what I’m typing there etc.
These are pretty big deals for me! As such I also use a third party program called HitmanPro.Alert to encrypt keystrokes of each ‘standard’ program and as a bonus it includes Anti-Exploit abilities and other protections of its own… but that leaves reading memory directly.
07.0 Sadly this one isn’t something anyone else can use and I suspect some people may call me a liar. Here it is anyway. I use a kernel level driver to control what exe can read/write to the memory of another. (It’s actually all or nothing atm, defaulting to NO so if there isn’t a rule it gets blocked [yes even windows processes/services(but no control with other drivers)] and even if a parent exe is allowed the child exe it launches gets suspended (if not already allowed by a rule) after it loads but before it actually runs ~ once again, even if it was available publicly, it wouldn’t be for everyone and would likely get false reports as a virus because people wouldn’t understand how it works claiming it just breaks things.)
08.0 I use LGPO to alter the default NTFS Permissions of what I consider ‘risky’ or even just ‘unwanted’ Windows components, sometimes removing all the default values and leaving only “NT Service\TrustedInstaller” so that windows updates continue to work and other times I just remove ‘User read’ permissions. (Can’t copy and launch what you can’t read [eg LoLBins] ) This is one aspect that I suspect most people won’t understand yet is also one of the largest reasons for my continued use of the high integrity admin account as it allows me to ‘not be included’ in such user exclusions in those cases I don’t limit them to just “NT Service\TrustedInstaller”. This list is quite extensive yet I won’t pretend mine is comprehensive either.
How does that work after each update where the default permissions are re-applied for altered files? I use files (GP bats) upon shutdown/logon to check HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending and re-apply such permissions automatically after an update via LGPO infs but I also don’t use Online updates and instead grab them and install via the Windows Catalog when I choose to. Hi there, askwoody, love you for your info!
09.0 I have MANY standard (but sadly not all work as) svchost instances launched as “Protected Services”. This ‘protection’ is iffy and if anything malicious gets the ok to run as admin (eg can load a driver) then it’s game over. Yet then again we are back to how helpful is the prompt the standard gatekeeper (UAC) gives you even when running as Medium Integrity as it doesn’t tell you what it’s trying to do… it’s all or nothing.
09.1 All the above is just my first drunken pass at explaining my setup. That’s not *all* there is to it. Think of it as a vague explanation at this point. I do make use of other points and even control the Windows Firewall via GP (set to default block by default with ‘Apply local firewall rules’ = No, this allows silly programs like Steam and MS AppX’s to create whatever rules they want, they just don’t get used.)
09.2 I don’t claim that anyone SHOULD use a similar setup. Mine is based around me and my mostly static life online and dislike of prompts (and yes a bit of OCD). If you want auto-updates or can’t/won’t spend the time to figure out what is ‘normal\needed’ for each app, none of the above is for you!
I look forward to *constructive* criticism. (Please don’t just blahblahblah the normal lines though… I’ll admit they’re good for the everyday user but MS has been annoying me year after year choosing the wrong path, making things that should be simple so complicated to resolve… or maybe it’s just me after all? I mean what does that have to do with the stuff above?)
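As an added illustration of the “check, then cleanup” step described in 03.6 (this is example code written for this page, not the poster’s own scripts): a PowerShell script meant to be the action of a scheduled task fired by an Audit Process Termination (Security log 4689) event. It re-checks whether any expected instance of the app is still running as the standard launch account before it runs the cleanup phase. The account name, process names, registry key and paths are constructed placeholders.

```powershell
# Added example: cleanup gate for a script-launched standard-user app (placeholders throughout).
# Trigger: scheduled task on Security event 4689 (process termination) for the app's exe path/name.
param(
    [string]   $StandardUser = 'SANDBOX-USER',                         # standard account the app runs as (placeholder)
    [string[]] $ProcessNames = @('browser.exe', 'browser_helper.exe'),  # every exe name the app is expected to spawn (placeholder)
    [string]   $CleanupReg   = 'D:\Scripts\cleanup\browser.reg',        # cleanup-phase .reg, in the admin/system-only script folder (placeholder)
    [string]   $Junction     = 'C:\Users\SANDBOX-USER\AppData\Local\BrowserProfile',  # junction created at launch (placeholder)
    [string]   $ExportDir    = 'D:\Data\exports'                        # external data-drive location for saved settings (placeholder)
)

# One 4689 only proves that one instance exited. Multi-process apps (browsers) may still be alive,
# so enumerate every running process with an expected name and keep those owned by the launch account.
$stillRunning = Get-CimInstance Win32_Process |
    Where-Object { $ProcessNames -contains $_.Name } |
    Where-Object {
        $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
        $owner.ReturnValue -eq 0 -and $owner.User -ieq $StandardUser
    }

if ($stillRunning) {
    Write-Output ("Cleanup deferred: {0} instance(s) still running as {1}" -f @($stillRunning).Count, $StandardUser)
    exit 0
}

# No instance left: run the cleanup phase.
# 1. Export the settings worth keeping to the data drive, so they survive the UWF discard at reboot.
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
reg.exe export 'HKLM\SOFTWARE\Placeholder\BrowserSettings' (Join-Path $ExportDir "browser-$stamp.reg") /y | Out-Null

# 2. Remove the junction made at launch. DirectoryInfo.Delete() on a reparse point unlinks the
#    junction only; the target directory is left untouched.
if (Test-Path -LiteralPath $Junction) {
    (Get-Item -LiteralPath $Junction).Delete()
}

# 3. Apply the cleanup .reg with the same silent REGEDIT /S mechanism the launch phase uses.
if (Test-Path -LiteralPath $CleanupReg) {
    Start-Process -FilePath regedit.exe -ArgumentList '/S', "`"$CleanupReg`"" -Wait
}
Write-Output 'Cleanup completed.'
```

Because the task runs in the admin/system context, the script folder’s NTFS permissions (read only for admins/system) keep the standard-user app from reading or altering what will later be re-imported on its behalf.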