= has on the fly switch ON/OFF flexibility
A look at this thread alone should explain why most people run Admin (myself included) and don't have their systems on lockdown, lol. = uses less CPU cycles than Applocker (internally Applocker uses similar principles as certificates of SRP, just try using SRP certificates and see what warning you are faced with: "Are you sure, it will reduce performance") SAFE admin = enjoy LUA/ACL deny execute protection with ADMIN privileges = Best Of Both worlds Watch for the announcement of SULLY when he launches SAFE admin EMET will provide more mitigation in the future Nice thing of Chrome is that you force it to download to a specific directory, so you are encapsulating the sandbox of Chrome in a second deny-execute folder.
C) b) Applying a registry tweak to always check executables downloaded by browser or e-mail
A) Applying a registry tweak to prompt for non-signed driver install
D) Applying EMET on internet facing apps. With right click on properties this block can be removed before installing a program.
B) Remove the right to execute in specific user folders like the download folder of your browser and the folders where your e-mail is stored. Depending on your browser (IE disables download of executables, FF downloads a null file, Chrome downloads the file, but explorer blocks execution). Establish a deny execute/download of external code. Reduce the risk of drive-by through selective deny-execute
A) Apply the 1806 trick through registry tweak. Microsoft Update will still update Windows and other Microsoft applications (Windows Update uses the browser, so you have to upgrade your updating mechanism).
2. Ergo reducing unintentional allows on elevation prompts. To install something a right click 'run as admin' is necessary.
B) Giving internet facing applications Medium level rights (=LUA), when integrity level is set to medium, UAC won't auto elevate these apps. Reduce UAC elevation prompts to reduce user errors
A) Tweaking registry to disable UAC's ability to recognise installers outside Windows and Program Files directories (the established 'safe' area). SAFE admin, coming soon by Sully, is based on the following principles
1. As a result, 80 percent of the Windows versions sold are home versions, so Applocker is really something for the privileged Ultimate owners. Microsoft discouraged home users also, with their pricing scheme of the different Vista/Windows 7 versions. Nobody wants to be limited on the things they OWN, so the same question for Admin and Limited User gets an 80% response in favour of Admin (after clarification what is admin). When I ask a friend/relative whether he/she wants to be the driver or the mechanic of their PC they all choose driver. Rationally this is true, because of the lousy marketing of the LUA concept most PC owners run Admin, half of them switch UAC off. When people are running LUA on company PCs without problems, why can't they run as LUA on their private PC also? So for everyday Joe/Jane Applocker makes only sense when you are running LUA. Some statements to spice up the launch of SAFE admin
Applocker is the improved implementation of Software Restriction Policies, since it is based on white listing and security wise ends the weak path based rules setup of SRP.
Because Applocker can be tricky to set up, in every tutorial you get a warning in capitals to NOT remove the grant Admin/System full rights.