AndyFul / Hard_Configurator

GUI to Manage Software Restriction Policies and harden Windows Home OS

Not an issue, just a question #16

Closed Kees1958 closed 2 years ago

Kees1958 commented 2 years ago

Andy

I have an old laptop which, due to driver issues, would not update to the latest Windows 10. The Windows 10 version I am using is 21H1, which reaches end of service in December.

You once mentioned (on MalwareTips) that you were also looking at Windows Application Control, but I have not seen this dripping through in one of your excellent free programs.

I used the WDAC policy toolkit on GitHub to create a WDAC "signed and reputable mode" policy and deployed it using PowerShell. I also used SimpleWindowsHardening to block risky file extensions and added, through a registry hack, the Microsoft Recommended Block rules to SRP (not in WDAC, so they are blocked in user mode only).

Because Microsoft also mentioned in the media that they will not update Microsoft Defender on end-of-service Windows 10 OS versions, I switched to a free antivirus. When I run MSINFO32 I still see that WDAC is applied (using another AV), so it seems to work OK with third-party AVs.

So here is my request to you:


Would it be an option to include the most relaxed WDAC-policy (allow signed and reputable) to SimpleWindowsHardening?

I realize your time is limited, but I think the above use case is not exceptional; there must be more people having old hardware on which the latest Windows OS does not run.

As far as I understood, the new 'Smart App Control' feature uses the same database as the WDAC 'signed and reputable' policy, so it seems that Microsoft thinks it is ready for everyday use.


Regards

Kees1958
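
A check for the setup described in the post above, added here as an example and not part of the original thread: it inspects a WDAC policy XML for the rule options that make up a "signed and reputable" policy and reads the live enforcement state from WMI. The policy fragment is constructed, the function names are hypothetical, and the availability of the `Win32_DeviceGuard` class on every edition is an assumption.

```powershell
# Constructed sample: rule options as they appear in a WDAC policy XML.
[xml]$samplePolicy = @'
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
  <Rules>
    <Rule><Option>Enabled:UMCI</Option></Rule>
    <Rule><Option>Enabled:Intelligent Security Graph Authorization</Option></Rule>
    <Rule><Option>Enabled:Invalidate EAs on Reboot</Option></Rule>
  </Rules>
</SiPolicy>
'@

# Hypothetical helper: report which rule options the policy sets.
function Test-SignedAndReputable {
    param([Parameter(Mandatory)][xml]$PolicyXml)
    $options = @($PolicyXml.SiPolicy.Rules.Rule | ForEach-Object { $_.Option })
    [pscustomobject]@{
        # User-mode code integrity: without it only kernel-mode code is checked.
        UserModeEnforced = $options -contains 'Enabled:UMCI'
        # ISG reputation: the "reputable" half of "signed and reputable".
        IsgReputation    = $options -contains 'Enabled:Intelligent Security Graph Authorization'
        # Audit mode logs would-be blocks but does not block anything.
        AuditOnly        = $options -contains 'Enabled:Audit Mode'
    }
}

# Hypothetical helper: read the live code integrity enforcement state.
function Get-WdacStatus {
    $state = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        KernelMode = $state[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
        UserMode   = $state[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
    }
}

Test-SignedAndReputable -PolicyXml $samplePolicy
Get-WdacStatus
```

A policy that reports `AuditOnly = True`, or a live `UserMode` state other than `Enforced`, is not blocking unsigned or unknown user-mode code.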

AndyFul commented 2 years ago

Hi Kees,

We have not talked for a long time. :)

I have been thinking about using WDAC in SWH for over a year, but the only useful way would be similar to BabySitter: https://malwaretips.com/threads/application-control-on-windows-10-home.89753/post-911371 I am waiting until Microsoft improves path rules in WDAC.

Edit. For now, SAC is slightly different from ISG in WDAC. SAC is nicely integrated with SmartScreen and can produce fewer false positives. But still, it can hardly be useful for most users due to many DLL blocks and the lack of exclusions.

Kees1958 commented 2 years ago

Andy

Thanks for the reply. You triggered me. I think "oos-OS babysitter" is a good name for a separate product (where oos-OS stands for OUT OF SERVICE Operating System). This prevents overconfident users with an up-to-date OS from enabling this feature in SWH (and running into unwanted blocks which they can't exclude).

I read your babysitter posts. On my old laptop I only use Microsoft stuff plus SyncBackFree; that is probably the reason I did not run into unwanted blocks.

Thanks for answering, I will close the issue.