starchturrets

joined 2 years ago
[–] starchturrets@feddit.de 4 points 1 year ago

Not really, WDAC doesn't usually just look at the filename. It can look at the certificate it was signed by, or fallback to using hashes.

[–] starchturrets@feddit.de 16 points 1 year ago

Windows has both WDAC and Applocker for allowlisting, not just for exes, but stuff such as powershell scripts and what drivers run in the kernel as well.

https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/

In it's strongest form (a signed WDAC policy) even admin access can't easily override it, and a well written policy can even enforce stuff such as downgrade protection (example: only allow firefox.exe signed by Mozilla at or above a certain version) which prevents an attacker from loading older versions of an executable.

The problem is that it's not so easy to use in practice - an installer will often drop loads of unsigned files. Tor Browser ironically enough is a prime example, and any WDAC policies allowing it have to fallback on hash rules, which are fragile and must be regenerated every update, or filepath rules which are not so robust.

Microsoft is trying to make allowlisting more accessible with Smart App Control, which runs WDAC under the hood. It does save the hassle of managing one's own policies (and also blocks certain filetypes like lnks commonly used for malware), but it is not very customizable.

[–] starchturrets@feddit.de 6 points 1 year ago* (last edited 1 year ago)

If I remember correctly, Pro should give you access to group policies (making configuration a tad less painful compared to fiddling in the registry), stuff such as Windows Sandbox/MDAG (basically, throwaway VMs you can run executables/Edge in), as well as Bitlocker encryption.

You cannot turn off required diagnostics on Windows 11 Home or Pro. You can see it yourself by firing up a Windows Pro or Home VM, editing the relevant setting in the registry or group policy, then taking a look at wireshark traffic - you should still see traffic to telemetry endpoints that Microsoft has listed in their documentation. This confirms what their documentation already says about this setting:

This is only available on Windows Server, Windows Enterprise, and Windows Education editions.

This also applies to many third party tools which claim to stop windows telemetry. Since I'm reasonably sure they work by editing the registry, they would be no more effective than simply turning off optional diagnostics in the GUI. So you end up giving yet another random app admin access for no real gain.

That being said, imo the required OS diagnostics Windows collects tends to be pretty basic in comparison to all the FUD that's spread about it being a literal backdoor. You can see for yourself by opening the diagnostic data viewer app and seeing what info is there.

The other main problems (at least from my fiddling around in a VM with mitmproxy and wireshark as well as reading various articles) are:

  • Windows Spotlight sending back similar data compared to required diagnostics - but if you're on Home/Pro where you can't turn it off anyways, this is irrelevant.

  • Forced Microsoft Login with a lot of cloud syncing stuff opted in by default - bypassable, but is somewhat troublesome. You can also just select the domain join option when installing Windows Pro to get around this.

  • Bing start menu search (needs a group policy or regedit to disable).

  • Edge's optional features and Windows Security's Smartscreen constantly leaking stuff such as browsing history (these can be disabled easily enough, fwiw).

Edit: I just realized you were talking about 10 and not 11, still, a lot of what I wrote about diagnostic data is applicable to both of them.

[–] starchturrets@feddit.de 2 points 1 year ago

I think the reason it caused such an outcry was that it was a little more advanced than simply checking a hash, which could be defeated by cropping it or something similar.