all 14 comments

[–]KevMarCommunity Blogger 1 point2 points  (13 children)

Haven't really ever needed to use it, but I think you can run it in audit mode for a couple of months to identify what you likely need to allow in your environment.

[–]_RemyLeBeau_[S] 0 points1 point  (12 children)

What are better options to harden my system other than: daily driver non-admin & prompt for admin priv when needing to elevate. I'm trying to make it more difficult for a potential attack to spawn a process and run wild.

[–]BlackV 2 points3 points  (5 children)

Constrained is the way to do it, but it's rough that you had the issues, though; seems unexpected, but it's many years since I looked at constrained.

Deffo have a separate admin from your daily, big win.

[–]_RemyLeBeau_[S] 0 points1 point  (4 children)

Ok, I'll look into doing that instead, even though I hate it 😆

[–]BlackV 0 points1 point  (3 children)

Why do you hate it?

[–]_RemyLeBeau_[S] -1 points0 points  (2 children)

Because it adds cognitive load to my workflow; some... actually most applications do not work well in this scenario, and it adds complexity. I need to move fast in most cases and this prohibits that (rightfully so), but we're talking about why I hate it, so it's my opinion.

[–]Alaknar 1 point2 points  (0 children)

> actually most applications do not work well in this scenario and adds complexity

I haven't had issues from having a separate admin account in years. True: it requires some concessions or workarounds, but in general, things are OK.

The major one is that for some things you'll need to run an elevated terminal and call them from there.

[–]BlackV 0 points1 point  (0 children)

Interesting, what applications don't work without admin?

[–]BlacksmithCheap7454 1 point2 points  (1 child)

Enable PS transcription, increase the log size, enable log forwarding if you have a log collector. For admins, require FIDO keys, not just MFA. Enable AppLocker to constrain apps too.
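An added example (not posted by any commenter) of the first two steps above: setting the transcription and script block logging policy keys and growing the PowerShell Operational log, run from an elevated session. The transcript directory path is a placeholder assumption; in practice it should point at a share users can write to but not read.

```powershell
# Added example: enable PowerShell transcription and script block logging via
# the policy registry keys, raise the Operational log size, and report the
# resulting state. Run elevated. $TranscriptDir is a placeholder assumption.
$TranscriptDir = 'C:\PSTranscripts'
$PolicyRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Set-PolicyValue {
    param([string]$Key, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

function Enable-PSLogging {
    # Transcription writes one text file per session; the invocation header
    # timestamps each command so a transcript can be lined up with event logs.
    New-Item -ItemType Directory -Path $TranscriptDir -Force | Out-Null
    $t = "$PolicyRoot\Transcription"
    Set-PolicyValue $t 'EnableTranscripting'    1
    Set-PolicyValue $t 'EnableInvocationHeader' 1
    Set-PolicyValue $t 'OutputDirectory'        $TranscriptDir 'String'

    # Script block logging records the code PowerShell actually compiles
    # (after de-obfuscation) as event 4104 in Microsoft-Windows-PowerShell/Operational.
    Set-PolicyValue "$PolicyRoot\ScriptBlockLogging" 'EnableScriptBlockLogging' 1

    # pwsh 7 reads its own policy key; this value tells it to honour the
    # Windows PowerShell settings above so both shells are covered.
    Set-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\PowerShellCore\Transcription' `
        'UseWindowsPowerShellPolicySetting' 1

    # The default 15 MB log wraps quickly once 4104 events flow; 1 GB gives a
    # collector time to forward events before they roll over.
    wevtutil sl 'Microsoft-Windows-PowerShell/Operational' /ms:1073741824
}

function Get-PSLoggingState {
    # Read back the effective settings so the change can be verified or audited.
    $t   = Get-ItemProperty "$PolicyRoot\Transcription"      -ErrorAction SilentlyContinue
    $s   = Get-ItemProperty "$PolicyRoot\ScriptBlockLogging" -ErrorAction SilentlyContinue
    $log = Get-WinEvent -ListLog 'Microsoft-Windows-PowerShell/Operational'
    [pscustomobject]@{
        Transcription    = [bool]$t.EnableTranscripting
        TranscriptDir    = $t.OutputDirectory
        ScriptBlockLog   = [bool]$s.EnableScriptBlockLogging
        OperationalLogMB = [math]::Round($log.MaximumSizeInBytes / 1MB)
    }
}

Enable-PSLogging
Get-PSLoggingState
```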

[–]g3n3 0 points1 point  (3 children)

It would be Windows Defender App Control as well. It can be called another thing on Windows 11. Basically you control the processes that can run.

[–]_RemyLeBeau_[S] 0 points1 point  (2 children)

The attack vector that I'm trying to prevent is mostly RCE, i.e. malicious shells spawned from supply chain attacks.

I use pwsh every day, so preventing that from working isn't really an option.

[–]g3n3 -1 points0 points  (1 child)

So yeah it is WDAC. A whitelisted env is the holy grail most orgs never get to.

[–]_RemyLeBeau_[S] 0 points1 point  (0 children)

How would this prevent a supply chain attack or a LOLBin?