
[FEATURE] - restrict RPC and some hardening

Open agowa opened this issue 1 year ago • 8 comments

What is your feature request regarding to?

Atlas Playbook

Is your feature request related to a problem? Please describe.

Atlas currently disables a bunch of auditing and security features, but does not clear settings that allow for remote access entirely. Like e.g.:

  • "Access this computer from the network" (secpol > Local Policies > User rights Assignment) is not cleared
  • "Allow log on through Remote Desktop Services" (if remote desktop is disabled)
  • "Force shutdown from a remote system" is not cleared
  • "Network access: Do not allow storage of passwords and credentials for network authentication" probably should be set to Enabled, as we do not really want Windows to keep the user password in memory after login.
  • "Network access: Remotely accessible registry paths" probably should be cleared.
  • "Network access: Remotely accessible registry paths and sub-paths" probably should be cleared.
  • As MS accounts are disabled, evaluating related authentication requests should be disabled as well ("Network security: Allow PKU2U authentication requests to this computer to use online identities."). Without it, Azure will still be queried to see if someone with an MS account trying to establish a connection is allowed or not. This can at least introduce a privacy issue when used as a beacon (or just unnecessarily, when another Windows client in the same local network tries to establish a connection erroneously).

Hardening related, I'm not sure if this is done by Atlas or if MS just documented the defaults incorrectly, but it is kinda odd:

  • Non-default value "Window Manager\Window Manager Group" is in "Increase scheduling priority".
  • Non-default value "Performance Log Users" is in "Log on as a batch job".
  • Non-default value "NT SERVICE\ALL SERVICES" is in "Log on as a service".
  • Non-default value "NT SERVICE\WdiServiceHost" is in "Profile system performance".
  • Non-default value "LOCAL SERVICE" is in "Change the time zone".
  • "Devices: Prevent users from installing printer drivers" is set to "Enabled". Normally this is Disabled on workstations. And even though it is set to Enabled on servers, it enables installing vulnerable kernel drivers for all users without needing administrative rights. Therefore it is almost always disabled.

Describe the solution you would like.

Modify secpol settings as listed above.

Describe alternatives you have considered.

Does not apply.

Additional context.

No response

agowa avatar Jan 18 '24 17:01 agowa
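A read-only audit of the secpol items listed in the post above, added here as an example; it is not Atlas project code and not part of the original issue. It assumes an elevated PowerShell session on Windows; the Se* constants and registry values are the standard backing values of these policies, and the "Want" states mirror the issue's suggestions (the printer-driver setting is reported only, since the thread does not settle its intended value).

```powershell
# Added example, not Atlas project code: read-only audit of the secpol items in this issue.
# Run from an elevated PowerShell prompt; secedit needs admin rights to export the template.
function Resolve-Sid([string]$token) {
    # secedit writes members as *S-1-5-...; translate well-known SIDs, keep the SID otherwise
    if ($token -notmatch '^\*(S-[\d-]+)$') { return $token }
    $sid = $Matches[1]
    try { (New-Object System.Security.Principal.SecurityIdentifier $sid).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid }
}
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
$rightsNow = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') { $rightsNow[$Matches[1]] = $Matches[2] }
}
Remove-Item $cfg -Force
# User Rights Assignment entries the issue wants cleared or flags as carrying non-default members
$rights = [ordered]@{
    SeNetworkLogonRight             = 'Access this computer from the network'
    SeRemoteInteractiveLogonRight   = 'Allow log on through Remote Desktop Services'
    SeRemoteShutdownPrivilege       = 'Force shutdown from a remote system'
    SeIncreaseBasePriorityPrivilege = 'Increase scheduling priority'
    SeBatchLogonRight               = 'Log on as a batch job'
    SeServiceLogonRight             = 'Log on as a service'
    SeSystemProfilePrivilege        = 'Profile system performance'
    SeTimeZonePrivilege             = 'Change the time zone'
}
foreach ($r in $rights.Keys) {
    $members = if ($rightsNow[$r]) { ($rightsNow[$r] -split ',' | ForEach-Object { Resolve-Sid $_ }) -join ', ' } else { '(empty)' }
    '{0,-46} {1}' -f $rights[$r], $members
}
# Security Options backed by registry values (Want = state the issue asks for; $null = report only)
$options = @(
    @{ Name = 'Do not allow storage of passwords/credentials for network auth'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Value = 'DisableDomainCreds'; Want = 1 },
    @{ Name = 'Allow PKU2U authentication requests to use online identities'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\pku2u'; Value = 'AllowOnlineID'; Want = 0 },
    @{ Name = 'Remotely accessible registry paths'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedExactPaths'; Value = 'Machine'; Want = '' },
    @{ Name = 'Remotely accessible registry paths and sub-paths'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths'; Value = 'Machine'; Want = '' },
    @{ Name = 'Prevent users from installing printer drivers'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers'; Value = 'AddPrinterDrivers'; Want = $null }
)
foreach ($o in $options) {
    $cur = (Get-ItemProperty -Path $o.Path -Name $o.Value -ErrorAction SilentlyContinue).($o.Value)
    $curText = if ($null -eq $cur) { '(not set)' } else { ($cur -join ';') }
    $status = if ($null -eq $o.Want) { 'info' } elseif (($cur -join ';') -eq [string]$o.Want) { 'OK' } else { 'DIFFERS' }
    '{0,-46} {1,-8} current={2}' -f $o.Name, $status, $curText
}
```

A "DIFFERS" row shows where the live machine deviates from the state the issue proposes; the script changes nothing, so it can be run before and after applying any of the suggested changes to confirm the effect.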

Keep in mind Atlas is normie-friendly now.

Ast3risk-ops avatar Jan 18 '24 20:01 Ast3risk-ops

@Ast3risk-ops That only makes it more important to go over the suggested hardenings then. Especially because most of the ones I suggested are only desirable because of changes Atlas makes.

Like the one regarding disabling validation of MS accounts: it is only relevant because Atlas is disabling MS accounts (or at least it is trying to do so). Therefore not disabling them for inbound requests is probably just an oversight to begin with anyway. We don't need that kind of attack surface if we intended to disable that entire feature to begin with...

Similarly, if a "normie" chooses to disable remote desktop, we definitely don't need RPC to be accessible remotely either. But regardless of making that conclusion, what we definitely don't need when remote desktop is disabled are accounts that are allowed to use it. Again, that's just unnecessary attack surface for a feature we said we remove/disable entirely.

Edit: And wasn't there also a prompt related to network shares or something within the installer? So e.g. the one about the plaintext password staying in RAM can just depend on what the user selected there. And the rest (as well as general remote access, "network exposure" of Windows services and other hidden/undocumented shenanigans) could depend on a new "allow remote access to this computer" setting within the install wizard if necessary.

agowa avatar Jan 19 '24 15:01 agowa

That means that hardening can't interfere with app functionality

Also Atlas is going to allow Microsoft accounts next release, seeing as they work and the conversion is real confusing

Ast3risk-ops avatar Jan 19 '24 17:01 Ast3risk-ops

That means that hardening can't interfere with app functionality

Also Atlas is going to allow Microsoft accounts next release, seeing as they work and the conversion is real confusing

Can you at least make an option that applies all the topics OP suggested? Like an option called "More Security" or so, which can be selected on demand and then all the above will be applied. This would be quite neat because I, like many others, don't need an MS account.

CodingMadness avatar Feb 13 '24 19:02 CodingMadness

Long Quote
That means that hardening can't interfere with app functionality

Also Atlas is going to allow Microsoft accounts next release, seeing as they work and the conversion is real confusing.

Can you at least make an option that applies all the topics OP suggested? Like an option called "More Security" or so, which can be selected on demand and then all the above will be applied. This would be quite neat because I, like many others, don't need an MS account.

What if an idiot clicks on it and complains that his shit doesn't work anymore?

Ast3risk-ops avatar Feb 13 '24 20:02 Ast3risk-ops

Long Quote

That means that hardening can't interfere with app functionality

Also Atlas is going to allow Microsoft accounts next release, seeing as they work and the conversion is real confusing.

Can you at least make an option that applies all the topics OP suggested? Like an option called "More Security" or so, which can be selected on demand and then all the above will be applied. This would be quite neat because I, like many others, don't need an MS account.

What if an idiot clicks on it and complains that his shit doesn't work anymore?

AFAIK you already get an option to completely go UNSECURE by allowing the option to not install win-defender AND Core isolation in the installer;

TL;DR: You cannot disallow stupidity in this world, and hence you cannot be held accountable for any damages they do by accepting options. The only thing you should then do is write some decent half-page text about what is about to be disabled and put up a big red warning that there can be side effects by doing so; the rest is up to the user! And for people needing this, it would be such a relief and even further sensible debloating! Please do consider it guys, based on my reasoning here!

EDIT: In case the said idiot did these things without understanding the potential risks of clicking said options, he can still reinstall Windows fully, I guess, so either way it's not a big deal?

CodingMadness avatar Feb 14 '24 06:02 CodingMadness

Long Quote

That means that hardening can't interfere with app functionality. Also Atlas is going to allow Microsoft accounts next release, seeing as they work and the conversion is real confusing. Can you at least make an option that applies all the topics OP suggested? Like an option called "More Security" or so, which can be selected on demand and then all the above will be applied. This would be quite neat because I, like many others, don't need an MS account.

What if an idiot clicks on it and complains that his shit doesn't work anymore?

AFAIK you already get an option to completely go UNSECURE by allowing the option to not install win-defender AND Core isolation in the installer;

TL;DR: You cannot disallow stupidity in this world, and hence you cannot be held accountable for any damages they do by accepting options. The only thing you should then do is write some decent half-page text about what is about to be disabled and put up a big red warning that there can be side effects by doing so; the rest is up to the user! And for people needing this, it would be such a relief and even further sensible debloating! Please do consider it guys, based on my reasoning here!

EDIT: In case the said idiot did these things without understanding the potential risks of clicking said options, he can still reinstall Windows fully, I guess, so either way it's not a big deal?

Any arguments on this? Or what is planned in this regard? Would be nice to hear.

CodingMadness avatar Feb 17 '24 03:02 CodingMadness

Hi @CodingMadness @agowa, I'm here to answer the questions.

First of all, I am not a playbook dev and not responsible for the development of Atlas Playbooks, so things I say may be incorrect. Just to note.


Like the one regarding disabling validation of MS Accounts, it is only relevant because Atlas is disabling MS Accounts (or at least it is trying to do so). Therefore not disabling them for inbound requests is probably just an oversight to begin with anyway. We don't need that kind of attack surface if we intended to disable that entire feature to begin with...

MS account features are not completely removed because MS login stuff still exists (e.g. for Xbox, Microsoft Store, etc.). We require users to use a standard account for user login, and that's all. If a user used an MS account, then they failed to follow the docs. The reason we did the conversion is that MS accounts didn't work with Atlas before, but now they are compatible, so we will be removing this conversion in the next release.


Similarly, if a "normie" choose to disable remote desktop, we definitely don't need RPC to be accessible remotely either. But regardless of making that conclusion, what we definitely don't need when remote desktop is disabled are accounts that are allowed to use it. Again, that's just unnecessary attack surface for a feature we said we remove/disable entirely.

I'm not sure about this, but I think we did not provide the user an option to disable RDP. Correct me if I am wrong.


Can you at least make an option that applies all the topics OP suggested? Like an option called "More Security" or so, which can be selected on demand and then all the above will be applied. This would be quite neat because I, like many others, don't need an MS account.

I think @he3als can answer that. Also, just to mention, our docs clearly mention using a standard user account instead of a Microsoft one; all users are supposed to have a standard account IF they followed our docs correctly.


AFAIK you already get an option to completely go UNSECURE by allowing the option to not install win-defender AND Core isolation in the installer;

Quote from the docs:

Disabling security features is at your own risk, and you should only disable any security features if: 1. You know what it does, 2. You know how to keep yourself safe without it. Atlas is not responsible for any damages caused by disabling security features against our recommendations.

I can add this quote to the installation guide if that matches your need.


TL;DR: You cannot disallow stupidity in this world, and hence you cannot be held accountable for any damages they do by accepting options. The only thing you should then do is write some decent half-page text about what is about to be disabled and put up a big red warning that there can be side effects by doing so; the rest is up to the user! And for people needing this, it would be such a relief and even further sensible debloating! Please do consider it guys, based on my reasoning here!

EDIT: In case the said idiot did these things without understanding the potential risks of clicking said options, he can still reinstall Windows fully, I guess, so either way it's not a big deal?

We already have those in the Post-Install section of our docs. However, I can add some into the main Installation guide if that matches your need.


Let me know if there are more questions. -Pencil

pencilnav avatar Feb 17 '24 09:02 pencilnav

It appears this issue has been solved, as there have been no new comments recently. Due to that, I will be closing this; if for any reason this must remain open, please comment as to why.

LumiFae avatar Apr 16 '24 09:04 LumiFae