
[Suggestion]: Don't require run as Administrator for importing MDE csv files

Open JeffsRealm opened this issue 2 months ago • 2 comments

Are you sure the Security measure is not already implemented?

  • [x] Yes, I have checked and the Security measure I'm suggesting to be implemented is not a duplicate. 🫡

Please explain your new Security measure suggestion

Do not require running as admin just to import CSV logs from MDE.

This is a security app, and a really decent one, way better than Microsoft's own tools. As a security guy, though, I am not typically going to trust any application as admin, let alone allow it to log into my security panel. However, being able to export the logs out of MDE and then load them in and create policies is a great feature. I am not sure why I would ever need to be running the application as an administrator just to import these CSVs I downloaded. Also, you may have, and actually should have, different people with different access to certain systems.

So, for example, the security operator in Defender can query those logs from Defender Advanced Hunting and then export the CSV for the team managing Intune to deploy. They may not be the same people, as this allows separation of duties.

To reproduce: launch the application as a standard user, not admin. Then click on MDE Advanced Hunting; this instantly wants to run as admin. I didn't. I launched it in a Windows Sandbox as admin to see what was in there, and yeah, locally, being able to load CSV exports is really an awesome feature. But not something you need to be running as admin for.

BTW, running the app as admin on a machine takes on the admin profile, so you have to manually go load dark mode, etc.

JeffsRealm, Oct 21 '25 14:10

As I mentioned in the other issue you filed, the documentation explains the reasons behind most of the workflows in the app: https://github.com/HotCakeX/Harden-Windows-Security/wiki/AppControl-Manager

I agree that MDE AH page shouldn't require Admin privilege because most of its features don't need it. It currently only needs it for securely storing and deploying the policy it creates, but I can offer options so you can store the policy somewhere else (and be responsible for any unelevated malware on your system modifying the policy before/during deployment due to no ACL protection).

I chose to be on the safe side and that's why the Admin privilege is required right now.

HotCakeX, Oct 21 '25 17:10
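The ACL point in the reply above is something you can check before picking a storage location. The following PowerShell function is an added example and not the project's code: for a policy file and its parent folder it lists every allow ACE that grants write-class rights to a principal an unelevated process already holds (Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE and the current user), and it also flags low-privilege ownership, because the owner of an object can rewrite its DACL regardless of the ACEs. The function name and the path in the usage line are assumptions made here.

```powershell
# Added example, not code from the project. Report where an unelevated process could
# modify, replace or delete a stored policy file. Get-PolicyTamperRisk and the usage
# path are invented for illustration.

function Get-PolicyTamperRisk {
    param([Parameter(Mandatory)] [string] $Path)

    # Rights that allow altering the file, or deleting/recreating it via its parent folder.
    # On a directory, WriteData/AppendData mean "create files"/"create folders".
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $writeMask = $writeMask -bor 0x40000000 -bor 0x10000000   # GENERIC_WRITE, GENERIC_ALL (unmapped ACEs)

    # Principals an unelevated process already holds. The current user's own SID is here
    # because unelevated malware runs as exactly that user.
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $lowPriv = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4', $me)  # Everyone, Authenticated Users, Users, INTERACTIVE

    $file = (Resolve-Path -LiteralPath $Path).ProviderPath
    foreach ($target in @($file, (Split-Path -Parent $file))) {
        $acl = Get-Acl -LiteralPath $target

        # The owner has implicit WRITE_DAC: a low-privilege owner can grant itself anything.
        $owner = $acl.GetOwner([System.Security.Principal.SecurityIdentifier])
        if ($lowPriv -contains $owner.Value) {
            [pscustomobject]@{
                Target    = $target
                Principal = $owner.Translate([System.Security.Principal.NTAccount]).Value
                Rights    = 'Owner (can rewrite the DACL)'
            }
        }

        foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
            if ($lowPriv -contains $ace.IdentityReference.Value) {
                [pscustomobject]@{
                    Target    = $target
                    Principal = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value
                    Rights    = $ace.FileSystemRights
                }
            }
        }
    }
}

# Usage (assumed path). A file under the user's profile reports the user as owner with
# FullControl on both the file and the folder; a folder writable only by administrators
# reports nothing. That difference is what "no ACL protection" above refers to.
# Get-PolicyTamperRisk -Path "$env:USERPROFILE\Documents\MyPolicy.xml" | Format-Table -AutoSize
```

Empty output means the file system alone does not let an unelevated process tamper with the policy; it says nothing about the process that wrote the file in the first place, so it is a check on the storage location, not on the policy's provenance.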

Yeah, I would rather not run as admin. Storing the files even under the Documents folder would be more secure. I would assume that before anyone is trying to block apps they have at least turned on Defender, and Defender and Attack Surface Reduction rules are going to be checking for scripts and viruses and unauthorized software editing files there. When someone is running an app as admin you leave all kinds of other holes open.

Simple example: a person simply using the app spills coffee and runs to get a towel or paper towel, forgetting to lock their machine. Yeah, user error is the number one way people get hacked. They have now left their machine with an app running as admin.

You might not think that is bad. While using your app, just go to Policy Editor > Select Policy File.... Now that dialog is a standard Windows dialog, but now running under the context of administrator.

So now simply browse to C:\Windows\System32. See, you are in the heart of the OS, but you might be saying, OK, I cannot see any files. Simply type `*.*` (it doesn't show properly on GitHub: asterisk dot asterisk, the star-dot-star wildcard) into the file name and hit enter; this overrides your limit to XML and CIP. From here you can right-click on any file or any folder. You can edit its properties and change permissions. You can create new files and new folders. The sky is the limit because your app is running as admin. You can copy and paste in here, delete, read, write absolutely anything on any drive in any directory. You can even create startup scripts and things that run as the SYSTEM user from this one little dialog box.

It only takes a few seconds to get to one of those open-file dialog boxes, right-click on the C drive on the side and choose Properties, select Security and give themselves Full Control over the entire C drive so they can come back later at their leisure. Never mind modifying the XML files for your app in Program Files.

If someone did have something malicious on their system, spyware or a virus, before even applying this policy, it is sitting there waiting for file and folder dialogs. If it gets one running as admin, the world is its oyster. This is just one simple way running an app as admin is bad.

As I said, I am a security dude; not only that, I am a security dude over an entire army of developers. Your app has a lot of potential. It is honestly one of the better ones I have seen for the Microsoft ecosystem. However, also as a security dude, the very second it told me I need to run the app as admin I about just uninstalled it. I mean, yeah, that's the number one sign of something getting ready to do something bad. I am guessing a lot of people have done just that: download it, run it, get prompted for admin, say nope and uninstall it. I chose to put it in a sandbox environment and give it a whirl. I totally understand needing admin to apply the policy; that's as it should be. But to read, create and store XML files, and to do anything else in the app, it does not need to run with admin.

The way I would fix it is around the need to deploy the policy. I am guessing you're just copying it into Windows. Generate a quick batch script and launch and run it from your app. This will copy the files where they need to go and terminate the process running as admin.

JeffsRealm, Oct 21 '25 21:10
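One way to build the "elevate only for the deploy step" workflow the comment above asks for, as an added example that is neither the project's code nor the commenter's: the app stays unelevated, records the SHA-256 of the policy the operator approved, and launches a short-lived elevated PowerShell that re-verifies that hash, copies the file into a freshly created admin-only staging folder, verifies the copy, hands it to CiTool.exe (the built-in Windows 11 22H2+ tool for deploying App Control policies; its `--update-policy` switch is real) and exits. That closes the gap the maintainer described: a policy sitting in a user-writable folder can be swapped, but the swap is detected instead of enforced. The function name, the staging location under ProgramData and the policy path in the usage line are assumptions made here.

```powershell
# Added example, not code from the project. Elevate only the deploy step, and make
# that step re-verify what it was given, since the policy sat in a user-writable
# folder while the app ran unelevated. Assumes Windows 11 22H2+ (CiTool.exe) and a
# compiled .cip file; Invoke-ElevatedPolicyDeploy and the staging path are invented here.

function Invoke-ElevatedPolicyDeploy {
    param([Parameter(Mandatory)] [string] $PolicyPath)

    $PolicyPath = (Resolve-Path -LiteralPath $PolicyPath).ProviderPath
    # Hash of the content the operator reviewed, taken in the unelevated context.
    $expected = (Get-FileHash -LiteralPath $PolicyPath -Algorithm SHA256).Hash

    # Everything the elevated side does. Single-quoted so nothing expands until the
    # placeholders are substituted below.
    $elevated = @'
$ErrorActionPreference = 'Stop'
$policy   = '__POLICY__'
$expected = '__HASH__'
# Re-hash under elevation: the file may have been swapped since the app hashed it.
if ((Get-FileHash -LiteralPath $policy -Algorithm SHA256).Hash -ne $expected) { exit 2 }
# Stage into a brand-new folder with a random name (a standard user cannot pre-create it)
# and an explicit DACL, because ProgramData's inherited ACEs let Users create files.
# Created under elevation, the folder is owned by Administrators, not the interactive user.
$stage = Join-Path $env:ProgramData ('ci-stage-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $stage | Out-Null
$acl = Get-Acl -LiteralPath $stage
$acl.SetAccessRuleProtection($true, $false)           # drop every inherited ACE
foreach ($sid in 'S-1-5-18', 'S-1-5-32-544') {        # SYSTEM, BUILTIN\Administrators
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        [System.Security.Principal.SecurityIdentifier]::new($sid), 'FullControl',
        'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -LiteralPath $stage -AclObject $acl
$staged = Join-Path $stage (Split-Path -Leaf $policy)
Copy-Item -LiteralPath $policy -Destination $staged
# Verify the copy: this is the file CiTool will actually read and enforce.
if ((Get-FileHash -LiteralPath $staged -Algorithm SHA256).Hash -ne $expected) { exit 3 }
& "$env:SystemRoot\System32\CiTool.exe" --update-policy $staged --json
$rc = $LASTEXITCODE
Remove-Item -LiteralPath $stage -Recurse -Force
exit $rc
'@
    $elevated = $elevated.Replace('__POLICY__', $PolicyPath.Replace("'", "''")).Replace('__HASH__', $expected)

    # -EncodedCommand carries the script on the command line: there is no temp .ps1 in a
    # user-writable folder for an unelevated process to edit before it is executed.
    $encoded = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($elevated))
    $proc = Start-Process -FilePath 'powershell.exe' -Verb RunAs -Wait -PassThru `
        -ArgumentList '-NoProfile', '-NonInteractive', '-EncodedCommand', $encoded
    return $proc.ExitCode   # 0 deployed; 2/3 hash mismatch, nothing deployed; otherwise CiTool's code
}

# Usage (assumed path). The UAC prompt appears only here, and the elevated process ends
# as soon as CiTool returns, so there is no long-lived admin window with file dialogs.
# Invoke-ElevatedPolicyDeploy -PolicyPath "$env:USERPROFILE\Documents\MyPolicy.cip"
```

The residual risk is the one no deployment step can remove: if the unelevated app itself is compromised, the hash it approves is the attacker's, so this protects the handoff between export and enforcement, not the authoring side. On Windows versions without CiTool.exe the elevated block would have to place the .cip under the CodeIntegrity policy folder itself; that variant is not shown here.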