Protecting Users from Running Arbitrary Code on Windows

18 Feb, 2025

If you're worried about the safety of less tech-literate friends, family, or colleagues who might click before thinking, here's a practical way to protect them. Moving them to Linux isn’t always viable, so let's use Windows' powerful permissions system instead.

Steps to Secure the Downloads Directory:

1. Access Security Settings:

   • Right-click the Downloads directory, select Properties, go to the Security tab, and click Advanced.

2. Remove Inheritance:

   • Click Remove inheritance and then Remove.
   • If the username remains on the list, double-click it. If not, click Add, then Select a principal, Advanced, Find and select the username.

3. Set Permissions for Folders:

   • Change Applies to to This folder and subfolders.
   • Ensure Full control is checked and click OK.

4. Add New Permission for Files:

   • Click Add, select the user again, change Applies to to Files only.
   • Click Advanced, deselect Traverse folder / execute file, and click OK thrice.

Inform the User:

• Installation: They need to move downloaded installers to a different directory (e.g., Desktop) to run them.
• Security: Explain that if they can't open an invoice, invitation or any other such file from the downloads directory, it was an attack attempt that was just stopped, not a legitimate file and they should just remove it without trying to bypass that protection.

Important note:

This will not prevent vulnerabilities in document viewers from performing ACE, only stop vast list of known executable formats from being run, keeping software up to date and protecting the most important data other ways is still advisable.