Software Restriction policies examples????

Colin Nash [MVP]

That would be a very restrictive policy. Is it really necessary? I can
tell you that most large enterprises don't take it to that level.

The more restrictive you make it, the more testing you will need to do.
 
Hi All,

I have just finished reading the documentation on Microsoft involving
the software restriction policies.
Are there any security conscious people out there who also have
experimented with this and have compiled a list that doesn't break any
normal windows functionality?

One of my rules for instance is a path rule which denies all *.vbs
files from executing on my computer.
Is it for instance viable to allow only recognized exe's and deny all
others?

This would mean that I would have to know all standard exe's that
windows uses to start, logon, shutdown, logoff, internet,.....
Is there anyone out there who has such a rule to deny all exe's and
has configured a list of exe's that definitely should run?

Are there any registry rules that might be useful to deny?

Anything that anyone could contribute would be very much appreciated
since I am only starting to learn how to use it.
It's just hard testing all the time, having to log off and on for
these rules to apply, and then noticing that you have broken Windows and
having to start up in safe mode and delete the rules that broke it.

On the net I haven't found much information until now besides the
standard MS docs.

Sincerely,
J
 
Hi Colin

Well I'm sure most large enterprises don't but then again you can
hardly call me a large enterprise :-)

Don't tell me that only execs from large enterprises would ever
consider implementing such a policy on a dedicated server. I am just a
normal home user trying to look at all options and trying to educate
myself on these matters.
I'm sure there are people out there who use dedicated servers that are
not in the IT business but just normal home users who want to be able
to build a stable and secure server for whatever purpose they desire,
be it a game server, an FTP server, ... or whatever.

Software restriction policies can help in creating another barrier
hackers need to penetrate to take such a server offline.
I've been helping a friend of mine and I saw his computer in realtime
being hacked in under 5 minutes just because he had a fast server and
people were apparently very interested in hacking his comp to be able
to run their own software from it.

So what I don't need is people telling me that something isn't really
necessary just because in their opinion it isn't.
The question I actually posed albeit possibly not direct enough is
what standard exe's does XP or 2000 for that matter need to have
running to operate normally.
I'm talking about a lockdown policy that only allows normal windows
applications to run and disallow any others besides the ones I
specifically add.

Sincerely,
J
 
I have tried it a number of times. I would suggest you try setting the default rule
to disallowed and then exempting administrators in the enforcement rule and test from
there. When I tried the disallowed all, it would let a user logon and not much more
until I created specific path rules to directories to allow a user to run an
application. I also did test for instance a path rule to disallow all .exe and .com
files in the \windows\system32 directory that worked pretty well. You can lock a
machine down extremely well with SRP and you can use multiple rules that are general
and specific mixing path/hash/certificate. For instance if you create a general rule
to disallow all .exe files in a directory and then another one that allows a specific
.exe in that directory, then all .exe except the one will be disallowed. On a locked
down machine where a user can only write files to his profile, you can create a
disallowed path rule to the profile which will prevent him from running executables
or installing software there. It takes a lot of experimenting but I think it is a
major reason to go with XP Pro. The link below is about the best one I have seen so
far, maybe you have already read it. --- Steve

http://www.microsoft.com/technet/tr...et/prodtechnol/winxppro/maintain/rstrplcy.asp
 
Hiya Steven,

In your reply you mentioned a path rule that disallows all exe's in the system folder... doesn't that
just break a system? I know many of the exe's in the system directory and a lot are not used for
normal internet use or browsing, but from looking at filenames things like logoff.exe, taskmgr.exe,
svchost.exe, userinit.exe, winlogon.exe and some others are I think definitely needed.
How could you get a user to login normally with these exe's on disallowed?

About the link, yep I read it but it doesn't get into detail as much as I would like, pretty much
most of what was covered in that document I already figured out for myself. What I need is lists of
software (exe's, dll's,...) that need to run and keep OS stability and functionality.

Guess we'll have to wait until more people start using it or start making websites giving out more
and more detailed information on this.
I would like to see some hardcore gurus posting some real lockdown policies for different uses,
like for instance you want an internet kiosk machine which can only run a browser and lets users
browse the net but pretty much locks them out from harming or installing their own crappy software.

Me need more input :-)

Sincerely,
J
 
Hi J.

I tried it on a test box to see what would happen and I remember being surprised
that I could logon as test user and when I tried running executables such as ping,
ipconfig, netstat I was denied access. I am not recommending someone do such in a
production environment of course without thorough testing. I am going to try it again
soon.

Yes, detailed info would be great but I think the info they give is a good start
though I don't see much info outside of MS. You could use third party tools like
filemon and regmon from Sysinternals [free] to see where access is being denied if
you are trying to tweak a rule for an application. Building a kiosk should not be too
hard. I would start by changing ntfs permissions so that a user could only save files
to their profile and changing ntfs permissions on their desktop folder to be
read/list/execute so that they can not change the desktop. Then I would use a default
disallowed rule [exempting administrators], an allowed path rule to the IE folder and
maybe the Common Files folder, and then disallowed hash rules for some executables such as
cmd.exe, notepad, etc. and also deny access to the command prompt and registry editor in
Group Policy and use Group Policy to lock down Internet Explorer. Good luck. ---
Steve

 
Hi again Steven,

I think it's time I installed that virtual PC, that way I can test and break it over and over again
until I get it just the way I want :-)

Hehe, locking down is always the easy part, getting it to work correctly thereafter is of course the
hardest.
I have some sort of idea what I'm gonna try but will need to set up my virtual PC first because
safe-moding all the time is getting tedious.
Here's hoping that some info starts flooding out about this topic because I'd really like to have
input from various sources instead of relying on the basic info that was given out by MS.
If I find out some more maybe in the following days I will be posting it in this group under the
same heading as my initial post "Software Restriction policies examples".
Anyway thanks for the replies :-)

Sincerely,
J
