ssj100 Security Forums

Mis-understandings about Software Restriction Policies (SRP)

14 posters, including Sadeghi85, Tranquility, Rico, noorismail, MrBrian, Ruhe, Hawkwind, wat0114, tnegjm and ssj100

Page 2 of 4


Re: Mis-understandings about Software Restriction Policies (SRP)

Post by ssj100 14/5/2010, 10:00

Thanks wat0114. You make some valid points, but I'm going to discuss this further in the context of my own security setup/approach:

"The deny action is generally less secure than the allow action because a malicious user could modify the file to invalidate the rule."

This is indeed true for files only. However, as you can see, we're not talking about files - we're talking about folders and paths that are being denied execution from (the 7 folders/paths described in this thread for both Windows XP and 7). Therefore, in this context, there is nothing "less secure" about it.

My recommendation to specifically deny cmd.exe, wscript.exe etc execution only protects the system from external attacks. If a malicious user gained physical access to your system, it's all over anyway. Again, therefore, there is nothing "less secure" about it.

"Deny actions can also be circumvented. For example, if you configure a deny action for a file or folder path, the user can still run the file from any other path."

This is only true for certain specific scenarios. Allowing all programs to execute from C:\Program Files and C:\Windows, and denying execution from the 7 folders/paths described in this thread does not apply to any of these scenarios.

One specific scenario that would apply would be if you are trying to deny execution of a file. You add a deny path rule to the file C:\Windows\debug\WIA\wat0114.exe. Now an easy way to circumvent this would be to merely copy wat0114.exe from the original folder and place it in another folder that allows execution. Then, you can simply execute it!

However, you can see that if you are in a Standard User Account with SRP/AppLocker rules which only allow C:\Program Files and C:\Windows to execute from, and which deny execution from the 7 folders/paths, there is no way you could place wat0114.exe into a folder/path which allows both writing and execution.

So as you can see, this is some very bullet proof protection!
ssj100, Administrator. Posts: 1390. Join date: 2010-04-14. https://ssj100.forumotion.com


Post by wat0114 17/5/2010, 01:01

ssj100 wrote:
This is indeed true for files only. However, as you can see, we're not talking about files - we're talking about folders and paths that are being denied execution from (the 7 folders/paths described in this thread for both Windows XP and 7). Therefore, in this context, there is nothing "less secure" about it.

You might have a point and I'm not really qualified to argue it, but in the quote it mentions file or folder path. Anyway, I need to spend some time testing a couple of different configurations in AppLocker, then I'll post my findings. I have a decent understanding of it but not where I'd like to be ;)

*EDIT*

Okay, it didn't take me long to confirm what I suspected a few nights ago: it is better to use the AppLocker Auto-generate feature using the order of Publisher->Hash->Path for at least the Executable rules, then all those extra deny rules under the Windows directory are rendered redundant, because only the executables that were present when the Auto-generate scanned will be allowed to run. Nothing else will be authorized to execute, including those temp folders and such under the Windows directory. This does mean that when the admin installs a new program or updates one that has only a hash rule for it, the Auto-generate function will have to be run again, but I can confirm this is only a minor inconvenience, as it takes only mere seconds to complete.

wat0114, Advanced Member. Posts: 152. Join date: 2010-05-11


Post by ssj100 17/5/2010, 10:18

wat0114 wrote: Okay, it didn't take me long to confirm what I suspected a few nights ago: it is better to use the AppLocker Auto-generate feature using the order of Publisher->Hash->Path for at least the Executable rules, then all those extra deny rules under the Windows directory are rendered redundant, because only the executables that were present when the Auto-generate scanned will be allowed to run. Nothing else will be authorized to execute, including those temp folders and such under the Windows directory. This does mean that when the admin installs a new program or updates one that has only a hash rule for it, the Auto-generate function will have to be run again, but I can confirm this is only a minor inconvenience, as it takes only mere seconds to complete.

Not sure if it is better, but it is certainly another secure way to set up your AppLocker.


Post by wat0114 17/5/2010, 21:18

ssj100 wrote:

Not sure if it is better, but it is certainly another secure way to set up your AppLocker.

Yeah, there's more than one way to skin a cat :) I'm in a bit of a debate with a technical heavyweight (MrBrian) at Wilders here:

http://www.wilderssecurity.com/showthread.php?t=272761

His approach I agree is fine, but I see nothing wrong with my approach and feel it's still better. But to each their own ;)



Post by ssj100 18/5/2010, 00:23

wat0114 wrote:
ssj100 wrote:

Not sure if it is better, but it is certainly another secure way to set up your AppLocker.

Yeah, there's more than one way to skin a cat :) I'm in a bit of a debate with a technical heavyweight (MrBrian) at Wilders here:

http://www.wilderssecurity.com/showthread.php?t=272761

His approach I agree is fine, but I see nothing wrong with my approach and feel it's still better. But to each their own ;)

I don't understand why there's a debate at all really. Both approaches are fine. MrBrian's approach is the one I'd use myself if I was using Windows 7 Ultimate today on my REAL machine. This is the good thing about trying out Windows 7 Ultimate in my VM only - I get plenty of time to watch other people making mistakes and learning from them! Notice how tlu only came up with a decent approach for LUA + SuRun about 7 years after Windows XP was released haha.


Post by Hawkwind 30/6/2010, 01:12

OK ssj100, you have convinced me to try your approach.

Windows 7 Ultimate x86, SUA, SRP, DEP for all programs and services, SEOP and AppLocker using MrBrian's configuration.

One question (to start with at least): I use First Defense-ISR, where everything is installed in C:\$ISR, which is not an "SRP-approved" location.
Is step 5 from http://www.mechbgon.com/srp/ the best/only way to make FD-ISR exempt from SRP?
I am sure if there is another or better way then you, if anyone, will know.
I also use Roboform and store all Roboform data on my "D drive", so I would assume step 5 would also be necessary in this instance as well.
My reason for storing Roboform data on the D drive is so that I can use and update Roboform from all of my FD-ISR snapshots.
Hawkwind, Member. Posts: 29. Join date: 2010-04-24


Post by ssj100 30/6/2010, 01:51

Hi Hawkwind, thanks for your post. Just a few pointers:

1. I pretty much know as much as you (or the average person who's interested in SRP/AppLocker) on this matter haha. The fact is, it is not hard to set up and I am not a computer expert by any stretch of the imagination.

2. If you're using AppLocker, there's no need to use SRP. In fact, I don't think you can use both SRP and AppLocker - from what I understand, if you enable AppLocker, it takes over SRP automatically.

3. I am unaware of any "better" way of doing step 5. I would highly recommend you use AppLocker and experiment with its rules. It sounds like you are well on to it as you mention you are "using MrBrians configuration". That configuration, in my opinion, works very well. You simply need to add more rules to AppLocker if there are any folders/areas of your computer you want to allow execution.

4. For every area of your computer that you allow execution, ensure those folders do NOT have write access for a Standard User (hopefully you understand why conceptually...if not, please ask for clarification). I don't know how often you use FD-ISR or how often FD-ISR writes to C:\$ISR (it shouldn't be very often, or not often at all, if it is programmed well). Worst comes to worst, you only need to enter the admin password to allow any action anyway.

5. I am not familiar with "Roboform data" at all. However, step 5 (or adding more rules to AppLocker) should not be necessary unless this "data" requires to be executed using executables not in the AppLocker's white-list (ie. not in C:\Program Files etc). It sounds like you are running the Roboform program (and therefore the executable) itself from your "D drive", and so it sounds like you will need to add the appropriate rules to your AppLocker - I would suggest using a "white-listing" approach with Publisher rules rather than Path rules (again, please ask for clarification if uncertain about this concept).

Hope that helps a bit. AppLocker certainly makes things much easier to configure rules more tightly and with more precision (compared to SRP). I'm sure wat0114 etc will chip in to help more if he/they see your post. Cheers mate.


Post by Hawkwind 30/6/2010, 02:20

Thanks ssj100 :)
I will boot into the snapshot and disable SRP tomorrow, getting a bit late here now for me.

Yes, FD-ISR only ever needs to be used if copying/updating snapshots/archives or booting to another snapshot via the GUI.

The Roboform Data folder only contains passcard data etc.; Roboform is installed in C:\Program Files.
I like to keep all data, music, pictures etc. on a separate partition from my C drive; I don't know if this will cause any problems with this set up or leave any security holes.

There is still a lot I need to understand, but the more I read about your ideas and set up alongside Sandboxie, the more I like it.


Post by ssj100 30/6/2010, 02:28

Hawkwind wrote: I like to keep all data, music, pictures etc. on a separate partition from my C drive; I don't know if this will cause any problems with this set up or leave any security holes.

If you set up the rules well, there should not be any security holes at all. Remember, the idea with SUA + AppLocker (or LUA + SRP on Windows XP) is that where you can execute, you can't write, and where you can write, you can't execute.

So it doesn't matter where you place your data (eg. on separate partitions, on your desktop, in "My Documents" etc etc) - as long as your setup obeys the above rules, you have incredibly powerful protection.

And yes, I find Sandboxie (particularly when configured well) is the ideal application to complement LUA/SUA + SRP/AppLocker.


Post by Ruhe 30/6/2010, 02:41

ssj100 wrote:Remember, the idea with SUA + AppLocker (or LUA + SRP on Windows XP) is that where you can execute, you can't write, and where you can write, you can't execute.
A very short but meaningful summary!
Ruhe, Valued Member. Posts: 261. Join date: 2010-04-16. Location: Germany


Post by Hawkwind 1/7/2010, 01:32

I think I have been reading too many different configurations and ended up only confusing myself.

So for now what I have done is set default rules for executable, Windows Installer, script and DLL rules, then added MrBrian's exceptions where he states to put them.
I take it that with this set up I don't have to generate any other rules or whitelists when installing new programs, as the rule is now in place, assuming of course that programs are installed in the Program Files folder.

I don't know if I am way off the mark here or not.


Post by ssj100 1/7/2010, 03:19

Hawkwind wrote: So for now what I have done is set default rules for executable, Windows Installer, script and DLL rules, then added MrBrian's exceptions where he states to put them.
I take it that with this set up I don't have to generate any other rules or whitelists when installing new programs, as the rule is now in place, assuming of course that programs are installed in the Program Files folder.

That's exactly right. The default rules white-list according to Path. So anything in C:\Program Files and C:\Windows can execute (except for those folders in MrBrian's list).


Post by MrBrian 1/7/2010, 12:57

ssj100 wrote: Good spotting MrBrian haha. However, I suspect he has mis-understood how Windows' own protective mechanism works.

Certainly even in Windows XP, limited users (LUA) are seemingly allowed to write to certain folders in C:\Windows. However, even with the default SRP rules (which allow execution in C:\Windows and C:\Program Files), you are unable to execute anything from those folders! You can test it yourself. I wonder if MrBrian knows about this.

Hi folks :).

I don't have time to read this whole thread now, and so I'll reply further tomorrow, but I would like to add that I indeed was able to write and execute in either a newly created file or overwriting an existing file in each of the folders that I listed from a standard account on Windows 7 x64 - I didn't merely list those folders because of the tools that I used to discover them. In some cases, getting execution requires changing permissions, which in some cases requires taking ownership. Anyway, I'll have more to write tomorrow :).

MrBrian, Member. Posts: 14. Join date: 2010-07-01
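The point ssj100 and MrBrian are circling is "where you can execute, you can't write, and where you can write, you can't execute": the default path rules allow execution under C:\Windows and C:\Program Files, so any folder under those roots that a standard user can write to (or can make writable by changing its ACL or taking ownership, as MrBrian describes) needs an exception or deny rule. The script below is an added example written for this page, not code posted by anyone in the thread, and it does not reproduce MrBrian's folder list; it finds such folders on the machine it runs on by reading each directory's DACL. The allow roots, the set of well-known SIDs treated as "standard user" and the output format are assumptions; it is written to run on PowerShell 2.0 (Windows 7) from an elevated prompt so that every DACL can be read.

```powershell
# Editor's added example, not code posted in this thread.
# Lists folders under the SRP/AppLocker "allow" roots that a standard user can write to, or can
# make writable by changing the ACL / taking ownership. Every hit breaks the rule
# "where you can execute, you can't write" and is a candidate for an exception/deny rule.
# Assumptions: allow roots as below, well-known SIDs for the standard-user principals.
# Run elevated. PowerShell 2.0 compatible.

$allowRoots = @('C:\Windows', 'C:\Program Files')
if (Test-Path 'C:\Program Files (x86)') { $allowRoots += 'C:\Program Files (x86)' }

# Principals every interactively logged-on standard user belongs to.
$standardUserSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # NT AUTHORITY\Authenticated Users
    'S-1-5-4',       # NT AUTHORITY\INTERACTIVE
    'S-1-5-32-545'   # BUILTIN\Users
)

# Rights that let a user create or modify a file in the folder ...
$writeRights    = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, CreateDirectories, Write, Modify, FullControl'
# ... and rights that let a user grant themselves those rights first.
$escalateRights = [System.Security.AccessControl.FileSystemRights]'ChangePermissions, TakeOwnership'
$inheritOnly    = [System.Security.AccessControl.PropagationFlags]::InheritOnly

function Get-AceSid($ace) {
    # Compare SIDs rather than account names so the check also works on non-English Windows.
    try   { $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { $ace.IdentityReference.Value }   # orphaned SID: use it as-is
}

function ConvertTo-AppLockerPath([string]$Path) {
    # AppLocker path rules and exceptions use these variables instead of drive-letter paths;
    # %PROGRAMFILES% covers both Program Files folders on x64.
    $p = $Path -replace '^C:\\Windows', '%WINDIR%'
    $p = $p    -replace '^C:\\Program Files( \(x86\))?', '%PROGRAMFILES%'
    return "$p\*"
}

function Find-WritableAllowedFolders([string[]]$Roots) {
    foreach ($root in $Roots) {
        $dirs = @(Get-Item -LiteralPath $root) +
                @(Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
                  Where-Object { $_.PSIsContainer -and (($_.Attributes -band [IO.FileAttributes]::ReparsePoint) -eq 0) })
        foreach ($dir in $dirs) {
            $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { continue }
            foreach ($ace in $acl.Access) {
                # Inherit-only ACEs (typically CREATOR OWNER) grant nothing on this folder itself.
                if ($ace.AccessControlType -ne 'Allow')                      { continue }
                if (($ace.PropagationFlags -band $inheritOnly) -ne 0)        { continue }
                if ($standardUserSids -notcontains (Get-AceSid $ace))        { continue }
                $canWrite    = (($ace.FileSystemRights -band $writeRights)    -ne 0)
                $canEscalate = (($ace.FileSystemRights -band $escalateRights) -ne 0)
                if (-not ($canWrite -or $canEscalate)) { continue }
                $why = if ($canWrite) { 'writable' } else { 'can take ownership / change ACL' }
                New-Object PSObject -Property @{
                    Path      = $dir.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Why       = $why
                    Exception = ConvertTo-AppLockerPath $dir.FullName
                }
            }
        }
    }
}

Find-WritableAllowedFolders $allowRoots |
    Sort-Object Path, Principal |
    Format-Table Path, Principal, Why, Exception -AutoSize
```

Walking all of C:\Windows takes a few minutes. The Exception column is the string to paste into an AppLocker path exception (or an SRP Disallowed path rule) for each hit. A folder listed as writable is only a candidate: whether a file placed there actually runs still has to be confirmed against the policy from a standard account, and the "can take ownership / change ACL" rows are the ones MrBrian says needed an extra step before execution was possible.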


Post by ssj100 1/7/2010, 13:01

MrBrian wrote:
ssj100 wrote: Good spotting MrBrian haha. However, I suspect he has mis-understood how Windows' own protective mechanism works.

Certainly even in Windows XP, limited users (LUA) are seemingly allowed to write to certain folders in C:\Windows. However, even with the default SRP rules (which allow execution in C:\Windows and C:\Program Files), you are unable to execute anything from those folders! You can test it yourself. I wonder if MrBrian knows about this.

Hi folks :).

I don't have time to read this whole thread now, and so I'll reply further tomorrow, but I would like to add that I indeed was able to write and execute in either a newly created file or overwriting an existing file in each of the folders that I listed from a standard account on Windows 7 x64 - I didn't merely list those folders because of the tools that I used to discover them. In some cases, getting execution requires changing permissions, which in some cases requires taking ownership. Anyway, I'll have more to write tomorrow :).

Welcome to the forums MrBrian! And yes, if you read through this entire thread (it can be confusing sorry) I actually (eventually) agreed with you haha.


Post by Hawkwind 1/7/2010, 15:15

It certainly confused me lol.

ssj100 wrote: That's exactly right. The default rules white-list according to Path. So anything in C:\Program Files and C:\Windows can execute (except for those folders in MrBrian's list).

Thanks for confirming mate :)

One more question.
As I said, I like to keep my data separate from my C drive.
When using MediaMonkey, my music is stored in my D:\Music folder; do I need to create any more rules or exceptions in AppLocker, or do my current rules and exceptions cover any potential risks?

Thanks again.

And welcome MrBrian :)


Post by ssj100 1/7/2010, 15:26

It should be fine. Your music should just be data files, not primary executables. The actual executable (the media player) associated with the music data files will most likely be stored in C:\Program Files (eg. winamp.exe) and this will be allowed to run by your default AppLocker rules.

Don't worry about getting confused. Once you understand how it works, you won't look back!


Post by Ruhe 1/7/2010, 15:37

AppLocker: If you have portable apps (outside of C:\Program Files and C:\Windows) you have to add rules of course - but, as the folder of the portable apps (C:\Portable in my case) is not protected by the operating system every application can write and run in the portable folder. Therefore hash rules (instead of path) should be used in such cases.


Post by Hawkwind 1/7/2010, 15:47

Thanks again mate.

ssj100 wrote: It should be fine. Your music should just be data files, not primary executables. The actual executable (the media player) associated with the music data files will most likely be stored in C:\Program Files (eg. winamp.exe) and this will be allowed to run by your default AppLocker rules.

I suppose the same applies then to where I store my executable files in my D:\Programs folder.
Anyway, with running a standard user account I cannot run any executable file from there without admin privileges as it is.

Ruhe wrote: AppLocker: If you have portable apps (outside of C:\Program Files and C:\Windows) you have to add rules of course - but, as the folder of the portable apps (C:\Portable in my case) is not protected by the operating system every application can write and run in the portable folder. Therefore hash rules (instead of path) should be used in such cases.

Thanks Ruhe, I don't have any portable apps, but what if someone plugs in a USB stick that is running either portable apps or maybe has a virus? What rules do I need to put in place to protect from a USB device?
I have Windows 7, so autorun is disabled.


Post by Ruhe 1/7/2010, 15:50

Try to run a SFX archive or whatever outside of an AppLocker protected folder. Sure, it can't run. What to do? Right click and "Run as administrator" ... now the app can do everything and everywhere.
Where is my logical error?


Post by ssj100 1/7/2010, 15:56

Hawkwind wrote: ...I don't have any portable apps, but what if someone plugs in a USB stick that is running either portable apps or maybe has a virus? What rules do I need to put in place to protect from a USB device?
I have Windows 7, so autorun is disabled.

This is the beauty of SRP/AppLocker - it works by white-listing, so only specific paths/files/hash/etc etc are allowed to run. The contents in the USB device will not be in the SRP/AppLocker white-list. Therefore, no execution can take place from there unless you know the Admin password. And if it can't execute, it can't infect.
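Three posts above describe one configuration from different angles: wat0114's Auto-generate run in Publisher->Hash order so that only executables present at scan time are allowed, Ruhe's point that a user-writable folder such as C:\Portable must be covered by hash rules rather than a path rule, and ssj100's answer that a USB stick is blocked simply because nothing on it is in the white-list. The following is an added example written for this page, not code from the thread, and it uses the AppLocker PowerShell cmdlets that shipped with Windows 7 (Get-AppLockerFileInformation, New-AppLockerPolicy, Test-AppLockerPolicy, Set-AppLockerPolicy). It assumes an elevated prompt on an edition with AppLocker, the Application Identity service running, and that the folder C:\Portable and the probe files listed for the dry run exist; all of those paths are illustrative.

```powershell
# Editor's added example, not code posted in this thread.
# Builds AppLocker executable rules from what is on disk right now (Publisher for signed files,
# Hash for unsigned ones, deliberately no Path rules), dry-runs the result, and only then
# offers to enforce it. Assumptions: Windows 7 Ultimate/Enterprise or later, AppLocker module
# available, Application Identity service running, elevated prompt. C:\Portable and the probe
# paths are illustrative and must exist for Test-AppLockerPolicy to evaluate them.
Import-Module AppLocker

$scanDirs = @('C:\Windows', 'C:\Program Files', 'C:\Portable')
$xmlPath  = Join-Path $env:TEMP 'applocker-scan.xml'

# 1. Collect publisher and hash information for every .exe that exists at scan time.
$fileInfo = foreach ($dir in $scanDirs) {
    if (Test-Path $dir) {
        Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe -ErrorAction SilentlyContinue
    }
}

# 2. Publisher first, Hash for anything unsigned. Leaving Path out is the point: a file in a
#    user-writable folder such as C:\Portable is allowed only while its bytes hash to what was
#    scanned, so a modified copy or a new file dropped beside it matches no rule at all.
$fileInfo |
    New-AppLockerPolicy -RuleType Publisher, Hash -RuleNamePrefix Scan -User Everyone `
                        -Optimize -IgnoreMissingFileInformation -Xml |
    Out-File -FilePath $xmlPath -Encoding UTF8

# 3. Dry run against the kinds of files the thread worries about. "NotAllowed" with no matching
#    rule is the expected result for anything written after the scan, including a USB stick:
#    it was simply never white-listed.
$probes = @(
    'C:\Program Files\Internet Explorer\iexplore.exe',  # signed, present at scan time -> Publisher rule
    'C:\Portable\tool.exe',                             # unsigned, present at scan time -> Hash rule
    'C:\Windows\Temp\dropped.exe',                      # created after the scan -> no rule
    'E:\setup.exe'                                      # removable media -> no rule
) | Where-Object { Test-Path $_ }

if ($probes) {
    Test-AppLockerPolicy -XmlPolicy $xmlPath -Path $probes -User Everyone |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
}

# 4. Enforce only once the dry run looks right. -Merge adds these rules to the existing policy
#    instead of replacing it. Re-run steps 1-4 after installing or updating software that only
#    has a hash rule, as wat0114 notes; signed files updated in place keep matching their
#    Publisher rule because publisher rules match by publisher/product/file name and version.
$Enforce = $false
if ($Enforce) { Set-AppLockerPolicy -XmlPolicy $xmlPath -Merge }
```

The scan of C:\Windows is the slow part; the XML file it produces is worth keeping, since it is the reviewable record of exactly which binaries were trusted and Test-AppLockerPolicy can be pointed at it again whenever a new file turns up in a writable location.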


Post by ssj100 1/7/2010, 15:58

Ruhe wrote:Try to run a SFX archive or whatever outside of an AppLocker protected folder. Sure, it can't run. What to do? Right click and "Run as administrator" ... now the app can do everything and everywhere.
Where is my logical error?

As I said, the security approach is arguably the most important of all. Intelligent handling of newly introduced files is very important - eg. only run files on your REAL system from trusted sources etc. Other files should be opened via eg. a sandboxed explorer.exe or in a full blown VM.


Post by Ruhe 1/7/2010, 16:26

AppLocker is to blacklist apps in a company environment. Or you can use it on your parents' system, but for advanced users that install and want to use software it's just time-wasting overhead. This is never-ending tedious fiddling and will lead to more problems than it solves. SUA, OK, but SRP/AppLocker just blocks my method of working.


Post by ssj100 1/7/2010, 16:40

Ruhe wrote: AppLocker is to blacklist apps in a company environment. Or you can use it on your parents' system, but for advanced users that install and want to use software it's just time-wasting overhead. This is never-ending tedious fiddling and will lead to more problems than it solves. SUA, OK, but SRP/AppLocker just blocks my method of working.

It actually white-lists. An important difference, and why it's a malware writer's worst nightmare.

Advanced users? Well, I consider myself an above average user and I do my testing in a VM in a limited user account with SRP enabled. No problems here at all. Also, I probably wouldn't call people who like to test applications "advanced users". In my opinion, they're either really bored, really curious, or they get paid to test apps haha. I've been there, done that (really bored and/or curious that is). Wasted hours doing it. Still willing to waste more hours though! But generally, I test things in a VM for fun only (and I don't do it very often nowadays). I've already got my security setup done and dusted.

Also the thing is that you generally can't install anything in a limited/standard user account anyway - you need to have admin rights to do so, and therefore SRP/AppLocker shouldn't make a difference at all - if you have admin rights, you completely bypass SRP/AppLocker. So I don't quite understand why it blocks your method of working?

But let's not kid ourselves. We could run as admins with absolutely no security software (and maybe just NoScript) and we'd never get infected by malware. That's the whole problem. Those that have an excellent security setup don't need it, and many that don't, do need it.


Post by Hawkwind 1/7/2010, 17:15

Thanks for the replies. I am assuming that MrBrian's rules/exceptions should all be applied as "path", as the path rule allows everyone to execute the program in the directories allowed.


Post by ssj100 1/7/2010, 18:07

Hawkwind wrote: Thanks for the replies. I am assuming that MrBrian's rules/exceptions should all be applied as "path", as the path rule allows everyone to execute the program in the directories allowed.

Yes that's right.
