[gptalk] Re: Opinion on my Software Restriction Policy

  • From: "Pankaj Bhakta" <bhakta@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Fri, 13 Jun 2008 22:26:45 +1200

Hi Darren,

Thanks for your reply.

 

I did not remove or change any of those 4 default Registry Path Rules but
your comment (quoted in bold) the earlier day gave me the idea of
disallowing all exe files.

Darren's Quote-

By using a Software Restriction Policy whitelist, you are saying to Windows
"don't allow execution of any code that is not explicitly allowed". This
means that no matter how you install something that is not in the allow
list, it will not run.

Unquote

 

a) Thus I added a path rule 

*exe - Disallowed 

 

This stopped all applications from running even if I invoked it through
Windows Explorer.

 

b) Then I created my Whitelist and I added the following path rules to test:

 

%ProgramFiles%\Microsoft Office\Office11\*.exe - Unrestricted

%ProgramFiles%\Adobe\Reader 8.0\Reader\*.exe - Unrestricted

 

Only the above programs started to run from Windows Explorer.

 

c) Added the following path rules to allow desktop shortcuts and Start Menu
Programs 

 

%allusersprofile%\desktop\*.lnk

%userprofile%\desktop\*.lnk

%userprofile%\Start Menu\Programs
%allusersprofile%\Start Menu\Programs

 

d) Implemented the following as per your suggestion:

 

Darren's Quote-

--Removing the ability for MSI packages to install outside of managed apps
(i.e. those deployed via GP) by enabling the policy at Computer
Configuration\Admin. Templates\Windows Components\Windows Installer\Disable
Windows Installer

Unquote- 

 

There are still lots to do but hope I am going in the right direction.

 

Kindly give your valued opinion. .

 

Thanks,

 

Pankaj

 

 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Darren Mar-Elia
Sent: Friday, June 13, 2008 1:38 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Opinion on my Software Restriction Policy

 

Pankaj-

I think what you are seeing are the effect of the 4 default Registry Path
Rules, which do allow apps from a number of locations to continue to run
even though the default level is Disallow. If you were to remove one or more
of these registry path rules, you would begin to see all applications stop
being able to execute, which may or may not be desirable, depending upon the
application. I would experiment with it in your own environment.


Darren

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Pankaj Bhakta
Sent: Thursday, June 12, 2008 4:40 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Opinion on my Software Restriction Policy

 

Hi Darren,

Many thanks for your opinion and suggestion.

 

I have been reading number of blogs and finally you have suggested that the
best approach is Disallow all and then create a Whitelist for the
applications that I wish to allow.

 

With this approach I have setup a new GPO (shown below) to first of all
prevent all application from running:  

-----------------------------------------------------

Default Security Level - Disallowed

Enforcement Properties 

- All software files except libraries (such as DLLs)

- All users except Local Administrators

 

Designate File Types

-Default ie whatever present as default

 

Path rules

The 4 default rules kept intact.

----------------------------------------------------------------------------
------------

 

Various blogs on the net say that when you select Default Security Level -
Disallowed, it stops everything from running.

 

However my observation is that it definitely prevents everything from
running when your try to run applications from desktop shortcut or Start
Menu\Programs. But if we browse with Windows Explorer and invoke any
application such as Acrobat Reader, MS Word etc from the Programs folder,
then it runs without any prob. 

 

Is this the way SRP has been designed or am I missing something ie some
other configuration needs to be done to completely disallow everything.  

 

Once I can establish the above, I will start creating my Whitelist. 

 

Cheers, 

 

Pankaj

 

 

 

 

  _____  

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Darren Mar-Elia
Sent: Thursday, June 12, 2008 1:08 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Opinion on my Software Restriction Policy

 

By using a Software Restriction Policy whitelist, you are saying to Windows
"don't allow execution of any code that is not explicitly allowed". This
means that no matter how you install something that is not in the allow
list, it will not run.

 

Darren

 

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of hans straat
Sent: Wednesday, June 11, 2008 6:03 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Opinion on my Software Restriction Policy

 

not to trow in any windows but how do you want to block portable
applications that don't need installation like firefox portable etc 

  _____  

From: darren@xxxxxxxxxx
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Opinion on my Software Restriction Policy
Date: Wed, 11 Jun 2008 05:58:15 -0700

Pankaj-

Its nearly impossible to prevent any kind of software installation, simply
because software can be installed anywhere on the file system and its
impossible to prevent writes to every location on the local file system.
However, there are a series of things you can do to make it very difficult
for users to either install or execute unwanted code. Part of that is using
Software Restriction Policy-based whitelists (i.e. disallow all code as the
default rule and then allow only the apps below). Part of it is using other
measures including:

 

--Making sure users are not members of the local Administrators or Power
Users groups

--Removing the ability for MSI packages to install outside of managed apps
(i.e. those deployed via GP) by enabling the policy at Computer
Configuration\Admin. Templates\Windows Components\Windows Installer\Disable
Windows Installer

 

Again, I think it's a combination of several steps that you will need to
perform to ensure that only the code you want is executed.

 

Sincerely,

Darren

 

 

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Pankaj Bhakta
Sent: Tuesday, June 10, 2008 10:47 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Opinion on my Software Restriction Policy

 

Hi,

We are having a Win 2003 AD based Domain and users running Win XP SP2.

 

The following applications are installed by our IT department on every
workstation

*       MS Office 2003 Pro
*       IE and Firefox
*       Win Zip
*       Adobe Reader
*       Sonic Record Now Plus - for burning CD/DVDs
*       Cyberlink PowerDVD

I want to setup a Software Restriction Policy to achieve the following:

 

a) Do not permit Users to install any software
b) All the above mentioned applications to run smoothly

 

 

On a test domain I have setup a SRP as following ( User Configuration ):

 

Default Security Level - Disallowed

Enforcement Properties 

- All software files except libraries (such as DLLs)

- All users except Local Administrators

Designate File Types

-Removed the .LNK from the Designated File Types

 

Path rules

The 4 default rules kept intact.

 

Added the following

 

%userprofile%\Start Menu\Programs
%allusersprofile%\Start Menu\Programs
%temp%
%windir%
\\myserver\netlogon\*.bat - running login scripts
\\myserver\netlogon\*.vbs - running login scripts


Although I removed the .LNK from the Designated File Types but the shortcuts
on the desktop did not seem to work so added the following path rule.

 

%allusersprofile%\desktop\*.lnk

%userprofile%\desktop\*.lnk

Everything seems to be working as I wanted. All my applications that are
already installed are working fine. The applications that have desktop
shortcuts are working fine.

Also tested and found that the users cannot install any application. 

 

To me things seems to work alright but I would still request your valued
opinion & suggestion before I apply the policy on production domain. 

 


Cheers,

Pankajb

Other related posts: