Should I restrict execution permission in c:\windows\temp?

Hi all

In this thread https://www.wilderssecurity.com/showthread.php?t=262492 ronjor provides a link to a Microsoft Malware Protection Centre article which among other things lists the 7 most common locations for rootkits to be hidden on a disk.

I have recently begun running a Limited User Account and using a Software Restriction Policy (provided by PGS - thanks again Sully! ) to increase my security. This combination in its standard form prevents either write access or execution permission from all of the most common rootkit locations except one - c:\windows\temp.

My LUA allows write access to this location and my SRP allows execution from there. This would appear to be a hole in the protection provided by my LUA and SRP setup. Should I therefore be restricting execution permission for this folder for Limited Users, or does Windows XP require execution permission from this location in order to function properly?

Any advice from the LUA/SRP gurus would be apprecated.

Thanks

 

In short, it's a good idea to create a SRP disallow rule for Windows\Temp and any other folders where limited users have too much access for comfort. If one doesn't do that, it'll leave easy ways to walk right around the Software Restriction Policy. Windows doesn't need limited users to be able to execute files from temp folders to function just fine. What will break is any program that expects to be able to dump executables in temporary folders as a limited user and just execute them from there, which would be blocked by SRP.

 

Thanks Windchild, I suspected this was the case, but it is always nice to have a 2nd opinion.

However, I have been doing some more testing and it appears that an extra path rule denying execution from c:\windows\temp may not be neccessary after all. As a limited user Windows denies me access to this folder, even though I can write/copy files into it, and if I try to execute a file from there in a command prompt, it fails with the following message:

""filename.exe" not recognized as an internal or external command, operable program or batch file"

It seems the LUA itself maybe providing protection from nasties lurking in c:\windows\temp.

 

It seems like I do need a deny path rule for c:\windows\temp after all. I can still execute files from a command prompt in that folder, provided I am in another folder and specify the full path to the executable.