The irrelevance of Applocker / relevance of SAFE admin tweaks

Discussion in 'other security issues & news' started by Kees1958, Aug 3, 2010.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Sully

    http://mrwoojoo.com/safe_admin/ACL_1.jpg

    Text
    Please check your example. It is either
    C:\Windows = parent
    C:\Windows\System32 = Child
    C:\Windows\System32\Drives = Grand Child

    Or
    C:\Windows = parent
    C:\Windows\regedit.exe = Child
    C:\Windows\System32 = grand child
    etc

    please check

    Could you also explain the difference between user and home user. Also the difference between a real user and a user group may be difficult to understand for some (like the rights accompanying a role).

    Navigation:
    Make the target file or folder something you can navigate to (Browse button)

    Regards Kees
     
  2. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    It depends on what object you try to set inheritance for. You can't set inheritance really on a file, only a directory.
    Then c:\windows\regedit.exe and c:\windows\system32 are both children of the object that can give inheritance, which is c:\windows.

    I will find the generic rights of user, home user and admins as an example of what each start with, as well as why and how you would use a deny ACE. The example of stopping execution in the download directory is a fine one, and applies well to the method. I might suggest another reason to use it, but will probably leave it up to the user to figure out if they need to do something like that. Since this would be an advanced feature, I must assume at some point that the user has an idea of why they want to use an advanced feature. I will just make it easy to use for when they want to use it.

    I am cooking something up to make the whole process easier to use. I might use a browse button, not sure yet how it will develop.

    Sul.
     
  3. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Here is what the latest thought is. With a click on the help icon a brief explanation could be made similar to the one on the top of this:
    http://mrwoojoo.com/safe_admin/ACL_1.jpg

    but perhaps a layout like this:
    http://mrwoojoo.com/safe_admin/ACL_2.jpg

    might be better.

    Rough process would be (after you understand what you are doing and why)
    1. choose the user(s) this applies to
    2. choose the permissions to allow/deny
    3. drag and drop files or folders onto the correct area (allow or deny) and onto the correct icon for the type of inheritance you require

    After the drag/drop, I was thinking maybe it would be best to show what rights currently exist, along with an option to cancel. One could also either have an option on the UI that it is to be a "remove" request, or the "remove" could be an option after showing the current rights on what was dropped.

    Not as compact as I thought it would be. Just a line of thought I had brewing.

    What are opinions of this style layout?

    Sul.
     
  4. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543

    Keep the layout in screenshot number 1, IMHO Sully. It provides a detailed explanation of the settings and the settings themselves are very clean and understandable. In your second screenshot, I quickly ended up having to look twice at the icons to see exactly which one was which. My eyes may be weird, but everything there sort of "blended together". It didn't look very professional or as clean either. Again, just an opinion from a future user.
     
  5. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    That's why I posted, to get a feel for what is deemed "complicated and confusing" vs. "simplistic and easy".

    Sul.
     
  6. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yep DW is right. Also drag and drop requires another interface to undo things, while the text based version (with a navigate or browse button) allows reversing things.
     
  7. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    RE http://mrwoojoo.com/safe_admin/drive-by-1.jpg

    Too many options complicate stuff, I would opt for

    ----

    Since XP Service Pack 2, Microsoft has provided drive-by protection. This is enabled by default. When you try to run an executable downloaded by Internet Explorer or Mail (Outlook, Outlook Express, Winmail) you will get a warning looking like

    PICTURE OF WARNING

    Safe-Admins allows you to control this protection mechanism by

    a) Using the default option, which warns you (default value which is good enough when you have applied all other safe-admin settings)
    b) Using enhanced protection (depending on your browser, provides extra protection)

    Explanation on the enhanced protection depending on your browser

    See picture

    Possible usage of this enhanced protection:
    Internet Explorer and Firefox
    When you are doing risky browsing, you can temporarily set this option on for added protection against drive-by downloads.

    Chrome/Iron
    You can set this on, for added protection (switch on and forget). When you encounter a prompt which says you are not allowed to execute this file (see image below), simply right click the file and choose [Reset Deny Execute]. This switches the value back to the default (before execution you will get the default Windows warning).

    [Opera]
    Since Opera does not facilitate this protection, it is useless. When you want to use this option switch to another browser.

    ----

    So IMO you would set it back to default instead of removing it. Also the option always allow (without pop-up) and the always deny (without pop-up) should not be shown when in basic admin mode (only available to advanced users).

    Regards Kees
     
  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    sorry picture
     

    Attached Files:

  9. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Sul,

    I have second thoughts on the user interface,

    http://mrwoo1joo.com/safe_admin/grab_000.jpg = OKAY GENERAL PROTECTION

    http://mrwoojoo.com/safe_admin/grab_002.jpg = OKAY ENHANCED MAIL PROTECTION

    http://mrwoojoo.com/safe_admin/grab_001.jpg = OKAY ENHANCED BROWSER PROTECTION

    ** Explain the deny execution within download directory, give an example of the pop-up and tell people to move it out of the download directory

    New tab called [CHROME/IRON BONUS OPTION] with text
    When you are using Chrome or Iron as your ONLY browser, Chrome/Iron offers a more flexible way to prevent drive-by infection (even outside the download directory).

    Instead of this default warning (Show the default warning), you can get the warning of the Enhanced Browser Protection, even when you move it out of the Download Directory or malware copies itself outside it without you knowing it. (show warning). You can reset this DENY-EXECUTE by using SAFE-Admin's right click context menu (select option RESET EXECUTE BLOCK).

    Do you want to use this CHROME/IRON bonus option instead of the ENHANCED BROWSER PROTECTION of the previous tab?
    [ YES ] [ NO ] = two button choice

    Regards Kees
     
  10. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Mk. I will work on refining the UI.

    Are there any thoughts on whether a deny modify ACE should be imposed on the download directory? The ADS (Alternate Data Stream) that is used to indicate a file has been downloaded from the internet is easy to modify (I think anyway). How paranoid should this be? If we deny execute, that is fine. If we use Chrome to download, the ADS is there, but any process that has rights to modify files in that directory can easily change it to allow it. The download directory is normally in the %userprofile% so modify rights would likely exist. This makes the enhanced security of Chrome obsolete if the ADS on the file can be modified by any user created process. I will have to check and see if a Low IL process could modify this.

    It doesn't have to be denied modify, just a thought that came to mind.

    Is having the advanced tabs too much for this tool? They do not have to be there. I figured they would be nice to go beyond what is pre-defined by the concept if the user wanted to.

    Also, what about the IL of the download directory? If SAFE puts browsers at Low IL, and the NW flag is set, the downloads directory will have an implicit (OS assigned) IL of Medium. Shouldn't that directory also have a Low IL for any browser forced to Low to create/write to? I should think so anyway.

    Sul.
     
  11. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    The longer I think about it, the more I think the 1806 option should be in the advanced part (with four options and a description after the options). The legend is browser specific.

    My suggestion
    a) Set a deny execute on the download directory
    b) IE and Chrome run with low rights, add the option to run Firefox with low rights. If the option run FF in protected mode is chosen, set the download directory to low rights, plus others described earlier. Within IE and Chrome, parts run with Medium rights and tabs run with low rights. Having the download directory with Medium rights (for IE and Chrome) is part of the protection scheme.

    With Chrome you can set Chrome to lock the place where stuff can be downloaded. In IE when you choose download (from Vista and up) it downloads into my Download directory. So a deny execute on this is in itself enough protection.

    When Firefox and IE8 are EMET-ted and FF runs in protected mode, the three main browsers will be a tough cookie to circumvent (trapped in low rights and a deny execute). For the majority this in itself is a big security improvement.

    So make the basic version real simple, grey out the advanced tabs, only when somebody chooses to go advanced make them available.

    Regards Kees
     
  12. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    So basic mode contains

    http://mrwoo1joo.com/safe_admin/grab_000.jpg = OKAY GENERAL PROTECTION

    http://mrwoojoo.com/safe_admin/grab_002.jpg = OKAY ENHANCED MAIL PROTECTION (Sets Integrity level to medium = no elevation request ever, EMET's programs specified and sets a deny execute on mail directory)

    http://mrwoojoo.com/safe_admin/grab_001.jpg = OKAY ENHANCED BROWSER PROTECTION

    Sets process Medium integrity level (except when FF is selected for protected mode, then Low rights), EMET's browsers (except Chrome/Chromium/Iron), sets a deny execute on download directory specified.
    When FF is chosen, download and a few others have to be set to LOW rights also.

    Plus a tab to enable ADVANCED MODE

    Advanced mode contains
    EMET any program http://mrwoojoo.com/safe_admin/grab_004.jpg

    Set ACL restrictions to any container (directory) http://mrwoojoo.com/safe_admin/ACL_1.jpg (with browse / navigate to)

    Set IL of any process http://mrwoojoo.com/safe_admin/IL_1.jpg

    Set 1806 trick http://mrwoojoo.com/safe_admin/drive-by-1.jpg (with remove option extra)

    Add context menu items http://mrwoojoo.com/safe_admin/grab_005.jpg

    Regards Kees
     
    Last edited: Sep 1, 2010
  13. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
  14. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
  15. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Agree with DW,

    One request: could tabs 1-4 be grouped as basic mode and tabs 5-8 as advanced mode

    One layout remark in the advanced tab

    Place the individual SAFE admin settings upper left
    Place the internet zone radio button choice upper right

    Place the EMET any program lower left
    Place the ADD/REMOVE blocked internet zone lower right

    Add a PANIC button, undo all changes (of tabs one to 3).

    Great work
     
  16. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I have been contemplating how to make it very simplistic and technical, but segregated. I have planned on some form of 'hiding' the advanced tabs. How it plays out, I am uncertain.

    I have also been contemplating what to do with a config file, if any. If you don't place a config somewhere, then the UI always starts center screen and always the same size. An .ini or reg values could allow you to keep the settings, like window placement and size. As well, if you chose to use Advanced Mode you could toggle it so that every time you start it, the advanced tabs will be visible. Not sure yet what to do. I think I am undecided whether .ini or registry if it develops.

    I am also thinking that I might as well output each segment of SAFE to the appropriate script. In other words, if you enable download protection, a .reg or .bat or whatever should be made, as a record of sorts of what was performed. Or something, perhaps a sort of logfile to remove? Removing the reg values etc is easy to do. But without a record of some kind for the locations to the directories, it cannot undo programmatically.

    The advanced tab is going to change, I am just unsure how at this point. There are various other 'little' things to address and I am not sure where they will go yet. I will wait to change layout until I have decided what else needs to exist, then we can tweak what goes where.

    I had thought, as you might see, to just get the baseline of SAFE working. I don't want to progress too far with it since it is only half of the project, but a working sample is probably the best bet for the UI to get refined properly. I am thinking of doing this very modular so that I can add the other tabs one at a time rather than having them be so reliant on base code.

    Probably won't be working on this for 3-4 days, have some other business to attend to.

    Sul.
     
  17. wat0114

    wat0114 Guest

  18. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
  19. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I am messing with EMET v2 command line. Not much difference from v1 really.

    Here is a question as I refine the logic behind the UI.

    Assume you have a downloads directory. Assume your browser runs at an Integrity Level of LOW.

    What really needs to happen to the downloads directory? If you apply an Integrity Level of Low to the downloads directory, using the inheritance value of ID, all objects, in all containers, inherit the Low IL.

    Now consider the two likely events that will happen.

    First, your browser (running at Low IL) might do a 'drive by download' and attempt to execute what it downloaded. In this case, any process that is created gets the Low IL, effectively denying modifying anything except the few areas open to a Low IL.

    Further, if a process were created, the OS defines few areas where there is a No Execute Up parameter, meaning the process created could read and execute almost anywhere. Except, because the OS defines that most everything has a Mandatory Label of Medium Integrity Level, a Low IL process could not start most things at anything other than the Low IL it already has.

    The No Execute Up policy denies the process that is at Low IL from executing any Medium or above IL.

    But, is it really needed? The processes that the Low IL process could start would all be themselves at Low IL, if they could even be started. This keeps everything at a Low IL because by default an IL cannot create a process at a higher IL than it is at. It only means a Low IL process is allowed to start other processes but these processes are very restricted.

    The other event that might happen is the user themselves might execute something in the downloads directory. If the downloads directory had a Low IL already, then the same situation would take place as mentioned above.

    The other options would be to deny execution in the downloads directory. This would be different than simply enforcing a Low IL on the downloads directory, but is it needed?

    Also, one could assign the browser a Low IL with the No Execute Up flag. You could then place a Medium IL on the items in the downloads directory, and if a drive by execution occurred, the Low IL of the browser could not execute anything in the Medium IL downloads directory. It is a round-about way to stop execution, but may have other implications.

    But, the downloads directory having a Medium IL still allows the user to use executables/files in the downloads directory manually. Perhaps the Medium IL allows them to have less inconvenience while still having Basic User functionality.

    Of course, much of this is dependent upon whether you are Admin or Standard User, whether UAC is on or off.

    Any thoughts on this?

    It should be mentioned that when you use Integrity Levels on a directory like that, simply moving an object into it gives the object the IL you set, and likewise moving an object to another directory will leave the IL behind. The object will then inherit whatever IL is the new directory you move it into.

    Sul.
     
  20. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Hi Sul,

    From Mui ne Vietnam on a slow connection. :D

    The low rights inheritance of processes started by drive-bys is in itself enough protection. To exclude social engineered attacks, I always added the no execute to the download directory. Often the first drop is in the temp directory (which has Low rights by default), trying to download another executable in the user space (often download directory, sometimes the desktop) and acquiring elevation by fooling the user (from medium to high). So I think Low rights (catch drive-by in low rights container) plus deny execute (against social engineering) is sufficient.
     
  21. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Man I hate it when I get into a groove and test too many things too quickly!

    Last night I was messing with many different combinations of Integrity Levels on directories, setting many combinations of flags. At one point I got a directory to pass a Low IL to any object within it, and to any object within subdirs, but not the directories themselves.

    While this is no great feat, whatever I did allowed the objects to receive a Low IL, but they did not inherit the IL and take it with them. In other words, if you moved a file out of that forced Low IL directory, it then took on whatever IL the new directory told it to.

    Now, for the life of me, I cannot figure out how I did it. It was a combination, and I wrote so many down I can't find the right one.

    Anyone seen this behavior at all? Anyone? LOL. It is a very beneficial mechanism if I can isolate it again.

    Sul.

    EDIT: It seems I have found the method that will remove the explicit IL of all files and folders within a directory - with only a single command. No recursing required. It is a bit strange, but appears to "lack" an IL, so the OS imposes the default Medium IL with the NW flag. Go figure, I search for one thing and find another
     
    Last edited: Sep 8, 2010
  22. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Sully, you're wrong.

    Taking the example of the "Downloads" folder you mentioned. If you set it to a Low IL, then any object will inherit that IL. So far so good.
    Now, if you place any of those objects inside one other folder with a Medium IL, it won't be possible to execute any object. You actually need to execute it from a High IL object, say cmd.exe started with Administrator privileges.

    Example:

    I have installer.exe inside my Low IL downloads folder. Since it's a Low IL object, it would be logical I'd have the right to start it using a Medium IL object, say cmd.exe. In theory, considering what I mentioned above, it would be the logical thing, because if a Low IL object cannot mess with a Medium IL object, then the other way around would be possible, a Medium IL object messing with a Low IL object. It is not the case, for what I could find out. You actually need to start the Low IL object using a High IL object, like cmd.exe with Administrator privileges.

    It does make sense, actually. You need Administrator rights to install an application, generally speaking.

    So, I don't know what you did, but the Low IL will follow the object wherever it goes.
    I still haven't tested if, say, I download a standalone application, and then place it under %PROGRAMFILES% dir what permissions it will inherit; whether the previous one (Low IL) or %PROGRAMFILES% own permissions.
    I'll test it after I finish doing some other stuff, though.
     
  23. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    That depends on what you are implying below.

    Please also note that I am testing this from admin token, not standard user. UAC is turned off.

    It is helpful to understand that when using standard user and UAC, that the shell and everything you do run at a default Medium IL, so you get different results than if you have the full admin token that runs at default High IL.

    In experimenting, there is no way I am going to elevate everything. It is too much. Besides, the hierarchy of high, medium and low trickles down in the same way.

    Not always true I am afraid.

    If an item (object or container) is lacking an Explicit IL, the OS notes this and gives a default Medium IL with the NoWriteUp flag (NW). Most everything uses this as its IL. This is the Mandatory Label that is applied to everything by default.

    When you apply an Explicit Integrity Level to an object or container, it applies to that object or container only. There are no inheritance flags set. If you apply a Low IL to the downloads directory, it has a Low IL, but nothing inside it does, they are all Medium IL (default).

    In order for objects and containers within the downloads directory to also get an Explicit Low IL like the parent directory, you must engage inheritance.

    Again, not always true.

    If downloads directory had a Low IL with no inheritance, then none of the objects within it inherited the Low IL, so they are Medium IL by default. If you move these files to another directory, they will either remain at Medium IL by default or they might inherit an IL from whatever directory they are moved into.

    If the downloads directory propagated the Low IL to the files, then as you say, moving them into another directory with a Medium IL may or may not change the Low IL. It is true that once a file has been assigned an Explicit Low IL from the downloads directory, it carries that with it. If the new directory has no Explicit IL but uses the default Medium IL, then the file remains at Low IL. If the new directory has an Explicit IL of Medium (or High etc) then the Low IL on the file is replaced with the Medium IL of the new directory, but only if the flags on the new directory are set to allow it to propagate to child objects/containers.

    This gives me an idea for testing tonight btw, thanks :)

    Yes, it should be so.

    Yes, low levels cannot create processes higher than themselves. They might be able to read or write, depending on the flags set, and even allowed execute, but the new process will always be at or below the original IL of the parent process.

    This is not true in all cases.

    If you are standard user instead of admin, you start with a Medium IL. A Medium IL can start a process with an Explicit IL. If the file has Explicit IL of Low, then a Medium IL will start the new process at the Low level. If the file has Explicit IL of Medium, then the Medium IL will start the new process at the Medium level. If the file has Explicit IL of High, then the process will be created at only the parents IL, which would be Medium. There are stipulations when you are using UAC that go around this however.

    This is because of your token being standard user along with UAC. UAC like this sort of lays on top of the IL because the token does not have the privileges that are needed to allow certain aspects regarding Integrity Levels.

    Yes, this is true. I had it working so that it would not follow it. I only wish I could reproduce it again. Could have been a strange quirk. I tend to find those for some reason.

    Again, it will depend entirely upon whether there is an Explicit IL anywhere in the parentage and whether the flags are set for the parent to pass along inheritance to child objects/containers. Some directories, such as c:\windows and c:\program files, have flags in the DACL to not allow their parent(s) to modify them, even if the parent was told to do so. It is the NP (No Propagate) flag, and it is used so that whatever rights they give to their children are not altered by their own parents changing them.

    Having played with this a little bit with UAC on and off, I am focusing on how the ILs work from a true admin token. Some things change when you have UAC on because the standard user token is missing some rights. How these play out has to be seen yet. But right now, I need to find out all I can about the highest to lowest levels, how creating Explicit levels affects other explicit levels. After I am satisfied I understand all that I can, I will move down to UAC mode and see what changes.

    Are you using chml to apply this stuff or icacls? Would you be interested in learning something new to do this with? You seem to be one of the most interested in the inner workings of it. Maybe you would like to experiment with me? PM me if interested.

    Sul.
     
  24. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I assumed you were also testing within a LUA. My bad.

    In all my testing, and I've been messing with IL a lot, and as I mentioned, I do have my special Downloads folder set to IL of Low, with a default policy of NW. This folder is set to inherit permissions to objects and containers, which is the default behavior.

    This part, I've done it with icacls. The right command is icacls "some folder" /setintegritylevel (OI)(CI)L/M/H

    For what I could see in the help for icacls, that's how it is done.

    So, any object created in that folder will inherit its permissions or lack of permissions.

    I've tested with both options. First a new Downloads2 folder with no Explicit IL, and then one with an Explicit IL of Medium. Any object placed within any of these folders, coming from the Downloads folder with Low IL, would still remain with the Low IL.

    Again, these behaviors are in a LUA with UAC. Perhaps, this happens due to UAC, indeed.

    I'll test it later when I can. I'm testing a lot of stuff in between! :D Crazy fellow, I am!

    I'm messing around with both icacls and chml.
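As an added example (not code from this thread or from Sully's SAFE tool), here is a PowerShell script that applies the two downloads-directory protections argued for by Sully and Kees above, a deny-execute ACE and an explicit Low integrity label with the (OI)(CI) inheritance m00nbl00d's icacls command uses, then reads the ACL back to confirm both landed. The directory path and the choice of the built-in Users group are assumptions; it must run from an elevated prompt.

```powershell
# Added example: harden a downloads directory with icacls.
# Assumptions: $Downloads is a placeholder path, the deny ACE targets the
# built-in "Users" group (which also covers admin accounts, since they are
# members of Users), and the script runs elevated.
$Downloads = "C:\Users\Example\Downloads"   # placeholder, adjust to taste

function Invoke-Icacls {
    # Run icacls.exe and turn a non-zero exit code into a terminating error,
    # so a failed step does not silently leave the directory half-configured.
    param([string[]]$Arguments)
    $out = & icacls.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "icacls $($Arguments -join ' ') failed: $out"
    }
    return $out
}

function Protect-DownloadsDirectory {
    param([string]$Path)

    # 1. Deny execute/traverse (X) for Users on the directory, inherited by
    #    files (OI) and subfolders (CI). Read/write is untouched, so the
    #    browser can still save files here; they just cannot run from here.
    #    The user has to move a file out first, which is the intended friction.
    Invoke-Icacls @($Path, "/deny", "Users:(OI)(CI)(X)") | Out-Null

    # 2. Put an explicit Low integrity label on the directory and propagate
    #    it to children. Without it the directory carries the OS default
    #    (Medium, NW) and a browser forced to Low IL cannot write into it.
    Invoke-Icacls @($Path, "/setintegritylevel", "(OI)(CI)L") | Out-Null
}

function Test-DownloadsDirectory {
    # Read the ACL back. icacls prints one ACE per line and finishes with
    # the mandatory label line, e.g.
    #   BUILTIN\Users:(OI)(CI)(DENY)(X)
    #   Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)
    param([string]$Path)
    $acl = Invoke-Icacls @($Path) | Out-String

    [pscustomobject]@{
        DenyExecute = [bool]($acl -match 'Users:\(OI\)\(CI\)\(DENY\)\(X\)')
        LowIL       = [bool]($acl -match 'Low Mandatory Level:\(OI\)\(CI\)\(NW\)')
    }
}

function Undo-DownloadsDeny {
    # The "panic button" Kees asked for, limited to the deny ACE: /remove:d
    # strips every deny ACE for the named principal. (The label is left in
    # place; icacls can only set a label, not clear one.)
    param([string]$Path)
    Invoke-Icacls @($Path, "/remove:d", "Users") | Out-Null
}

Protect-DownloadsDirectory -Path $Downloads
$state = Test-DownloadsDirectory -Path $Downloads
if (-not ($state.DenyExecute -and $state.LowIL)) {
    throw "Protection incomplete: $($state | Out-String)"
}
"Downloads directory protected: $Downloads"
```

Because the deny ACE is inherited by files created later, anything a browser saves into the directory afterwards is covered without re-running the script.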
     
  25. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I find the exact opposite. If I create dir1 with explicit Low IL and dir2 with explicit Medium IL, and set inheritance on both to OICI, then the object in dir1 (Low IL (OICI)) gets new inheritance in dir2 (Medium IL (OICI)).

    Using flags ID, IO and NP in differing combinations has effects I don't fully comprehend. Also, setting inheritance (which propagates immediately) with one flag, then using a different flag can give different combos. It also makes a difference if you are merging or overwriting.

    Much fun IMO.

    Sul.

    EDIT: It is also interesting to note, and it may well be what I was confusing, that if you move a file, it carries the IL with it. If you copy a file, it has a null ACE, so it either gets an inherited IL from its new location or gets the default Medium IL. I am beginning to think I copied the files rather than moved them when I found the IL was implied but not permanent. Still, this is good to know, that you can simply copy a file to another directory and remove its IL. This could also be bad if a malicious tool did the same thing. Who knows. I have yet to test a drag/drop copy versus right click copy, right click paste. I know that when dealing with Explorer Zones, there is a difference between the methods.
     
    Last edited: Sep 8, 2010