Creating a white list using XP software restriction policies

I'm playing around trying to create a white list of programmes allowed to run on my machine by creating software restriction policies.

In the Security Levels I've set Disallowed as the default and then created rules to allow certain programmes to run.

If I want to temporarily change the default Security Level from Disallowed to Unrestricted is there a quick way to do so without opening up the console.

I wondered if I could change the Security Level using a batch file. I don't know what commands to use to change the Security Level.

Can anyone help?

 

The batch commands associated with your endeavers are "SECEDIT" and "GPUPDATE". You'll find all the general overview as well as specific syntax help you'll need in your Windows "Help and Support" Center [Start > Help and Support].

HTH ... Craig

 

Thanks DudeofGrace

I shall look into it.

 

Can you share your list when it's completed?

-rich

 

Hi Rmus

Here is my list of my windows files which is enough to get me booted up and switched off OK. I only have 16 processes running in the task manager so I guess other people will have to unrestrict a few more processes such as alg.exe for the windows firewall:

Hash Unrestricted mmc.exe
Hash Unrestricted wmiapsrv.exe
Hash Unrestricted winlogon.exe
Hash Unrestricted imapi.exe
Hash Unrestricted taskmgr.exe
Hash Unrestricted wmiprvse.exe
Hash Unrestricted services.exe
Hash Unrestricted spoolsv.exe
Hash Unrestricted wmiadap.exe
Hash Unrestricted svchost.exe
Hash Unrestricted wiaacmgr.exe
Hash Unrestricted userinit.exe
Hash Unrestricted Windows Screensaver logon.scr
Hash Unrestricted rundll32.exe
Hash Unrestricted wuauclt.exe
Hash Unrestricted logonui.exe
Hash Unrestricted Explorer explorer.exe

The mmc.exe is quite important so you can get back in to mess with the software restriction settings.

Obviously I have had to add a lot more entries so my other programmes can work but that will vary for everyone.


I've just edited out msiexec.exe from my list, it's not needed for booting up and shutting down.

 

Hi,

What I´m trying to do is to prevent people running .exe and .msi files on my system. Only apps running from C:\Program Files, C:\WINDOWS\system32 and C:\WINDOWS are allowed to run, at least that´s what I´m trying to achieve.

But I don´t get it, if I add the rule "C:\WINDOWS\system32\*.EXE" and set it to unrestricted, and if I add the rule "*.EXE" set to "Disallowed", apps running from the C:\WINDOWS\system32 directory will still be able to run, this is a good thing. The same goes for "C:\WINDOWS\*.EXE". But if I add the rule "C:\Program Files\*.EXE", apps will not be able to run from the C:\Program Files directory, unless I make specific rules (Basic user or Unrestricted) for apps running from this directory. So it seems that C:\Program Files is handled in a different way than the other directories, how come?

And I´m a bit confused after reading the quoted text, it looks like these rules are created so that the OS will still be able to run in a normal way. But this doesn´t seem to be the case! It looks like if .exe files are set to "Disallowed", apps will not be able to run unless you add specific rules ("Unrestricted") for C:\WINDOWS\system32 and C:\WINDOWS. So I don´t see how the OS would boot up in a normal way.

 

Btw, can this thread be moved to "Other Security Issues", seems like a better place for this subject.

 

Hi,
Spikey how's it going?
Did you start to like the policies yet?
A tiny question. I played with these alongside autstart lists by HJT and the msconfig. Did you enable all the drivers in startup as well? Or did you enable only Windows processes? For instance, did you also hash the graphic card, audio card, ethernet drivers etc...
Mrk

 

Hi Rasheed187

If I set a path rule e.g. c:\folder1 and set it to unrestricted, then all the exe's can run in folder1 and also the exe's in any subfolders of folder1.

To get around it you have to set a path rule c:\folder1 and set it as disallowed. Then set up another path rule c:\folder1\*.exe and set as unrestricted. This allows the exe's in folder1 to run but not the exe's in subfolders of folder1.

So you would need to set the following path rules:

C:\Program Files (unrestricted)
C:\WINDOWS\system32 (disallowed)
C:\WINDOWS\system32\*.exe (unrestricted)
C:\WINDOWS (disallowed)
C:\WINDOWS\*.exe (unrestricted).

That's the way it would work on my machine.

HTH

 

Hi Mrkvonic

I must confess, it's no where near as convenient to set up as using something like Process Guard or Anti-Executable but I do like it because it doesn't seem to use any resources. I just got a new computer at work and it was tremendously tedious adding all the processes to my white list. It wasn't so bad the first time round at home because it was new and an experiment, so I wanted to find out the results.

I only did it for Windows processes not for graphics card, drivers etc. I'm not sure if it would cover those. I seem to recall from reading the MS website that drivers and things load up before the SRP kicks in. For example, csrss.exe and lsass.exe are not on my white list but they appear in the taskmanager. If you mess up the SRP then you can reboot in safe mode to modify it.

 

Have you seen this

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure11152004.asp

Might help?

 

Nice link, thanks starfish_001

 

Thanks for the help, what I basically tried to do is to prevent other people (who are total noobs) from doing dangerous stuff on my PC. At the moment everyone is running the PC as an admin, I do not yet want to install seperate accounts because I like to be in full control you know what I mean.

However, with this approach I would have to toggle settings with MMC.exe each time I shutdown the PC, not the best solution. What I really would like to have is the ability to prevent people from downloading certain kind of files (executable, script files) but such software does not exist at the moment, it seems.

 

you might find this useful



DefenseWall HIPS:
DefenseWall HIPS (Host Intrusion Prevention System) is the simplest and easiest way to protect yourself from malicious software (spyware, adware, keyloggers, rootkits, etc.) when you surf the Internet! Using the next generation proactive protection technologies, sandboxing and virtualization, DefenseWall HIPS helps you achieve a maximum level of protection against malicious software, while not demanding any special knowledge or ongoing online signature updates.

DefenseWall HIPS divides all applications into 'Trusted' and 'Untrusted' groups. Untrusted applications are launched with limited rights to modification of critical system parameters, and only in the virtual zone that is specially allocated for them, thus separating them from trusted applications. In the case of penetration by malicious software via one of the untrusted applications (web browsers etc), it cannot harm your system and may be closed with just one click! With DefenseWall HIPS, Internet surfing has never been so simple, safe and easy. Try it today, and you will be convinced!



The Security Pit

It is common that most Windows XP / 2000 users use their computers from an account with administrator privileges, which allows the user full control of the system. From an Administrator account, users or programs may change security settings, install software, access, modify, or delete personal and system files, and just about anything else, with few (if any) restrictions. The idea behind the Security Pit is to offer protection to users that operate their computers as an Administrator.



Running your computer as an Administrator can become a real problem if you inadvertently download any Virus, Malware or Spyware while using any internet or email software. Most malicious software take advantage of the administrative privileges to infect the computer they are attacking. As an example, Viruses and hackers target systems running with Admin privileges to do the following, as part of the infection:

Admin protection system Disable any Antivirus software that may be running

Admin protection system Modify Antivirus software to leave it running, but be ineffective

Admin protection system Disable Firewalls

Admin protection system Overwrite system files

Admin protection system Change registry settings

Admin protection system Add malicious background services to Windows that start before any other programs, and have even greater privileges than the Administrator account.

 

Yes of course, now that I think of it, the best way to restrict noobs on my system without having to create separate accounts is to use a tool like BufferZone for example.

 

Of course you could use

ShadowSurfer™ provides secure and easy to use PC protection. ShadowSurfer can acidental or malicious changes to your PC.

Requires a reboot before each use, because they sandbox disk storage as a whole. They provide the operating system and everything in it with a single virtual disk?

It is free - tried it but don't use it myself - First Defence ISR is better for my needs


https://www.wilderssecurity.com/showthread.php?t=65007&highlight=shadowsurfer