Software Policy: use Software Restriction Policies on any Windows edition (free)

Discussion in 'other anti-malware software' started by MrBrian, Jan 26, 2014.

  1. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
  2. pcunite

    pcunite Registered Member

    Joined:
    Oct 22, 2009
    Posts:
    15
    Thank you so much!
     
  3. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    You're welcome.
     
  4. They are obsolete on Windows 10
     
  5. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    How about Windows 8.1. Is this app still relevant? If so would you mind sharing your Custom_SRP.ini
     
  6. @EASTER

    I have installed SRP on my 32-bit Asus Transformer running the Windows 10 Home version with PGS.

    Because I use the UAC tweak to block elevation of unsigned programs, I am not using PGS anymore (because it is unsigned), but these are my rules:

    Add ps1 (and vbs also, if I recall correctly) to monitored extensions

    Set default level to basic user

    Set SRP for all files except Administrators

    Install the Symantec "Run MSI as admin" tweak (google for it)

    No additional rules, zero maintenance because you can install/update everything which installs itself in Windows or Program Files.

    This is not bulletproof, but since it is set and forget, it is a nice no-cost and no-drain (built-in) security feature.

    With UAC and SmartScreen and a browser with a (built-in) sandbox with (free) anti-exploit (EMET, MBAE) you should be secure enough IMO

    Regards Kees
     
    Last edited by a moderator: Feb 20, 2016
  7. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Looks good enough and thanks for the step by step. It's only an experimental run for me ATM but this offers something useful to see if it's what I might prefer or not.

    Thanks

    EASTER
     
  8. @EASTER

    Since you have SmartObjectBlocker you could set it in Behavioral Mode and block all in C:\users\* and other data partitions and allow only the trusted vendors (signatures) to run executables, dlls and drivers from these blocked locations. This would ensure that when you run something as admin from user space, it is always a trusted vendor.

    Level 1: block medium IL processes from user space

    Level 2: block elevated objects from user space which are not from a trusted vendor.

    Level 3 would be UAC on full, protecting the Windows and Program Files folders.

    You would keep full control on installing and updates only without any hassle with only 1 third party application.

    The only things to worry about are file-infector malware/ransomware, but you have got that covered with secure folders.
     
    Last edited by a moderator: Feb 21, 2016
  9. pasmal

    pasmal Registered Member

    Joined:
    Jan 25, 2015
    Posts:
    55
  10. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
  11. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Just found this blog post posted 5 days ago: https://sourceforge.net/p/softwarepolicy/news/2016/03/termination-of-development-and-free-support-/

    It is unfortunate to see development cease for Simple Software Restriction Policy. But at the same time, I don't think that there was much more for developers to fix or add to the program. SSRP had always functioned quite well as far as stability and efficiency go.
     
  12. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Thanks.

    Sometimes support just doesn't meet expectations and it's understandable. Developers do need even a little kitty to draw from in order to forward their work.
     
  13. guest223

    guest223 Registered Member

    Joined:
    Apr 2, 2016
    Posts:
    2
    Hi, does this program really enhance security or just add the inconvenience of having to unlock it every time we need to install/uninstall something?
    Also, I have my HD partitioned, one with Windows and the other to store stuff. Is it ok to allow the free partition to run executables or will it be less secure? I have some portables that I want to run.
    So in the |CustomPolicies| section I just need to add something like
    E:\portables=1

    Thank you
     
  14. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    First of all, welcome to Wilders! :thumb:

    More Convenience = Less Security

    SRP can add a very nice layer of security to any Windows system by whitelisting certain executables/directories and by blocking all else. You can still achieve a certain level of convenience with application whitelisting / anti-executable such as SRP, but ultimately that convenience would come down to an individual user's rule set and creativity. So in short, SRP can certainly add a nice tight layer to a layered security setup. And one of the nice things about SRP is that the impact on system performance is almost non-existent. I would still highly recommend this open-source SSRP program as I had used it for a number of years.
    Yes, in this case allowing certain trusted folders such as "E:\portables\" is a good idea. Much better than, for example, allowing the entire E: partition to allow execution from any directory. So you definitely have the right idea in mind. Sometimes with portable apps, they may also temporarily copy another executable to a temporary location within %APPDATA% directories as part of their normal operation. So you may, for some programs, need to create specific rules within %APPDATA% locations. But I would strongly recommend that those rules be careful and specific. In general, you would want to block anything running from within %APPDATA%, with the exception of these very specific and precise rules for programs that are well trusted and needed for normal operation.

    Anyway, I hope that is helpful in some ways. :)
     
  15. guest223

    guest223 Registered Member

    Joined:
    Apr 2, 2016
    Posts:
    2
    That helped thanks.;)
     
  16. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    Much to my surprise, Simple Software Restriction Policy is back from the dead and version 2.1.0.0 has been released just recently over here (http://iwrconsultancy.co.uk/download) instead of on Sourceforge. The installer looks much nicer and also claims Windows 10 support as well.

    Release notes:
    Previous:
    EDIT: I should note that the source code is also provided in a sub folder where SSRP is installed.
     
  17. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I have never used it, but have known about it for a long time. Have you used it? Does it offer any functionality that Bouncer does not? Does it have a GUI?
     
  18. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    The developers have put up an online user manual now which I believe they were lacking in documentation previously.
    Link: http://softwarepolicy.sourceforge.net/manual/setup.php

    On a technical level of interest to me (and to ease my technical curiosity), the developers have shared the Inner Workings of their SSRP program which also I don't think they shared before. Particularly, the techniques in which they've used to apply (and temporarily suspend) software restriction policies without needing to restart Windows. This of course makes it easier to unlock the policies to install a program, for example, then lock the policies and carry on without rebooting. Anyway, they achieve it all with rather simple registry tweaks (see link below).
    Link: http://softwarepolicy.sourceforge.net/manual/howitworks.php

    The one major issue previously was UAC and their tray app requesting elevation every time Windows boots. There were workarounds shared here regarding using scheduled tasks to elevate the tray app during boot, but that was sloppy. The developers have resolved this issue in their tray app now and it works great with UAC finally. It does not request elevation during every boot now, only when the user needs to lock/unlock the policy or modify configuration.

    @Cutting_Edgetech I apologize for not responding sooner. I used this SSRP program for 1-2 years before Bouncer came along. Similar to Bouncer, it is configured entirely from an INI file, which I actually quite like. It is an open source program, which is a bonus, and essentially utilizes the underlying SRP functionality (similar to CryptoPrevent also) which is already built into Windows. It also works on Home editions of Windows, which lack the group policy editing functionality. From my understanding, SRP has always been enforced in user-mode in comparison to AppLocker (and many modern security software) which enforce their policies in kernel-mode. Therefore, SRP is likely less secure but still a lot better than enforcing no restrictions on executables, for example. Though it does lack command line scanning, parent process, hashing, etc.

    I still appreciate the simplicity and would happily still recommend SSRP to users wanting a simple and open source tool for basic application whitelisting. It is quite efficient as well.
     
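The rule set from post 6 (default level Basic User, enforced for all except Administrators, ps1/vbs added to the monitored extensions) combined with post 14's folder advice, written as an added PowerShell example that sets the SRP registry keys directly; this is not SSRP's own code, and the level numbers, value names and default extension list are assumed to match what gpedit writes on Pro editions.

```powershell
# Added example (not SSRP's own code): apply the rule set from post 6 and the folder
# advice from post 14 by writing the SRP registry keys directly. Run elevated.
# Assumed: level numbers and value names are the ones gpedit writes on Pro editions.
$Base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Unrestricted = 262144   # 0x40000, SAFER_LEVELID_FULLYTRUSTED
$BasicUser    = 131072   # 0x20000, SAFER_LEVELID_NORMALUSER
$Disallowed   = 0        # SAFER_LEVELID_DISALLOWED

function Add-SrpPathRule {
    param([int]$Level, [string]$Path, [string]$Description)
    # Each path rule is a GUID-named subkey under <level>\Paths; ItemData holds the path.
    $key = Join-Path $Base "$Level\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name ItemData    -PropertyType ExpandString -Value $Path -Force | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags  -PropertyType DWord -Value 0 -Force | Out-Null
    New-ItemProperty -Path $key -Name Description -PropertyType String -Value $Description -Force | Out-Null
}

New-Item -Path $Base -Force | Out-Null
# Post 6, "set default level to basic user": anything no rule matches runs as Basic User.
Set-ItemProperty -Path $Base -Name DefaultLevel -Type DWord -Value $BasicUser
# Post 6, "all files except Administrators": PolicyScope 1 exempts local admins (0 = everyone).
Set-ItemProperty -Path $Base -Name PolicyScope -Type DWord -Value 1
# TransparentEnabled 1 = all software files except DLLs; 2 adds the DLL checking that
# post 21 warns can slow the system down.
Set-ItemProperty -Path $Base -Name TransparentEnabled -Type DWord -Value 1
# Post 6, "add ps1 and vbs to monitored extensions": merge into the designated file types
# (the default list as I recall it from gpedit; verify on your own build).
$defaultTypes = 'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA',
                'INF','INS','ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD',
                'PIF','REG','SCR','SHS','URL','VB','WSC'
[string[]]$types = @($defaultTypes + @('PS1','VBS')) | Sort-Object -Unique
Set-ItemProperty -Path $Base -Name ExecutableTypes -Type MultiString -Value $types

# Keep the locations installers write to unrestricted so post 6's "zero maintenance" holds.
Add-SrpPathRule $Unrestricted '%SystemRoot%'   'Windows directory'
Add-SrpPathRule $Unrestricted '%ProgramFiles%' 'Program Files'
# Post 14: whitelist one trusted folder on the data partition, never the whole drive.
Add-SrpPathRule $Unrestricted 'E:\portables'   'Trusted portable apps (example path from post 13)'
# Post 14: block %APPDATA% explicitly; add narrow Unrestricted rules for the few apps that
# genuinely need to run from there, one folder each.
Add-SrpPathRule $Disallowed   '%APPDATA%'      'No execution from roaming AppData'
```

On 64-bit Windows add a matching Unrestricted rule for %ProgramFiles(x86)%; new processes pick the rules up without a reboot, which is the behaviour post 18 describes for locking and unlocking.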
  19. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Thank you for your description. I think I'm doing really well with AppGuard and Bouncer. I just need to see if I can convince BRN to make AG fully compatible with Bouncer. I'm waiting until Barb comes back from vacation before bringing up the problems I have discovered. I may give SRP a try though just to see what I think about it.
     
  20. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    I have been interested in SSRP, but had not tried it as the devs previously indicated that they were abandoning it. But it seems they are back now. :)
    @WildByDesign I don't know how familiar you are with anti-exes AppGuard or NVT ERP, but how would you position SSRP against especially the former, as it is also policy based?
    Seems like a simpler version of AppGuard?
     
  21. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    You're welcome. Oh yes I do recall that issue where AG was flagging something to do with Bouncer in the registry. It would be good if AG had an option to make custom exceptions for certain things like that so that the user can allow/disallow specific actions.
    I wouldn't really put SSRP in the same ballpark as AppGuard or NVT ERP. For instance, SSRP has nothing when it comes to memory protections. It is your most bare-bones basics when it comes to application whitelisting, essentially just rules stating which executables can run and from which directories. You can whitelist and blacklist executables and directories. It does have an option for .DLL filtering as well, but that can potentially slow the system down, so I am not certain how its .DLL filtering compares to the other application whitelisting software as far as efficiency goes. So while it is very basic, it is also quite efficient (at least minus the .DLL filtering) and can be utilized as a layer of security in a layered environment.
     
  22. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router
    Solved this problem with the below; apply with cmd:
    Code:
    REM /ve sets the (Default) value; "/v @" would create a value literally named "@"
    REG ADD "HKEY_CLASSES_ROOT\Applications\Notepad2.exe\shell\open\command" /ve /t REG_SZ /d "\"C:\\Program Files\\Notepad2\\Notepad2.exe\" \"%1\"" /f
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt" /v "Application" /t REG_SZ /d "Notepad2.exe" /f
    REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithList" /v "g" /t REG_SZ /d "Notepad2.exe" /f
    
    assoc .txt=MyCustomType
    ftype MyCustomType="C:\Program Files\Notepad2\Notepad2.exe" "%1"
    thanks to tazosmr on github

    also with this user can add notepad2 to context menu
    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_CLASSES_ROOT\*\shell\Notepad2]
    "Icon"="C:\\Program Files\\Notepad2\\Notepad2.exe,-100"
    
    [HKEY_CLASSES_ROOT\*\shell\Notepad2\command]
    @="\"C:\\Program Files\\Notepad2\\Notepad2.exe\" \"%1\""
    
    
     
  23. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    http://iwrconsultancy.co.uk/softwarepolicy

    They experienced a big issue with Sourceforge apparently.

     
  24. zagmarfish

    zagmarfish Registered Member

    Joined:
    Feb 27, 2017
    Posts:
    10
    Location:
    europe
    SRP seems designed to prevent execution, mostly.

    Is it possible to use SRP to make a folder or a group of folders (like every startup folder for every user) unwritable?
     
  25. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    That is the whole point. Block execution in the first place and there is no need to depend upon unreliable signature detection, heuristics, HIPS, behavior blocking, sandboxes, etc. While such protections have been refined over the years to fairly good levels, their protections still remain less than ideal.

    SRP is just one protection model among many. Using it comes down to personal choice.

    Yes. There are softs that will do this.
     
    Last edited: Mar 20, 2017