Dealing with user installs when using (simple) software policies or Bouncer

Discussion in 'other anti-malware software' started by Windows_Security, Oct 25, 2015.

  1. DEALING WITH SOFTWARE WHICH INSTALLS IN USER FOLDERS

    Pro and enterprise license owners have Software Restriction Policies and AppLocker. Windows Home version owners can install Simple Software Restriction Policies or Bouncer to get the equivalent.

    Some software installs in user folders outside the protection of UAC. With (Simple) Software Restriction Policies and Bouncer the only safe solution is to allow all executables and DLLs on hash. With AppLocker you can allow those executables and DLLs on signer (specific for that product). Allowing on a (specific) trusted signer/product is a lot easier, since it does not require user intervention after updating the program (executing from user folders).

    So most security aware people search for another program which behaves and executes from UAC protected folders. For the people having no alternative AND using the nice freebies (SSRP or Bouncer), the tricks in the next post offer better protection.
     
  2. USE UAC TO INCREASE PROTECTION OF WINDOWS AND PROGRAM FILES FOLDERS

    I can't comment in a decent way to so called experts advising to turn off UAC, so please refrain from commenting or posting in this thread when that is your wise advice.

    Open REGEDIT, navigate to HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System and look for

    "EnableSecureUIAPaths"
    User Account Control: Only elevate UIAccess applications that are installed in secure locations 1 = ON (default), 0 = OFF
    >> advice: keep this ON
    >> effect: only elevates programs from C:\Windows, and the C:\Program Files or C:\Program Files (x86) location (the locations by default marked as secure)

    "EnableInstallerDetection"
    User Account Control: Detect Application Installations and Prompt For Elevation 1 = ON (default), 0 = OFF
    >> advice: set to OFF
    >> effect: when running an installer program Windows will NOT detect it is an installer and will NOT silently elevate to admin. You have to explicitly run a program as administrator. This prevents 'shoot in the foot' errors to some degree.
     
  3. USE ACL (ACCESS CONTROL LIST) TO ADMIN PROTECT PROGRAMS INSTALLED IN USER FOLDERS

    The idea is to remove the write permission of the user. This means that in normal operation MEDIUM INTEGRITY LEVEL processes are not allowed to change this folder. To change it you need ADMIN APPROVAL (similar to UAC protected folders), so when updating, right click and select RUN AS ADMIN.


    Navigate with Windows Explorer to the program's application folder (in this example Chromium)

    FALLBACK MEASURE: COPY THIS FOLDER (so you have the original ACL saved). WHEN PROGRAM DOES NOT RUN PROPERLY, DELETE ORIGINAL FOLDER, RENAME THIS FOLDER TO ORIGINAL FOLDER NAME (removing copy etc in the name).

    OPEN SECURITY TAB OF FOLDER
    1. Right click that folder (select properties)
    2. Select SECURITY tab
    3. Select the USER (in my example Kees)
    4. Select ADVANCED

  4. ACL: TAKE OVER PERMISSIONS OF USER

    1. Select USER again (Kees)
    2. Select DISABLE INHERITANCE

    a warning will pop up
    3. Select "CONVERT INHERITED PERMISSIONS INTO ..."

  5. ACL: EDIT PERMISSIONS OF USER

    Now you are allowed to edit the permissions of this user

    1. Select USER again (Kees)
    2. Select EDIT

  6. ACL: REMOVE WRITE/DELETE PERMISSIONS OF USER

    Change the permissions,
    1. Untick/unselect FULL CONTROL, MODIFY and WRITE
    2. Select OK

     
  7. ACL: CHECK AND APPLY PERMISSIONS

    1. Check that the user now has READ & EXECUTE rights ONLY
    2. Click APPLY


     
  8. RESULT: ADMIN APPROVAL NEEDED TO WRITE/DELETE IN THIS FOLDER

    1. Navigate to this folder and right click on (any) executable with Windows Explorer

    2. You should now see UAC shield before DELETE and RENAME


    Note: you can still update by running the program or updater with RUN AS ADMINISTRATOR
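As an added example (not from the thread), the ACL procedure of posts 3 to 8 as a PowerShell script built on the built-in icacls tool: backup of the current ACLs first (the fallback measure), disable inheritance with conversion, reduce the user to Read & Execute, then verify. It goes one step beyond the thread by handing ownership of the tree to Administrators (step 4), because the owner of a file can always rewrite its DACL. $Folder, $User and $Backup are placeholders to adjust; it assumes an elevated PowerShell.

```powershell
# Added example, not the thread's own code. Placeholders: $Folder, $User, $Backup. Run ELEVATED.
param(
    [string]$Folder = "$env:LOCALAPPDATA\Chromium\Application",   # placeholder path, adjust
    [string]$User   = $env:USERNAME,                                # account losing write access
    [string]$Backup = "$env:USERPROFILE\acl-backup-chromium.txt"   # where the old ACLs go
)

if (-not (Test-Path -LiteralPath $Folder -PathType Container)) { throw "Folder not found: $Folder" }

# 1. Fallback measure (post 3): save the DACLs of the whole tree before touching anything.
#    Undo later with:  icacls (Split-Path $Folder) /restore $Backup
#    and, because step 4 changes the owner:  icacls $Folder /setowner $User /T
icacls $Folder /save $Backup /T /C | Out-Null
if ($LASTEXITCODE -ne 0) { throw "ACL backup failed; nothing was changed" }

# 2. Disable inheritance and convert the inherited ACEs into explicit ones (post 4).
icacls $Folder /inheritance:d | Out-Null

# 3. Replace the user's explicit grant with Read & Execute only (posts 5 to 7).
#    (OI)(CI) makes files and subfolders inherit it; /grant:r replaces the old explicit grant.
icacls $Folder /grant:r "${User}:(OI)(CI)RX" | Out-Null

# 4. Beyond the thread: files under the profile are owned by the user, and an owner implicitly
#    holds WRITE_DAC, so a medium-integrity process could re-grant itself write access.
#    Moving ownership to Administrators closes that gap (admin approval is then truly required).
icacls $Folder /setowner "Administrators" /T /C | Out-Null

# 5. Verify (post 8): no write-class right for the user anywhere in the tree.
$paths = @($Folder) + (Get-ChildItem -LiteralPath $Folder -Recurse -Force | ForEach-Object FullName)
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$bad = foreach ($p in $paths) {
    (Get-Acl -LiteralPath $p).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -like "*\$User" -and
        ($_.FileSystemRights -band $writeMask)
    } | ForEach-Object { "$p : $($_.FileSystemRights)" }
}
if ($bad) { Write-Warning "Entries still granting write access:`n$($bad -join "`n")" }
else      { Write-Host "OK: $User has Read & Execute only under $Folder" }
```

After this, Explorer shows the UAC shield on Delete/Rename exactly as in post 8, and the updater has to be started with Run as administrator.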



     
  9. Minimalist

    Thnx for the idea Kees. I'm using SRP and am using hash rules for uTorrent and a few DLL and SYS files that are dropped and started from the temp folder and similar.
    The problem with uTorrent is that I can't set those ACLs on the whole folder, since it is being used to save DAT files, which are constantly used and updated by the software. And I don't want to run uTorrent with elevated rights all the time for obvious reasons. Maybe I can set this ACL only on the exe and some other "static" components of the program? Maybe I'll test it later.
    What is a benefit of disabling "EnableInstallerDetection" option? Only to prevent accidental confirmation of UAC prompt or something else?
     
  10. @Minimalist

    This is something from when Vista was introduced and most installers did not ask for elevation. Some experts ranted that M$ should NOT elevate software without reason, thus making it easier for PUPs to install (because most people always click on YES).

    When people have trouble using UAC (always click ALLOW), I don't turn UAC off, but disable installer detection and set UAC on quiet ("ConsentPromptBehaviorAdmin"=0), block elevation from user accounts ("ConsentPromptBehaviorUser"=0) and block elevation of unsigned software ("ValidateAdminCodeSignatures" = 1). Most mainstream software is signed now, so that should not give anybody any problems.
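As an added example (not from the thread), a PowerShell script that reads the UAC policy values named in post 2 and post 10 from the registry and compares them with the values those posts suggest, with an optional function to apply them. The key and value names are Microsoft's; the function names, the $ThreadProfile table and the comments are mine; writing needs an elevated PowerShell, reading does not.

```powershell
# Added example, not the thread's own code. Key and value names are the real Windows ones.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Values suggested in post 2 (secure UIA paths ON, installer detection OFF) and post 10
# ("quiet" UAC for people who click ALLOW on everything, instead of turning UAC off).
$ThreadProfile = [ordered]@{
    EnableLUA                   = 1   # UAC itself stays ON; never 0
    EnableSecureUIAPaths        = 1   # post 2: only elevate UIAccess apps from secure locations
    EnableInstallerDetection    = 0   # post 2: no heuristic auto-elevation of installer-like programs
    ConsentPromptBehaviorAdmin  = 0   # post 10: admins elevate silently (Windows default is 5)
    ConsentPromptBehaviorUser   = 0   # post 10: standard users are denied, no credential prompt
    ValidateAdminCodeSignatures = 1   # post 10: refuse to elevate unsigned binaries
}

function Get-UacAudit {
    # One row per setting: current registry value ($null means absent, Windows default applies),
    # the thread's value, and whether they match.
    $props = Get-ItemProperty -Path $UacKey
    foreach ($name in $ThreadProfile.Keys) {
        $current = $props.$name
        [pscustomobject]@{
            Setting   = $name
            Current   = $current
            Thread    = $ThreadProfile[$name]
            Compliant = ($current -eq $ThreadProfile[$name])
        }
    }
}

function Set-UacThreadProfile {
    # Writes only the values that differ; all of them are REG_DWORD under the policy key.
    foreach ($row in Get-UacAudit | Where-Object { -not $_.Compliant }) {
        Set-ItemProperty -Path $UacKey -Name $row.Setting -Value $row.Thread -Type DWord
        Write-Host "set $($row.Setting) = $($row.Thread) (was $($row.Current))"
    }
}

Get-UacAudit | Format-Table -AutoSize
# Set-UacThreadProfile   # uncomment in an elevated prompt to apply; sign out for full effect
```

Group Policy on domain-joined machines can override these values on the next refresh, so the audit output is what counts, not the write.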
     
  11. Minimalist

    Thnx for explanation, Kees. :thumb:
     
  12. EASTER

    Really appreciate the help for getting some of us up to speed on this. Great n Thanks :thumb:
     
  13. MisterB

    This is really good. Generally, I just put any software that tries to install itself in the user folder on the reject list and find another program that installs in the program files directory but that approach is not for everyone. This covers exactly what should be done with the ACLs if you have a program that needs to execute from a user folder. Well done.
     
  14. act8192

    My Win7 Pro does not have AppLocker.
     
  15. Cutting_Edgetech

    Windows 7 Enterprise, and Windows 7 Ultimate have AppLocker.
     
  16. Sorry, should have posted Windows Pro has SRP and Windows Enterprise has AppLocker
     