Software Policy: use Software Restriction Policies on any Windows edition (free)

Discussion in 'other anti-malware software' started by MrBrian, Jan 26, 2014.

  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    No, it's under Enforcement.

    I would guess that if you define rules (or remove them) in SRP, they would overwrite the registry settings that SP wrote to. I didn't test that though.
     
  2. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    Yeah, really. I have them enabled. Thank you.
     
  3. mattdocs12345

    mattdocs12345 Registered Member

    Joined:
    Mar 23, 2013
    Posts:
    1,892
    Location:
    US
    I don't think so. I think NoVirusThanks ERP will not be worried. They provide excellent support here on the forum, well worth the $20 lifetime license.
     
  4. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    2,015
    Here my time machine (Eaz-Fix) is of great convenience unless MBR is intact.

    Actually you change these rules (they are your AppLocker path rules for Windows 7 x64):
    I've changed "Disallowed" in this way, rebooted, no problems (as it was when I applied their full set for AL). PC works as usual.

    Thank you.
     
  5. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You're welcome :).

    -------

    I noticed that the permissions for softwarepolicy.ini are unnecessarily loose. I removed its permissions for "authenticated user".

    -------

    You can audit your Windows folder with accesschk. Usage: accesschk -w -s user c:\windows . Preferably run this from an elevated command prompt. If user is a UAC-protected admin account, then you can use the trick in the last link in post #2. The output gives the list of folders that I used in the Disallowed section. The idea is that we want to disallow execution from anywhere where a standard user (or non-elevated admin) can write to.
     
  6. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,347
    Location:
    Europe, UE citizen
    Naturally. Sorry, my previous post was too synthetic :oops: , I meant: only for their work, do SRP have the same strength as the analogous feature in HIPS? (I always believed: NO).
     
  7. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I have a .cmd file with the following that I use to occasionally audit my system (run it elevated):

    echo In C:\Program Files (x86) > "c:\temp\_accesschk output.txt"
    "C:\Program Files (x86)\Sysinternals Suite\accesschk.exe" -w -s user "C:\Program Files (x86)" >> "c:\temp\_accesschk output.txt"

    echo In C:\Program Files >> "c:\temp\_accesschk output.txt"
    "C:\Program Files (x86)\Sysinternals Suite\accesschk.exe" -w -s user "C:\Program Files" >> "c:\temp\_accesschk output.txt"

    echo In C:\Windows >> "c:\temp\_accesschk output.txt"
    "C:\Program Files (x86)\Sysinternals Suite\accesschk.exe" -w -s user "C:\Windows" >> "c:\temp\_accesschk output.txt"

    where user is the standard user account that I use.
     
    Last edited: Jan 29, 2014
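As an added example, not from the thread and not from Sysinternals or Software Policy, here is a PowerShell stand-in for the accesschk audit in the two posts above. Run it unelevated as the account you want to audit: it compares each directory's ACL against the SIDs in the current token, so a UAC-protected admin running unelevated is assessed with its filtered token (Administrators is deny-only there and is not listed), and it prints the directories that account can create files in, one per line in the shape the [Disallowed] section takes. The default roots are the three folders audited in the batch file; the function names and the output path under $env:TEMP are my own choices.

```powershell
# Added example (not from the thread, Sysinternals or Software Policy): a PowerShell
# stand-in for "accesschk -w -s user <dir>". Run it UNELEVATED as the account to audit.
# Assumptions: Windows PowerShell 5.1 or PowerShell 7; function names are hypothetical.

# Rights that let a principal put a new file or folder into a directory.
# CreateFiles is the same bit as WriteData, CreateDirectories the same as AppendData;
# Modify and FullControl contain both, so they match as well. The two generic bits
# (GENERIC_ALL, GENERIC_WRITE) show up on some inherited entries and also imply write.
$script:WriteMask = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                    [int][System.Security.AccessControl.FileSystemRights]::CreateDirectories -bor
                    0x10000000 -bor
                    0x40000000

function Get-TokenSids {
    # The user SID plus every enabled group SID in the CURRENT token. For a UAC-protected
    # admin running unelevated, Administrators is deny-only and is therefore absent,
    # which is exactly the view the [Disallowed] list has to be built from.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
}

function Test-DirWritable {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string[]]$TokenSids)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    $allowed = $false
    foreach ($ace in $acl.Access) {
        # Inherit-only entries apply to children, not to this folder itself.
        if ([int]($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) -ne 0) { continue }
        if (([int]$ace.FileSystemRights -band $script:WriteMask) -eq 0) { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if ($TokenSids -notcontains $sid) { continue }
        # Approximation of the kernel's access check: a matching deny on a write bit wins.
        if ($ace.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny) { return $false }
        $allowed = $true
    }
    return $allowed
}

function Get-WritableDirs {
    # Emits every directory under the given roots that the current token can write into.
    param([string[]]$Roots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}))
    $sids = Get-TokenSids
    foreach ($root in $Roots) {
        if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }
        # Junctions and symlinks are skipped so the walk cannot loop or leave the root.
        $dirs = @(Get-Item -LiteralPath $root -Force) +
                @(Get-ChildItem -LiteralPath $root -Directory -Recurse -Force -ErrorAction SilentlyContinue |
                  Where-Object { ([int]($_.Attributes -band [System.IO.FileAttributes]::ReparsePoint)) -eq 0 })
        foreach ($d in $dirs) {
            if (Test-DirWritable -Path $d.FullName -TokenSids $sids) { $d.FullName }
        }
    }
}

# Usage: print the list and keep a copy to review before pasting it into [Disallowed].
Get-WritableDirs | Tee-Object -FilePath (Join-Path $env:TEMP 'writable-dirs.txt')
```

Two caveats: this walks directories only, whereas accesschk -w -s also lists individually writable files, and an SRP path rule on a folder covers what is inside it, so a writable file sitting in a read-only folder would need its own rule; and the output is a starting point to review, not to paste blindly, since the ini's own comment warns that a mistake in [Disallowed] can break things.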
  8. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  9. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Here is Didier Stevens on SRP vs. AppLocker:
    If this bothers you, you could try Tuersteher Light instead, or additionally.
     
    Last edited: Jan 29, 2014
  10. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    So it's basically the same as Parental Controls in Windows Home versions?
     
  11. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Some differences:
    1. Parental Controls can restrict only a standard account.
    2. With Parental Controls you must specify each program that you want to allow a user to run.
     
    Last edited: Jan 27, 2014
  12. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    (continued)

    3. Parental Controls can't be used to prevent execution from those areas within the Windows folder that a standard user (or non-elevated admin) can write to.
     
    Last edited: Jan 29, 2014
  13. guest

    guest Guest

    Thanks for the info. Now it seems that there are many ways to use SRP without buying the Pro and above versions of Windows OS. I love it when this is happening. :D

    Unless we're talking about the invincible PatchGuard. SRP/AppLocker might be a better idea since it's integrated into the OS.
     
  14. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You're welcome :).

    What other SRP ways do you know?
     
  15. guest

    guest Guest

    AFAIK there's PGS (that you've mentioned) and a manual/semi-manual registry tweak. And CryptoPrevent utilizes the execution control of SRP, doesn't it?
     
  16. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Thanks :). Yes I believe CryptoPrevent does.
     
  17. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,347
    Location:
    Europe, UE citizen
  18. CrusherW9

    CrusherW9 Registered Member

    Joined:
    Dec 27, 2012
    Posts:
    517
    Location:
    United States
    I like this! Thanks for sharing!
     
  19. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You're welcome :).

    I'm going to look into whether an additional registry tweak can give protection against DLLs as well.
     
  20. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Here's how to change enforcement to include DLLs (recommended for more protection):
    1. Start Regedit.exe
    2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers.
    3. Change value of TransparentEnabled to 2.

    Note: if you click Yes to Software Policy's "Activate new settings now?" prompt, TransparentEnabled changes back to 1. Thus, you'll have to redo the above three steps every time you click Yes to Software Policy's "Activate new settings now?" prompt.

    Microsoft's technical documentation of Software Restriction Policies registry items
     
    Last edited: Jan 29, 2014
  21. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    If you want to see what folders/files execution is being allowed in, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths and browse the subkeys.
     
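The two posts above read and change the Safer key by hand in regedit. As an added example (not from the thread and not from Software Policy), the following PowerShell reads back what SRP is currently enforcing, lists every path rule per security level, and switches enforcement to include DLLs as in post #20. It has to be run elevated because the Policies hive is admin-writable only. The value names and level numbers are Microsoft's documented SRP registry items; the function names are my own.

```powershell
# Added example (not from the thread or from Software Policy): inspect the SRP state
# under the Safer key that Software Policy writes, list path rules per level, and flip
# enforcement to include DLLs (post #20). Run ELEVATED. Function names are hypothetical.
$script:SaferKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Security levels as they appear as subkey names under CodeIdentifiers.
$script:LevelName = @{
    0      = 'Disallowed'
    4096   = 'Basic User'
    65536  = 'Constrained'
    131072 = 'Normal User'
    262144 = 'Unrestricted'
}

function Get-SrpState {
    # Policy-wide values: default rule, DLL checking, and whom the policy applies to.
    if (-not (Test-Path -Path $script:SaferKey)) { return $null }
    $p = Get-ItemProperty -Path $script:SaferKey
    $scope = if ([int]$p.PolicyScope -eq 1) { 'All users except local administrators' } else { 'All users' }
    [pscustomobject]@{
        DefaultLevel    = $script:LevelName[[int]$p.DefaultLevel]
        DllsEnforced    = ([int]$p.TransparentEnabled -eq 2)   # 1 = executables only, 2 = executables and DLLs
        AppliesTo       = $scope
        ExecutableTypes = @($p.ExecutableTypes)
    }
}

function Get-SrpPathRules {
    # One object per path rule; Level is the security level the rule grants.
    Get-ChildItem -Path $script:SaferKey -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\d+$' } |
        ForEach-Object {
            $level = [int]$_.PSChildName
            $paths = Join-Path -Path $_.PSPath -ChildPath 'Paths'
            if (Test-Path -Path $paths) {
                Get-ChildItem -Path $paths | ForEach-Object {
                    $v = Get-ItemProperty -Path $_.PSPath
                    [pscustomobject]@{
                        Level       = $script:LevelName[$level]
                        Path        = $v.ItemData
                        Description = $v.Description
                        RuleId      = $_.PSChildName
                    }
                }
            }
        }
}

function Enable-SrpDllEnforcement {
    # Post #20's three regedit steps. Software Policy resets this to 1 whenever you
    # answer Yes to "Activate new settings now?", so re-run it after that prompt.
    Set-ItemProperty -Path $script:SaferKey -Name TransparentEnabled -Value 2 -Type DWord
    return ([int](Get-ItemProperty -Path $script:SaferKey).TransparentEnabled -eq 2)
}

# Usage:
Get-SrpState
Get-SrpPathRules | Sort-Object Level, Path | Format-Table -AutoSize
```

Get-SrpPathRules covers the 262144\Paths subkeys mentioned above and the other levels too, so if Software Policy applied the [Disallowed] section those rules should show up under Disallowed (level 0). Before calling Enable-SrpDllEnforcement, keep in mind that with TransparentEnabled=2 every DLL load is checked against the rules, which costs some performance and will block programs that load DLLs from a location that is not covered by an allow rule; the question about DLLs in AppData further down the thread is exactly that situation.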
  22. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    The specific value of Software Policy's AlwaysAllowSystemFolders setting doesn't seem to affect anything. Regardless of settings, the program seems to always allow execution in \windows, \program files, and \program files (x86), so it might be safe to run this program on a person's machine that doesn't have a recent full backup, provided that you don't make any serious mistakes in the [Disallowed] section.
     
  23. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  24. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Software Policy always sets SRP to use default-deny mode.
     
  25. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,351
    I have some doubts about this program; maybe someone can help me. First, thanks MrBrian for the topic!

    I am using these settings:

    ; Software Policy inifile

    [General]
    ; Allow the system-tray applet to be closed:
    AllowExit=1
    ; Require a password to install software or use admin functions:
    ; 1=any password, 2=Admin-level password only
    AdminMenuPasswordLevel=0
    ; Minutes to remain in unlocked mode:
    UnlockTimeout=30
    ; Time during which you don't need to repeat password:
    PasswordRetention=5
    LimitedApps=1 ; overrides LimitedApps section if 0, unlock operates on Limited Apps if 1, not if 2.
    LimitedUser=0 ; not presently implemented.
    ShowInstallOptions=0 ; Show install/uninstall items on traymenu (not needed if installer is used)
    AppProxy=StripMyRights.exe /D /L N
    AutoReload=60 ; minutes between automatic reload of settings. (not yet implemented)

    [SoftwarePolicy]
    AddDesktop=0
    AddRootDirs=0
    AddMappings=0
    AdminBypass=1
    AddTempDir=0
    TranslateMappings=0

    [Safety]
    ; do NOT change unless you understand implications!
    AlwaysAllowSystemFolders=1

    [CustomPolicies]
    ; Add extra locations from which software can be run:
    ; (LAN users note - now drive mappings DO work, but may not update if they are relocated on the server.)
    c:\windows=1
    c:\program files=1
    c:\program files (x86)=1
    C:\Users\Rodolfo\AppData\Roaming\uTorrent=1

    [Disallowed]
    ; Add paths or executables which should never be run.
    ; Wildcards allowed. Be careful here as mistakes could cause problems.
    c:\windows\debug\WIA
    c:\windows\Registration\CRMLog
    c:\windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}
    c:\windows\System32\com\dmp
    c:\windows\System32\FxsTmp
    c:\windows\System32\spool\PRINTERS
    c:\windows\System32\spool\drivers\color
    c:\windows\System32\Tasks
    c:\windows\SysWOW64\com\dmp
    c:\windows\SysWOW64\FxsTmp
    c:\windows\SysWOW64\Tasks
    c:\windows\Tasks
    c:\windows\Temp
    c:\windows\tracing

    [AdminMenu]
    ; Provides a tray-menu of useful functions:
    ; (You can password-protect these and hide the equivalent Control-Panel links if required)
    (C:\)=explorer.exe C:\
    Control Panel=control.exe
    Printers and Faxes=control printers
    Network Connections=ncpa.cpl
    Computer Management=compmgmt.msc
    Disk Management=diskmgmt.msc
    Registry Editor=regedit.exe
    Task Manager=taskmgr.exe
    Windows Firewall=firewall.cpl
    Command Prompt=cmd.exe

    [LimitedApps]
    ; Run these apps with limited priveleges, such that they can typically only save files to the user-profile,
    ; and not into system-folders. Note this section is only useful if the user is a local admin.
    ; Enter the (case-sensitive) window-title of the app = the exe filename (case-insensitive) alone, no path.
    Mozilla Firefox=Firefox.exe
    Opera=opera.exe
    Microsoft Internet Explorer=iexplore.exe
    SeaMonkey=seamonkey.exe


    1) Is there something I need to change?
    2) What is the real application of this: https://www.wilderssecurity.com/showpost.php?p=2334555&postcount=45 ? I have some DLLs in my appdata folder; will I have to create exclusions for each one?
    3) How do I configure password protection for this app? I haven't managed to do that so far...
    4) Which is better: AdminBypass=1 or AdminBypass=0?
    5) How does [LimitedApps] compare with DropMyRights of Sandboxie? Is using both together redundant?
    6) When I click on "Unlock" and run an app, the tray icon is closed. Does anyone else have this too?

    Thanks and sorry for my English.
     
    Last edited: Feb 2, 2014