Windows: restricting the DLL search path, and a case in point

First off, the real-world case, in which a harmless digitally-signed file from nVidia is used to foist a malicious .DLL by abusing the DLL search order: http://nakedsecurity.sophos.com/2013/02/27/targeted-attack-nvidia-digital-signature/

As a defense-in-depth measure, consider changing the DLL search rules on Windows to a more restrictive method. If you have software that can't handle this change, you can make exceptions on a case-by-case basis.

To make these changes, you'll need to be comfortable editing the Registry. Before you start, it would be advisible to

1) back up your data, bookmarks, contacts and settings. The Windows Easy Transfer tool is one way to get most of that, assuming it's in conventional locations.

2) create a System Restore point

3) know how to boot your version of Windows in Safe Mode, and how to use System Restore in a worst-case scenario. I haven't had any serious problems, but it seems prudent.


Now run Regedit.exe as an Administrator and go to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\.

http://www.mechbgon.com/build/cwdillegal_1.PNG
(above) Right-click on Session Manager and create a new DWORD named CWDIllegalInDllSearch.

http://www.mechbgon.com/build/cwdillegal_2.PNG

Double-click on your new DWORD and change the value to FFFFFFFF (eight Fs), then click OK. You'll see it as 0xffffffff when done.

So far, so good. Reboot and make sure no immediate show-stopping problems occur with your startup programs. Now run your software programs and note whether they have problems getting launched, to begin with.

If you find a program that's not tolerant of your new blanket DLL-search policy, you can make an exception for that particular .EXE by going to
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\. Right-click on Image File Execution Options and create a new key with the exact name of the .EXE file that's giving you trouble, then create a DWORD within that key named CWDIllegalInDllSearch and change the value to 0 (for the least restrictive option) or 2 to restrict WebDAV and UNC paths but nothing else (probably safe).

http://www.mechbgon.com/build/cwdillegal_3.PNG

In the bigger picture, my first line of defense against this would be Software Restriction Policy + LUA, which would block the .EXE and its bogus .DLL if they were launched in the context of a non-Admin, whether it's by the user, or by an exploit that gets the user's level of privilege. But defense in depth never hurt anything

 

I suppose not, but in this case of loading an unauthorized executable, if one has enough confidence in the first line of defense, the Registry-editing thing seems like a lot of trouble -- to this user, anyway!

Nice solution, though.

regards,

-rich

 

This user as well Still, thanks for the idea, mechBgon!

BTW, I used your Step 6 SRP tip from your site in the HIPS component of Jetico firewall to govern the user-writable locations within the protected directories of XP

 

Glad to hear that info was useful The NSA gets full credit for the info in Step 6, their guide (PDF) is the source for that auditing technique.

 

Does anyone have a link(s) to an Applocker equivalent of the excellent 8-step SRP related instructions MechBgon has published?

I have Win 7 Ultimate and am a relative noob, so would like to make sure I wouldn't make any mistakes in translation to Applocker. I have family members that I need to configure a fairly restrictive/resiliant system for.

Thanks.

EDIT:

Found this...

https://www.wilderssecurity.com/showpost.php?p=1679077&postcount=7

Hopefully that covers the same ground.

 

Has anyone done this and had trouble with NVIDIA drivers installing? I just had a problem where I could not install the new driver. Of course I first assumed there was an issue with the new driver itself, but I tried 3 different versions and nothing would work. Finally I remembered I had done this, so I deleted the registry key and the driver installed fine.

It's not a difficult workaround (now that I know), but I was wondering if anyone else had this problem.