A possible alternative to security programs?

Discussion in 'other security issues & news' started by SpikeyB, Nov 11, 2005.

Thread Status:
Not open for further replies.
  1. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    478
    I have recently been experimenting with XP's Software Restriction Policy on a stand alone PC. I removed the default rules and created a list of exe files that could run on my machine. I then set the default Security Level to Disallowed.

    I surfed a few dodgy websites and got browser lockups etc. When I checked the Event Viewer I noticed that some tmp files had been created but had been stopped from running and also cmd.exe had been stopped.

    I then tried to install some software I had downloaded. Before I could begin to install it, I had to add the install exe to my unrestricted list. I still couldn't get things to install because tmp files created during the install were stopped from running and services could not be installed because they were also blocked.

    I wondered if the use of the Software Restriction Policy was a viable alternative to installing HIPS type security programmes.

    Does anyone have any comments on the shortfalls of the Software Restriction Policy approach (apart from its lack of user-friendliness)?
     
    Last edited: Nov 11, 2005
  2. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    I think your best bet would be to set up a limited user account that is set as "Disallowed" while leaving the admin account free (remember to rename the administrator account, and set up a guest account named "administrator"). Then just log on to the administrator account to install any software you need to, and add them to the white-list. Don't forget to restrict scripts, too! (or better yet, restrict the scripting hosts, like cscript.exe, wscript.exe, regedit.exe, cmd.exe, etc. etc.)

    In short, yes I do believe it is viable if set up correctly.. just don't think of it as an alternative to a good antivirus and firewall (it doesn't look like you do). It may not be 100%, but nothing is. It would still put you far ahead of most, however, especially if you did some hardening.
     
    Last edited: Nov 11, 2005
  3. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    478
    Thank you for your comments Notok.
     
  4. ghost16825

    ghost16825 Registered Member

    Joined:
    Feb 1, 2005
    Posts:
    84
    Yes it is, since most people use a HIPS to do exactly the same thing in most cases.
     
  5. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    478
    Thanks Notok and ghost16825.

    I'm not a computer expert so it's nice to get confirmation that my thoughts about the software restriction policy being an alternative to HIPS are not completely crazy.

    I'm amazed there were not many other comments though. I guess it's old hat to systems admins but I think this is quite exciting.

    There is a HIPS already built into windows XP that doesn't add any extra processes to the task manager. It's free, you don't need to install it and it's 100% compatible with the OS.

    Wow, that's amazing isn't it? Why has it taken me so long to find out about it?
     
  6. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Hehehe, I agree.. I think it just doesn't suit the way a lot of people around here use their computers. I'm glad to hear someone is using it, though, it really is a great feature in SP2 :)
     
  7. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    478
    Well, for anyone who is interested, I have been messing about with the Software restriction policy for over a week now and it seems to do the job very well.

    The windows files I added to my white list so I could boot up and shut down OK are given in this thread: https://www.wilderssecurity.com/showthread.php?t=105416

    I had a bit of difficulty with processes that I wanted to stop from automatically running such as cmd.exe but which I did want to run manually. It was a bit of a chore to go into the console to change the permissions for these processes when I wanted to use them. Then I remembered a neat little trick that I read about in the ProcessGuard forum (thank you to whoever came up with it). Copy the processes and give the copies new names. The newly named processes go on the white list so I can run them manually whenever I want but their exploitable originals are not on the white list and so are blocked.

    You need to create path rules (rather than hash rules) for the newly named files otherwise the originally named files will run as well.

    I created hash rules for the rest.

    I've tested it out on the e-mail security test site and it seemed to work OK. I didn't get any of the messages that showed the exploits had worked (http://www.gfi.com/emailsecuritytest/).

    I tried other security vulnerability tests but they would not run because they were not on my white list.

    The only issue I have found so far, is that if I change the permission for a file so it can run, there seems to be a time delay before I can get it to run. The reverse is also true, in that when a file is changed to be blocked, I can get it to run once, twice or sometimes three times before it actually becomes blocked.

    If anyone has any further advice, please let me know.

    Thanks.
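The rule behaviour described in posts 1, 2 and 7 (default level Disallowed, a white list of executables, and the renamed-copy trick that only works with path rules) can be checked in a small model of how SRP picks a rule. The following is an added illustration, not code from the thread or from Microsoft: it models only hash and path rules (no certificate or zone rules), uses SHA-256 in place of the MD5/SHA-1 hashes SRP actually stores, and the "files" are byte strings constructed in memory with made-up paths.

```python
"""Toy model of Windows XP Software Restriction Policy (SRP) rule evaluation.

Added illustration; not code from the thread or from Microsoft.
Assumptions: only hash and path rules are modelled; SHA-256 stands in for
SRP's own MD5/SHA-1 digests; all sample files and paths are constructed.
"""
import hashlib
from dataclasses import dataclass, field
from enum import Enum
from pathlib import PureWindowsPath


class Level(Enum):
    DISALLOWED = "Disallowed"
    UNRESTRICTED = "Unrestricted"


@dataclass(frozen=True)
class HashRule:
    digest: str      # hex digest of the file's bytes (identifies content, not location)
    level: Level


@dataclass(frozen=True)
class PathRule:
    path: str        # a file, or a folder that covers everything beneath it
    level: Level


def _normalize(path: str) -> tuple:
    # Windows paths are case-insensitive; compare component by component.
    return tuple(p.lower() for p in PureWindowsPath(path).parts)


def _path_matches(rule_path: str, file_path: str) -> bool:
    rp, fp = _normalize(rule_path), _normalize(file_path)
    return fp[: len(rp)] == rp


@dataclass
class Policy:
    default_level: Level = Level.DISALLOWED
    hash_rules: list = field(default_factory=list)
    path_rules: list = field(default_factory=list)

    def evaluate(self, file_path: str, content: bytes) -> Level:
        # Hash rules take precedence over path rules, as in SRP.
        digest = hashlib.sha256(content).hexdigest()
        for rule in self.hash_rules:
            if rule.digest == digest:
                return rule.level
        # Among path rules the most specific (longest) matching path wins.
        matches = [r for r in self.path_rules if _path_matches(r.path, file_path)]
        if matches:
            return max(matches, key=lambda r: len(_normalize(r.path))).level
        return self.default_level


# Constructed sample "files": the renamed copy has identical bytes to the original.
CMD_BYTES = b"MZ\x90\x00 constructed stand-in for cmd.exe"
NOTEPAD_BYTES = b"MZ\x90\x00 constructed stand-in for notepad.exe"
TMP_BYTES = b"MZ\x90\x00 constructed stand-in for a dropped .tmp"
ORIGINAL = r"C:\Windows\System32\cmd.exe"
COPY = r"C:\Tools\mycmd.exe"
NOTEPAD = r"C:\Windows\System32\notepad.exe"
DROPPED = r"C:\Documents and Settings\user\Local Settings\Temp\abc.tmp"


def hash_rule_policy() -> Policy:
    """White-list the renamed copy by hash: the original has the same hash, so it runs too."""
    digest = hashlib.sha256(CMD_BYTES).hexdigest()
    return Policy(hash_rules=[HashRule(digest, Level.UNRESTRICTED)])


def path_rule_policy() -> Policy:
    """White-list the renamed copy by path: only the copy may run."""
    return Policy(path_rules=[PathRule(COPY, Level.UNRESTRICTED)])


def folder_with_exception_policy() -> Policy:
    """Allow a whole folder but pin one file to Disallowed; the hash rule wins."""
    digest = hashlib.sha256(CMD_BYTES).hexdigest()
    return Policy(hash_rules=[HashRule(digest, Level.DISALLOWED)],
                  path_rules=[PathRule(r"C:\Windows", Level.UNRESTRICTED)])


def verdicts(policy: Policy) -> dict:
    """Evaluate the constructed files against a policy and return the levels by name."""
    return {
        "copy": policy.evaluate(COPY, CMD_BYTES).value,
        "original": policy.evaluate(ORIGINAL, CMD_BYTES).value,
        "notepad": policy.evaluate(NOTEPAD, NOTEPAD_BYTES).value,
        "dropped_tmp": policy.evaluate(DROPPED, TMP_BYTES).value,
    }


if __name__ == "__main__":
    for name, pol in (("hash rule for copy", hash_rule_policy()),
                      ("path rule for copy", path_rule_policy()),
                      ("folder allowed, hash exception", folder_with_exception_policy())):
        print(f"{name}: {verdicts(pol)}")
```

With the default at Disallowed, the dropped temp file never runs under any of the three policies. The first policy shows why a hash rule cannot be used for the renamed copy: the copy and the original are the same bytes, so one hash rule unrestricts both. The second policy ties the exception to the location instead, which is what the post recommends. The third shows the precedence the other way round: a hash rule set to Disallowed still blocks a file that sits inside a folder allowed by a path rule, which is one way to keep a whole system folder runnable while pinning individual interpreters such as cmd.exe to Disallowed.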
     
  8. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Hello,

    Mate, you're OK!

    I have gotten interested in what you wrote, so I decided to play.
    I took me a machine and started tweaking the policies.
    So far, after only a day of games, I have managed the following:

    Prevent Scoundrel Simulator from changing any setting, and when I let it do the changes, revert the settings back to original without using Scoundrel's revert options.

    I successfully prevented downloads of different file types, blocked activeX, various protocols like mk etc.

    I managed to tweak the desktop, remove various items, prevent the changing of the desktop image or homepage in the browser, changed the IE identifying header to read something else, like Mozilla / Lynx.

    I managed to add the feature to prompt the user whenever active content runs on CD, therefore this could have been useful for those using sony disks, for instance.

    I forever killed the Messenger and played with Media Player's privacy and connections options.

    I disabled the Task Manager to prevent 'users' from killing processes.

    And so forth. This is a very nice toy. It takes lots of time and patience, because there are hundreds of options, but if someone really wants to tweak tweak and play all day long, this is indeed a nice thingy.

    Cheers,
    Mrk
     
  9. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    That's the great thing about it.. you can do a lot more with it than most 3rd party programs. If you think about it, having it not be so convenient to allow things can actually be a good thing.. you will have to be more serious about wanting to run something than with a program that gives you an allow/deny prompt. Those won't usually let you block things like Java files, either. Personally I'd probably throw in some memory protection, like PG or DefenseWall, but that's just me :D :D
     
  10. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Hi,
    And if you don't like someone, you can make his computer experiences very very difficult . . . :)
    Mrk
     
  11. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    You mean SECURE! :D :D :D
     
  12. z12

    z12 Registered Member

    Joined:
    Oct 5, 2005
    Posts:
    5
  13. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    478
    Hi Mrkvonic

    You're light years ahead of me. How did you manage the above? I had some success in stopping it making changes by changing write permissions for specific registry keys but I couldn't find a way to revert back to the original settings if the changes occurred.

    If you pass this way again, please give me some tips.
     
  14. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Hi,
    I passed by.
    I'm home and sick with flu, so if I don't make much sense, forgive me.
    You will notice that Scoundrel Simulator explains what it does with each option. Now, what I did is purely empirical. I would narrow down the possibilities that could affect a certain option, for instance, under IE, connections.
    I would switch the Scoundrel Simulator on, then go under Policies and enable / disable the rules that were affected. And then check when I could restore my options back to normal. Likewise, prior to activating the Scoundrel, I would tick the options that were about to be disabled and prevented the Simulator from changing them.
    I would not call this exact science, nor a method ... yet. I tried it for the fun of it. Lots of possibilities, but lots of dirty work, too. I knew what Scoundrel was supposed to do. Therefore, I was able to prevent it. An unspecified malware could do lots of problems. The Policies are much better as proactive defense rather than reactive defense. Set valuable policies to prevent changes to core system elements rather than undoing them manually.
    It's a nice toy / tool, but it is very complex. More than 100 options to select. You can easily go wrong or leave things uncovered.
    This is also particularly valuable for shared machines, computer farms or computers with multiple users or if you have someone who requires admin privileges to work, yet you need to keep him / her contained. A stand-alone user can benefit as much from using his brains.
    I'm not sure if I helped or rambled. I'll try to get some time and do something methodical about it. But then, I'm just one guy and prone to mistakes...
    Cheers,
    Mrk
     
  15. ymen

    ymen Guest

    By this definition, a lot of people here don't like themselves. :)
     