AppLocker vs SRP: Publisher vs Certificate rules

Discussion in 'other security issues & news' started by erim, Nov 27, 2012.

Thread Status:
Not open for further replies.
  1. erim

    erim Registered Member

    Joined: Aug 29, 2006
    Posts: 43

    I like the Publisher based allow rules in AppLocker.

    I never used SRP much, so I'm wondering if the same kind of functionality can be achieved with SRP and the Certificate rules.
    If yes, how? Can certificate files (.cer, .crt) be generated from digitally signed .exe files?


    (EDIT: Sorry, if this is more appropriate for other software & services, please move it there.)
     
    Last edited: Nov 27, 2012
  2. wat0114

    wat0114 Registered Member

    Joined: Aug 5, 2012
    Posts: 1,984
    Location: Canada

    To answer your question, yes, certificate rules can be created in SRP as long as the target file(s) has a valid certificate.

    However, as a difference there is more granularity with AppLocker Publisher rules; for instance, you can create Publisher rules based on some or all of the following Publisher attributes:

    • File version
    • File name
    • Product name
    • Publisher

    You can see in the attached how it is possible to modify the rule to include only what is wanted/needed...
     

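Added example (not written by either poster): one way to turn a signed .exe into the .cer file an SRP Certificate rule accepts, and to list the publisher attributes AppLocker reads from the same file. `$ExePath` and `$OutDir` are placeholder values; run it on a machine that has the AppLocker PowerShell module.

```powershell
# Added example; $ExePath and $OutDir are placeholders, not values from the thread.
param(
    [string]$ExePath = 'C:\Program Files\Example\example.exe',
    [string]$OutDir  = "$env:TEMP\rule-input"
)

# 1. Read the Authenticode signature and refuse to build rules from a bad one
#    (unsigned, tampered, or untrusted files report a status other than 'Valid').
$sig = Get-AuthenticodeSignature -FilePath $ExePath
if ($sig.Status -ne 'Valid') {
    throw "Signature status for '$ExePath' is '$($sig.Status)'; not creating rules."
}

# 2. Export the signer certificate as a DER-encoded .cer file.
#    This file can be loaded when creating an SRP Certificate rule.
$cert = $sig.SignerCertificate
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$cerPath = Join-Path $OutDir "$($cert.Thumbprint).cer"
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($cerPath, $der)

# The certificate describes the signer only; it holds no file name or version.
$cert | Format-List Subject, Issuer, Thumbprint, NotBefore, NotAfter

# 3. List the attributes an AppLocker Publisher rule can be scoped to
#    (publisher, product name, file name, file version).
Import-Module AppLocker
$info = Get-AppLockerFileInformation -Path $ExePath
$info.Publisher | Format-List PublisherName, ProductName, BinaryName, BinaryVersion

# 4. Write a Publisher rule for this file as XML so it can be reviewed
#    (and widened or narrowed) before it is merged into any policy.
$xmlPath = Join-Path $OutDir 'publisher-rule.xml'
$info | New-AppLockerPolicy -RuleType Publisher -User Everyone -Xml |
    Set-Content -Path $xmlPath -Encoding UTF8

"Certificate for SRP rule : $cerPath"
"AppLocker rule for review: $xmlPath"
```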

  3. erim

    erim Registered Member

    Joined: Aug 29, 2006
    Posts: 43

    Alright, thanks.
    I now noticed that I can also load .exe files for Certificate rules (not just .cer and .crt), so it's very easy to add them.

    So Certificate rules work exactly like AppLocker at the Publisher level, right?


    Also, I saw a little warning: "Certificate rules will negatively impact the performance of your machine".
    Is there any more info regarding this, if the performance hit is noticeable and how it compares to AppLocker?
     
    Last edited: Nov 27, 2012
  4. wat0114

    wat0114 Registered Member

    Joined: Aug 5, 2012
    Posts: 1,984
    Location: Canada

    I don't know if cert rules work exactly like pub rules at the Publisher level, but that seems about right. I did read where with cert rules, a certificate revocation list is checked to ensure the cert is still valid, but I'm not really sure if that's how it works in SRP.

    About resource impact, I think it's likely not noticeable on today's modern hardware. A similar warning is given about enforcing dll rules, but I've not noticed a resource hit in either SRP or AppLocker when it's enforced.
     
  5. erim

    erim Registered Member

    Joined: Aug 29, 2006
    Posts: 43

    I got it working now. I followed this guide so that I can apply SRP to a specific user (I don't want it for the admin account).
    But then all the exceptions need to be configured in the 'main' SRP, not in the user-related group policy SRP (certificate settings are grayed out there).
    It's a bit confusing, AppLocker is much easier.
     
  6. wat0114

    wat0114 Registered Member

    Joined: Aug 5, 2012
    Posts: 1,984
    Location: Canada

    Good to see you got it configured :thumb:
     