Creating a white list using XP software restriction policies

Discussion in 'other software & services' started by SpikeyB, Nov 7, 2005.

Thread Status:
Not open for further replies.
  1. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    478
    I'm playing around trying to create a white list of programmes allowed to run on my machine by creating software restriction policies.

    In the Security Levels I've set Disallowed as the default and then created rules to allow certain programmes to run.

    If I want to temporarily change the default Security Level from Disallowed to Unrestricted is there a quick way to do so without opening up the console.

    I wondered if I could change the Security Level using a batch file. I don't know what commands to use to change the Security Level.

    Can anyone help?
     
  2. DudeOfGrace

    DudeOfGrace Registered Member

    Joined:
    Oct 27, 2005
    Posts:
    1
    Location:
    Puget Sound, Washington
    The batch commands associated with your endeavers are "SECEDIT" and "GPUPDATE". You'll find all the general overview as well as specific syntax help you'll need in your Windows "Help and Support" Center [Start > Help and Support].

    HTH ... Craig
     
  3. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    478
    Thanks DudeofGrace

    I shall look into it.
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Can you share your list when it's completed?

    -rich
     
  5. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    478
    Hi Rmus

    Here is my list of my windows files which is enough to get me booted up and switched off OK. I only have 16 processes running in the task manager so I guess other people will have to unrestrict a few more processes such as alg.exe for the windows firewall:

    Hash Unrestricted mmc.exe
    Hash Unrestricted wmiapsrv.exe
    Hash Unrestricted winlogon.exe
    Hash Unrestricted imapi.exe
    Hash Unrestricted taskmgr.exe
    Hash Unrestricted wmiprvse.exe
    Hash Unrestricted services.exe
    Hash Unrestricted spoolsv.exe
    Hash Unrestricted wmiadap.exe
    Hash Unrestricted svchost.exe
    Hash Unrestricted wiaacmgr.exe
    Hash Unrestricted userinit.exe
    Hash Unrestricted Windows Screensaver logon.scr
    Hash Unrestricted rundll32.exe
    Hash Unrestricted wuauclt.exe
    Hash Unrestricted logonui.exe
    Hash Unrestricted Explorer explorer.exe

    The mmc.exe is quite important so you can get back in to mess with the software restriction settings.

    Obviously I have had to add a lot more entries so my other programmes can work but that will vary for everyone.


    I've just edited out msiexec.exe from my list, it's not needed for booting up and shutting down.
     
    Last edited: Nov 20, 2005
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    Hi,

    What I´m trying to do is to prevent people running .exe and .msi files on my system. Only apps running from C:\Program Files, C:\WINDOWS\system32 and C:\WINDOWS are allowed to run, at least that´s what I´m trying to achieve.

    But I don´t get it, if I add the rule "C:\WINDOWS\system32\*.EXE" and set it to unrestricted, and if I add the rule "*.EXE" set to "Disallowed", apps running from the C:\WINDOWS\system32 directory will still be able to run, this is a good thing. The same goes for "C:\WINDOWS\*.EXE". But if I add the rule "C:\Program Files\*.EXE", apps will not be able to run from the C:\Program Files directory, unless I make specific rules (Basic user or Unrestricted) for apps running from this directory. So it seems that C:\Program Files is handled in a different way than the other directories, how come? o_O

    And I´m a bit confused after reading the quoted text, it looks like these rules are created so that the OS will still be able to run in a normal way. But this doesn´t seem to be the case! It looks like if .exe files are set to "Disallowed", apps will not be able to run unless you add specific rules ("Unrestricted") for C:\WINDOWS\system32 and C:\WINDOWS. So I don´t see how the OS would boot up in a normal way.

     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    Btw, can this thread be moved to "Other Security Issues", seems like a better place for this subject. :)
     
  8. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Hi,
    Spikey how's it going?
    Did you start to like the policies yet?
    A tiny question. I played with these alongside autstart lists by HJT and the msconfig. Did you enable all the drivers in startup as well? Or did you enable only Windows processes? For instance, did you also hash the graphic card, audio card, ethernet drivers etc...
    Mrk
     
  9. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    478
    Hi Rasheed187

    If I set a path rule e.g. c:\folder1 and set it to unrestricted, then all the exe's can run in folder1 and also the exe's in any subfolders of folder1.

    To get around it you have to set a path rule c:\folder1 and set it as disallowed. Then set up another path rule c:\folder1\*.exe and set as unrestricted. This allows the exe's in folder1 to run but not the exe's in subfolders of folder1.

    So you would need to set the following path rules:

    C:\Program Files (unrestricted)
    C:\WINDOWS\system32 (disallowed)
    C:\WINDOWS\system32\*.exe (unrestricted)
    C:\WINDOWS (disallowed)
    C:\WINDOWS\*.exe (unrestricted).

    That's the way it would work on my machine.

    HTH
     
  10. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    478
    Hi Mrkvonic

    I must confess, it's no where near as convenient to set up as using something like Process Guard or Anti-Executable but I do like it because it doesn't seem to use any resources. I just got a new computer at work and it was tremendously tedious adding all the processes to my white list. It wasn't so bad the first time round at home because it was new and an experiment, so I wanted to find out the results.

    I only did it for Windows processes not for graphics card, drivers etc. I'm not sure if it would cover those. I seem to recall from reading the MS website that drivers and things load up before the SRP kicks in. For example, csrss.exe and lsass.exe are not on my white list but they appear in the taskmanager. If you mess up the SRP then you can reboot in safe mode to modify it.
     
    Last edited: Jan 19, 2006
  11. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,041
  12. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    478
    Nice link, thanks starfish_001
     
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    Thanks for the help, what I basically tried to do is to prevent other people (who are total noobs) from doing dangerous stuff on my PC. At the moment everyone is running the PC as an admin, I do not yet want to install seperate accounts because I like to be in full control you know what I mean. :)

    However, with this approach I would have to toggle settings with MMC.exe each time I shutdown the PC, not the best solution. What I really would like to have is the ability to prevent people from downloading certain kind of files (executable, script files) but such software does not exist at the moment, it seems. :blink:
     
  14. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,041

    you might find this useful



    DefenseWall HIPS:
    DefenseWall HIPS (Host Intrusion Prevention System) is the simplest and easiest way to protect yourself from malicious software (spyware, adware, keyloggers, rootkits, etc.) when you surf the Internet! Using the next generation proactive protection technologies, sandboxing and virtualization, DefenseWall HIPS helps you achieve a maximum level of protection against malicious software, while not demanding any special knowledge or ongoing online signature updates.

    DefenseWall HIPS divides all applications into 'Trusted' and 'Untrusted' groups. Untrusted applications are launched with limited rights to modification of critical system parameters, and only in the virtual zone that is specially allocated for them, thus separating them from trusted applications. In the case of penetration by malicious software via one of the untrusted applications (web browsers etc), it cannot harm your system and may be closed with just one click! With DefenseWall HIPS, Internet surfing has never been so simple, safe and easy. Try it today, and you will be convinced!



    The Security Pit

    It is common that most Windows XP / 2000 users use their computers from an account with administrator privileges, which allows the user full control of the system. From an Administrator account, users or programs may change security settings, install software, access, modify, or delete personal and system files, and just about anything else, with few (if any) restrictions. The idea behind the Security Pit is to offer protection to users that operate their computers as an Administrator.



    Running your computer as an Administrator can become a real problem if you inadvertently download any Virus, Malware or Spyware while using any internet or email software. Most malicious software take advantage of the administrative privileges to infect the computer they are attacking. As an example, Viruses and hackers target systems running with Admin privileges to do the following, as part of the infection:

    Admin protection system Disable any Antivirus software that may be running

    Admin protection system Modify Antivirus software to leave it running, but be ineffective

    Admin protection system Disable Firewalls

    Admin protection system Overwrite system files

    Admin protection system Change registry settings

    Admin protection system Add malicious background services to Windows that start before any other programs, and have even greater privileges than the Administrator account.
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    Yes of course, now that I think of it, the best way to restrict noobs on my system without having to create separate accounts is to use a tool like BufferZone for example. :thumb:
     
  16. starfish_001

    starfish_001 Registered Member

    Joined:
    Jan 31, 2005
    Posts:
    1,041
    Of course you could use

    ShadowSurfer™ provides secure and easy to use PC protection. ShadowSurfer can acidental or malicious changes to your PC.

    Requires a reboot before each use, because they sandbox disk storage as a whole. They provide the operating system and everything in it with a single virtual disk?

    It is free - tried it but don't use it myself - First Defence ISR is better for my needs


    https://www.wilderssecurity.com/showthread.php?t=65007&highlight=shadowsurfer
     
Loading...
Thread Status:
Not open for further replies.