Dealing with user installs when using (simple) software policies or Bouncer

Discussion in 'other anti-malware software' started by Windows_Security, Oct 25, 2015.

  1. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,095
    Location:
    Netherlands
    DEALING WITH SOFTWARE WHICH INSTALLS IN USER FOLDERS

    Pro and enterprise license owners have Software Restriction Policies and AppLocker. Windows Home version owners can install Simple Software Restriction Policies or Bouncer to get the equivalent.

    Some software install in user folders outside the protection of UAC. With (Simple) Software Restriction Policies and Bouncer the only safe solution is to allow all executables and DLL's on hash. With Applocker you can allow those executables and dll's on signer (specific for that product). Allowing on (specific) trusted signer/product is a lot easier, since it does not require user intervention after updating the program (executing from user folders).

    So most security aware people search for another program which behaves and executes from UAC protected folders. For the people having no alternative AND using the nice freebies (SSRP or Bouncer), the tricks in the next post offer better protection.
     
  2. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,095
    Location:
    Netherlands
    USE UAC TO INCREASE PROTECTION OF WINDOWS AND PROGRAM FILES FOLDERS

    I can't comment in a decent way to so called experts advising to turn off UAC, so please refrain from commenting or posting in this thread when that is your wise advice.

    Open REGEDIT, navigate to HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System and look for

    "EnableSecureUIAPaths"
    User Account Control: Only elevate UIAccess applications that are installed in secure locations 1 = ON (defaut), 0 = OFF
    >> advice: keep this ON
    >> effect: only elevates programs from C:\Windows, and the C:\Program Files or C:\Program Files (x86) location (the locations by default marked as secure)

    "EnableInstallerDetection"
    User Account Control: Detect Application Installations and Prompt For Elevation 1 = ON (default), 0 = OFF
    >> advice: set to OFF
    >> effect: when running an installer program Windows will NOT detect it is an installer and will NOT silently elevate to admin. You have to explicitely run a program as administrator. This prevents 'shoot in the foot' errors to some degree.
     
    Last edited: Oct 25, 2015
  3. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,095
    Location:
    Netherlands
    USE ACL (ACCESS CONTROL LIST) TO ADMIN PROTECT PROGRAMS INSTALLED IN USER FOLDERS

    The idea is to remove write permission of the user. This means that in normal operation MEDIUM INTERGRITY LEVEL processes are not allowed to change this folder. To change you need ADMIN APPROVAL (simular to UAC protected folders), so when updating select right click RUN AS ADMIN.


    Navigate with Windows Explorer to the program's application folder (in this example Chromium)

    FALLBACK MEASURE: COPY THIS FOLDER (so you have the original ACL saved). WHEN PROGRAM DOES NOT RUN PROPERLY, DELETE ORIGINAL FOLDER, RENAME THIS FOLDER TO ORIGINAL FOLDER NAME (removing copy etc in the name).

    OPEN SECURITY TAB OF FOLDER
    1. Right click that folder (select properties)
    2. Select SECURITY tab
    3. Select the USER (in my example Kees)
    4. Select ADVANCED

    1.png
     
    Last edited: Oct 25, 2015
  4. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,095
    Location:
    Netherlands
    ACL: TAKE OVER PERMISSIONS OF USER

    1. Select USER again (Kees)
    2. Select DISABLE INHERITANCE

    a warning will pop-up
    3. Select "CONVERT INHERITED PERMISSIONS INTO ..."

    upload_2015-10-25_10-37-40.png
     
    Last edited: Oct 25, 2015
  5. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,095
    Location:
    Netherlands
    ACL: EDIT PERMISSIONS OF USER

    Now you are allowed to edit the permissions of this user

    1. Select USER again (Kees)
    2. Select EDIT

    upload_2015-10-25_10-43-5.png
     
    Last edited: Oct 25, 2015
  6. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,095
    Location:
    Netherlands
    ACL: REMOVE WRITE/DELETE PERMISSIONS OF USER

    Change the permissions,
    1. Untick/unselect FULL CONTROL, MODIFY and WRITE
    2. Select OK

    upload_2015-10-25_10-45-40.png
     
  7. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,095
    Location:
    Netherlands
    ACL: CHECK AND APPLY PERMISSIONS

    1. Check user should now have READ & EXECUTE rights ONLY
    2. Click APPLY


    upload_2015-10-25_10-49-10.png
     
  8. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,095
    Location:
    Netherlands
    RESULT: ADMIN APPROVAL NEEDED TO WRITE/DELETE IN THIS FOLDER

    1. Navigate to this folder and right click on (any) executable with Windows Explorer

    2. You should now see UAC shield before DELETE and RENAME

    upload_2015-10-25_10-55-15.png

    Note: you can still update by running program or updater with RUN AS ADMINISTRATOR



     
  9. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,089
    Thnx for idea Kees. I'm using SRP and am using hash rules for uTorrent and few dll and sys files that are dropped and started from temp folder and similar.
    The problem with uTorrent is that I can't set those ACLs on whole folder, since it is being used to save DAT files, which are constantly used and updated by software. And I don't want to run uTorrent with elevated right all the time for obvious reason. Maybe I can set this ACL only on exe and some other "static" components of program? Maybe I'll test it later.
    What is a benefit of disabling "EnableInstallerDetection" option? Only to prevent accidental confirmation of UAC prompt or something else?
     
  10. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,095
    Location:
    Netherlands
    @Minimalist

    This is something when Vista introduced and most installers did not ask for elevation. Some experts ranted that M$ should NOT elevate software without reason, thus making it easier for PUP's to install(because most people always click on YES).

    When people have trouble using UAC (always click ALLOW), I don't turn UAC off, but disable installer detection and set UAC on quiet ("ConsentPromptBehaviorAdmin"=0), block elevation from user accounts ("ConsentPromptBehaviorUser"=0) and block elevation of unsigned software ("ValidateAdminCodeSignatures" = 1). Most mainstream software is signed now, so that should not give anybody any problems.
     
  11. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,089
    Thnx for explanation, Kees. :thumb:
     
  12. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,634
    Location:
    U.S.A. (South)
    Really appreciate the help for getting some of us up to speed on this. Great n Thanks :thumb:
     
  13. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    This is really good. Generally, I just put any software that tries to install itself in the user folder on the reject list and find another program that installs in the program files directory but that approach is not for everyone. This covers exactly what should be done with the ACLs if you have a program that needs to execute from a user folder. Well done.
     
  14. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,275
    My Win7 Pro does not have AppLocker.
     
  15. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    4,953
    Location:
    USA
    Windows 7 Enterprise, and Windows 7 Ultimate have AppLocker.
     
  16. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,095
    Location:
    Netherlands
    Sorry, should have posted Windows Pro has SRP and Windows Enterprise has AppLocker
     
Loading...