Documenting/ Questions about Applocker

I'm just going to use this topic to get some ideas on applocker/ experiment with it. Please feel free to give suggestions.

At the moment I'm trying to add a rule for Java to have it restricted except to very specific paths. Trying to do this all in one rule.

 

I will say that deny rules are not recommended.

 

Straight from Microsoft:

Deny rule considerations
Although you can use AppLocker to create a rule to allow all files to run and then use rules to deny specific files, this configuration is not recommended. The deny action is generally less secure than the allow action because a malicious user could modify the file to invalidate the rule. Deny actions can also be circumvented. For example, if you configure a deny action for a file or folder path, the user can still run the file from any other path.

 

I thought what I was doing was to deny all files to run and then creating exceptions to allow certain paths.

EDIT: Basically, all I want to do is stop java from reading/ writing except to very specific areas. On top of that I want Java to be the only program that can read/write to those areas.

 

wat and MrBrian will have to chime in on this one. I don't use applocker how you are trying to use it. And personally I don't think you need to use it that way if I'm understanding what you are doing.

 

How do you use it?

My Digsby rules are basically stopping access to Digsby only folders except for Digsby. That's a default deny rule, which has a publisher exception.

I can't see how that would be less secure than creating an allow-all rule and then blocking programs alreadyon my computer except for digsby.

Perhaps I'm misreading/ misrepresenting what I'm trying to do.

 

Perhaps you are. Also I don't use allow all in executable rules btw as I create my rules differently. Look at MrBrian rules for example: https://www.wilderssecurity.com/showpost.php?p=1679077&postcount=7 which is another way of setting up applocker.

 

Yeah I'm gonna let everyone execute from Program Files and Windows. You need admin to write there and if I configure applocker properly it won't matter anyways.

If I deny all + exceptions it means I have to update it every time I install a program there, which I don't think works for my personal use.

 

Well it seems to you want to go the route MrBrian uses. I prefer to auto-generate rules for program files/program files (x86),windows, my portable apps and Google Chrome directories (executable rules).

 

Ease of use is too important to me. The only thing I want to do is restrict the programs on my computer as much as is possible. I want absolutely as little rights as I can possibly give them.

Just to be clear this is what I understand of my rules.


1) Everyone (user and admin) can execute from Program Files and Windows folders, not a biggy since you need admin to write there.

2) I have no idea what BUILTIN\Administrators means

3) I have set deny rules on specific paths such as the AppData\Roaming\Digsby\* folder/files with the exception of Digsby via publisher exception.


So based on 3 that means no other program should be able to read/write to that folder, right? And only Digsby-signed files can execute from that area, right?

 

Not sure as I don't use deny rules.

 

TBH, I can't figure out a way to achieve this. My question to you is:

Since Java is a trusted process, why not simply allow it via Publisher or Hash rules, Publisher being the preferred? Are you afraid it's going to somehow behave maliciously? Remember that with publisher or hash rules, nothing can impersonate the actual process the rule's applied to. If you're worried that something malicious might influence Java in some way, this is extremely unlikely to happen because of the enforced AppLocker rules in place, especially if you have them set up as allow or allow with exceptions.

The whole idea with AppLocker, if it's set up correctly, is it allows only exactly what you trust to run and denies everything else.

I'm busy until later this evening but I'll take another look to see if it's possible to achieve what you're looking for, or maybe MrBrian or someone else knows a solution?

 

I think I'm just misunderstanding what AppLocker does.

Basically, I've removed Comodo so now Java is a fat gaping hole on my computer haha I want to limit what Java can do if it gets exploited. I want it to only be able to read/write to specific areas.

Can I do this with applocker? I though that's what I was doing with Digsby but now I'm just confused haha

 

That's saying too little...

The goal of AppLocker is to prevent execution. Not to prevent reading or writing to locations.

Imagine this: Your browser is allowed execution. You download something to your system. AppLocker prevents execution, unless you allow it or you have a predefined allowed folder.

 

Bah, that's no good to me.

I thought it denied read/write not execute.

Ok then, I'll set up some simple rules with this in mind - like that only Digsby-Signed applicaitons can execute in the Digsby folder etc

That's something at least...

Still virtually useless in my opinion for my use.

EDIT: I think that pretty much concludes the topic haha I see real reason to create any rules.

 

May I suggest just using Returnil, saving all downloads you want and consider safe to the virtual drive, turning on the anti-executable and checking off "allow execution of programs from real disk only"? You can test everything except programs that require a reboot, and if something goes wrong, simply reboot and you're back like nothing ever happened.

It's certainly easier than all this mess you're doing with read/write..and you have an unhealthy obsession with securing Java lately

 

Well the idea here is to remove software from my computer, not add it =p otherwise I'd still have Comodo and Java would be sandboxed.

If there was a built-in mechanism to restrict a program from reading/writing to specific areas it would definitely make my life a whole lot easier. No third party security to restrict things.

Integrity levels are nice, but too broad (unless there's a layer between low and medium that Java can run at?) and I'd like to fine tune it myself

 

Lol, I know, you're trying to go "bare", it was friendly poking Though it could be said that adding Returnil would actually give you more reason to shed more. After all, nothing that gets on the system can stay on it. No messy "spray and pray" cleanup procedures, the anti-executable should kill off the need for HIPS, as HIPS generally tells you when a program/exploit is trying to do something, and anti-execute simply shows them the door.

My question to you though, is why worry about Java reading/writing someplace, if protection is in place to prevent it from being exploited to begin with? In my mind, exploits are the only reason to deny access to things. So, if there is no exploit, there is no danger of data being compromised. Just an opinion.

 

The only defense I have right now for Java is EMET.dll running in it. I honestly do not believe that EMET's mitigations have solved every exploit in Java. That would be a bit too incredible.

Furthermore everything in EMET can pretty much be circumvented in a direct attack ie: when there's a user behind it. Not that I'm expecting a personal attack, but who knows?

Every other internet facing program is sandboxed. Java can't be (by sandboxie) so that's why I'm focusing on it primarily.

While I do believe trying to prevent exploits with methods like ASLR is great I would never rely on it as a security measure - exploits will always exist.

 

Yeah, nothing will ever completely solve exploits, and, you're right, if someone wants to get to you enough (I wish you luck fending off the NSA), you're toast. Hackers don't stop because the going gets tough, they just poke and poke until something works. I'm not certain what the anti-execute function of Returnil would do in the case of Java. It's a trusted program, so it would be allowed to run, but, considering the majority of exploits have some sort of execution to run as well, I'm assuming it would stop it cold.

As we all know though, to assume is to make an "a** out of u and me" It does give me something else to research though, so yay for more lab work, lol. In the end, nothing we can do will prevent everything. With the advances made in malware, it's getting more and more difficult to find a balance between security and simply turning the box off and having an expensive doorstop. Thankfully, the "disastrous" malware is something only testers have a good chance of seeing, and the rest is pretty easy to avoid.

 

Hungry man I think you are being a bit little too paranoid IMO and honestly I don't know if applocker is for you, since you stated its virtually useless for your use. Thats how I'm seeing it. There's not tons of options so I don't know what to tell ya.

I agree but we use the tools available to prevent as much as we can.

 

Applocker is definitely not for me.

It's less of paranoia and more of me being curious. Most of the software I mess with is because I'm curious about how it works.

I don't think Windows has any protections worth using for this scenario unfortunately.

 

I don't know if there is any hope for your security setup.

 

=p Clearly I'm a sheep waiting to be slaughtered.

 

LMAO