Is SRP on Windows 7 broken?

Discussion in 'other software & services' started by chrcol, Sep 3, 2014.

  1. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    783
    Location:
    UK
    So I enabled SRP.
    It has 2 default rules which allow the Program Files folder and system root.
    I added the Program Files (x86) folder.

    Yet some odd behaviour.

    I can execute various executables on my K: drive. Even as LUA, even if I specifically set K:\ to not allowed and even if I block admins as well.

    Even though I have exempted the x86 prog files folders, I cannot run 32-bit IE; the app log shows this.

    Access to C:\Program Files\Internet Explorer\IEXPLORE.EXE has been restricted by your Administrator by the default software restriction policy level.

    Note the above is the 64-bit path but that's the error that appears when trying to run 32-bit IE.

    Which should be exempted by default rule, right?

    Bizarrely the 64-bit IE which uses that path directly works.

    So in short SRP is running chaotic. I guess in Win7 I should be using AppLocker instead?
     
  2. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,050
    Location:
    USA
    I've had no problems with it on Windows 7. You would probably need to post the rule you created for your Program Files (x86) so we can take a look.
     
  3. chrcol

    OK, tried AppLocker. It correctly allows 32-bit prog files to work, but with that said it seems to be blocking nothing at all. Again same with LUA; yes, rule enforcement is on. As a LU I can run exes from %temp% LOL
     
  4. chrcol

    Here are the SRP rules (currently off though, as I'm trying AppLocker), and I know prog files x86 is added twice, as I was trying a 2nd method of adding it.
     

    Attached Files:

  5. chrcol

    Should I be rebooting after applying rules?
     
  6. chrcol

    OK, I got somewhere. I noticed the message saying the Application Identity service needs to be running for AppLocker. It wasn't, so I started it. It didn't immediately start working, there was a time period of a few minutes, but now it is working.
     
  7. xxJackxx

    Yes. That or run "gpupdate /force" from a run prompt.
     
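The checks discussed in the posts above (Application Identity service running, policy refreshed, a file in %temp% actually denied), as an added PowerShell example that is not part of the original thread. It assumes an elevated prompt on the affected machine; the probe file name and the use of the `Everyone` group are choices made for this example.

```powershell
# Added example (not from the thread): confirm AppLocker is actually able to enforce.
Import-Module AppLocker   # required on Windows 7 / PowerShell 2.0

# 1. AppLocker rules are only enforced while the Application Identity service runs.
$svc = Get-Service -Name AppIDSvc
if ($svc.Status -ne 'Running') {
    Write-Warning "AppIDSvc is $($svc.Status): AppLocker rules are not being enforced."
    Start-Service -Name AppIDSvc   # the thread reports a delay of a few minutes after this
}

# 2. Re-apply Group Policy so newly created rules are picked up without a reboot.
gpupdate /force | Out-Null

# 3. List the enforcement mode of each rule collection in the effective policy.
#    "AuditOnly" or "NotConfigured" for Exe means nothing will be blocked.
$policy = Get-AppLockerPolicy -Effective
$policy.RuleCollections | ForEach-Object {
    "{0,-10} {1}" -f $_.RuleCollectionType, $_.EnforcementMode
}

# 4. Ask the policy what it would decide for an executable sitting in %TEMP%.
#    Test-AppLockerPolicy evaluates the rules only; it does not prove the service
#    is enforcing them, which is why step 1 comes first.
#    The probe is a copy of a Microsoft-signed binary, so a publisher rule that
#    allows Microsoft-signed files would report Allowed here.
$probe = Join-Path $env:TEMP 'applocker-probe.exe'   # constructed file name
Copy-Item -Path "$env:SystemRoot\System32\whoami.exe" -Destination $probe
try {
    Test-AppLockerPolicy -PolicyObject $policy -Path $probe -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule
}
finally {
    Remove-Item -Path $probe -ErrorAction SilentlyContinue
}
```

With only the default path rules in place, a `PolicyDecision` of `DeniedByDefault` for the probe means the rules are correct and any remaining gap is in enforcement (service state or enforcement mode).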
  8. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,985
    Location:
    Canada
  9. chrcol

    For now I am back on an admin account since Firefox is so anti-Windows; I couldn't even update it on my limited account.

    I will either switch Firefox to the portable version or restrict the admin account on AppLocker/SRP.

    Thanks
     
  10. chrcol

    Apparently the LUA update issue with Firefox is fixed in esrv31, so if I can get Firefox v31 running well (currently runs badly) then I can switch back again.
     
  11. xxJackxx

    I've not had problems updating Firefox on machines with LUAs. I have 15 users here and have had no problems for a long time. I did have that problem a couple of years ago, but not recently. Worst case you can download the full install and run as admin over the top. That always works.

    -Another thought... do you have the Mozilla Maintenance Service installed? That is specifically for updating on LUA.
     
  12. chrcol

    There is a Firefox bug report; it was fixed in v26, so my esrv24 wouldn't work (even with the service).
     