Restricting Applications in Windows

Discussion in 'other software & services' started by BrandiCandi, Jan 6, 2012.

Thread Status:
Not open for further replies.
  1. BrandiCandi

    BrandiCandi Guest

    I decided not to hijack another thread with my curiosity, so I'm starting a new thread here.

    How can a Windows user (XP, Vista & Win 7) change/add/remove Mandatory Access Controls (recognizing that the answer may be different for each OS)? I want a tool that allows me to determine exactly what each program will be allowed to do. For instance I could confine my browser so that any malware I encounter can't access system files. It would prevent escalation of privileges. Does Windows allow me to have that kind of fine-grained control? Are the only options extra software that does it for me (like AppGuard)?

    I'm comparing it to AppArmor, which is Ubuntu's answer to Mandatory Access Controls.
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    It is not natively supported. Instead Windows has MIAC, Mandatory Integrity Access Control. The best you can do is assign a file to a predefined "profile", which will have a loose set of write restrictions.

    Lame, right?

    In short, no AppGuard for Windows.
     
  3. BrandiCandi

    BrandiCandi Guest

    I'm flabbergasted. Seriously? You & I are the only people in the world that want to control access in Windows?

    What??

    #typed from my Linux machine :p
     
  4. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Yeah I was actually a bit surprised by it myself... there's absolutely no way to fine tune a MAC system in Windows via the OS. The most you can do is try to get a program working with Low Integrity, which will likely break it entirely.
     
  5. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yes, there's no native way of doing it... kind of. You can work with integrity levels, but far from being perfect for what you aim to do.

    But, you can restrict such access with Sandboxie, for example. It's not a native solution, but it works.

    I wish I could have a solution that would only do that task, though. I do wonder why AppLocker didn't result in such, after all, the name AppLocker comes from application locker. Lock execution and access, right? They forgot the access part, once it's permitted. :D

    By the way, what else have we got out there that would give such functionality?
     
  6. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Not really. You don't have to give something a low integrity level. Not only. I'll explain.

    I run Chromium with an explicit low integrity level. I'm pretty sure you're aware of its benefits, by now. But, a low integrity level object can still read from medium/high integrity level objects and containers.

    The solution is to apply an explicit medium/high integrity level to such objects and containers and apply the flag NoReadUp. By itself, this would already prevent low integrity level objects from reading medium and high integrity level objects and containers; medium integrity level objects wouldn't be able to read from high integrity level objects and containers.

    I follow this approach for a lot of folders I wish to protect (not important information, just things I don't want to give everything open access).

    There's also the flags NoExecuteUp and NoWriteUp (the latter applied by default).
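
Added example, not part of the thread and not code from any poster: a small Python model of the integrity check described in the post above, reading the mandatory label ACE from an SDDL string and deciding whether a subject at a given integrity level passes. The function names and sample descriptors are constructed for illustration, and only the label check is modelled, not the DACL evaluation that follows it.

```python
import re

# SDDL aliases for integrity-level SIDs, with the RID of S-1-16-<RID>.
LEVELS = {"LW": 0x1000, "ME": 0x2000, "HI": 0x3000, "SI": 0x4000}
# Policy codes in the label ACE's rights field and the access type each blocks.
POLICY = {"NW": "write", "NR": "read", "NX": "execute"}
# An object without a label ACE is treated as Medium with NoWriteUp.
DEFAULT_LABEL = ("ME", frozenset({"write"}))
# Mandatory label ACE: (ML;<inherit flags>;<policy codes>;;;<level alias>)
LABEL_ACE = re.compile(r"\(ML;([A-Z]*);([A-Z]*);;;([A-Z]{2})\)")


def parse_label(sddl):
    """Return (level alias, blocked access types) for an SDDL string."""
    match = LABEL_ACE.search(sddl)
    if match is None:
        return DEFAULT_LABEL
    _inherit, rights, level = match.groups()
    codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]
    if level not in LEVELS or any(c not in POLICY for c in codes):
        raise ValueError(f"unsupported label ACE: {match.group(0)}")
    return level, frozenset(POLICY[c] for c in codes)


def mic_allows(subject_level, sddl, access):
    """Integrity check only; a real access check then evaluates the DACL."""
    level, blocked = parse_label(sddl)
    if LEVELS[subject_level] >= LEVELS[level]:
        return True  # subject is at or above the object's level
    return access not in blocked  # lower subject: policy flags decide


# Constructed sample descriptors (not taken from a real system).
UNLABELED = "D:(A;;FA;;;BA)"                        # default label applies
PROTECTED = "D:(A;;FA;;;BA)S:(ML;OICI;NWNR;;;ME)"   # explicit Medium + NoReadUp

if __name__ == "__main__":
    for name, sddl in (("unlabeled", UNLABELED), ("protected", PROTECTED)):
        for access in ("read", "write", "execute"):
            verdict = "allow" if mic_allows("LW", sddl, access) else "deny"
            print(f"Low-integrity subject, {name} folder, {access}: {verdict}")
```

The unlabeled folder passes the integrity check for reads from a Low subject, while the explicitly labelled one does not; writes are blocked in both cases because NoWriteUp is part of the default label.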
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Sandboxie is the only program that came to mind.
     
  8. BrandiCandi

    BrandiCandi Guest

    I'm doing some more digging. I found that in Vista MAC = Mandatory Integrity Control. I also found an explanation of how it works on Microsoft's website.

    Access Control for Application Resources can be set in Windows on a Windows Server according to MS. So maybe it can't be done on desktops but it can be done in servers? Or will that only be Discretionary Access Controls?
     
  9. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I think GesWall works similarly to what we're discussing? It creates some sort of sandbox policy. And, we can add our own rules, I believe. I actually think that it does; I've never used it, so I can't be sure what it would allow us to achieve.

    But, judging by the screenshot, it does allow restricting access to Registry and File System entries.

    -http://i1-win.softpedia-static.com/screenshots/GeSWall_3.png
     
  10. BrandiCandi

    BrandiCandi Guest

    AppGuard (which I saw in someone's signature and then googled) looks like it tries to do MAC. Anyone have any experience with it?
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    It isn't path based like AppArmor iirc and it's not super configurable either. I used it for about an hour to play around with but I couldn't block certain things without blocking certain other things. I think it's a system wide thing too instead of a per-application restriction.
     
  12. BrandiCandi

    BrandiCandi Guest

    That was my initial impression of it- looks like it tries to do everything for you to appeal to the non-tech folks in the world. I'm a nerd so I like to configure stuff myself ;)
     
  13. BrandiCandi

    BrandiCandi Guest

    GeSWall looks like it's not terribly configurable either, a quote from their website

     
  14. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    That sounds about what you'd like.
     
  15. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    You can add your own rules, that would block the file system and Registry. Still, we would have to run the applications isolated, judging by this:

    Source: -http://www.gentlesecurity.com/geswall_how.html

    I'd like something different, though. I'd like the same functionality, but without the isolation; simply something that would allow adding applications so that I could block access to areas I wish. This would work as a service + application (GUI), and it would automatically monitor the applications in the rules and prevent access to such areas. A global setting would be nice, though.

    Any such thing? o_O
     
  16. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Just Sandboxie.
     
  17. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    The champs in this area are
    1. Powerbroker free edition (needs at least Pro Windows edition)
    2. GesWall free edition (also limited to x32)

    See my sig on how to achieve something similar to AppArmor on Unix
     
  18. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Safe-admin doesn't do what AppArmor does. o_O

    I can achieve a bit of what it does, using integrity levels. We could also isolate sensitive applications, such as a dedicated browser for home banking in a secure desktop. This would isolate it from everything else.

    Not even Sandboxie. With Sandboxie you need to isolate the application to prevent access to areas we wish to block access to.
     
  19. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    If you use Sandboxie and allow full access everywhere and then block access to paths it's what he wants.
     
  20. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Oh, OK. :D I thought you were replying to me. :p
     
  21. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,434
    Location:
    Europe

    GesWall is easy to set and to use. ;)
     
  22. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    :D Safe-admin by far does not achieve what AppArmor can control in a granular manner :D
     
  23. BrandiCandi

    BrandiCandi Guest

    Powerbroker looks interesting. Can you run it along with GesWall?
     
  24. BrandiCandi

    BrandiCandi Guest

    What IS safe-admin? Is it 3rd party software? Is it a certain configuration? Sorry, I didn't really get what it was from the link in the sig.
     
  25. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I actually forgot all about PowerBroker. You may see more mentioned in a thread I started sometime ago: https://www.wilderssecurity.com/showthread.php?t=312231

    Shame on me, for not remembering it. :D

    -edit-

    Here's a review on PowerBroker -http://redmondmag.com/articles/2012/01/01/powerbroker-desktops-dlp-safeguards-sensitive-information.aspx
     