Simple and free ways to allow program execution ONLY in some folders?

Discussion in 'other anti-malware software' started by flatfly, Jan 8, 2015.

  1. flatfly

    flatfly Registered Member

    Joined:
    Aug 25, 2010
    Posts:
    66
    I want to only allow executables in Windows and Program Files to run, and block them everywhere else.

    I'm looking for a simple, lightweight, and free way to achieve this. I don't need any other fancy features. Any thoughts/suggestions?
    I'm running Win 8.1 Home, with a standard user account.

    (Previously on XP, I was using the excellent TrustNoExe to do that)
     
    Last edited: Jan 8, 2015
  2. siketa

    siketa Registered Member

    Joined:
    Oct 25, 2012
    Posts:
    2,695
    Location:
    Zagreb, Croatia
  3. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    253
    Location:
    router
  4. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,629
    Location:
    Toronto, Canada
    I agree with what co22 mentioned. Either Software Policy (using SRP) or Bouncer would give you the exact control that you are looking for. Software Policy is open source and utilizes Windows built-in SRP functionality. I have used Software Policy for around 2 years now thoroughly and recommend it often. I have only used Bouncer for a few months now and would recommend it as well, but more for users who are familiar with these kinds of tools.
     
  5. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    830
    Location:
    UK
    The free version of VoodooShield allows whitelisting of the programs dir, Windows services, etc.
     
  6. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    That can be done by setting NTFS file permissions which is not always an easy thing to learn. Windows does that to a certain extent already but you have to use a standard user account to take advantage of it. The standard windows configuration still has some big holes in it. I tighten it up considerably so software may only be executed in the Windows and Program files folders without administrator privilege and it can't be executed even by administrators in a data drive, partition, or folder.
     
  7. flatfly

    flatfly Registered Member

    Joined:
    Aug 25, 2010
    Posts:
    66
    Thanks for your suggestions. I'll give "Software Policy" a try.
     
  8. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    That is, however, the hardest way and can cause issues depending on your programs and usage. I only put a deny-execute ACL on the most abused folders, including: Recycle Bin, Temporary Internet Files, all user folders such as Documents except for Desktop and one folder I made, just under each user folder (%USERNAME%; Non-Propagate), just under the root drive (NP), just under AppData and its 3 subfolders (NP), and some subfolders in some major programs. Also deny-execute and deny-write on each user's Startup folder. I don't deny-execute e.g. the Temp folder, as some programs put their updater in it.
     
  9. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    I don't use deny at all, just uncheck read and execute. NTFS file permissions are overly complex compared to UNIX/Linux file permissions or older versions of NTFS. I do keep the Temp folder read/write. I don't let software update itself automatically. Very annoying and it uses up bandwidth. The goal is to not let anything execute unless I choose it. That includes updates.

    I also simplify users and groups and reduce groups to Users, System and Administrators. For external usb drives, I use Everyone and set it to read/write.
     
  10. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    1,915
    Windows' inbuilt Software Restriction Policy is the best for the OP's purpose, though SRP needs some learning. A nice manual is here.

    The second option is AppLocker. It is also a Windows inbuilt app. It's described here.
     
    Last edited: Jan 9, 2015
  11. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    I understood.
    Surely NTFS file permission is complex for me and I still don't fully understand it. Sometimes it overrides file permission by adding another ACE on top of the other, e.g. when I download sth...
     
  12. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,061
    OP is using Home version of Windows so Software Policy could be used for similar protection.
     
  13. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Does anyone have a link to a good guide to file system permissions, users and groups? This has come up quite often.
     
  14. Callender

    Callender Registered Member

    Joined:
    Jan 9, 2015
    Posts:
    66
    Location:
    London UK
    I'll just mention that the free version of UVK has its own execute prevent feature with the ability to define your own paths and exclusions.

    See: Execute Prevent

    Sometimes you need to define exclusions so that certain apps are allowed to run from blocked folders.

     
  15. Callender

    Callender Registered Member

    Joined:
    Jan 9, 2015
    Posts:
    66
    Location:
    London UK
    The first line in the above post should state:

    The free version of UVK has its own execute prevent feature with the ability to define your own paths by adding them to the Locked Items List and additionally the user can create a list of executables that will be allowed to run from blocked folders.
     
  16. flatfly

    flatfly Registered Member

    Joined:
    Aug 25, 2010
    Posts:
    66
    Just to provide some quick feedback after a couple weeks of use, Software Policy is pretty good and lightweight! My only gripe is that the GUI is a bit lacking.
     
  17. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    My approach to using NTFS file permissions came through trial and error. Up until NTFS 4, they were fairly simple and straightforward and not very different from UNIX file permissions. With NTFS 5 it got very complicated and the results aren't always what logic would lead you to expect. After seeing programs execute where I didn't want them to quite a few times, I simplified groups down to System, Administrators, Users and Everyone. I never use deny, just allow or not allow according to group. To make read/write work properly, I have to add delete and delete subfolders and files in the advanced settings tabs. Everyone is reserved for data partitions and external drives so even administrators have to copy software to a system drive in order to run or install it.

    SRP duplicates a lot of the NTFS permission functionality and is a bit easier to implement because a few rules can handle a lot of ground. I've ended up using both, which makes for a stronger system overall. Redundant protection is good. In Windows 7 Ultimate, the SRP functionality is duplicated again with AppLocker. That is one of the main issues with Windows security features: there is a lot of unneeded complexity and the learning curve is way too high. Securing a Linux server is far easier than a Windows client. There are too many built-in users and groups and privilege levels. That makes it hard to keep track of things and is why I eliminate most users and groups to make things work.

    In Windows the group policy editor and security policy editor are your friends. They have all kinds of good security tweaks in addition to SRP. You can do things like globally disable execution on or all access to USB drives for example. It is just a lot of homework to learn all of the different security tweaks and I recommend testing all settings because sometimes they don't work the way you think they will work.
     
    Last edited: Mar 20, 2015
  18. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
  19. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    Can I remove specific privilege from entire profile? I.e. remove execution permission from Everyone regardless of folder or drive?

    I agree, UNIX file permission is much simpler. I think this is not limited to file permission. Windows added too many control mechanisms w/out theoretical background like SELinux, and just caused room for oversight in configuration rather than real good security.
     
  20. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    No, file permissions are just that, they apply to files, folders and drives. That is one of their advantages. They are set in the file system itself and will be the same if that volume is mounted on another computer. There are some group policy settings that apply to specific groups but they are not the same as the basic file permissions. They are under the heading of "User Rights Assignments".
     
  21. marzametal

    marzametal Registered Member

    Joined:
    Mar 19, 2014
    Posts:
    731
    Sucks that the password has to sync with Windows login... really got on my nerves. Other than that, it was a ripper of an app.
     
  22. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    Okay, the reason I asked was, I misinterpreted your previous comment, especially
    Maybe you removed x permission from all may-be-used drive paths (e.g. F:\, G:\,...) with inheritance enabled?

    Also, you can't remove each user group except actual user you made e.g. Network service from entire Windows, right?
     
  23. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    In NTFS, permissions may be given to individual users or groups. They are set on drives, not paths. A USB drive can be assigned a different path each time it is mounted. When I initialize an NTFS data drive, I go into the users and groups menu and remove all users and groups except Everyone. All files inherit the volume permissions unless they are set otherwise.
     
  24. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    Ah! I now fully understand. So you removed those users from the drive's permission.
    Thanks for the correction as well as more explanation! :)
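
The deny-execute ACEs with and without "Non-Propagate" (NP) discussed in the thread can be compared side by side. This is an added example, not part of any post in the thread; the scratch folder name, the `Add-DenyExecute` and `Test-DenyExecute` helpers and the choice of the Everyone SID are assumptions made for illustration.

```powershell
# Added example: propagating vs. non-propagating (NP) deny-execute ACE.
# Works only inside a constructed scratch folder under %TEMP%.
$Sec      = 'System.Security.AccessControl'
$Everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'   # Everyone (assumed principal)

function Add-DenyExecute {
    param([Parameter(Mandatory)][string]$Path, [switch]$NoPropagate)
    # InheritOnly: the ACE does not apply to the folder itself, so listing and
    # traversing it keep working. ObjectInherit: files below receive the ACE.
    # NoPropagateInherit: stop after direct children, i.e. the "(NP)" case.
    $prop = 'InheritOnly'
    if ($NoPropagate) { $prop = 'InheritOnly, NoPropagateInherit' }
    $rule = New-Object "$Sec.FileSystemAccessRule" -ArgumentList @(
        $Everyone,
        ([System.Security.AccessControl.FileSystemRights]'ExecuteFile'),
        ([System.Security.AccessControl.InheritanceFlags]'ObjectInherit'),
        ([System.Security.AccessControl.PropagationFlags]$prop),
        ([System.Security.AccessControl.AccessControlType]'Deny'))
    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Test-DenyExecute {
    param([Parameter(Mandatory)][string]$File)
    # True when the file carries any Deny ACE that includes the execute right.
    $exec = [System.Security.AccessControl.FileSystemRights]::ExecuteFile
    $hits = (Get-Acl -LiteralPath $File).Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and ($_.FileSystemRights -band $exec)
    }
    [bool]$hits
}

$root = Join-Path $env:TEMP 'deny-exec-demo'
foreach ($case in 'propagate', 'np') {
    $dir = Join-Path $root $case
    New-Item -ItemType Directory -Force -Path $dir | Out-Null
    Add-DenyExecute -Path $dir -NoPropagate:($case -eq 'np')
    # Children are created after the ACE is set, so they inherit at creation.
    New-Item -ItemType Directory -Force -Path (Join-Path $dir 'sub') | Out-Null
    foreach ($f in (Join-Path $dir 'top.cmd'), (Join-Path $dir 'sub\deep.cmd')) {
        Set-Content -LiteralPath $f -Value '@echo constructed sample file'
        [pscustomobject]@{
            Case        = $case
            File        = $f.Substring($dir.Length + 1)
            DenyExecute = Test-DenyExecute -File $f
        }
    }
}
```

Comparing the `DenyExecute` column for `top.cmd` and `sub\deep.cmd` in each case shows how far the ACE reaches; remove the scratch folder afterwards with `Remove-Item -Recurse`.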
     