Software Policy: use Software Restriction Policies on any Windows edition (free)

Discussion in 'other anti-malware software' started by MrBrian, Jan 26, 2014.

  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From http://iwrconsultancy.co.uk/softwarepolicy:
    I tried it on Win 7 x64 - it works :D.

    Download the most recent .exe from http://sourceforge.net/projects/softwarepolicy/files/.

    In the "[CustomPolicies]" and "[Disallowed]" sections, you need to append =1 to any item. For example, c:\program files=1 .

    I recommend making some changes to the default configuration.
     
  2. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  3. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  4. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  5. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    If you set AdminBypass=1 then there probably isn't any good reason to have the program run on startup. The program doesn't need to be running for protection to be active.
     
    Last edited: Jan 26, 2014
  6. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Update: post #24 has the newest version of the configuration file that I tried.

    Below is a sample of the configuration I tried. Make sure to have a full system image before trying this.

    ---------

    ; Software Policy inifile

    [General]
    ; Allow the system-tray applet to be closed:
    AllowExit=1
    ; Require a password to install software or use admin functions:
    ; 1=any password, 2=Admin-level password only
    AdminMenuPasswordLevel=0
    ; Minutes to remain in unlocked mode:
    UnlockTimeout=30
    ; Time during which you don't need to repeat password:
    PasswordRetention=5
    LimitedApps=1 ; overrides LimitedApps section if 0, unlock operates on Limited Apps if 1, not if 2.
    LimitedUser=0 ; not presently implemented.
    ShowInstallOptions=0 ; Show install/uninstall items on traymenu (not needed if installer is used)
    AppProxy=StripMyRights.exe /D /L N
    AutoReload=60 ; minutes between automatic reload of settings. (not yet implemented)

    [SoftwarePolicy]
    AddDesktop=0
    AddRootDirs=0
    AddMappings=1
    AdminBypass=1
    AddTempDir=0
    TranslateMappings=1
    AutoInstall=-1

    [Safety]
    ; do NOT change unless you understand implications!
    AlwaysAllowSystemFolders=0

    [CustomPolicies]
    ; Add extra locations from which software can be run:
    ; (LAN users note - now drive mappings DO work, but may not update if they are relocated on the server.)
    c:\windows=1
    c:\program files=1
    c:\program files (x86)=1

    [Disallowed]
    ; Add paths or executables which should never be run.
    ; Wildcards allowed. Be careful here as mistakes could cause problems.

    [AdminMenu]
    ; Provides a tray-menu of useful functions:
    ; (You can password-protect these and hide the equivalent Control-Panel links if required)

    [LimitedApps]
    ; Run these apps with limited privileges, such that they can typically only save files to the user-profile,
    ; and not into system-folders. Note this section is only useful if the user is a local admin.
    ; Enter the (case-sensitive) window-title of the app = the exe filename (case-insensitive) alone, no path.

    ---------

    You should additionally add entries under "[Disallowed]" for the exceptions listed in the first link in post #2. Be sure to append =1 to each entry.
     
    Last edited: Jan 29, 2014
  7. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    If you're using AdminBypass=1, you might find the first three items in section "Step 7: understand how to override Software Restriction Policy when necessary" at http://www.mechbgon.com/srp/ useful.
     
  8. Windows_Security

    Windows_Security Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    3,079
    Location:
    Netherlands
    Bravo, great, good find, :thumb: :thumb: :thumb:

    (do you realize you are the worst frenemy of anti-exec programs, you could put them out of business when you continue to find free anti-execs like this find and teuersteher free :D )
     
  9. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Thank you :). Maybe the paid anti-exec companies wouldn't mind me mentioning CodeShield because it's unavailable now :( (pdf direct link hxxp://www.cs.purdue.edu/homes/gates2/publications/acsac2012-codeshield.pdf ).
     
    Last edited: Jan 26, 2014
  10. kupo

    kupo Registered Member

    Joined:
    Jan 25, 2011
    Posts:
    1,122
    Can it be installed and used in an Admin account? I'm too lazy to create a new standard user account. :D
     
  11. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Yes it can.
     
  12. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    Thanks MrBrian! :thumb: Excellent software that makes SRP very easy. I will introduce this to my friends who don't know much about security. I think even they can see the simplicity.
     
  13. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    1,915
    Yeah, works. :thumb:
     
  14. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    @sukarof and @Solarlynx: you're welcome, and glad it works for you :).

    --------

    Sometimes you may have to reboot for policy changes to take effect.

    --------

    I wonder what config file settings AddMappings and TranslateMappings are for? I'll guess it's related to this from the homepage: "Now accepts driveletters as mappings, as well as UNC paths."

    I'll guess that AddDesktop controls whether .LNK files are considered executable or not.

    I believe that AdminBypass controls whether policy applies to admins (only when elevated) or not.

    I don't know if the policy applies to all executables, or all executables except DLLs. Maybe somebody can test that.
     
  15. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Make sure to get the installer from SourceForge instead of the program's home site because SourceForge has the latest.
     
  16. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    1,915
    I cannot find how to make exclusions. For example I forbid "D:\" under "[Disallowed]" but how to allow executables in some "D:\allowed"?
     
  17. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Add d:\allowed=1 to the CustomPolicies section.

    Also you'll probably want these settings:
    AddDesktop=0
    AddRootDirs=0
    AddMappings=0
    AddTempDir=0

    With these settings, hopefully if something is not explicitly allowed, then it won't be allowed to run. The Disallowed section is for exceptions to what you explicitly allowed in the CustomPolicies section. The setting AddRootDirs might control whether policy is default-allow or default-deny. Test though to make sure what I said is accurate.
     
    Last edited: Jan 27, 2014
  18. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,433
    Location:
    Europe
    What I wonder is HOW effective these policies are versus a well set up HIPS.
     
  19. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    1,915
    Thank you, this works. And as I see this "Simple SRP" does not control DLLs (actually SRP cannot do this, only AppLocker can). Am I right?

    Oh, yeah I like the Default-Deny. :thumb:

    And it works. :)

    Thank you very much. :D
     
  20. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    1,915
    IMHO actually it's only a weakened version of an anti-executable. It just controls the start of executables from the HD. So any decent (and even a weak) HIPS is way more powerful, as a HIPS additionally controls a wider area of security (registry, memory ...).
     
  21. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    These settings seem to allow executables within c:\windows, c:\program files, and c:\program files (x86) to run, with execution denied to other folders:

    [SoftwarePolicy]
    AddDesktop=0
    AddRootDirs=0
    AddMappings=0
    AdminBypass=1
    AddTempDir=0
    TranslateMappings=0

    [Safety]
    ; do NOT change unless you understand implications!
    AlwaysAllowSystemFolders=1

    [CustomPolicies]
    ; Add extra locations from which software can be run:
    ; (LAN users note - now drive mappings DO work, but may not update if they are relocated on the server.)
    ; C:\Sage=1
    ; \\server=1
    ; \\server2\share=1
    ; J:\=1

    [Disallowed]
    ; Add paths or executables which should never be run.
    ; Wildcards allowed. Be careful here as mistakes could cause problems.
     
  22. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    AddDesktop actually controls whether non-shortcut items in your desktop are allowed to execute.
     
    Last edited: Jan 27, 2014
  23. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    SRP has an option for whether to include DLLs or not. This program doesn't seem to expose that option, and my test reveals that the program sets it to not include DLLs.
     
  24. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Here are some settings you could try for Windows 7. Make sure to have a system backup before trying, just in case something goes wrong.

    ; Software Policy inifile

    [General]
    ; Allow the system-tray applet to be closed:
    AllowExit=1
    ; Require a password to install software or use admin functions:
    ; 1=any password, 2=Admin-level password only
    AdminMenuPasswordLevel=0
    ; Minutes to remain in unlocked mode:
    UnlockTimeout=30
    ; Time during which you don't need to repeat password:
    PasswordRetention=5
    LimitedApps=1 ; overrides LimitedApps section if 0, unlock operates on Limited Apps if 1, not if 2.
    LimitedUser=0 ; not presently implemented.
    ShowInstallOptions=0 ; Show install/uninstall items on traymenu (not needed if installer is used)
    AppProxy=StripMyRights.exe /D /L N
    AutoReload=60 ; minutes between automatic reload of settings. (not yet implemented)

    [SoftwarePolicy]
    AddDesktop=0
    AddRootDirs=0
    AddMappings=0
    AdminBypass=1
    AddTempDir=0
    TranslateMappings=0

    [Safety]
    ; do NOT change unless you understand implications!
    AlwaysAllowSystemFolders=1

    [CustomPolicies]
    ; Add extra locations from which software can be run:
    ; (LAN users note - now drive mappings DO work, but may not update if they are relocated on the server.)
    ; C:\Sage=1
    ; \\server=1
    ; \\server2\share=1
    ; J:\=1

    [Disallowed]
    ; Add paths or executables which should never be run.
    ; Wildcards allowed. Be careful here as mistakes could cause problems.
    c:\windows\Tasks=1
    c:\windows\Temp=1
    c:\windows\tracing=1
    c:\windows\debug\WIA=1
    c:\windows\Registration\CRMLog=1
    c:\windows\System32\FxsTmp=1
    c:\windows\System32\Tasks=1
    c:\windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}=1
    c:\windows\System32\com\dmp=1
    c:\windows\System32\spool\PRINTERS=1
    c:\windows\System32\spool\drivers\color=1
    c:\windows\SysWOW64\FxsTmp=1
    c:\windows\SysWOW64\Tasks=1
    c:\windows\SysWOW64\com\dmp=1

    [AdminMenu]
    ; Provides a tray-menu of useful functions:
    ; (You can password-protect these and hide the equivalent Control-Panel links if required)

    [LimitedApps]
    ; Run these apps with limited privileges, such that they can typically only save files to the user-profile,
    ; and not into system-folders. Note this section is only useful if the user is a local admin.
    ; Enter the (case-sensitive) window-title of the app = the exe filename (case-insensitive) alone, no path.
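    To make the CustomPolicies/Disallowed semantics discussed in posts #16, #17, #21 and #24 concrete, here is an added Python model written for this thread; it is not code from the Software Policy project or from anyone posting here. It parses a condensed copy of the ini above (constructed inline, with the d:\ / d:\allowed case from post #16 added) into allow and deny path rules and then decides sample paths the way SRP does: the more specific path rule wins. Treating AlwaysAllowSystemFolders=1 as allow rules for the three system folders, prefix-only matching (the ini's wildcards are not modelled) and the default-deny fallback are assumptions about the tool, not facts from the page.

```python
"""Model the Software Policy ini as SRP path rules and apply longest-match precedence.

Added illustration for this thread; not the Software Policy project's own code.
Assumptions: [CustomPolicies] entries with =1 become allow rules, [Disallowed] entries
with =1 become deny rules, AlwaysAllowSystemFolders=1 adds allow rules for the three
system folders, rules are plain path prefixes (no wildcards), and an unmatched path is
denied (default-deny, as the thread assumes with AddRootDirs=0).
"""
import configparser
import ntpath

# Constructed sample, condensed from the config posted in this thread.
SAMPLE_INI = r"""
; Software Policy inifile
[SoftwarePolicy]
AddDesktop=0
AddRootDirs=0
AdminBypass=1

[Safety]
; do NOT change unless you understand implications!
AlwaysAllowSystemFolders=1

[CustomPolicies]
; Add extra locations from which software can be run:
d:\allowed=1

[Disallowed]
; Add paths or executables which should never be run.
c:\windows\Tasks=1
c:\windows\Temp=1
c:\windows\System32\spool\drivers\color=1
d:\=1
"""

# Folders assumed to be covered by AlwaysAllowSystemFolders=1 (assumption).
SYSTEM_FOLDERS = (r"c:\windows", r"c:\program files", r"c:\program files (x86)")


def _norm(path):
    """Windows paths compare case-insensitively; normalise separators and case."""
    return ntpath.normpath(path).lower()


def load_rules(ini_text):
    """Return {normalised path prefix: 'allow' | 'deny'} from the ini text."""
    # delimiters must exclude ':' or 'c:\windows' would be split at the drive colon.
    cp = configparser.ConfigParser(
        delimiters=("=",), inline_comment_prefixes=(";",), interpolation=None
    )
    cp.read_string(ini_text)
    rules = {}
    if cp.get("Safety", "AlwaysAllowSystemFolders", fallback="0").strip() == "1":
        for folder in SYSTEM_FOLDERS:
            rules[_norm(folder)] = "allow"
    for section, verdict in (("CustomPolicies", "allow"), ("Disallowed", "deny")):
        if cp.has_section(section):
            for key, value in cp.items(section):
                if value.strip() == "1":
                    rules[_norm(key)] = verdict
    return rules


def _under(path, prefix):
    """True if path is the prefix itself or lies inside that directory."""
    if prefix.endswith("\\"):  # drive root such as d:\
        return path.startswith(prefix)
    return path == prefix or path.startswith(prefix + "\\")


def decide(rules, exe_path, default="deny"):
    """Return (verdict, matched_prefix); the longest matching prefix wins, as in SRP."""
    path = _norm(exe_path)
    best = None
    for prefix, verdict in rules.items():
        if _under(path, prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, verdict)
    return (default, None) if best is None else (best[1], best[0])


if __name__ == "__main__":
    policy = load_rules(SAMPLE_INI)
    for sample in (
        r"C:\Windows\System32\cmd.exe",        # allowed via c:\windows
        r"C:\Windows\Temp\sample.exe",         # denied: c:\windows\temp is more specific
        r"D:\games\sample.exe",                # denied via d:\
        r"D:\allowed\tool.exe",                # allowed: d:\allowed beats d:\
        r"C:\Users\me\Downloads\setup.exe",    # no rule, default deny
    ):
        verdict, rule = decide(policy, sample)
        print(f"{verdict:5}  {sample}  (rule: {rule})")
```

The point the model makes is the one MrBrian gives in post #17: with the root directories not auto-added, anything not covered by an allow rule is denied, Disallowed carves exceptions out of allowed areas (the writable c:\windows subfolders), and a longer allow entry such as d:\allowed overrides a shorter deny such as d:\. Whether the real tool orders overlapping rules exactly this way is something to test on your own machine, as the thread itself advises.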
     
  25. Solarlynx

    Solarlynx Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    1,915
    Is it in "Designated File Types"?

    My test confirms this as well.

    Good news here is that if you stop the SP then this prog "softwarepolicy.exe" leaves the RAM and its policy stays in the OS.

    I wonder one thing: the changes from SP are not reflected in the in-built SRP. How to revert from them without SP?
     