Software Policy: use Software Restriction Policies on any Windows edition (free)

Discussion in 'other anti-malware software' started by MrBrian, Jan 26, 2014.

  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    @ExtremeGamerBR: You're welcome :).

    1. No, as far as I can see.
    2. DLLs contain executable code; including DLLs makes your security setup stronger; yes you would have to include those DLLs also.
    3. I didn't try that, so I don't know.
    4. AdminBypass=1 is what I'd recommend. If you use AdminBypass=0 then you'll have to Unlock policy while installing software.
    5. I haven't used Sandboxie in a while, so I don't know; you can search for "StripMyRights" to find out more though.
     
  2. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,351
    Thanks! :thumb: :thumb: :thumb:

    I will add the DLL protection too! :)

    Well, I found this about StripMyRights: http://www.sysint.no/nedlasting/StripMyRights.htm. I don't know... I will stay with Sandboxie's DropMyRights. :thumb:

    I edited my post (I think you haven't seen it). I have one last question:

    6) When I click on "Unlock" and run an app, the tray icon is closed. Does anyone else have this too?

    I will stay with this app closed, so I don't need password protection as far as I can see. ;)
     
  3. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    @ExtremeGamerBR: You're welcome :).

    6. Yes, I've noticed that also.

    If you're using AdminBypass=1 then you shouldn't need to use Unlock when installing a program - just run the installer elevated. In fact, with AdminBypass=1 you can even uninstall the program, assuming it doesn't remove the SRP rules when it uninstalls.

    If you don't want to use StripMyRights, then you should remove these lines from your config file:
    Mozilla Firefox=Firefox.exe
    Opera=opera.exe
    Microsoft Internet Explorer=iexplore.exe
    SeaMonkey=seamonkey.exe
     
  4. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,351
    Thanks! :thumb: :thumb: :thumb:

    Really, with AdminBypass=1 I can install programs without having to switch to "Unlock". Perfect! :D

    I have already removed those lines. ;)
     
  5. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You're welcome :). That's similar to how I use AppLocker. See post #7 for some tips when using AdminBypass=1.
     
  6. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,351
    I see. Thanks!

    Here is my new setup:

    The ones in bold are the exceptions that I opened because of DLLs.

    If you notice, they are inside the Sandboxie box. Sandboxie is configured to block any execution that is not essential to the browser (chrome.exe, dllhost.exe etc.). I hope to be covering all possible security breaches with that combination of Sandboxie and SSRP.

    Is there a possibility to create a .reg file for these entries: https://www.wilderssecurity.com/showpost.php?p=2334555&postcount=45? It would be much easier.

    Is it best to leave this setting (creating exception for Windows, Program Files, etc.) or this way:

    Thanks and sorry for my English!
     
  7. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    @ExtremeGamerBR: it seems that these are included, whether you specify them or not in your config file:
    \windows
    \program files
    \program files (x86)

    Therefore, I believe there is no functional difference between the two configs in your last post.

    If somebody wants a .reg file for setting DLL enforcement, I could make one.

    P.S. your English seems fine :).
     
  8. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,351
    Thanks again! :thumb: :thumb: :thumb:

    I want the .reg file! This will be great!

    I am going on a trip now, but on Friday I will be here again!

    Thanks for all your help! :)
     
  9. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Create any file with .reg extension. Contents as follows:
    Code:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers]
    "TransparentEnabled"=dword:00000002

    Double-click this .reg file in Windows/File Explorer to enable SRP DLL enforcement.
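    As an added example (not code from the thread or from SSRP), here is a PowerShell check that reads the same Safer\CodeIdentifiers key the .reg file writes to, reports whether DLL enforcement and a default-deny level are in effect, and lists the path rules; it assumes the standard SRP registry layout (level subkeys 0, 131072, 262144 with Paths\<GUID> entries) and is meant to be run from an elevated prompt.

```powershell
# Added example, not from the thread or SSRP: inspect the machine-level SRP
# policy and report DLL enforcement (TransparentEnabled=2), default level,
# scope and path rules. Assumes the standard Safer\CodeIdentifiers layout.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Security-level subkeys used by SRP: 0 = Disallowed, 131072 = Basic User, 262144 = Unrestricted
$levelNames = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

if (-not (Test-Path $base)) {
    Write-Output "No machine SRP policy found at $base"
    return
}
$ci = Get-ItemProperty -Path $base

$default = 'not set'
if ($null -ne $ci.DefaultLevel) {
    $lvl = [int]$ci.DefaultLevel
    $default = if ($levelNames.ContainsKey($lvl)) { $levelNames[$lvl] } else { "unknown ($lvl)" }
}
$dll = switch ([int]$ci.TransparentEnabled) {
    2       { 'all software files, DLLs included' }
    1       { 'executables only, DLLs skipped' }
    default { 'not set' }
}
$scope = if ([int]$ci.PolicyScope -eq 1) { 'all users except local administrators' } else { 'all users' }

Write-Output "Default level : $default"
Write-Output "Enforcement   : $dll"
Write-Output "Applies to    : $scope"
if ([int]$ci.TransparentEnabled -ne 2) {
    Write-Output 'Note: DLL enforcement is off, so a DLL loaded from a disallowed path is not blocked.'
}
if ($default -ne 'Disallowed') {
    Write-Output 'Note: default level is not Disallowed, so SRP is not acting as a whitelist.'
}

# Path rules live under <level>\Paths\<GUID>; ItemData holds the path,
# Description the optional comment shown in the SRP MMC snap-in.
$rules = foreach ($level in $levelNames.Keys) {
    $paths = Join-Path $base "$level\Paths"
    if (-not (Test-Path $paths)) { continue }
    Get-ChildItem -Path $paths | ForEach-Object {
        $rule = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Level       = $levelNames[$level]
            Path        = $rule.ItemData
            Description = $rule.Description
        }
    }
}
$rules | Sort-Object Level, Path | Format-Table -AutoSize
```

    Running it right after importing the .reg file should show "Enforcement : all software files, DLLs included"; the Windows and Program Files entries the thread mentions appear as Unrestricted path rules if the tool wrote them explicitly.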
     
  10. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,351
    Thank you! :thumb: :thumb: :thumb:

    Using SRP for executables and DLLs, how can the system be infected? I mean, if the viruses can't be executed in any SRP exception, how can the system be infected?

    Do the viruses that exploit Java, Flash etc. also execute themselves through executables and DLLs?

    What I want to say is: in which aspect will I be vulnerable?

    I am thinking of just using SSRP and NoScript with ADP and Bitdefender Trafficlight.

    Sorry my English...

    Thanks!
     
  11. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You're welcome :).

    1. You're still vulnerable to exploits. I'd recommend using Microsoft's EMET if you're not already using it.
    2. SRP doesn't cover Java and some others.
     
  12. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,351
    You are my saviour! :thumb:

    I will add EMET to my config.

    What is your setup? I was curious now... :D
     
  13. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    If I remember to, I'll post mine in the "security setup" thread in the next few days.
     
  14. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,351
    Ok, I will wait!

    Well, I asked some questions about this program through the site, and here is the answer:

    These guys are awesome! :thumb:
     
  15. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,351
    I removed Sandboxie from my setup for now, and I gave SSRP's StripMyRights a try.

    I am using:

    AppProxy=StripMyRights.exe /D /L U

    I put only Firefox, because IE isn't run with SMR.

    How can I know if an app is executed with SMR?
     
  16. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Are you using Win XP?
     
  17. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,351
    No, I am using Windows 7 HP x64.

    Thanks!
     
  18. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Do you use UAC-protected admin account? Standard account? No UAC?
     
    Last edited: Feb 9, 2014
  19. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,065
    Location:
    Canada
    If anyone's interested in governing Java processes using path rules, here's a list of Java locations for a x64 Win 7 setup, including one with wildcards...

    Code:
    "C:\Program Files (x86)\Java\jre7\bin\java.exe"
    "C:\Program Files\Java\jre7\bin\java.exe"
    "C:\Program Files\Java\jre7\bin\javaw.exe"
    "C:\Program Files (x86)\Java\jre7\bin\javaw.exe"
    "C:\Program Files\Java\jre7\bin\javaws.exe"
    "C:\Program Files (x86)\Java\jre7\bin\javaws.exe"
    "C:\Program Files (x86)\Common Files\Java\Java Update\jaucheck.exe"
    "C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe"
    "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    "C:\Windows\SysWOW64\javaw.exe"
    "C:\Users\*\AppData\Local\Temp\jre-*-iftw.exe"
     
  20. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,351
    UAC-protected admin account. :thumb:

    Thanks!
     
  21. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Then there's no need to use StripMyRights, as far as I know. That's for people running as full admin (no UAC), but who want certain programs to have limited privileges.
     
  22. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,351
    Interesting, I will not use it then. :thumb:

    I did not know that UAC has the same effect as SMR in Untrusted mode.

    By the way, is UAC still necessary even when using SSRP?

    Thanks!
     
    Last edited: Feb 9, 2014
  23. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I would highly recommend keeping UAC on even when using anti-executable protection. In fact, I recommend setting UAC to its highest (max) setting because the default setting is weak.
     
  24. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  25. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    If, for whatever reason, you decide to turn UAC off, then make sure to use AdminBypass=0, because AdminBypass=1 offers no protection with UAC off.
     