Software Policy: use Software Restriction Policies on any Windows edition (free)

Discussion in 'other anti-malware software' started by MrBrian, Jan 26, 2014.

  1. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,315
    Thanks! :thumb:

    I will keep UAC. :)
     
  2. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  3. DX2

    DX2 Guest

    How would I allow programs from my internal storage drive? I added it to the custom policy part.

    ; G:\Sage=1

    What am i doing wrong?
     
  4. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    The semicolon indicates that the line is a comment only and isn't in effect. What is the volume letter of your internal storage drive?
     
  5. DX2

    DX2 Guest

    Volume F
     
  6. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Add this line in the [CustomPolicies] section (assuming you want everything in F to be executable):
    f:\=1
     
  7. DX2

    DX2 Guest

  8. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You're welcome :).

    Does volume F contain your \windows folder also?
     
  9. DX2

    DX2 Guest

    No, just my backups and a couple of portable programs.
     
  10. DX2

    DX2 Guest

    Would running this and NVT be redundant?
     
  11. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Assuming you mean NoVirusThanks EXE Radar Pro, from reading its description I think they would be redundant.
     
  12. DX2

    DX2 Guest

    Got everything running good. Special thanks to MrBrian for walking me through this. :D
     
  13. rhabdomantist

    rhabdomantist Registered Member

    Joined:
    May 12, 2011
    Posts:
    38
    Location:
    Canada
  14. 1.1 added option to include DLL's (default off), no manual registry tweak needed anymore

    1.2 added best practice, as often shown by Mr. Brian, to lock (deny execute) folders which basic users (or limited users) have write access to. Instead of following Mr Brian's instructions (also explained in this thread), it contains a predefined set of directories

    I guess Mr. Brian has contacted the developer, or the developer has been inspired by Mr Brian's post on closing the 'write' holes in software restriction policies.

    It is only getting better :D

    Wish list to include Symantec's tweak to allow MSI to install as Admin and set default level to basic user (so medium IL processes are blocked from execution and admin is allowed to install with right click run as admin, when rules don't apply to Admin).
     
  15. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I didn't contact the developer, but another Wilders member did as a result of this thread. I didn't know about these recent changes to the software, so thanks to rhabdomantist and Windows_Security for mentioning :thumb:.

    As I recall, when I audited my UAC-protected admin account, there were a few additional locations (in addition to the ones I listed publicly) within \Windows where my UAC-protected admin account could write to when not elevated. The point: if you really want this to be airtight, you should audit your own system.
     
    Last edited: Mar 8, 2014
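    The audit MrBrian describes above (which folders under \Windows a non-elevated token can actually write to) can be scripted. The script below is an added example for this thread, not code from Software Policy or from any poster; it assumes PowerShell 3.0 or later, and it assumes that the "path=1" shape shown later in the thread is what the [Disallowed] section of softwarepolicy.ini accepts, so check that against your own ini before pasting. Run it from a plain (not "Run as administrator") PowerShell window in the account you want to audit; an elevated window would report almost everything as writable.

```powershell
# Added example; not from this thread or from the Software Policy tool.
# Audits which directories under \Windows the CURRENT token can create files in,
# by trying to create (CreateNew, never overwrite) and then delete a marker file.
# This is the same test a dropper performs, so it reflects effective rights,
# not just what the ACL text looks like.
# Run from a non-elevated PowerShell (3.0+) session in the account to audit.

param(
    [string]$Root = $env:SystemRoot,
    # Assumed output convention: the "path=1" lines the thread shows for [Disallowed].
    [string]$OutFile = (Join-Path $env:USERPROFILE 'windows-writable.txt')
)

$marker   = '.ssrp-write-probe-' + [guid]::NewGuid().ToString('N')
$writable = New-Object System.Collections.Generic.List[string]
$leftover = New-Object System.Collections.Generic.List[string]

# Root plus every subdirectory we are allowed to list; access-denied on listing
# is normal under \Windows and is silently skipped.
$dirs = @(Get-Item -LiteralPath $Root) +
        @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue)

foreach ($d in $dirs) {
    if (-not $d) { continue }
    $probe = Join-Path $d.FullName $marker
    try {
        $fs = [System.IO.File]::Open($probe, [System.IO.FileMode]::CreateNew, [System.IO.FileAccess]::Write)
        $fs.Dispose()
        $writable.Add($d.FullName)
    } catch {
        # UnauthorizedAccessException / IOException: this token cannot create files here.
        continue
    }
    # Some ACLs grant "create files" but not "delete"; record anything left behind.
    Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
    if (Test-Path -LiteralPath $probe) { $leftover.Add($probe) }
}

# SRP path rules cover subfolders, so a writable child of an already writable
# parent needs no rule of its own. Sorting puts parents before their children.
$rules = New-Object System.Collections.Generic.List[string]
foreach ($p in ($writable | Sort-Object)) {
    $covered = $false
    foreach ($a in $rules) {
        if ($p.StartsWith($a.TrimEnd('\') + '\', [System.StringComparison]::OrdinalIgnoreCase)) { $covered = $true; break }
    }
    if (-not $covered) { $rules.Add($p) }
}

$rules | ForEach-Object { "$_=1" } | Set-Content -Path $OutFile
'{0} writable directories found, {1} top-level rules written to {2}' -f $writable.Count, $rules.Count, $OutFile
Get-Content -Path $OutFile
if ($leftover.Count) { 'Marker files that could not be deleted (remove these from an elevated prompt):'; $leftover }
```

    Compare the output with the folders Software Policy already disallows and add anything missing under [Disallowed]; re-run after feature updates or new printer/driver installs, since writable folders under \Windows come and go.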
  16. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,154
    Location:
    Toronto, Canada
    MrBrian,

    As of version 1.2, the developer has added the majority of those items to the disallowed list so long as DisallowSpecificFolders=2 within the ini file. It is preset so you cannot see or change those preset ones. However, I use PGS to view the Disallowed and Allowed paths to confirm which paths the developer has added.

    Code:
    Added:
    c:\windows\Tasks=1
    c:\windows\Temp=1
    c:\windows\tracing=1
    c:\windows\debug\WIA=1
    c:\windows\Registration\CRMLog=1
    c:\windows\System32\Tasks=1
    c:\windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}=1
    c:\windows\System32\spool\PRINTERS=1
    c:\windows\System32\spool\drivers\color=1
    c:\windows\SysWOW64\FxsTmp=1
    c:\windows\SysWOW64\Tasks=1
    c:\windows\SysWOW64\com\dmp=1
    
    Not Added:
    c:\windows\System32\FxsTmp=1
    c:\windows\System32\com\dmp=1
    The list above is what I have been able to confirm through PGS. I like to use PGS along with Software Policy because it makes it easier for me to manage and view some of it. I have no idea why the developer hasn't added the other two paths within System32, even though they are suggested here on Wilders and elsewhere for hardening Windows.

    Anyways, thank you MrBrian for compiling so much great information into this thread and for sharing your knowledge with others here. It is greatly appreciated. :cool:
     
  17. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You're welcome, and thanks also for the info :).

    I don't know why they didn't add those two folders, but I'll guess they erroneously thought that those two folders are duplicates of other folders that were suggested to block execution from.
     
  18. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,154
    Location:
    Toronto, Canada
    AdminBypass=1 doesn't seem to work correctly for me with my specific setup.

    I always use my Standard User Account. Whenever I install a program, I simply right-click the installer and elevate using Run as Administrator and type in the password of my Admin account. However, even using AdminBypass=1 the installers are blocked by SRP. In theory, I thought that this should work. But instead I have to Unlock the policy before running installers still.

    Would I have to log out of my Standard account and log into the Admin account to be able to run installers without Unlocking the policy? I was hoping that AdminBypass=1 would do the trick.
     
  19. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    @WildByDesign: I'm surprised too. Can you try one of those installers in your admin account and report what happens?
     
  20. guest

    guest Guest

    Just when I was about to search this thread. Thanks for bringing this up, making it easier for me to find. I wanted to enable SRP in my mother's Windows 8 Standard laptop, but PGS threw errors. I only have less than a week before her deadline, so hopefully SSRP will work.
     
  21. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,154
    Location:
    Toronto, Canada
    I tried running installers within my admin account as well, and they were blocked by policy too. I had to specifically use the Unlock option to be able to run the installers. I thought for sure it would work in my admin account at least with the AdminBypass=1 option. Therefore, I must be doing something wrong or made some sort of mistake. I'll copy and paste my softwarepolicy.ini contents here just in case somebody here can spot an error.
    Code:
    ; Software Policy inifile 
    
    [LimitedApps]
    ; Run these apps with limited privileges, such that they can typically only save files to the user-profile,
    ; and not into system-folders. Note this section is only useful if the user is a local admin. 
    ; Enter the (case-sensitive) window-title of the app = the exe filename (case-insensitive) alone, no path.
    ; For best security you should include all Internet-facing software here, especially browsers etc 
    ; UNLESS you find the software has issues with running restricted. BTW, Mozilla software runs fine this way. 
    ; Mozilla Firefox=Firefox.exe
    ; Opera=opera.exe
    ; SeaMonkey=seamonkey.exe
    ; Note that IE is one of the more vulnerable apps, BUT may malfunction if run restricted. Your call on that one!
    ; Best advice is to restrict it (remove the semicolon below) and use an alternative instead. 
    ; Microsoft Internet Explorer=iexplore.exe 
    
    [CustomPolicies]
    ; Add extra locations from which software can be run: 
    ; (LAN users note - drive mappings are accepted, but may need a manual policy update if they are changed.) 
    ; C:\Sage=1
    ; \\server=1
    ; \\server2\share=1
    ; J:\=1
    Q:\140066.enu\Office14\*.exe=1
    *.gimp-2.8\plug-ins\*.exe=1
    *.gimp-2.8\plug-ins\_gmic\*.exe=1
    *PGS_v1\PGS.exe=1
    *Office 2010 Starter Offline Setup Tool v1.4.exe=1
    *CryptoPrevent.exe=1
    
    [AdminMenu]
    ; Provides a tray-menu of useful functions. Use as you wish, or remove if not wanted.  
    ; For local admins, these always run unrestricted. 
    ; (C:\)=explorer.exe C:\
    ; Control Panel=control.exe
    ; Printers and Faxes=control printers
    ; Network Connections=ncpa.cpl
    ; Computer Management=compmgmt.msc
    ; Disk Management=diskmgmt.msc
    ; Registry Editor=regedit.exe
    ; Task Manager=taskmgr.exe
    ; Windows Firewall=firewall.cpl
    ; Command Prompt=cmd.exe
    ; Salamander=salamand.exe
    
    ; *********************************************************
    ; Items below here mostly don't need changing. 
    
    [General]
    ; Allow the system-tray applet to be closed:
    AllowExit=1
    
    ; Require a password to unlock the policy or use admin-menu shortcuts:
    ; 1=any password, 2=Admin-level password only
    AdminMenuPasswordLevel=0
    
    ; Minutes to remain in unlocked mode whilst installing software:
    ; (a reboot restarts the timer if it has not expired) 
    UnlockTimeout=30
    
    ; Time during which you don't need to repeat the password for admin functions: 
    PasswordRetention=5 
    
    ; Do we limit the rights of specified applications to change system files?  
    ; No if 0, in which case LimitedApps config section does nothing. 
    ; Yes if 1, Limited Apps are run as a restricted user when in locked mode. 
    ; Yes if 2, Limited Apps are ALWAYS run as a restricted user.
    LimitedApps=0 
    
    ;Limit primary instance of Explorer (the desktop itself) Not presently implemented so should be 0.
    LimitedUser=0
    
    ; Show install/uninstall items on traymenu (not needed if installer is used) 
    ShowInstallOptions=0 
    
    ; Use a different restricted-rights app loader: (for advanced users only) 
    AppProxy=StripMyRights.exe /D /L N
    
    ; Minutes between automatic reload of settings. (not yet implemented)
    AutoReload=60 
    
    [SoftwarePolicy]
    ; Your list of restricted extensions, comma-separated, no spaces or fullstops - for advanced users only.  
    ; -Leave this item commented-out unless you have a pressing reason to change it. 
    ; FileExtensions=A3X,BAT,CHM,CMD,COM,CPL,CRT,EXE,HLP,HTA,INF,INS,ISP,MSC,MSI,MSP,MST,OCX,PIF,REG,SCR,SHS,VB,WSC,APPLICATION,XPI
    
    ; Allow programs to be run from desktop - NOT advised!
    AddDesktop=0
    
    ; Allow programs to be run from root folders other than userprofiles. Needed for some very old software. 
    AddRootDirs=0
    
    ; Automatically add drive letters created by a LAN login script. Generally OK on trusted networks. 
    AddMappings=0
    
    ; Bypass security for local admins. Do NOT turn this on unless user is a genuine restricted account. 
    AdminBypass=1
    
    ; Allow software to run from Temp folder in userprofile. Not wise, but needed for some badly-behaved programs.
    AddTempDir=0
    
    ; Convert drive letters in CustomPolicies section into UNC path permissions. Unfortunately necessary as policies don't directly support mappings. 
    TranslateMappings=0
    
    ; Control whether disallow policies may be set. A predetermined set of disallow policies exists 
    ; which match the folders under \Windows which may be writable by an ordinary user. 
    ; 0 No disallow action, 1 Disallow custom folders, 2 Disallow custom list AND predetermined system subfolders. 
    ; As from v1.11, disallow policies are controlled by lock/unlock action instead of being permanently on. 
    DisallowSpecificFolders=2
    
    ; Control where dynamic link libraries can be launched from, as well as executables:
    ; Note that this has a performance hit, therefore only use where max security is needed.  
    IncludeDLLs=0
    
    [Safety]
    ; Ensure that Windows system components can always be launched.
    ; Do NOT change this item unless you understand the implications!
    AlwaysAllowSystemFolders=1
    
    [Disallowed]
    ; Add paths or executables which should never be run. 
    ; Wildcards allowed. Be careful here as mistakes could cause problems. 
    ; Note that this list is ignored unless DisallowSpecificFolders is non-zero
    
     
  22. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    @WildByDesign: I didn't see anything wrong. Try making a trivial change to that file, making sure that Software Policy reapplies the policies. Then reboot. Then test again. If that doesn't work, perhaps there's a bug in the newer version of Software Policy.
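    A direct way to check both open questions in this thread, whether AdminBypass=1 took effect and what the tool's hidden predetermined disallow list (which WildByDesign inspected with PGS above) really contains, is to read the Software Restriction Policy straight from the registry rather than trusting the ini. The script below is an added example, not code from the thread or from Software Policy. It assumes the tool stores its rules in the standard Safer\CodeIdentifiers location and implements AdminBypass through SRP's PolicyScope value, which is the only mechanism SRP offers for exempting local administrators; if PolicyScope reads 0 while the ini says AdminBypass=1, the setting was not applied, which is the first thing to rule out before suspecting a bug.

```powershell
# Added example; not from this thread or from the Software Policy tool.
# Dumps the Software Restriction Policy actually in effect by reading SRP's
# registry store (Safer\CodeIdentifiers). Reading it needs no elevation.
# Assumption: Software Policy's AdminBypass maps to SRP's PolicyScope value.
# HKCU is included because SRP can also be configured per user.

$levelNames = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }
$scopeNames = @{ 0 = 'all users'; 1 = 'all users EXCEPT local administrators' }
$transNames = @{ 0 = 'not enforced'; 1 = 'executables only'; 2 = 'executables AND DLLs' }

# Render a DWORD with its meaning, tolerating a missing value.
function Describe-Flag([object]$v, [hashtable]$names) {
    if ($null -eq $v) { return 'not set' }
    if ($names.ContainsKey([int]$v)) { "$v ($($names[[int]$v]))" } else { "$v (unknown)" }
}

function Show-SrpPolicy([string]$Hive) {
    $base = "${Hive}:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
    if (-not (Test-Path -Path $base)) { "$Hive : no SRP policy present"; return }
    $ci = Get-ItemProperty -Path $base

    "=== $base ==="
    'DefaultLevel       : ' + (Describe-Flag $ci.DefaultLevel $levelNames)
    'TransparentEnabled : ' + (Describe-Flag $ci.TransparentEnabled $transNames)
    'PolicyScope        : ' + (Describe-Flag $ci.PolicyScope $scopeNames)
    if ($ci.ExecutableTypes) { 'ExecutableTypes    : ' + ($ci.ExecutableTypes -join ',') }

    # Path rules live under <level>\Paths\<GUID>; ItemData holds the path pattern.
    foreach ($lvl in 0, 131072, 262144) {
        $paths = Join-Path $base "$lvl\Paths"
        if (-not (Test-Path -Path $paths)) { continue }
        ''
        '--- {0} path rules ---' -f $levelNames[$lvl]
        Get-ChildItem -Path $paths | ForEach-Object {
            $r = Get-ItemProperty -Path $_.PSPath
            '{0,-70} flags={1} {2}' -f $r.ItemData, $r.SaferFlags, $r.Description
        } | Sort-Object
    }
}

Show-SrpPolicy HKLM
Show-SrpPolicy HKCU
```

    Run it once while the policy is locked and once after Unlock; the difference shows which rules the tool toggles (the ini comment says the disallow rules follow lock/unlock as of v1.11). TransparentEnabled=2 confirms IncludeDLLs=1 took effect; the Disallowed list is where the predetermined \Windows subfolders should appear.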
     
  23. talker

    talker Registered Member

    Joined:
    May 24, 2014
    Posts:
    4
    Hello, How do you use Simple Software-Restriction Policy in standard user account ? Thank you.
     
  24. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Welcome to Wilders :).

    Are you having a specific problem when used with a standard user account? Or are you asking about what differences one should consider when using it with a standard user account?
     
  25. talker

    talker Registered Member

    Joined:
    May 24, 2014
    Posts:
    4
    Well, every time I log in to the standard account, SRP asks me for the admin password. It's not very practical. Another question: I understand that even when SRP is off, the SRP policy is applied. But is it possible to make sure that the policy is applied only to the user account and not the admin account?
     