Software Policy: use Software Restriction Policies on any Windows edition (free)

Thanks!

I will keep UAC.

 

You're welcome .

Lesson 2: Understanding User Account Control (UAC)

 

How would i allow programs from my internal storage drive? I added it to the custom policy part.

; G:\Sage=1

What am i doing wrong?

 

The semicolon indicates that the line is a comment only and isn't in effect. What is the volume letter of your internal storage drive?

 

Volume F

 

Add this line in the [CustomPolicies] section (assuming you want everything in F to be executable):
f:\=1

 

Ty

 

You're welcome .

Does volume F contain your \windows folder also?

 

No, just my backups and a couple of portable programs.

 

Would running this and NVT be redundant?

 

Assuming you mean NoVirusThanks EXE Radar Pro, from reading its description I think they would be redundant.

 

Got everything running good. Special thanks to MrBrian for walking me through this.

 

Has anyone had a chance to check out the latest v.1.2?
http://sourceforge.net/projects/softwarepolicy/files/

 

1.1 added option to include DLL's (default off), no manual registry tweak needed anymore

1.2 added best practice as showed often by Mr. Brian to lock (deny execute) folders which basic users (or limited users) have write access to. In stead of following's Mr Brian's instructions (also explained in this thread), it contains a predefined set of directories

I guess Mr. Brian has contacted developer of the developer has been inspired by Mr Brian's post on closing the 'write' holes in software restriction policies.

It is only getting better

Wish list to include Symantec's tweak to allow MSI to install as Admin and set default level to basic user (so medium IL processes are blocked from execution and admin is allowed to install with right click run as admin, when rules don't apply to Admin).

 

I didn't contact the developer, but another Wilders member did as a result of this thread. I didn't know about these recent changes to the software, so thanks to rhabdomantist and Windows_Security for mentioning .

As I recall, when I audited my UAC-protected admin account, there were a few additional locations (in addition to the ones I listed publicly) within \Windows where my UAC-protected admin account could write to when not elevated. The point: if you really want this to be airtight, you should audit your own system.

 

MrBrian,

As of version 1.2, the developer has added the majority of those items to the disallowed list so long as DisallowSpecificFolders=2 within the ini file. It is preset so you cannot see or change those preset ones. However, I use PGS to view the Disallowed and Allowed paths to confirm which paths the developer has added.

Code:

Added:
c:\windows\Tasks=1
c:\windows\Temp=1
c:\windows\tracing=1
c:\windows\debug\WIA=1
c:\windows\Registration\CRMLog=1
c:\windows\System32\Tasks=1
c:\windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}=1
c:\windows\System32\spool\PRINTERS=1
c:\windows\System32\spool\drivers\color=1
c:\windows\SysWOW64\FxsTmp=1
c:\windows\SysWOW64\Tasks=1
c:\windows\SysWOW64\com\dmp=1

Not Added:
c:\windows\System32\FxsTmp=1
c:\windows\System32\com\dmp=1

The list above is what I have been able to confirm through PGS. I like to use PGS along with Software Policy because it makes it easier for me to manage and view some of it. I have no idea why the developer hasn't added the other two paths within System32 though even though they are suggested here on Wilders and elsewhere for hardening Windows.

Anyways, thank you MrBrian for compiling so much great information into this thread and for sharing your knowledge with others here. It is greatly appreciated.

 

You're welcome, and thanks also for the info .

I don't know why they didn't add those two folders, but I'll guess they erroneously thought that those two folders are duplicates of other folders that were suggested to block execution from.

 

AdminBypass=1 doesn't seem to work correctly for me with my specific setup.

I always use my Standard User Account. Whenever I install a program, I simply right-click the installer and elevate using Run as Administrator and type in the password of my Admin account. However, even using AdminBypass=1 the installers are blocked by SRP. In theory, I thought that this should work. But instead I have to Unlock the policy before running installers still.

Would I have to log out of my Standard account and log into the Admin account to be able to run installers without Unlocking the policy? I was hoping that AdminBypass=1 would do the trick.

 

@WildByDesign: I'm surprised too. Can you try one of those installers in your admin account and report what happens?

 

Just when I was about to search this thread. Thanks for bringing this up, making it easier for me to find. I wanted to enable SRP in my mother's Windows 8 Standard laptop, but PGS threw errors. I only have less than a week before her deadline, so hopefully SSRP will work.

 

I tried running any installers within my admin account as well and it was blocked by policy as well. I had to specifically use the Unlock option to be able to run the installers. I thought for sure it would work in my admin account at least with the AdminBypass=1 option. Therefore, I must be doing something wrong or made some sort of mistake. I'll copy and paste my softwarepolicy.ini contents here just in case somebody here can spot an error.

Code:

; Software Policy inifile 

[LimitedApps]
; Run these apps with limited priveleges, such that they can typically only save files to the user-profile,
; and not into system-folders. Note this section is only useful if the user is a local admin. 
; Enter the (case-sensitive) window-title of the app = the exe filename (case-insensitive) alone, no path.
; For best security you should include all Internet-facing software here, especially browsers etc 
; UNLESS you find the software has issues with running restricted. BTW, Mozilla software runs fine this way. 
; Mozilla Firefox=Firefox.exe
; Opera=opera.exe
; SeaMonkey=seamonkey.exe
; Note that IE is one of the more vulnerable apps, BUT may malfunction if run restricted. Your call on that one!
; Best advice is to restrict it (remove the semicolon below) and use an alternative instead. 
; Microsoft Internet Explorer=iexplore.exe 

[CustomPolicies]
; Add extra locations from which software can be run: 
; (LAN users note - drive mappings are accepted, but may need a manual policy update if they are changed.) 
; C:\Sage=1
; \\server=1
; \\server2\share=1
; J:\=1
Q:\140066.enu\Office14\*.exe=1
*.gimp-2.8\plug-ins\*.exe=1
*.gimp-2.8\plug-ins\_gmic\*.exe=1
*PGS_v1\PGS.exe=1
*Office 2010 Starter Offline Setup Tool v1.4.exe=1
*CryptoPrevent.exe=1

[AdminMenu]
; Provides a tray-menu of useful functions. Use as you wish, or remove if not wanted.  
; For local admins, these always run unrestricted. 
; (C:\)=explorer.exe C:\
; Control Panel=control.exe
; Printers and Faxes=control printers
; Network Connections=ncpa.cpl
; Computer Management=compmgmt.msc
; Disk Management=diskmgmt.msc
; Registry Editor=regedit.exe
; Task Manager=taskmgr.exe
; Windows Firewall=firewall.cpl
; Command Prompt=cmd.exe
; Salamander=salamand.exe

; *********************************************************
; Items below here mostly don't need changing. 

[General]
; Allow the system-tray applet to be closed:
AllowExit=1

; Require a password to unlock the policy or use admin-menu shortcuts:
; 1=any password, 2=Admin-level password only
AdminMenuPasswordLevel=0

; Minutes to remain in unlocked mode whilst installing software:
; (a reboot restarts the timer if it has not expired) 
UnlockTimeout=30

; Time during which you don't need to repeat the password for admin functions: 
PasswordRetention=5 

; Do we limit the rights of specified applications to change system files?  
; No if 0, in which case LimitedApps config section does nothing. 
; Yes if 1, Limited Apps are run as a restricted user when in locked mode. 
; Yes if 2, Limited Apps are ALWAYS run as a restricted user.
LimitedApps=0 

;Limit primary instance of Explorer (the desktop itself) Not presently implemented so should be 0.
LimitedUser=0

; Show install/uninstall items on traymenu (not needed if installer is used) 
ShowInstallOptions=0 

; Use a different restricted-rights app loader: (for advanced users only) 
AppProxy=StripMyRights.exe /D /L N

; Minutes between automatic reload of settings. (not yet implemented)
AutoReload=60 

[SoftwarePolicy]
; Your list of restricted extensions, comma-separated, no spaces or fullstops - for advanced users only.  
; -Leave this item commented-out unless you have a pressing reason to change it. 
; FileExtensions=A3X,BAT,CHM,CMD,COM,CPL,CRT,EXE,HLP,HTA,INF,INS,ISP,MSC,MSI,MSP,MST,OCX,PIF,REG,SCR,SHS,VB,WSC,APPLICATION,XPI

; Allow programs to be run from desktop - NOT advised!
AddDesktop=0

; Allow programs to be run from root folders other than userprofiles. Needed for sone very old software. 
AddRootDirs=0

; Automatically add drive letters created by a LAN login script. Generally OK on trusted networks. 
AddMappings=0

; Bypass security for local admins. Do NOT turn this on unless user is a genuine restricted account. 
AdminBypass=1

; Allow software to run from Temp folder in userprofile. Not wise, but needed for some badly-behaved programs.
AddTempDir=0

; Convert drive letters in CustomPolicies section into UNC path permissions. Unfortunately necessary as polices don't directly support mappings. 
TranslateMappings=0

; Control whether disallow policies may be set. A predetermined set of disallow policies exists 
; which match the folders under \Windows which may be writable by an ordinary user. 
; 0 No disallow action, 1 Disallow custom folders, 2 Disallow custom list AND predetermined system subfolders. 
; As from v1.11, disallow policies are controlled by lock/unlock action instead of being permanently on. 
DisallowSpecificFolders=2

; Control where dynamic link libraries can be launched from, as well as executables:
; Note that this has a performance hit, therefore only use where max security is needed.  
IncludeDLLs=0

[Safety]
; Ensure that Windows system components can always be launched.
; Do NOT change this item unless you understand the implications!
AlwaysAllowSystemFolders=1

[Disallowed]
; Add paths or executables which should never be run. 
; Wildcards allowed. Be careful here as mistakes could cause problems. 
; Note that this list is ignored unless DisallowSpecificFolders is non-zero

 

@WildByDesign: I didn't see anything wrong. Try making a trivial change to that file, making sure that Software Policy reapplies the policies. Then reboot. Then test again. If that doesn't work, perhaps there's a bug in the newer version of Software Policy.

 

Hello, How do you use Simple Software-Restriction Policy in standard user account ? Thank you.

 

Welcome to Wilders .

Are you having a specific problem when used with a standard user account? Or are you asking about what differences one should consider when using it with a standard user account?

 

Well, everytime I log in standard account, SRP ask me for the admin password. It's not very practical. Another question : I understand that even when SRP is off, the SRP policy is applied. But is it possible to make sure that the policy is applied only for user account and not the admin account ?