Software Policy: use Software Restriction Policies on any Windows edition (free)

Discussion in 'other anti-malware software' started by MrBrian, Jan 26, 2014.

  1. guest

    guest Guest

    You can do it "manually" with rightclicking on the folder and changing of access rights in the security tab, or you can use NTFS Permission Tools:
    https://www.wilderssecurity.com/threads/ntfs-permissions-tools.390219/
    Or other 3rd-party-tools:
     
  2. zagmarfish

    zagmarfish Registered Member

    Joined:
    Feb 27, 2017
    Posts:
    10
    Location:
    europe
    Yes I know how to do that but then I have to set the permissions of the "\Start Menu\programs\Startup" folders as many times as I have user accounts.
    I'm lazy and I was looking for a way to do it with a line like "%userprofile%\appdata\[...]\programs\Startup" in srp.ini
    Too bad.
     
  3. Turing Doenitz

    Turing Doenitz Registered Member

    Joined:
    Oct 23, 2013
    Posts:
    31
    Location:
    Australia
    I am fairly new to this program, but all good on Windows Creators update. Replacing Cryptoprevent v7 for the moment .
     
  4. Turing Doenitz

    Turing Doenitz Registered Member

    Joined:
    Oct 23, 2013
    Posts:
    31
    Location:
    Australia
    I have come across a strange issue with trying to add cscript.exe and wscript.exe to disallowed apps:
    If i do the following...

    [Disallowed]
    ; Add paths or executables which should never be run.
    ; Wildcards allowed. Be careful here as mistakes could cause problems.
    ; Note that this list is ignored unless DisallowSpecificFolders is non-zero
    C:\windows\*\vssadmin.exe=0
    C:\windows\*\cipher.exe=0
    C:\windows\*\syskey.exe=0
    C:\windows\*\bcdedit.exe=0
    C:\windows\*\wscript.exe=0
    C:\windows\*\cscript.exe=0


    ...
    then running Powershell cscript.exe will be blocked while wscript will run ok.

    Now reversing the order like this...

    [Disallowed]
    ; Add paths or executables which should never be run.
    ; Wildcards allowed. Be careful here as mistakes could cause problems.
    ; Note that this list is ignored unless DisallowSpecificFolders is non-zero
    C:\windows\*\vssadmin.exe=0
    C:\windows\*\cipher.exe=0
    C:\windows\*\syskey.exe=0
    C:\windows\*\bcdedit.exe=0
    C:\windows\*\cscript.exe=0
    C:\windows\*\wscript.exe=0


    ...
    then running Powershell wscript.exe will be blocked by SRP and cscript will run ok.

    I can't work out why this is happening. It might be something obvious that I am missing.
     
  5. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
  6. Turing Doenitz

    Turing Doenitz Registered Member

    Joined:
    Oct 23, 2013
    Posts:
    31
    Location:
    Australia
    Thanks Minimalist. Your idea put me on the right track. I played around with the path names for both and discovered that if they are different to some degree then SRP will work.
    Anyway here's what i came up with:

    [Disallowed]
    ; Add paths or executables which should never be run.
    ; Wildcards allowed. Be careful here as mistakes could cause problems.
    ; Note that this list is ignored unless DisallowSpecificFolders is non-zero
    vssadmin.exe=0
    cipher.exe=0
    syskey.exe=0
    bcdedit.exe=0

    wscript.exe=0
    C:\Windows\*\cscript.exe=0


    Working now..

     
  7. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    Great to hear that you've found a working solution :thumb:
     
  8. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,872
    Question: how do I whitelist a program I want to always run. System administrator has blocked it from running.

    I figured it out - it may help others. Under custom policies, don't put the semi-colon in front of the executable to be whitelisted; just put in the executable path, save it and when the SRP asks to set the new policy active, click yes.

    Then you can test to see if the executable is now allowed after having been previously blocked by the system administrator popup.

    Worked for me! :)
     
    Last edited: Jun 13, 2017
  9. dja2k

    dja2k Registered Member

    Joined:
    Feb 15, 2005
    Posts:
    2,120
    Location:
    South Texas, USA
    Anyone have insight on how the default protection of Simple Software Restriction Policy compares to the default of CryptoPrevent?
     
  10. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    Also interested :). Have only tried the latter.
     
  11. pcalvert

    pcalvert Registered Member

    Joined:
    May 21, 2005
    Posts:
    237
    This program is one of my favorites. The only problem I recall happening is that it once blocked a Windows update from installing. I believe that it may have been a .NET Framework update, and possibly on Windows XP. Has anyone had a problem with SSRP interfering with automatic updates of various software, like Google Chrome? Now that I'm thinking about it, I definitely had another problem -- Bitdefender Free AV got thoroughly messed up because SSRP was preventing it from updating itself and I didn't know that it was happening until much later.
     
  12. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    2.2.0 released

    Link: https://sourceforge.net/projects/softwarepolicy/files/

    Details: http://softwarepolicy.sourceforge.net/manual/windows10.php

     
  13. 142395

    142395 Guest

  14. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,792
    Location:
    .
    Thanks a lot @WildByDesign
     
  15. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Likewise-Many Thanks
     
  16. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    You’re welcome. I have always been a fan of this and especially appreciative for its open source nature.
     
  17. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Indeed. As open source it also can't help but contribute as a viable and openly available alternative, especially given it's added ability to help keep the system in a constrained state complimenting and assisting alongside other security measures
     
  18. silverfang

    silverfang Registered Member

    Joined:
    Jan 18, 2016
    Posts:
    7
  19. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,639
    Location:
    Under a bushel ...
    :thumb:
    And if @WildByDesign is a fan, I'm a fan.

    Any views on how this compares with Andy Ful's Hard_Configurator?
    https://hard-configurator.com/
    I assume the latter is more 'configured', and complex ...
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.