Software Restriction Policies: Which directories to open up?

Discussion in 'other security issues & news' started by wearetheborg, Dec 18, 2010.

Thread Status:
Not open for further replies.
  1. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    When installing programs, sometimes the installer writes to locations other than Program Files etc. during installation.

    Which directories should be opened up temporarily during installation of new programs?
     
  2. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,108
    Location:
    Sofa (left side)
    Absolutely right. Install as Admin and make sure your Admin account is excluded from the SRP.
     
  3. Sadeghi85

    Sadeghi85 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    747
    Sorry, I deleted my post because I thought I misunderstood the OP.
     
  4. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    Hmmm...currently I do install as admin, but just before installing introduce a C: allow rule. I guess temporarily excluding admins from SRP is better. Allowing a temp directory would be even better :D
     
  5. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,108
    Location:
    Sofa (left side)
    No, I mean always exclude local admins from SRP. Set your SRP up as per http://mechbgon.com/srp/
     
  6. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    I'm a bit scared to always exclude admins from SRP :D ...the tighter the SRP policy the better :)
     
  7. Greg S

    Greg S Registered Member

    Joined:
    Mar 1, 2009
    Posts:
    1,039
    Location:
    A l a b a m a
    You need to turn it on and off at will.

    SrpOff.bat
    Code:
    REM DefaultLevel 0x40000 = Unrestricted: SRP is effectively switched off
    REG ADD HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers /v DefaultLevel /t REG_DWORD /d 0x00040000 /f
    SrpOn.bat
    Code:
    REM DefaultLevel 0 = Disallowed: SRP is enforcing again
    REG ADD HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers /v DefaultLevel /t REG_DWORD /d 0x00000000 /f
    If you have to, place the two bat files in a folder and make an allow rule for the folder or create a hash rule for each bat file. Using the above allows you to keep Admins covered and the only time it's off is when you turn it off. Just don't forget to turn it back on.
     
    Last edited: Dec 24, 2010
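The two REG ADD lines above flip SRP's DefaultLevel by hand and rely on you remembering to flip it back. As an added example (not code from the thread or from any of its posters), the PowerShell below wraps the same registry write in functions that read the value back after writing it, report the other SRP-wide settings alongside it, and re-enable SRP in a `finally` block so a failed or cancelled installer cannot leave the policy off. It must be run from an elevated prompt because the key lives under HKLM. The meanings given for PolicyScope and TransparentEnabled are the standard SRP values as I know them, not something the thread states.

```powershell
# Added example: guarded on/off switch for SRP around a single installer run.
# Same registry value Greg S's SrpOff/SrpOn batch files write, plus read-back.
$SaferKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# DefaultLevel values SRP understands: 0 = Disallowed, 0x40000 (262144) = Unrestricted.
# (0x1000 = Basic User also exists; the thread only uses the two above.)
$Disallowed   = 0
$Unrestricted = 0x40000

function Get-SrpState {
    # Returns the SRP-wide settings, or 'NotConfigured' for any that are absent.
    $p = Get-ItemProperty -Path $SaferKey -ErrorAction SilentlyContinue
    $level = switch ($p.DefaultLevel) {
        0       { 'Disallowed' }
        0x40000 { 'Unrestricted' }
        $null   { 'NotConfigured' }
        default { ('Unknown(0x{0:X})' -f $p.DefaultLevel) }
    }
    [pscustomobject]@{
        DefaultLevel       = $level
        # PolicyScope: 0 = all users, 1 = all users except local administrators (assumed standard meaning)
        ExcludesLocalAdmins = ($p.PolicyScope -eq 1)
        # TransparentEnabled: 1 = all software files except libraries, 2 = libraries too (assumed standard meaning)
        EnforcementLevel   = $p.TransparentEnabled
    }
}

function Set-SrpDefaultLevel([int]$Level) {
    if (-not (Test-Path $SaferKey)) { New-Item -Path $SaferKey -Force | Out-Null }
    Set-ItemProperty -Path $SaferKey -Name DefaultLevel -Value $Level -Type DWord
    # Read back rather than trusting the write succeeded.
    $now = (Get-ItemProperty -Path $SaferKey -Name DefaultLevel).DefaultLevel
    if ($now -ne $Level) { throw "DefaultLevel is $now, expected $Level" }
}

function Disable-Srp { Set-SrpDefaultLevel $Unrestricted }  # equivalent of SrpOff.bat
function Enable-Srp  { Set-SrpDefaultLevel $Disallowed }    # equivalent of SrpOn.bat

# Run one installer with SRP off and always turn it back on, even if the
# installer throws, is cancelled, or returns a non-zero exit code.
function Invoke-WithSrpDisabled([string]$InstallerPath) {
    if (-not (Test-Path $InstallerPath)) { throw "Installer not found: $InstallerPath" }
    Write-Host ('SRP before: ' + (Get-SrpState).DefaultLevel)
    Disable-Srp
    try {
        $proc = Start-Process -FilePath $InstallerPath -Wait -PassThru
        Write-Host "Installer exit code: $($proc.ExitCode)"
    } finally {
        Enable-Srp
        Write-Host ('SRP after:  ' + (Get-SrpState).DefaultLevel)
    }
}

# Usage (assumed installer path):
# Invoke-WithSrpDisabled 'D:\setup\SomeInstaller.exe'
Get-SrpState
```

Because the script itself has to launch while SRP is still enforcing, it needs the same treatment the thread gives the batch files: keep it in a folder covered by an allow rule, or add a hash rule for it.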
  8. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,709
    If you're using LUA, then you shouldn't be scared imo. But if you do, why not set an "installer" directory with a random folder name, not located on the system drive, and make sure that it's set as a different path from your "downloads" directory. Ensure that no files of a dubious nature are located there - leave all your other downloads in your "downloads" directory.

    If you're on XP, then it's wise to use that as only a temporary directory, unless you are on LUA and use SuRun. If on Vista/7, then you may set it as a permanent path rule - UAC would prompt you when you try to launch a file, either in admin-approval mode (just click OK) or with credential (if you're on LUA). I think that is a better idea than to fully turn off SRP but that's my own perception of things. So far, I've never needed to turn off SRP to install any programs.
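safeguy's suggestion is a permanent Unrestricted path rule for one dedicated installer folder. As an added example (not from the thread), the PowerShell below writes that rule in the same registry layout the Local Security Policy snap-in uses (a GUID-named key under `CodeIdentifiers\262144\Paths` holding `ItemData`, `SaferFlags`, `Description` and `LastModified`), refuses to create a duplicate, lists the path rules at both levels so you can audit them, and locks the folder's ACL down so a limited user cannot write into it. The folder name `D:\inst-7f3a9c` is an assumed placeholder; choose your own random name off the system drive. Run elevated.

```powershell
# Added example: create and audit an SRP Unrestricted path rule for a
# dedicated installer directory. Registry layout mirrors what secpol.msc writes.
$InstallerDir = 'D:\inst-7f3a9c'   # assumption: your own unguessable folder, not Downloads
$SaferKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Unrestricted = '262144'           # subkey name for the Unrestricted level (0x40000)
$Disallowed   = '0'                # subkey name for the Disallowed level

function Add-SrpPathRule([string]$Path, [string]$Description) {
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    $rules = Join-Path $SaferKey "$Unrestricted\Paths"
    if (-not (Test-Path $rules)) { New-Item -Path $rules -Force | Out-Null }
    # Do not add a second rule for a path that already has one.
    $existing = Get-ChildItem $rules | Where-Object { (Get-ItemProperty $_.PSPath).ItemData -eq $Path }
    if ($existing) { return $existing.PSChildName }
    $guid = '{' + [guid]::NewGuid().ToString() + '}'
    $key  = New-Item -Path (Join-Path $rules $guid) -Force
    New-ItemProperty -Path $key.PSPath -Name ItemData     -Value $Path        -PropertyType ExpandString | Out-Null
    New-ItemProperty -Path $key.PSPath -Name SaferFlags   -Value 0            -PropertyType DWord        | Out-Null
    New-ItemProperty -Path $key.PSPath -Name Description  -Value $Description -PropertyType String       | Out-Null
    New-ItemProperty -Path $key.PSPath -Name LastModified -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -PropertyType QWord | Out-Null
    return $guid
}

function Get-SrpPathRules {
    # Every path rule at both levels, so an accidental "Unrestricted C:\" stands out.
    foreach ($level in $Disallowed, $Unrestricted) {
        $name = if ($level -eq $Disallowed) { 'Disallowed' } else { 'Unrestricted' }
        Get-ChildItem (Join-Path $SaferKey "$level\Paths") -ErrorAction SilentlyContinue | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            [pscustomobject]@{ Level = $name; Path = $p.ItemData; Description = $p.Description; Rule = $_.PSChildName }
        }
    }
}

# An Unrestricted path rule is only as safe as the folder's ACL: anything that
# lands there runs. Stop inheritance and allow writes to Administrators/SYSTEM only.
function Protect-InstallerDir([string]$Path) {
    $acl = Get-Acl $Path
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting and drop inherited ACEs
    foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
    }
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        'BUILTIN\Users', 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
    Set-Acl -Path $Path -AclObject $acl
}

Add-SrpPathRule -Path $InstallerDir -Description 'Installer staging folder (added example)'
Protect-InstallerDir $InstallerDir
Get-SrpPathRules | Format-Table -AutoSize
```

The ACL step is stricter than the workflow safeguy describes: with it in place the limited user has to elevate to copy an installer into the folder. If you leave the folder user-writable, anything already running as that user can copy itself there and run unrestricted, which is exactly the hole the path rule was supposed to close.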
     
  9. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    That is something like what I'm attempting to do. The problem is that while installing some programs (occasionally), the program, I guess, extracts to a tmp directory of its own choosing and tries to run some intermediate installer from there. This intermediate tmp file, whose location I cannot control, is what I'm trying to identify.
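Finding out where the intermediate installer was dropped is something SRP will tell you itself: every block is written to the Application event log, and an optional advanced log records every execution decision. As an added example (not from the thread), the PowerShell below pulls the recent SRP block events, extracts the blocked path from the message text, groups the results by directory, and shows how to switch the advanced log on and off via the `LogFileName` value. It assumes Vista/7 or later (`Get-WinEvent` is not available on XP) and the event IDs listed in the comments, which are the SRP block events as I know them; 865, the default-level block, is the one an installer's temp-extracted stub will normally produce. Run elevated to change the registry value; reading the log does not need elevation.

```powershell
# Added example: locate the temp path an installer stub was blocked from.
$SaferKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Assumed SRP block event IDs (Application log): 865 default level, 866 path rule,
# 867 certificate rule, 868 zone rule, 882 hash rule.
$SrpBlockIds = 865, 866, 867, 868, 882

function Get-SrpBlocks([int]$Minutes = 30) {
    $since = (Get-Date).AddMinutes(-$Minutes)
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = $SrpBlockIds; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Message reads "Access to <path> has been restricted by your Administrator ..."
            $path = if ($_.Message -match 'Access to (.+?) has been restricted') { $Matches[1] } else { $_.Message }
            [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; Path = $path }
        }
}

function Get-SrpBlockedDirs([int]$Minutes = 30) {
    # One row per directory, most-blocked first, so the installer's temp folder is obvious.
    Get-SrpBlocks $Minutes | ForEach-Object { Split-Path $_.Path -Parent } |
        Group-Object | Sort-Object Count -Descending | Select-Object Count, Name
}

# Advanced log: every CreateProcess decision, allowed or not, one line per process.
# Leave it on only while reproducing the problem; the file grows fast.
function Enable-SrpLog([string]$LogFile = 'C:\srp.log') {   # assumed log path
    Set-ItemProperty -Path $SaferKey -Name LogFileName -Value $LogFile -Type String
}
function Disable-SrpLog {
    Remove-ItemProperty -Path $SaferKey -Name LogFileName -ErrorAction SilentlyContinue
}

# Typical session: turn the log on, run the installer until it fails, then look.
# Enable-SrpLog
# ... run the installer ...
Get-SrpBlocks | Format-Table -AutoSize
Get-SrpBlockedDirs
# Disable-SrpLog
```

Once the directory is known you can decide whether it is stable enough for a path rule (some installers use a fixed subfolder under %TEMP%) or whether, as the rest of the thread argues, installing outside the restricted account is simply the cleaner answer.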
     
  10. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    What are you afraid of? If you're in your admin account, the Windows and Program Files directories are wide open anyway. Anyhow, how often are you in your admin account? I think I log on to mine once every two or three months at the most. Try out SuRun, you can avoid your admin account almost entirely.
    For your admin account this isn't necessary. Do yourself a favor and set it up the way Scoobs suggested. Works like a charm and you won't be searching for solutions to problems that don't exist.
     
  11. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    I'm admin only to install programs/do computer management/windows update (somehow windows update has not worked with SuRun).

    I like the fact that putting admin under SRP tells me exactly when the admin account is "unprotected".
     
  12. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    That is a problem if you try to do Windows updates manually. I have it set for automatic updates and it works OK (you can use the SuRun settings to allow update notifications for all users and no automatic reboots).

    I don't understand what you are trying to do here. The admin account is inherently unprotected, which is why you are using a limited account to begin with. The idea behind using a software restriction policy (as described in the link Scoobs posted) is to mitigate user space malware while in your limited account. Using it in your admin account you're just locking the back door while the front door is wide open. At the same time, this restriction for admin accounts is causing the problems that led to your original post. That's why recommendations for SRP say to exclude admins.

    If you install software using SuRun you should have very little need to ever log on to your admin account. The results are often better because you're installing the software in your own user environment (with apps that don't give you the option to install for all users). You can also right-click the desktop and get the control panel with admin privileges. The only thing that doesn't work right there that I'm aware of is the user accounts applet.
     