Software Restriction Policy and Windows 10 in 2020

Discussion in 'other software & services' started by xxJackxx, Feb 10, 2020.

  1. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    5,504
    Location:
    USA
    Is there any reason not to go with SRP on Windows 10 in 2020? I like the ability to use a Path rule to block an .exe file anywhere on the drive just by naming it. I did not find AppLocker to have the same flexibility. Are any of you still using it, or is there a better way to go these days?
     
  2. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,786
    Location:
    Canada
    I use SRP on Windows 10 Pro, although nowadays I almost never use Windows, opting for Linux instead. The Path rules work great, and more so if you use wildcards for the more critical directories in userspace. I'm surprised you didn't find the same flexibility with AppLocker. It should also give you the added bonus of utilizing Publisher rules, unless something has changed in Win 10.

    EDIT: You're also probably better off just using a default-deny approach, rather than blacklisting executables, but that's just my opinion.
     
  3. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    5,504
    Location:
    USA
    Thanks for the response. It seems on further investigation (I had not tried to use AppLocker in the past due to the extensive rules we already had set up in SRP) that it does not function on Windows 10 Pro, despite being available to set up with no warning that it is useless. As SRP still seems to function, it gives me a clear direction forward. Now for the tedious job of setting up the rules I want to roll out. :eek:
     
  4. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,786
    Location:
    Canada
    If you plan on enforcing DLLs as well as executables, you will want to set up advanced logging in the registry, which is easily done as explained in the link:

    https://www.itprotoday.com/security/q-how-can-we-verify-software-restriction-policy-srp-rule-we-defined-one-our-applications

    This will log any disallowed DLLs. It is a tedious job to properly allow only what's required in a default-deny policy, though it will give you far better security than a blacklisting approach. Some examples of "tedious" path rules I have for unrestricted DLLs:

    Code:
    C:\Users\username\AppData\Local\Temp\????????-????-????-????-????????????\DismCorePS.dll
    C:\Users\username\AppData\Local\Temp\????????-????-????-????-????????????\dismhost.exe
    C:\Users\username\AppData\Local\Temp\????????-????-????-????-????????????\Dismprov.dll
    C:\Users\username\AppData\Local\Temp\????????-????-????-????-????????????\OSProvider.dll
    
    C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{*}\*.dll
    C:\ProgramData\Microsoft\Windows Defender\Offline Scanner\*.dll
    C:\ProgramData\Microsoft\Windows Defender\Offline Scanner\*.exe
    C:\ProgramData\Microsoft\Windows Defender\platform\*.*.*.*\*.dll
    C:\ProgramData\Microsoft\Windows Defender\platform\*.*.*.*\*.exe
    C:\ProgramData\Microsoft\Windows Defender\platform\*.*.*.*\X86\*.dll
    C:\ProgramData\Microsoft\Windows Defender\Scans\*.bin
    C:\ProgramData\Microsoft\Windows Defender\Scans\*.bin.*
    C:\ProgramData\Microsoft\Windows Defender\Scans\*.exe
    C:\ProgramData\Microsoft\Windows Defender\Scans\MsMpEngSvc.dll
    C:\ProgramData\Microsoft\Windows Defender\Support\*.bin
    C:\ProgramData\Synaptics\Intel(R)_SGX_Windows_x64_PSW_*.exe
    C:\Users\username\AppData\Local\*\Engine\HostAppServiceUpdater.exe
    I replaced my actual user name with "username". There are several more than these, especially for OneDrive. For better granularity, I started using the "?" instead of the "*" in some of my more recent rules. It's a work in progress.
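An added example, not from this thread, in Python: an approximate matcher for SRP-style path rules in the wildcard form used in the post above, so a rule set can be checked against candidate paths before rolling it out. Assumed (not verified against SRP itself): `*` and `?` match within one path component only, comparison is case-insensitive, a folder rule covers everything beneath it, and the longest matching rule wins; confirm the real behaviour on your own system with the logging described.

```python
import re

# Constructed rule set, modelled on the path rules quoted above.
# Value is the security level SRP would apply to matching paths.
RULES = {
    r"C:\Users\username\AppData\Local\Temp": "Disallowed",
    r"C:\Users\username\AppData\Local\Temp\????????-????-????-????-????????????\dismhost.exe": "Unrestricted",
    r"C:\ProgramData\Microsoft\Windows Defender\platform\*.*.*.*\*.dll": "Unrestricted",
    r"C:\Users\username\AppData\Local\*\Engine\HostAppServiceUpdater.exe": "Unrestricted",
}
DEFAULT_LEVEL = "Disallowed"  # default-deny, as recommended in the thread


def rule_to_regex(rule: str) -> re.Pattern:
    """Translate an SRP-style path rule into a compiled regex.

    Assumption: '*' and '?' never cross a backslash, so a wildcard only
    covers a single path component (e.g. one version folder or one file).
    """
    parts = []
    for ch in rule:
        if ch == "*":
            parts.append(r"[^\\]*")
        elif ch == "?":
            parts.append(r"[^\\]")
        else:
            parts.append(re.escape(ch))
    # A rule naming a folder also covers everything below it.
    return re.compile("^" + "".join(parts) + r"(\\.*)?$", re.IGNORECASE)


def matching_rules(path: str, rules=RULES) -> list:
    """Return every rule whose pattern matches the given path."""
    return [r for r in rules if rule_to_regex(r).match(path)]


def effective_level(path: str, rules=RULES, default=DEFAULT_LEVEL) -> str:
    """Resolve the level SRP would apply: most specific (longest) rule wins.

    This precedence is an approximation of SRP's 'more specific rule wins'.
    """
    hits = matching_rules(path, rules)
    if not hits:
        return default
    return rules[max(hits, key=len)]
```

Note that a version folder rule such as `platform\*.*.*.*\*.dll` does not reach into `platform\<version>\X86\`, which is why the post needs a separate rule for that subfolder.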
     