Software Restriction Policy

Discussion in 'other security issues & news' started by cruchot, May 31, 2009.

Thread Status:
Not open for further replies.
  1. cruchot

    cruchot Registered Member

    Joined:
    Apr 20, 2009
    Posts:
    126
    Location:
    Germany
    I'm using Vista Business, SP 2, 32-bit, UAC enabled (default settings), and using a Vista user with limited rights (the one that was created during Vista installation).

    Now I've set up SRP as described here, http://www.mechbgon.com/srp/

    As all my apps are installed on D:, I've added a further path rule to allow execution from drive D:.

    So far so good.

    .txt files are linked to Notepad++ (which resides in D:\Notepad++).
    Opening a .txt on drive D: works.
    But if I now try to double-click a .txt on drive E:, starting Notepad++ aborts with an error message (something like "Scintilla could not load library").

    What's the reason? Hope you can help.
     
  2. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Are you also applying SRP to include DLLs or exclude DLLs? Might try that to start with.

    If you are denying executables but make an exception for allowing d:\..\notepad++.exe, then notepad++.exe should run. However, if you are also protecting DLLs, it might be possible that you need to open the directory for notepad++.exe, not just the executable.

    It is hard to say without seeing what your actual SRP looks like. Can you post a screenshot? It sounds like a dependency is being denied by SRP.

    Sul.
     
  3. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    478
    If it is SRP blocking something then this block should show up in the event log. Perhaps you can take a look at the event logs and see if anything in there helps to pinpoint the problem.
     
  4. tcarrbrion

    tcarrbrion Registered Member

    Joined:
    Dec 15, 2007
    Posts:
    55
    I have had errors when monitoring DLLs on Vista with SRP. If you try to open a PDF or Word document on a CD then it fails with some general error. Nothing was ever logged as blocked in the event log and it works OK on XP or on Vista without checking DLLs. I think it is a bug.
     
  5. ParadigmShift

    ParadigmShift Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    203
    You are correct tcarrbrion. Vista's SRP is buggy. It's one of the reasons I don't like Vista. I hope 7 turns out to be more stable.
     
  6. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    If you have the same setup currently, please create in CodeIdentifiers the REG_SZ value LogFileName, with the value of something like c:\logs\srplog.txt (any text file path). Then run that test and see what you find. You will see text something like this:

    Please note the above case. Normally you have a program that might look like this:
    Here you can see that vmware.exe is the actual program starting, it is allowed via an SRP ALLOW rule, and it shows its GUID. Also, all of the dependents of vmware.exe are loaded with the same rule allowing, thus the same GUID.

    But in the top example, it is run with a RunAs from a user account. Instead of the program pgs.exe being the starting thread, the process svchost.exe is actually starting; it is allowed via a GUID rule {}, and each subsequent dependency that pgs.exe uses is allowed, but is inherited from some other GUID which I cannot locate.

    The point is that even if, say, Acrobat does not run properly, there are other issues, and it is not known yet whether they are bugs or just limitations of some restriction associated with the SRP in place.

    If you still have your config in place, put the regedit in to log SRP, and maybe see what it shows.

    Sul.

    PS. I just figured out what that GUID is. It must be the GUID for the option to 'exclude administrators'. I did not know there was a GUID for a 'default rule' versus a 'path rule'. How interesting!!
     
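    The log file Sully's post asks you to create can be checked mechanically rather than by eye. This is an added Python example, not code from the thread or from Microsoft: it assumes the one-line-per-decision layout shown in SAMPLE_LOG (reconstructed from memory of SRP log files, so adjust LINE_RE if yours differs), and the paths and GUIDs in the sample are constructed.

```python
import re

# Assumed SRP log layout (not shown in the thread):
# "<process> (PID = <n>) identified <path> as <level> using <rule>, Guid = {<guid>}"
LINE_RE = re.compile(
    r"^(?P<proc>.+?) \(PID = (?P<pid>\d+)\) identified (?P<path>.+?) as "
    r"(?P<level>Unrestricted|Disallowed) using (?P<rule>.+?), "
    r"Guid = \{(?P<guid>[0-9a-fA-F-]+)\}$"
)

# Constructed sample: the parent exe and one DLL pass under the D: path rule,
# a second DLL from E: falls through to the default (Disallowed) rule.
SAMPLE_LOG = """\
explorer.exe (PID = 1928) identified D:\\Notepad++\\notepad++.exe as Unrestricted using path rule, Guid = {11111111-1111-1111-1111-111111111111}
notepad++.exe (PID = 3100) identified D:\\Notepad++\\SciLexer.dll as Unrestricted using path rule, Guid = {11111111-1111-1111-1111-111111111111}
notepad++.exe (PID = 3100) identified E:\\tools\\plugin.dll as Disallowed using default rule, Guid = {22222222-2222-2222-2222-222222222222}
"""


def parse_log(text):
    """Turn the raw log into a list of dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def blocked_paths(events):
    """Paths SRP refused, i.e. what the event log should have told you."""
    return [ev["path"] for ev in events if ev["level"] == "Disallowed"]


def rule_mismatches(events):
    """(process, path, guid) for every file a process loaded under a different
    rule GUID than the one that allowed the process's own image. This is the
    comparison the post makes by hand between vmware.exe and pgs.exe."""
    image_guid = {}
    for ev in events:
        name = ev["path"].rsplit("\\", 1)[-1].lower()
        image_guid.setdefault(name, ev["guid"])
    out = []
    for ev in events:
        parent = image_guid.get(ev["proc"].lower())
        if parent is not None and ev["guid"] != parent:
            out.append((ev["proc"], ev["path"], ev["guid"]))
    return out


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("blocked:", blocked_paths(evs))
    print("inherited from another rule:", rule_mismatches(evs))
```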
  7. tcarrbrion

    tcarrbrion Registered Member

    Joined:
    Dec 15, 2007
    Posts:
    55
    I did this at the time and it did not show anything blocked. I might try it again when I have time. I had the problem with the original Vista. It might be better with SP2.
     