The best protection of user access control on Windows 7 (32 & 64bit) ?

Discussion in 'other anti-malware software' started by yudigadget, Oct 14, 2012.

Thread Status:
Not open for further replies.
  1. yudigadget

    yudigadget Registered Member

    Joined:
    Dec 30, 2008
    Posts:
    42
    Dear all,
    I have problem setup the best user access control on Windows 7 (32 & 64bit), i will implement it on my client's PC, there are about 30 PCs.
    I would like to:
    - Block user download from internet / copy from flashdisk / copy from anywhere to PC, based on file extension (*.exe, *.com, *.msi, *.mpg, *.mp3, etc)
    - Just allow user to access file only from C:\, but can give exclusion for Thunderbird Portable that store in D:\my documents\

    do you know what is the best & low cost method (or maybe free)?

    Thanks,
    Yudi
     
  2. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Have a look at the 1806 trick. This will prevent downloads of executables. Add the media files to the high risk attachements and they will be blocked to. Remove user permissions for users of the registry keys controlling these settings in the registry. When you are not able to write these scripts yourself, there are a handfull of members running a it service company. I am sure the cost of writing such a script by a freelance, even at us or euro rates, by far exceed the cost of doing this manually.

    As for external data sources as usb, there are some freebies controlling access, google cnet for corporate security apps which are free.
     
  3. yudigadget

    yudigadget Registered Member

    Joined:
    Dec 30, 2008
    Posts:
    42
    Hi Kees1958,
    do you mean "1806 registry tweak" ?
    i found some information on:
    https://www.wilderssecurity.com/archive/index.php/t-261346.html
    https://www.wilderssecurity.com/showthread.php?t=321428
    is that correct?

    well, no problem if there is charge in US or EURO for this script job, but it would be nice if not too expensive, well just give me the basic / core script of this security settings, then i will do the rest.. I don't know, does about 50 USD is too cheap? i would like to pay the effort, maybe use PayPal, if that too cheap, just tell me..

    actually, i've done perfect security settings with EQSecure (learn from Alcyon, EASTER, etc), AFAIK you ever discuss about EQSecure too, with EQSecure all employee PC very secure, no complain about virus anymore. It really safe my life, my time, etc.. :)
    But the problem is EQSecure only support WindowsXP, now life must go on, some new computers using Windows 7 (x86 & x64), so that become nightmare for me.
    Well this is some of my eqsecure setting:
    <Rule Data0="*" Type="1" />
    <Rule SubType="15" IncludeSub="1" Action="15" Log="0" Ask="0" Data0="*" Type="2">
    <Group Name="Allow" ModeID="1">
    <Rule SubType="15" IncludeSub="1" Action="15" Log="0" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="?:\Users\ThunderbirdPortable\*.*" />
    <Rule SubType="15" IncludeSub="1" Action="15" Log="0" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="?:\Mozilla Thunderbird\*" />
    <Rule SubType="15" IncludeSub="1" Action="2" Log="13" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="%SystemDrive%\*.bat" />
    <Rule SubType="15" IncludeSub="1" Action="2" Log="13" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="%SystemDrive%\*.cmd" />
    <Rule SubType="15" IncludeSub="1" Action="2" Log="13" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="%SystemDrive%\*.com" />
    <Rule SubType="15" IncludeSub="1" Action="2" Log="13" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="%SystemDrive%\*.dll" />
    <Rule SubType="15" IncludeSub="1" Action="2" Log="13" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="%SystemDrive%\*.exe" />
    <Rule SubType="15" IncludeSub="1" Action="2" Log="13" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="%SystemDrive%\*.js" />
    <Rule SubType="15" IncludeSub="1" Action="2" Log="13" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="%WinDir%\system32\*.scr" />
    <Rule SubType="15" IncludeSub="1" Action="2" Log="13" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="%SystemDrive%\*.sys" />
    </Group>
    <Group Name="Virus Protection" ModeID="1">
    <Rule SubType="15" IncludeSub="1" Action="0" Log="15" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="?:\*.bat" />
    <Rule SubType="15" IncludeSub="1" Action="0" Log="15" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="?:\*.cmd" />
    <Rule SubType="15" IncludeSub="1" Action="0" Log="15" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="?:\*.com" />
    <Rule SubType="15" IncludeSub="1" Action="0" Log="15" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="?:\*.dll" />
    <Rule SubType="15" IncludeSub="1" Action="0" Log="15" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="?:\*.exe" />
    <Rule SubType="15" IncludeSub="1" Action="0" Log="15" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="?:\*.js" />
    <Rule SubType="15" IncludeSub="1" Action="0" Log="15" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="?:\*.ovl" />
    <Rule SubType="15" IncludeSub="1" Action="0" Log="15" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="?:\*.pif" />
    <Rule SubType="15" IncludeSub="1" Action="0" Log="15" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="?:\*.reg" />
    <Rule SubType="15" IncludeSub="1" Action="0" Log="15" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="?:\*.scr" />
    <Rule SubType="15" IncludeSub="1" Action="0" Log="15" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="?:\*.sys" />
    <Rule SubType="15" IncludeSub="1" Action="0" Log="15" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="?:\*.vb" />
    <Rule SubType="15" IncludeSub="1" Action="0" Log="15" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="?:\*.vbe" />
    <Rule SubType="15" IncludeSub="1" Action="0" Log="15" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="?:\*.vbs" />
    <Rule SubType="15" IncludeSub="1" Action="0" Log="15" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="?:\*.vmx" />
    <Rule SubType="15" IncludeSub="1" Action="0" Log="15" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="?:\*.ws" />
    <Rule SubType="15" IncludeSub="1" Action="0" Log="15" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="?:\*.wsc" />
    <Rule SubType="15" IncludeSub="0" Action="0" Log="15" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="?:\autorun.inf" />
    <Rule SubType="15" IncludeSub="0" Action="2" Log="13" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="%WinDir%\system32\drivers\etc\hosts" />
    </Group>
    <Group Name="Multimedia Protection" ModeID="1">
    <Rule SubType="15" IncludeSub="1" Action="0" Log="15" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="?:\*.mp3" />
    <Rule SubType="15" IncludeSub="1" Action="0" Log="15" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="?:\*.mp4" />
    <Rule SubType="15" IncludeSub="1" Action="0" Log="15" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="?:\*.aac" />
    <Rule SubType="15" IncludeSub="1" Action="0" Log="15" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="?:\*.mpg" />
    <Rule SubType="15" IncludeSub="1" Action="0" Log="15" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="?:\*.3gp" />
    <Rule SubType="15" IncludeSub="1" Action="0" Log="15" Ask="0" ExcludeDirectory="0" Enabled="1" MD5Check="0" MD5Value="" Desc="" Data0="?:\*.avi" />
    </Group>
    </Rule>


    As you can see, i already listed all potential virus extension and add some multimedia extension. Because there are some employee stores a lot of MP3 or p*rn films on office PC :(

    So, can you help me Kees1958? please.. :)
    or would you like to share your security settings, i really willing to pay for your help & effort to me.. but please, not too expensive hehe :argh: :D
     
  4. yudigadget

    yudigadget Registered Member

    Joined:
    Dec 30, 2008
    Posts:
    42
    Btw Kees1958, about prevent downloads of executable, i think it should be done by Proxy. But sometimes, they download in ZIP (compression archive), so they can still extract the contents and open the file (*.exe, *.mp3, *.3gp, etc)

    Basicly, i will allow read access of some file extension (*.exe, *.com, *.dll, etc) on C:\ (system), but deny write access of some file extension (potentialy virus or music or video) to C:\
    Then on drive D:\ i just allow access to Thunderbird Portable.
    Well, i still want give permission to AntiVirus, so AntiVirus can check / delete virus detected file..

    I don't want to block user access to USB Flash Drive, they still can use USB Flash Drive, but i will block all user access to file that potentialy virus, because I don't trust AntiVirus 100%.

    Do you have any solution of this?
     
  5. yudigadget

    yudigadget Registered Member

    Joined:
    Dec 30, 2008
    Posts:
    42
    I don't understand, what is 1806 Trick?? some said 1806 Tweak.. what is that? :eek:
     
  6. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    it is a regedit tweak to configure your browser to blocks file downloads in real time
     
  7. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Sorry,

    Maybe Mrkvonic or Sully can help you out with the scripts. I have not touched scripting since 1996 :D . Yes the 1806 is a registry tweak. When you download a zip file at default settings and block dangerous attachements, it will display a message telling you that for your security a few files were not unzipped. When you add jpg, mpg as dangerous extensions in the attachement part of the registry (or GPO) it will not unzip them.

    Regards Kees
     
  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Have you ever tried using ACL to limit write access for users. Just right click on a folder, choose security tab, click advanced and you can change the rights for users. This can also be done with icacls in scripts.

    Regards Kees
     
  9. yudigadget

    yudigadget Registered Member

    Joined:
    Dec 30, 2008
    Posts:
    42
    So, what is the best method of my case to implement? Does 1806 Registry Trick, SRP or ACL? Do i need mix of those?
    I already send PM to Mrkvonic, he said to implement SRP.. i don't know what is advantage & disadvantage of those things..

    would you like to share your experience, which one the best of my case?

    thanks Kees..
     
  10. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Next Tuesday, I will be home again and I will send Sully and e-mail, asking whether he can send his PrettyGoodSecurity V2 with an ini file to you. This will accomplish SRP, ACL and the 1806 (depending on the commands in the ini-file).

    Regards Kees
     
  11. yudigadget

    yudigadget Registered Member

    Joined:
    Dec 30, 2008
    Posts:
    42
    thanks a lot Kees, i need it so much.. really..
    if need to pay, please let me know, as long as according to my needs

    thank you, i really appreciate it
     
  12. yudigadget

    yudigadget Registered Member

    Joined:
    Dec 30, 2008
    Posts:
    42
    does PGS (Pretty Good Security) is made by Sully? WOW! :argh:
    i can't wait until next tuesday :D
     
  13. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yes, it is. :)

    @ Kees1958

    On a side note, I found out that the 1806 trick makes Chromium (I'd say Chrome as well) to complain that the browser's profile cannot be opened properly. Because I'm a bit lazy right now :D, I did not check if it's due to me running Chromium broker process with a low integrity label. But, I may check it later.

    Of course, turning 1806 off will make Chromium behave normally.
     
  14. yudigadget

    yudigadget Registered Member

    Joined:
    Dec 30, 2008
    Posts:
    42
    Hello Kess, have you got the the PGS ? would you like to share with me?

    thanks
     
  15. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Hi,

    I have contacted sully by e-mail, asked to contact you also. Maybe you could send him a PM also

    Rgds
     
  16. yudigadget

    yudigadget Registered Member

    Joined:
    Dec 30, 2008
    Posts:
    42
    Kees, don't you have the PGS software and configuration?
    would you like send the software to me?

    thanks..
     
  17. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Sorry no,

    I sent Sully e-mails on work and private address, hope he will respond soon to you.
     
  18. CGuard

    CGuard Registered Member

    Joined:
    Mar 2, 2012
    Posts:
    145
  19. yudigadget

    yudigadget Registered Member

    Joined:
    Dec 30, 2008
    Posts:
    42
    i already download, but when downloading PGS not found..
    but no problem, i already got PGS v1 from skudo12, well maybe not the latest version, because afaik the latest is v1.1.1

    I have some questions:
    1. Is there any sample configuration (*.ini) ? maybe, would you send to my email at yudigadget (at) gmail.com
    i want to start learning about setting PGS very soon
    Please.. :)
    2. does PGS similiar like EQSecure or PGS is just a tool to configure the windows registry easily?
    3. It looks like if PGS similiar like EQSecure, very easy for user to disable / exit the software, is there any way to password the software?
    4. Do i need to set PGS.exe to run on windows startup?
    5. Does it works stable on Windows 7 32bit and 64bit environment ?

    thanks a lot for help!

    best regards,
    Yudi
     
  20. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    1. When you have an ini file working, attach it to this post (as text file) and I can help explain it.

    2. It is a tool to give Software Restricition Policies to Home versions (normally only on Pro/Ultimate/Business). You get all the benefits of SRP without hacking the registry by hand.

    4. NO, it works as an replacement for gpedit, after reboot (or entering gpupdate) everything works fine.

    5. You have to ask Sully. I have installed it on Vista x32 and Vista x64. Now running Win7 Ultimate, so using gpedit instead.
     
  21. yudigadget

    yudigadget Registered Member

    Joined:
    Dec 30, 2008
    Posts:
    42
    So SRP is enough if i already use Pro at office?
     
  22. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    PGS = SRP nothing more, so when you got PRO use SRP through gpedit.exe
     
Loading...
Thread Status:
Not open for further replies.