the future of SRP: AppLocker

Discussion in 'other security issues & news' started by Lucy, Feb 22, 2009.

Thread Status:
Not open for further replies.
  1. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    401
    Location:
    France
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Thanks, Lucy, I've read a little about this, but am not convinced that it would be easy for the average home user to implement. This author being quite knowledgeable, had to use some of his knowledge to tweak things to his liking.

    I'm waiting for someone else with Windows 7 to try this out.

    ----
    rich
     
  3. Dogbiscuit

    Dogbiscuit Guest

    The beta of Windows 7 I'm using has under Local Security Policy (Administrative Tools) settings for both Software Restriction Policies (SRP) and Application Control Policies (ACP).

    I'm not sure why the articles state that SRP is changing into ACP.
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Is ACP the same as AppLocker?

    What differences in settings are there between these and SRP?
     
  5. Dogbiscuit

    Dogbiscuit Guest

    Yes. Applocker is the software that manages application control policies.

    Under Windows 7 SRP you have:
    • Security Levels (Disallowed, Basic User, Unrestricted)
    • Additional Rules (overrides default security by certificate, hash, network zone, or path)
    • Enforcement (All software except libraries, or all software; All users except local admins, or all users; etc.)
    • Designated File Types (by extension)
    • Trusted Publishers
    Under Windows 7 ACP you have:
    • Executable Rules
    • Windows Installer Rules
    • Script Rules
    You manage both permissions and conditions for each of the above three ACP rule categories. Under Permissions you can control the rule type (allow or deny) and the User or group. Under Conditions you can select the primary condition to verify (by Publisher, Path, or File hash).

    The help file explanations are not available in the beta but this general explanation is shown when viewing the first Applocker screen:
    Both SRP and ACP (under Local Security Policy) are not accessible by standard user accounts except when "Run as administrator" (through UAC).
     
    Last edited by a moderator: Feb 22, 2009
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Wow! How does the average home owner understand all about that? This is not encouraging at all.

    Maybe this is why Microsoft has not put SRP in the Home editions in XP/Vista.

    Thanks for the explanations!

    ----
    rich
     
  7. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    Yep, the average home user doesn't understand any of that, and never will.
     
  8. Dogbiscuit

    Dogbiscuit Guest

    Yes. Not to get too far off topic, but I tell those who ask me that keeping updated and running as a restricted user behind a router/firewall will probably protect them from most anything on the internet unless they download and install it themselves.

    Remote exploits based on a zero-day vulnerability are sometimes possible (e.g., the current Adobe Reader vulnerability), but in my mind it's highly unlikely for an unpatched vulnerability (and especially one that can also breach LUA) to exist at exactly the same window in time that a legitimate website is compromised with the same exploit, so safe surfing and reasonable habits should take care of most of this.

    SRP and AppLocker will be available for those who want even stronger protection, but these will require more effort.
     
    Last edited by a moderator: Feb 23, 2009
  9. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    401
    Location:
    France
    Dogbiscuit,

    Can you check that the following registry keys still exist in Windows 7:
    https://www.wilderssecurity.com/showthread.php?t=232857
    and that they don't need the service appID to run?

    Furthermore can you find the registry keys involved in ACP?

    To finish, can appid service be run under windows 7 "home"?
     
  10. Dogbiscuit

    Dogbiscuit Guest

    It looks like they're all there to me. The AppID service is required in Windows 7 for AppLocker to function according to BlackViper.com, nothing else.

    I can't help you with the other questions, sorry. Have you tried the Windows 7 Beta Forum?
     
    Last edited by a moderator: Feb 23, 2009
  11. Dogbiscuit

    Dogbiscuit Guest

    Last edited by a moderator: Feb 24, 2009
  12. bktII

    bktII Registered Member

    Joined:
    Apr 12, 2006
    Posts:
    224
    True for XP Home. But for Vista Home (Basic and Premium), SRP is implemented via parental controls. Create a limited-user account and apply parental controls to that account. Inside parental controls you can select applications that the user is allowed to run. Much more intuitive than gpedit.msc.
     
  13. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    401
    Location:
    France
    Well, thank you bktII,

    Had you said it some time ago, you would have saved me a lot of trouble trying to figure out how to implement SRP in Vista Home...o_O

    EDIT: I just checked and this part of SRP is strangely more like a very simple AppLocker, almost unusable... and really no SRP security wise.
     
    Last edited: Feb 23, 2009
  14. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    BTW, AppLocker is only in Ultimate and Enterprise.
    link
    It looks good; shame it isn't a feature in Pro.
     
  15. bktII

    bktII Registered Member

    Joined:
    Apr 12, 2006
    Posts:
    224
    @Lucy,

    What was unusable?

    With an LUA and application control enabled via parental controls in Vista Home, a user cannot write where he can execute and cannot execute where he can write. I've tested it with both exe and bat files and it works.

    http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
    Application Lockdown with Software Restriction Policies
    "Software Restriction Policies in Use Today
    There are a number of moving parts that you need to account for when you use software restriction policy. But it's not as you might think, and, in fact, you may even be using software restriction policies today without realizing it. If, for instance, you run Parental Controls on a Windows Vista system, you are using software restriction policies to control the execution of applications.
     
  16. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    401
    Location:
    France
    Ok, Ok, I was talking about Configuration of blocked applications, as it is virtually populating all applications from the computer; by unusable, I meant not really user friendly.

    I would have to check deeper to see for myself that it is real SRP as I mean it. Maybe because I checked so quickly, I was under the impression the TransparentEnabled value was set to 1 under parental control (which means it doesn't check for DLLs). But I might be wrong...
     
  17. bktII

    bktII Registered Member

    Joined:
    Apr 12, 2006
    Posts:
    224
    The dll angle you mention is interesting with the likes of rundll32.exe, etc. Drop a dll in the LUA $HOME and run it with a permitted system application (e.g., rundll32.exe) which cannot be blocked by parental controls.

    Will have to look at this.

    Edit:
    I ran a simple dll test.
    Source for dll test:
    http://pubs.logicalexpressions.com/pub0009/lpmarticle.asp?id=70
    Different Ways to Lock Windows XP

    rundll32.exe user32.dll, LockWorkStation

    In a command window, I executed 'rundll32.exe C:\Windows\System32\user32.dll, LockWorkStation' with the expected result:
    The computer was immediately locked and I had to log back in.

    I copied C:\Windows\System32\user32.dll to C:\Users\<username>.
    In a command window, I executed 'rundll32.exe C:\Users\<username>\user32.dll, LockWorkStation' with the result:
    The computer was immediately locked and I had to log back in.

    Ran a bat file test with filename.bat in my $HOME folder containing the following 3 lines:
    @echo off
    rundll32.exe user32.dll, LockWorkStation
    cls
    with the result:
    A window "popped up" stating that "Parental Controls has blocked this program".

    So, SRP via Parental Controls in Windows Vista Home corresponds to the SRP Enforcement Properties Setting of "All software files except libraries (such as DLLs)". It is, thus, not as potentially powerful as in Windows Vista Business/Ultimate. However, it does protect from exe and bat files which does help to reduce the attack surface.

    Thanks for the comment. :)
     
    Last edited: Feb 23, 2009
  18. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Thanks for the link. It is a very straightforward tutorial.

    Nice test and clear explanations.

    It demonstrates the possibility that an untrusted application can run an untrusted, malicious file, which is exactly what the Conficker worm exploit does -- using rundll32.exe to load a malicious DLL.

    rundll32 is certainly popular lately, and has been mentioned in write ups on Windows 7:

    Second Windows 7 beta UAC security flaw:
    http://www.istartedsomething.com/20090204/second-windows-7-uac-flaw-malware-self-elevate/
    I'm not sure how this will play out with UAC, but you can try your test from a USB drive as conficker.b does, using this Autorun.inf file:

    Code:
    [autorun]
    shellexecute=rundll32.exe user32.dll, LockWorkStation
    
    You will need to put a copy of user32.dll on the USB drive with the autorun.inf file.

    A user can always block a USB drive with a rule as Lucy does, of course, but for this test it would be interesting to see if a rule watching for DLLs can catch it from this location.

    Another test would be to change the .dll extension to .xyz (the conficker trick) to show that the rule really watches for file type and not just file extension.

    ----
    rich
     
    Last edited: Feb 23, 2009
  19. bktII

    bktII Registered Member

    Joined:
    Apr 12, 2006
    Posts:
    224
    @rmus

    Ran 2 tests based on your post.

    Test 1 with Autorun.inf and user32.dll on a USB drive
    ------------------------------------------------------------------------------
    Windows XP Professional LUA with full (including dll) SRP enabled + autorun disabled
    o No effect when the USB drive was installed; it was blocked silently
    o Windows Explorer Icon View of drives - double-clicked on the USB drive icon and the computer was locked and I had to log back in; it ran :(
    o Windows Explorer Tree View - expanded the USB drive and double-clicked Autorun.inf and SRP window "popped up" with a SRP blocked application message and a "ding" sound; it was blocked

    Windows Vista Business Standard User Account with full (including dll) SRP + UAC enabled (autorun not disabled)
    o When the USB drive was installed a window appeared and I clicked the button to run rundll32.exe (choice 1) with no effect other than a 'crash' sound
    o When the USB drive was installed a window appeared and I clicked the button to view the files (choice 2) and the drive opened with the file view
    o Windows Explorer Icon View of drives - double-clicked on the USB drive icon and the drive opened with a view of the files
    o Windows Explorer Tree View - expanded the USB drive and double-clicked Autorun.inf resulting in a 'ding' sound and a group policy window informing that the program was blocked

    Test 2 with Autorun.inf and user32.xyz on a USB drive
    -------------------------------------------------------------------------------
    Same results as above

    For these tests, Vista Business (with Autorun disabled) was more secure than XP Professional (with Autorun enabled). Double clicking the USB drive in the icon view was a surprise in XP Pro.
     
  20. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Thanks for the tests. I'll have to study your results!

    ----
    rich
     
  21. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    Ok this is odd. I tried this and nothing happened. The autorun file didn't execute. BktII did you disable autoruns in the following location : Computer Configuration-> Administrative Templates-> System?

    Because the option to disable autoruns is available in two locations the one I mentioned above and the following : User Configuration > Administrative Templates > System. The autorun option in the Computer Configuration section is the one that takes precedence in case there are conflicting settings (for example : off selected in one, but on selected in the other).

    You have to make sure you disabled autorun in the Computer Configuration section.

    PS I ran this test in my LUA with SRP enabled BUT I disabled the block autoruns option. I clicked the icon in Windows Explorer like you did and the autorun.inf executed! This is either a bug or the settings in Computer Configuration take precedence over the block rules in SRP.
     
  22. bktII

    bktII Registered Member

    Joined:
    Apr 12, 2006
    Posts:
    224
    @zopzop
    "did you disable autoruns in the following location : Computer Configuration-> Administrative Templates-> System?"

    Yes, but only for CD-ROM drives (not "All drives"). I re-enabled this setting for "All drives" and ran the test again. The results are the same (Windows Explorer Icon View of drives - double-clicked on the USB drive icon and the computer was locked and I had to log back in; it ran). For additional clarification, I used the Windows Explorer Icon View of the drives resulting from the "My Computer" menu item in the Start menu.

    "Because the option to disable autoruns is available in two locations the one I mentioned above and the following : User Configuration > Administrative Templates > System."

    "Turn off Autoplay" is "Not configured" here. I was not aware of this location.
     
  23. Lucy

    Lucy Registered Member

    Joined:
    Apr 25, 2006
    Posts:
    401
    Location:
    France
    The problem is that autorun disabling is not perfect in Windows anyway (whatever the version).

    The only real workaround is this:

    Code:
    REGEDIT4
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
    @="@SYS:DoesNotExist"
    

    (Note: Cheesy icon must be replaced by : followed by D)
    Copy this text into Notepad, save it as killatorun.reg (e.g.), and double-click on it while under an admin account. This will update your registry and solve the problem for good.

    There is another method using M$ patch: http://support.microsoft.com/kb/953252 and following the steps here:
    http://antivirus.about.com/od/securitytips/ht/autorun.htm
     
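    An added, read-only audit script (written for this thread, not posted by anyone in it) that pulls together the settings the last few posts argue about: it reads the machine SRP policy values under Safer\CodeIdentifiers, where TransparentEnabled is 1 for "all software files except libraries" and 2 only when DLLs are checked too (the gap bktII's rundll32.exe test showed), and checks the Explorer NoDriveTypeAutoRun policy plus the IniFileMapping\Autorun.inf entry from Lucy's .reg fix. It assumes an elevated PowerShell on XP/Vista/7 and changes nothing; the registry paths and value meanings are the documented SRP and Explorer policy locations.

    ```powershell
    # Added audit script (not from the thread). Reads SRP and Autorun policy
    # values discussed above without modifying anything. Run elevated.
    $Safer    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    $Explorer = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $IniMap   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'

    function Get-RegValue {
        param([string]$Path, [string]$Name)
        try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
        catch { $null }   # key or value absent: policy not configured
    }

    function Describe {
        # Map a registry DWORD to a human-readable name, or a fallback if unset/unknown
        param([hashtable]$Table, $Value, [string]$Fallback)
        if ($null -ne $Value -and $Table.ContainsKey([int]$Value)) { $Table[[int]$Value] } else { $Fallback }
    }

    function Get-SrpAutorunAudit {
        $level = Get-RegValue $Safer 'DefaultLevel'          # SAFER level id of the default rule
        $mode  = Get-RegValue $Safer 'TransparentEnabled'    # 0 off, 1 no DLLs, 2 incl. DLLs
        $scope = Get-RegValue $Safer 'PolicyScope'           # 0 all users, 1 all but local admins
        $ndta  = Get-RegValue $Explorer 'NoDriveTypeAutoRun' # bitmask of drive types with Autorun off
        $map   = Get-RegValue $IniMap '(default)'            # Lucy's IniFileMapping workaround

        $levels = @{ 0 = 'Disallowed'; 0x20000 = 'Basic User'; 0x40000 = 'Unrestricted' }
        $modes  = @{ 1 = 'all software files except libraries (DLLs)'
                     2 = 'all software files, including DLLs' }

        [pscustomobject]@{
            DefaultLevel       = Describe $levels $level 'not configured'
            Enforcement        = Describe $modes  $mode  'SRP not enforced'
            SkipsLocalAdmins   = ($scope -eq 1)
            # rundll32.exe loading a DLL from a writable folder is only checked in mode 2
            DllsChecked        = ($mode -eq 2)
            # 0xFF turns Autorun off for every drive type, removable USB drives included
            AutorunDisabledAll = (($ndta -band 0xFF) -eq 0xFF)
            # Autorun.inf mapped to a non-existent key, so its contents are never parsed
            AutorunInfNeutered = ($map -eq '@SYS:DoesNotExist')
        }
    }

    Get-SrpAutorunAudit | Format-List
    ```

    Only the machine (HKLM) policy is read, which is the one zopzop notes takes precedence when the Computer Configuration and User Configuration settings conflict.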
  24. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    Wow that's odd. I can't replicate this on my machine. When I click my USB drive from the My Computer menu, I don't get locked out when I have autorun disabled on all drives. Stupid Microsoft! :D
     
  25. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,779
    Location:
    Texas