The irrelevance of Applocker / relevance of SAFE admin tweaks

Discussion in 'other security issues & news' started by Kees1958, Aug 3, 2010.

Thread Status:
Not open for further replies.
  1. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
Sully, since you're using Chromium (unless you've switched), could you, please, if you've got the time, verify if what I'm experiencing with one extension (AdThwart) is due to Low IL (explicit one)?

    The icon won't show in Chromium top. MyWOT shows fine. I tried with AdBlock and the other extension that makes the icon appear, and it does appear. So, I'm not sure whether or not it is related to it or some bug with AdThwart, or if not working properly with Chromium.

    -Edit-

    Despite Adblock icon appearing, certain settings won't remain after closing and re-opening Chromium. I've changed Chromium to Medium IL, and no change. The profile folder was in Low IL, though. I highly doubt it has anything to do with ILs, but who knows.

    I'll try in a virtual machine, and see what happens, I guess.
     
    Last edited: Oct 26, 2010
  2. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Odd behavior.

    I was, and still am, setting some security in a family member's system (Windows 7 Ultimate 32-bit), and I have "installed" Chromium for the daily browsing, including a different profile for Youtube. (This is where I got the issue with AdThwart.)

In my play system, I've always used Chromium via Sandboxie, which would allow me to save executables to a Downloads folder with execution rights denied to both the Users and HomeUsers groups, without denying me execution, until I remove the unblock feature. If I saved outside this folder, then I wouldn't be able to execute due to the Low IL restriction. Nothing new here. It's something I already mentioned some time ago.

    Back to my family member's system. Having as principle that a low IL object (chrome.exe) cannot save outside an area unless also a low IL one, I created a Downloads folder with a low IL.
    This still wouldn't let me save anything, because I had forgotten that I had to set %AppData%\Local\Temp folder with a low IL as well.

    Until SAFE-Admin comes out, I wanted to create a batch file where my family member could drag & drop an executable to remove any labels, assuming one of medium by default.
    But, before this, I don't know why, I went ahead and double-clicked the executable. UAC prompted me for an action. What o_O Unless my head was going nuts, and if I still got everything in my head, then this should not be happening, because a low object cannot write to the user space, which runs with a medium one.

    I even changed the Downloads IL to NoExecuteUp. UAC would still prompt me.

    Back in my play system, it happened what it should, it blocked execution, because the executable has low IL. I tried it with Chromium unsandboxed, so Sandboxie has no role in this one.

    I started a virtual machine, and it happens the same as it happened in my family member's system, UAC prompts me for an action.

    I verified the ILs of the executable in both virtual machine and family member's system and low IL is applied. So, what the o_O

    I even removed any labels from the executable before trying it in the virtual machine and family member's system.
     
  3. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Two oddities.

    First, my relative's Windows 7 Ultimate doesn't have a HomeUsers group o_O

Secondly, to be able to download with Chromium, I had to set %AppData%\Local\Temp with a low IL. But I only set the Temp folder with low IL and have removed the inheritance flag. The odd thing is that icacls is not able to provide any information regarding other folders and files within the Temp folder. chml, on the other hand, does it fine. :D
     
  4. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Well, for security purposes I removed the Low IL from Temp folder. This way, nothing gets downloaded through Chromium, not even malware. ;)

    I've also directed Chromium to a Cache folder with Medium IL; this way no cache to disk happens. :)
     
  5. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    SAFE-Admin is going along nicely. I have a lot of the main functions accomplished.

    Here is a script type of file, really just an INI file. I have been using the .sas extension for it right now, haven't seen it used yet. Stands for Safe Admin Script.

    Here is a breakdown of what the structure looks like, which also gives an almost complete snapshot of what SAFE-Admin will be capable of.

    Code:
    ; === SCRIPT file ===
    ; file type - text
; file extension - Safe Admin Script (.sas)
    
    [prefs]
; allow modification of app compatibility settings other than RunAsAdmin/RunAsInvoker
    advanced=false
    
    ; UAC: Only elevate UIAccess applications that are installed in secure locations
    ; 0 disabled, 1 (def) enabled
    secure_paths=1
    
    ; UAC: Detect Application Installations and Prompt for elevation
    ; 0 disable, 1 enable   Default: (home = 1) (enterprise = 0)
    detect_install=1
    
    ; SEHOP - enable globally - 1(def) disable, 0 enable
    sehop=1
    
    ; only allow safe (signed) drivers to install - 0 ignore, 1 (def) warn, 2 block
    unsigned_driver=1
    
    ; stop saving Alternate Data Stream with file - 1 stop saving, 2 (def) save
    zone_information=2
    
    ; hide 'unblock' property - 0 (def) off, 1 on
    hide_zone_properties=0
    
    ; execute/move files downloaded from internet - 0 off, 1 (def) prompt, 3 display deny, 5 silent deny
    1806=1
    
    ; trust logic for file attachments - 1 by file type, 1 (def) by handler, 2 both
    attach_usetrusted=2
    
    ; notify antivirus programs when you open attachments - 1 off, 2 (def) optional, 3 on
    attach_scanav=2
    
    ; ACL - add Explicit Deny Execute
    ; directories use OICI
    [acl-adx]
    1=c:\path\dir
    2=c:\path\file.ext
    
    ; ACL - remove Explicit Deny Execute
    [acl-rdx]
    1=c:\path\dir
    2=c:\path\file.ext
    
; App Compatibility - RunAsAdministrator
    [appc-raa]
    1=c:\path\file.ext
    
; App Compatibility - RunAsInvoker (virtualize)
    [appc-rai]
    1=c:\path\file.ext
    
; App Compatibility - remove
    [appc-rac]
    1=c:\path\file.ext
    
    ; EMET - add object
    [emet-ae]
    1=c:\path\file.ext
    
    ; EMET - remove object
    [emet-re]
    1=c:\path\file.ext
    
    ; Integrity Level - modify to Low level
    ; directories use OICI
    [il-low]
    1=c:\path\dir
    2=c:\path\file.ext
    
    ; Integrity Level - modify to Medium level
    ; directories use OICI
    [il-med]
    1=c:\path\dir
    2=c:\path\file.ext
    
    ; Integrity Level - modify to High level
    ; directories use OICI
    [il-hi]
    1=c:\path\dir
    2=c:\path\file.ext
    
    ; Integrity Level - modify to default Medium
    ; directories remove OICI
    [il-r]
    1=c:\path\dir
    2=c:\path\file.ext
    
    ; Zone - block a file (create/modify ADS)
    [zone-b]
    1=c:\path\file.ext
    
    ; Zone - unblock file (modify ADS)
    [zone-u]
    1=c:\path\file.ext
    
    ; remove/modify components of SAFE-Admin
    [rem_mod]
    
    ; remove/reset all explicit ACL settings
    racl=true
    
; remove/reset all App Compatibility settings
    rappc=true
    
    ; remove/reset all EMET settings
    remet=true
    
    ; remove/reset all Integrity Level settings
    ril=true
    
    ; remove/reset all Zone settings
    rzone=true
    
    ; remove all SAFE-Admin settings
; reset system to state SAFE-Admin found initially
    rall=true
    
    ; set system to default states
    set_def=true
    Sul.
     
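    The .sas layout above is plain INI text, so an administrator can check a script before handing it to the worker. The following is an added example, not SAFE-Admin's own code: it parses a constructed sample script into preference keys and an ordered list of (section, path) operations, and flags paths listed under sections that undo each other (for instance a path in both [il-low] and [il-r]). The sample paths and the conflict pairs are assumptions for illustration.

```python
"""Parse and sanity-check a SAFE-Admin script (.sas) before applying it."""
import configparser
from typing import Dict, List, Tuple

# Constructed sample script for this example (not a real deployment).
SAMPLE_SAS = r"""
; constructed sample
[prefs]
advanced=false
sehop=1
1806=1

[il-low]
1=C:\Users\alice\Downloads
2=C:\Users\alice\AppData\Local\Temp

[acl-adx]
1=C:\Users\alice\Downloads
"""

# Sections whose values are numbered paths, taken from the layout above.
PATH_SECTIONS = {"acl-adx", "acl-rdx", "appc-raa", "appc-rai", "appc-rac",
                 "emet-ae", "emet-re", "il-low", "il-med", "il-hi", "il-r",
                 "zone-b", "zone-u"}
# Assumed pairs that contradict each other for the same path.
CONFLICTS = (("il-low", "il-r"), ("il-low", "il-med"), ("il-low", "il-hi"),
             ("acl-adx", "acl-rdx"), ("zone-b", "zone-u"))


def parse_sas(text: str) -> Tuple[Dict[str, str], List[Tuple[str, str]]]:
    # interpolation=None keeps Windows paths such as %AppData% intact;
    # optionxform=str keeps key case (ConfigParser lowercases by default).
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    prefs = dict(cp["prefs"]) if cp.has_section("prefs") else {}
    ops: List[Tuple[str, str]] = []
    for section in cp.sections():          # file order is preserved
        if section in PATH_SECTIONS:
            for key in sorted(cp[section], key=int):   # "1", "2", ... numeric order
                ops.append((section, cp[section][key]))
    return prefs, ops


def conflicts(ops: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (path, section_a, section_b) for paths listed under opposing sections."""
    by_path: Dict[str, set] = {}
    for section, path in ops:
        by_path.setdefault(path.lower(), set()).add(section)
    return [(p, a, b) for p, secs in by_path.items()
            for a, b in CONFLICTS if a in secs and b in secs]
```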
  6. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Entering alpha stage of the worker program for SAFE-Admin. Once bugs are worked out and I finish the remaining portions, it will likely go open beta and I can work on the GUI portion.

    At some point I will post a proper thread here and make one of my uber-simplistic web pages lol.

    Sul.
     
  7. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Can anyone confirm whether or not you can open Chromium/Chrome Developer Tools properly, with a low integrity level applied to Chromium/Chrome?
     
  8. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    Hope the SAFE Admin Program is still ticking along :)
     
  9. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Since just before the holidays, it has been on the side burner. I have had too much at work to focus on lately. I was hoping this last week would let me resume, but it looks like it will be the upcoming week. After a few days of getting back into the "groove" I will better know where I am at again.

    Sul.
     
  10. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    @Sully
That's good stuff.
    I spent a few hours going through this thread last night and downloaded the chml tool.
    It's fun to play with all right!
    It's very impressive what you're doing - don't they say make your hobby your work? You should think about it!
     
  11. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I have thought about that, and actually turned down a job twice. Where I work I am always learning things, always challenged with a new problem. I have the freedom to design and fabricate some rather technical things. As much as I love computers and messing around programming, I am not sure I would still love it after a couple years of doing it for a living, which is why I turned those job offers down.

    Since it is my hobby though, I absolutely love messing with it, and have no aspirations of making any $$. I fear if I did, I would not love doing it so much, and the enjoyment would be gone. Might not make much sense, but it is how it is ;)

    Thanks for the kind words.

    Sul.
     
  12. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
Allow me to alert you that, when upgrading an application to one of whose processes you applied an integrity level, if during this upgrade that process gets deleted and replaced, instead of just replaced, the applied integrity level will be lost.

    That's a failure in how chml works. Didier Stevens created a tool called Runasil, which will prevent that. Runasil
     
  13. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Could someone running Chromium/Chrome with an explicit low integrity level confirm whether you're able to reproduce Silverlight content?

    Go to -http://www.silverlight.net and play a video. My experience is that it loads it, but then it just gets blank and plays nothing.

    When I do that with Internet Explorer 8, IE does warn me for a dll file belonging to Silverlight wanting to execute.

    Most likely, due to the low integrity level of Chromium, Silverlight can't write to certain areas... I need to figure out which, though.
     
  16. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Just something I'd like others know, in case you don't.

    Those of you who have the elevation of unsigned executables blocked, may circumvent this restriction for the apps you have, which are not digitally signed, by creating a batch file pointing to the processes names, and then execute the batch file with administrator privileges.

    This way, you still get to block unsigned processes, except those you need.
     
    Last edited: Jun 7, 2011
  17. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    What outer spaces of the OS did you travel to discover this workaround?
    :thumb:
     
  18. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857

Having Low IL-ed my browser completely (Chromium with McAfee SiteAdvisor as the only add-on and running incognito all the time) + 1806 deny execute downloaded apps + disallow unsigned to elevate = Fort Knox hardened OS

I even have my UAC set up to elevate without warning. I will create a reg file disallowing command + batch files to execute (switch on + switch off). With your batch file workaround I can run everything safely.

    Regards Kees
     
  19. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
Well, actually I took that approach because I disabled unsigned applications elevation in a relative's system, and a few days ago I wanted to run an application that isn't digitally signed. My first approach was to enable the elevation of unsigned applications, but then I thought, WTH, why don't you simply run the Windows cmd line with administrator privileges and copy the application's path and execute it?

    I assumed it was going to work, and it did. :cool: I also had in consideration, and I did not search for anything documented by Microsoft, that the blocking of unsigned applications elevation means that, if an application is precisely unsigned, we won't be able to directly elevate it. But, the same didn't necessarily mean that, if having an already elevated process, that it would also fail to execute.

    I kind of thought of the opposite of low integrity level restrictions. If something has a low integrity level (explicit), then nothing that's elevated can elevate that process, directly or indirectly. Period.

    The blocking of unsigned applications isn't like that; it only means you won't be able to directly elevate it. You will be able to use an already elevated process to elevate those unsigned processes.

    It may sound confusing or a somewhat lame logic, but that's what I had in mind, when I tried it. :D

P.S: It does make me wonder why such a hole exists, though. If it's to be blocked, it is to be blocked. Because, if we can do it, so can the bad guys find a way to elevate their crap. Not likely to happen, because what we do isn't massively deployed, though. ;)

    Nice idea. That way nothing will be able to use cmd line (standard user/administrator), unless when you need it. :thumb:
     
  20. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
Well m00nbl00d, I don't use those (best) practices on any of my boxes currently but seriously; KUDOS.

    And no, it doesn't sound confusing/lame logic, it makes perfect sense.
    Have you ever contacted MS about this/asked their pov about it?
     
  21. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    By the way, one more tip. :D

    If you have the blocking of unsigned applications elevation enabled, you'll notice a lag between the moment you elevate something and the moment the UAC prompt appears.

    A workaround is to simply have a shortcut, and change it to always request administrator privileges. UAC prompt appears promptly.

    So, instead of just having a batch file, also create a shortcut for that batch file and change it to automatically prompt for credentials in its Properties.

    The same goes for apps that are digitally signed, of course. The lag applies to all apps, because Windows makes a verification to see whether or not they're digitally signed. So, if you use this or that application more than any others, if you create a shortcut for it, and change its Properties to ask for permissions, then you will see the UAC prompt as soon as you click the shortcut.

    -edit-

    This means that if you want speed, do not press Run as administrator, when right-clicking a process/batch file. Just create a shortcut and make the appropriate changes I mentioned. This is the concise version of what I wrote above. :D


    Never mind, I guess it was just a false impression I had. When you're connected to the Internet, UAC (consent.exe) connects to the Internet, which delays the credentials prompt, if you have the blocking of unsigned applications enabled. When I ran my shortcuts, I was offline, hence the fast prompts. :'(
     
    Last edited: Jun 8, 2011