Windows 7 Professional comes with SRP

Discussion in 'other security issues & news' started by pcunite, Oct 22, 2009.

Thread Status:
Not open for further replies.
  1. pcunite

    pcunite Registered Member

    Joined:
    Oct 22, 2009
    Posts:
    14
    Windows 7 Professional comes with SRP but not AppLocker. Only the Ultimate and Enterprise SKUs come with AppLocker. At least according to Microsoft employee Stephen L Rose as stated in the comment section here:

    http://windowsteamblog.com/blogs/sp...standing-windows-7-applocker.aspx?PageIndex=1

    I have been happy with SRP and the Professional SKU of XP. As a home user I don't need the extra management features of AppLocker... unless someone can prove to me otherwise.
     
  2. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Two words: Publisher Rules. SRP does not have this, which makes SRP extremely unwieldy for most people. You have to keep updating hash values every time a file changes, which is a PITA and results in huge hash file rule lists. With AppLocker, the publisher rules allow you to allow/deny based on a publisher signature, which means you don't have to update any rules when a file is updated.

    Here is a decent explanation:

    Source from M$ technet.
     
  3. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Surely you don't need AppLocker, but it might be rather useful to have even so.

    I don't know anyone who uses SRP with hash rules only. The easiest way to run a default-deny SRP is to use a default rule of disallowed and then allow everything in Windows and Program Files folders to run unrestricted. No hash rules needed at all, and very quick to set up, and in most cases you never have to update any rule no matter how much files change (even if the publisher's signature changes, which sometimes happens!), and need to add only a couple additional rules to disallow a couple of things that could be a problem otherwise.

    But that said, AppLocker does have great advantages over SRP. The most important of which is security. AppLocker is not user mode stuff like SRP which was relatively easy to circumvent due to that, but uses a kernel driver to enforce policies.
     
  4. pcunite

    pcunite Registered Member

    Joined:
    Oct 22, 2009
    Posts:
    14
    I read somewhere (can't verify it though) that SRP in Windows 7 hands things off to AppLocker so you still get kernel support. I don't know how this would work in the Professional SKU, perhaps just the AppLocker GUI is disabled? In any event the Ultimate SKU is only $20 more than Professional so I might as well get Ultimate.
     
  5. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    478
    I must confess that I do. I also run Deepfreeze, so I don't bother updating files. I guess it works OK on a static system.
     
  6. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    I kind of have to ask you: have you deleted the four additional rules that are created by default that allow the executables in Windows and Program Files folders to run? Because if you haven't, then you're not using hash rules only... ;)

    But, I guess one could manage by just using hash rules, if one avoided updating software, made an absolutely huge list of hashes and disabled Windows updates. It wouldn't make much sense to me, though, considering that easier solutions exist.
     
  7. SpikeyB

    SpikeyB Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    478
    Yes I did :D. It was quite time-consuming to set up but it takes no major effort now (I suppose major is relative). If I want to create a new rule I browse to the file and it's added to my whitelist. Not quite as easy as using something like ProcessGuard but I like the idea that it's part of the o/s with no extra processes running.

    So far it's worked for me but perhaps it's not suitable for lots of people.
     
  8. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Ouch, man, you have way too much time on your hands. :D Yes, I think for most people path rules are a far easier choice, and really the difference in security is marginal.
     
  9. tcarrbrion

    tcarrbrion Registered Member

    Joined:
    Dec 15, 2007
    Posts:
    55
    I have found hash rules useful to allow programs that run directly off the CD. Signature rules could help here, if the program is signed.
     
  10. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Yes, hash rules are actually useful in many situations! I would not argue against that. What I'd say is that using hash rules only, and no other types of rules, not even path rules, is not very convenient or efficient. :eek:
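
Added example (not part of the thread, and not how SRP or AppLocker are implemented): a simplified Python model of the default-deny rule types discussed in the posts above, showing which rule still matches after a program is updated or run from another drive. The `Policy` class, the sample paths, the file bytes and the publisher name are constructed for illustration; the publisher is a plain string that is assumed to have been verified from a signature elsewhere, and SHA-256 is this model's choice of hash.

```python
import hashlib
import ntpath
from dataclasses import dataclass, field
from typing import Optional

def _norm(path: str) -> str:
    # Windows paths are case-insensitive; normalise case, separators and ".." segments
    return ntpath.normcase(ntpath.normpath(path)).rstrip("\\")

@dataclass
class Policy:
    """Default-deny allowlist model with hash, publisher and path rules."""
    hashes: set = field(default_factory=set)      # SHA-256 digests of allowed file contents
    publishers: set = field(default_factory=set)  # allowed signer names (assumed already verified)
    paths: list = field(default_factory=list)     # allowed directory prefixes

    def allow_hash(self, content: bytes) -> None:
        self.hashes.add(hashlib.sha256(content).hexdigest())

    def allow_path(self, directory: str) -> None:
        self.paths.append(_norm(directory))

    def decide(self, path: str, content: bytes, publisher: Optional[str] = None) -> str:
        """Return the rule type that allows the file, or 'denied' (the default rule)."""
        if hashlib.sha256(content).hexdigest() in self.hashes:
            return "hash"
        if publisher is not None and publisher in self.publishers:
            return "publisher"
        p = _norm(path)
        if any(p.startswith(prefix + "\\") for prefix in self.paths):
            return "path"
        return "denied"

def demo() -> dict:
    v1 = b"MZ constructed app build 1"   # constructed file contents
    v2 = b"MZ constructed app build 2"   # the same program after an update
    app = r"C:\Program Files\App\app.exe"
    hash_only = Policy()
    hash_only.allow_hash(v1)
    path_based = Policy()
    path_based.allow_path(r"C:\Program Files")
    pub_based = Policy(publishers={"Example Corp"})
    return {
        "hash_v1": hash_only.decide(app, v1),            # allowed: digest is listed
        "hash_v2": hash_only.decide(app, v2),            # update changed the digest
        "hash_cd": hash_only.decide(r"D:\app.exe", v1),  # hash rule follows the file to any drive
        "path_v2": path_based.decide(app, v2),           # path rule survives the update
        "path_download": path_based.decide(r"C:\Users\me\Downloads\app.exe", v2),
        "pub_v2": pub_based.decide(r"D:\app.exe", v2, publisher="Example Corp"),
    }
```
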
     