Windows 8: SRP or AppLocker for admin account

Discussion in 'other software & services' started by erim, Jan 23, 2015.

  1. erim

    erim Registered Member

    Joined:
    Aug 29, 2006
    Posts:
    43
    In Windows 7 it's easy to set up Software Restriction Policies or AppLocker for the admin account. It won't protect against local bad users, but it will prevent some malicious/accidental software executions.

    However, in Windows 8 it seems that both SRP and AppLocker work differently.
    SRP doesn't work at all for the admin account. Everything can still be executed, even if I select "All users" in the enforcement settings.
    AppLocker works, things get blocked, but if I add "Administrators" as the users who can run everything (default rules), I can run everything without UAC prompt, which is different from how it works in Windows 7 (where the admin is also restricted, unless he elevates his privilege with UAC).

    So, is there any way to make it work like in Windows 7?
     
  2. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,061
    I have SRP enabled for all users and I (administrator account) can't run anything that is not whitelisted. :confused:
     
  3. guest

    guest Guest

    Something is definitely wrong there. In Windows 8/8.1 Pro I can confirm that it still works like what it does in Windows 7. It even carries the Basic User bug along. I can't tell anything about AppLocker though, as I don't own Windows 8/8.1 Enterprise.
     
    Last edited by a moderator: Jan 24, 2015
  4. erim

    erim Registered Member

    Joined:
    Aug 29, 2006
    Posts:
    43
    So.. today I wake the PC from hibernation (no restart) and SRP suddenly starts working. o_O (Mind you, I restarted a couple of times yesterday to no avail.) Then I changed enforcement from "All users" to "All users except local administrators" and that did require a restart to apply.
    But anyway, SRP is fine right now and works like in Windows 7 (it blocks non-whitelisted executions for admin account unless I "Run as administrator").

    The AppLocker thing looks like a change MS made from 7 to 8. Another user noticed it here. Wish there was an option for the old behavior, but oh well.


    Which bug is that?
     
  5. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,061
    @erim
    Are you using Windows 8 Enterprise? If you are using Windows 8 Pro, AppLocker won't work ( even if you can set rules :rolleyes: ).
     
  6. erim

    erim Registered Member

    Joined:
    Aug 29, 2006
    Posts:
    43
    Yes, of course. AppLocker works, just slightly differently from how it works in 7.
     
  7. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,517
    Applocker default rules won't apply to Admin accounts in Windows 8/8.1 Enterprise.
     
  8. guest

    guest Guest

    The Basic User policy is supposed to (as far as I can remember) make apps to run with limited rights and unable to ask for elevation. But in Windows 7 and 8 it works basically the same as Disallowed policy. So your choice is only black and white.

    @Minimalist
    Nice new avatar! :thumb: :D
     
    Last edited by a moderator: Jan 24, 2015
  9. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,061
Loading...