Apparently AppLocker was different: it didn't work with either :(. Maybe they would then apply to access through a mapped drive? it's not 100% clear. Vadims Podāns reports that SRP entries using mapped drives do not work. So you can't trust the official documentation, and it seems unlikely to get fixed now. Microsoft present multiple examples of this including *.Extension, with no warning. Note that the explanation applies to using any extension in a path rule. If you try to compromise by allowing LNK files on the desktop, and you leave users with write access to the desktop, they can now bypass your policy entirely.or maybe stuffing enough shellcode in an inline script parameter. or getting script interpreters to run files with an unexpected extension e.g. Disturbingly, no sources seem to discuss LNK vulnerabilities. (And Web Shortcuts to avoid breaking Favourites?!). Many sources recommend simply removing LNK files from the list.And I only discovered Vadims Podāns' article by accident. Of the sources I found for SRP, none put the full list above together for you.Registry path rules must not have slashes immediately after the last percent sign (despite being included in Microsoft's own built-in rules for XP/Server 2003) and any backslashes must be replaced with forwardslashes in order for the rule to work ( 1/ 2/ 3).Also according to Microsoft's comparison table, SRP can't manage "Packaged apps" in Windows 8 I have no idea what this means. The default extensions neglect to forbid PowerShell scripts (*.PS1) supported by Windows.This is to do with 32-bit applications reading relevant paths from the WOW6432Node of the registry: resolution is to add both these paths to SRP to allow all programs to work on 32-bit and 64-bit machines as Unrestricted whether started from an 圆4 or x86 host process: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)% %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir% When resolving this using the more secure "registry paths", there are reports of false denials in random situations, which could easily be missed in testing. The suggested defaults neglect to allow for the two different \Program Files used on modern 64-bit installs.This footgun is fixed in AppLocker, because it never looks at environment variables. These are not used in the suggested defaults. Using environment variables like %systemroot%, SRP can be bypassed by users by clearing the environment variable.I didn't notice any answers to this anywhere :(. ![]() (Including the \Windows\*.exe legacy, System32\*.exe, etc). The obvious question is why aren't we carefully whitelisting individual paths under \Windows instead. ![]() "To enumerate all folders with users write access you can use, for example, AccessEnum utility from Sysinternals pack." (or AccessChk).Īn NSA document gives 16 examples of folders to blacklist with SRP (although the registry path rules use backslashes incorrectly so must be corrected - see point on registry paths below) and warns about a common over-broad blacklist entry. Applocker is the same, but at least official documentation mentions this limitation. Some sub-folders can be written to by users. In the default rules, execution from the \Windows folder is permitted.Some of them are described in a nice security article from Vadims Podāns. Hopefully you'd gain perfect understanding of SRP's pitfalls before you fall into any of them. It's also possible there's a suitable third-party alternative (but this question didn't include that option :). If AppLocker is an option then it could be the cheaper one - after accounting for your time and risks taken. AppLocker has the advantage that it's still being actively maintained and supported. In practice SRP has certain pitfalls, for both false negatives and false positives. ![]() Software Restriction Policy is deprecated by Microsoft ( technet effectively claiming SRP is not supported), since Windows 7 Enterprise/Ultimate introduced AppLocker.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |