Wednesday, November 05, 2008

Software Restriction in Windows 7

These are some quick notes from a session on AppLocker by Paul A. Cooke, Tech-Ed EMEA 2008:

As you may have seen, I’ve written a few articles on Software Restriction Policy (SRP) under Windows XP and Windows Vista for www.windowsecurity.com (see below). I’m very happy to tell you that Microsoft has now improved this functionality and renamed it AppLocker!

Unfortunately I cannot bring you any screenshots (because of the NDA), but I can tell you a few things about the basic functionality. With AppLocker you can more easily eliminate unwanted and unknown applications in your Windows 7 environment. You can enforce application standardization, both from a security point of view (malware) and from a management point of view (licensing and user control).

What most organizations try to do these days is to limit users to standard user (non-administrator) rights on their local machines. However, that alone is not enough to feel secure as an IT administrator; running as a standard user is not the solution to all of our problems. Many applications can do bad things even in user context: stealing data, deleting data, manipulating data, encrypting data, joining botnets, sending spam, social engineering and so on. This is true both for applications that install in user context (like Google Chrome) and for plain executables that don’t install at all; they just run!

If you want to control applications like that, deciding what can run and what cannot, then you need another approach. AppLocker comes to the rescue!


AppLocker has been built around digital signatures: the signing of software executables and DLLs. This was also an option in SRP under Windows XP, where we had path, filename, hash and certificate rules, but it was pretty hard to manage and enforce back then. With Windows 7, a new GUI has been added to the Group Policy editor to support easy creation of software rules. We have three types of rules:
- Allow rules: the same as whitelisting (‘known good’ software)
- Deny rules: the same as blacklisting (‘known bad’ software)
- Exceptions: exclusions from allow or deny rules

Allow rules are of course the recommended approach: a “default deny all applications” rule (whitelisting), combined with the specific applications the administrator wants users to be able to run. As an administrator you get granular control of specific applications, enforcing who can run and/or install them (provided they have the appropriate rights and permissions).

Administration is done through Group Policy under Computer Configuration > Application Control Policies, but strangely enough each rule has to specify the affected users and groups (it is still unclear whether the SYSTEM account is excluded from the checks, as it is with SRP). So these are computer policies that are able to hit users, like loopback processing or Group Policy Preferences.

You can create multiple rule sets and take advantage of specific attributes, like application version (equal to/above/below X.0.0.0), file name (executable name), publisher (taken from the certificate the file is signed with) and product name (like “Microsoft Office 2007”), and wildcards still seem to be supported.

You can control executables, installers (MSI), scripts and DLLs, using publisher (certificate), hash or path rules. The disadvantage of hash rules is that the hash changes every time the application is updated; publisher rules are much more flexible because the signature will still be there after an update (unless the developers totally mess up and change publisher). So always try to go for publisher rules; certificates are here to stay :)

AppLocker can run in three modes: enforce rules, enforce rules using Group Policy inheritance, and audit only! The latter is pretty cool, as you can configure the whole policy, roll it out, and review what would have been blocked before you go “live”.

AppLocker supports import and export of rules, which can be very useful, but one of the best new features is that there’s no need to create all the rules manually: you have the option to “automatically generate rules”. This feature analyzes a “reference machine” (not sure yet whether this has to be the local machine) and the files in a given folder on that machine (not sure yet whether this can be a share). You can compare it to a “snapshot” feature: take all the files in that folder (and its subfolders) and make allow rules from them (preferably certificate based).

The new rule creation tools and wizards seem pretty straightforward, but you really need to think about the SRP design before you go for it, and test intensively, or else you’ll end up in serious trouble ;-)
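To make the “automatically generate rules”, publisher-before-hash and audit-only points above concrete, here is an added example of how I would script that workflow with the AppLocker PowerShell module that ships with Windows 7. It is not code from the session, from Microsoft, or from the GUI wizard; the reference folder C:\RefApps and the output path C:\Policies\applocker.xml are assumptions, and it assumes an elevated prompt on an edition that includes AppLocker (Windows 7 Enterprise/Ultimate or Server 2008 R2).

```powershell
# Added example (not from the session or from Microsoft): generate AppLocker allow rules from a
# reference folder, prefer publisher rules, fall back to hash rules, start in audit-only mode,
# dry-run the policy against this machine, and apply it locally.
# Assumptions: elevated PowerShell on Windows 7 with the AppLocker module; the paths below are hypothetical.
Import-Module AppLocker

$refDir  = 'C:\RefApps'                 # reference folder on the local machine (assumption)
$outFile = 'C:\Policies\applocker.xml'  # generated policy file (assumption)
New-Item -ItemType Directory -Force -Path (Split-Path $outFile) | Out-Null

# 1. Collect file information from the reference folder and its subfolders.
#    Signed files expose Publisher data; every file exposes a hash.
$fileInfo = Get-AppLockerFileInformation -Directory $refDir -Recurse `
                -FileType Exe, Dll, Script, WindowsInstaller

# Show the unsigned files: these can only ever get a hash rule, which breaks on every update.
$fileInfo | Where-Object { -not $_.Publisher } | Select-Object Path, Hash

# 2. Generate allow rules: publisher rules where a signature exists, hash rules as fallback.
#    -Optimize merges files from the same publisher/product into a single rule.
$policyXml = $fileInfo |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
        -RuleNamePrefix RefApps -Optimize -Xml

# 3. Audit only: set EnforcementMode="AuditOnly" on every rule collection so nothing is
#    blocked yet, but AppLocker logs what *would* have been blocked.
$xml = [xml]$policyXml
foreach ($collection in $xml.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$xml.Save($outFile)

# 4. Dry run against the binaries actually installed on this machine before deploying.
#    Anything not 'Allowed' here would fail under a default-deny policy.
Get-ChildItem $env:ProgramFiles -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    Test-AppLockerPolicy -XmlPolicy $outFile -User Everyone |
    Where-Object { $_.PolicyDecision -ne 'Allowed' } |
    Select-Object FilePath, PolicyDecision, MatchingRule

# 5. Apply the audit-only policy locally (-Merge keeps any existing rules) and make sure the
#    Application Identity service, which AppLocker depends on, is running.
Set-AppLockerPolicy -XmlPolicy $outFile -Merge
Set-Service AppIDSvc -StartupType Automatic
Start-Service AppIDSvc

# 6. After a few days in audit mode, review the "would have been blocked" events (ID 8003 in
#    the EXE and DLL log), fix the rules, then change EnforcementMode to "Enabled" in the XML.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 8003 } |
    Select-Object TimeCreated, Message
```

The point of step 3 and step 6 is the same as the session’s audit-only mode: you find the unsigned, forgotten or self-updating applications in the event log instead of on the help desk phone. Pushing the XML out via a GPO (Set-AppLockerPolicy also takes -Ldap) is the same procedure with a different target.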

 

I just can’t wait to test this deeply and bring you more information!

 

Previous article series on SRP:
Default Deny All Applications (Part 1)
Default Deny All Applications (Part 2)

Microsoft AppLocker description:
http://www.microsoft.com


User Account Control in Windows 7

These are some quick notes from a session on UAC by Paul A. Cooke, Tech-Ed EMEA 2008:

Microsoft Windows 7 will reduce the number of OS applications and tasks that require elevation; this has been done by refactoring apps and tasks into elevated and non-elevated pieces.

UAC v2 will provide more flexible prompt behavior for administrators, and administrators will see fewer UAC elevation prompts.

Users can do even more as standard users (e.g. parts of BitLocker, Windows Update etc.); they will also be able to ‘read’ system settings without needing to elevate.

Windows 7 will be better at telling human-initiated changes from application-initiated changes; this way changes made by a “human administrator” will be allowed without too many prompts.

UAC can now easily be graduated into four levels (from the strict Vista default to totally off), and everything can of course be handled using Group Policy.

 

To me this is all pretty cool – but to be honest, I’m one of those weird guys, who don’t care about Vista UAC prompts… I just press ALT+C… How hard can it be? ;-)
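Since the four-level slider is just a front end for a couple of registry values that Group Policy can also set, here is an added check (my own, not from the session) that reads them and reports which level a Windows 7 box is actually on. The value-to-level mapping in the comments is how I understand the documented Windows 7 behaviour; treat it as an assumption and verify it against your own build.

```powershell
# Added example, not from the session notes: report the effective UAC level from the registry.
# Assumed mapping for the Windows 7 slider (verify on your build):
#   Level 4  Always notify                      ConsentPromptBehaviorAdmin=2  PromptOnSecureDesktop=1
#   Level 3  Notify when programs make changes  ConsentPromptBehaviorAdmin=5  PromptOnSecureDesktop=1  (Windows 7 default)
#   Level 2  Same, but no secure desktop        ConsentPromptBehaviorAdmin=5  PromptOnSecureDesktop=0
#   Level 1  Never notify                       ConsentPromptBehaviorAdmin=0  PromptOnSecureDesktop=0
function Get-UacLevel {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $v   = Get-ItemProperty -Path $key

    # EnableLUA=0 means UAC is switched off entirely, whatever the other values say.
    if ($v.EnableLUA -eq 0) { return 'UAC disabled (EnableLUA=0): every admin process runs fully elevated' }

    switch ("$($v.ConsentPromptBehaviorAdmin)/$($v.PromptOnSecureDesktop)") {
        '2/1' { 'Level 4: always notify (Vista-style consent prompt on the secure desktop)' }
        '5/1' { 'Level 3: notify only for non-Windows binaries (Windows 7 default)' }
        '5/0' { 'Level 2: notify without the secure desktop (weaker: the prompt can be spoofed or clicked by software)' }
        '0/0' { 'Level 1: never notify (administrators are elevated silently)' }
        default {
            "Custom: ConsentPromptBehaviorAdmin=$($v.ConsentPromptBehaviorAdmin) " +
            "PromptOnSecureDesktop=$($v.PromptOnSecureDesktop) (set by policy or by hand)"
        }
    }
}

Get-UacLevel
```

Anything other than level 3 or 4 on a machine that is supposed to follow the domain policy is worth a question; level 2 in particular keeps the prompts but throws away the secure desktop that stops other software from answering them.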


Monday, October 20, 2008

I just love sharing!

Just found this - using Google Alerts of course :)

I made little modifications on this script created by Jakob Heidelberg to search for printers manually created on user profiles. This is very useful when you want to ensure that everybody has only auto-created printers, from Citrix or ThinPrint.

This script loads ntuser.dat on each profile, checks some registry keys, writes a log and unloads ntuser.dat. Some users can have problems loading their profiles if you use this script at the same time that they try to log on.

http://www.robertoalves.com/?p=58

I just love sharing!
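Roberto’s script is not reproduced above, so here is an added PowerShell version of the same idea, written by me for this post and not the same code as his or my original. It assumes the printer connections a user mapped by hand are recorded under the user’s Printers\Connections key, skips profiles whose hive is already loaded (a logged-on user) to avoid the logon collision mentioned above, and logs to the hypothetical path C:\Temp\printers.log.

```powershell
# Added example (not the script from the post): find manually mapped printers in every local
# user profile by loading each NTUSER.DAT, reading Printers\Connections, logging, and unloading.
# Assumptions: elevated PowerShell; user-created network printer connections live under
# HKCU\Printers\Connections; log path and temporary hive name below are hypothetical.
$log     = 'C:\Temp\printers.log'
$tempKey = 'TempProfileHive'       # temporary mount point under HKEY_USERS (assumption)
New-Item -ItemType Directory -Force -Path (Split-Path $log) | Out-Null
New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction SilentlyContinue | Out-Null

function Write-Log ([string]$msg) { Add-Content -Path $log -Value ("{0} {1}" -f (Get-Date -Format s), $msg) }

# Real user profiles (S-1-5-21-*); system/service profiles are skipped.
$profiles = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' |
    Where-Object { $_.PSChildName -like 'S-1-5-21-*' }

foreach ($p in $profiles) {
    $sid  = $p.PSChildName
    $path = [Environment]::ExpandEnvironmentVariables((Get-ItemProperty $p.PSPath).ProfileImagePath)
    $hive = Join-Path $path 'NTUSER.DAT'

    # A hive that is already present under HKEY_USERS belongs to a logged-on user:
    # loading it a second time fails and can break that user's logon, so skip it.
    if (Test-Path "HKU:\$sid") { Write-Log "SKIP  $sid $path (hive in use, user logged on)"; continue }
    if (-not (Test-Path $hive)) { Write-Log "SKIP  $sid $path (no NTUSER.DAT)"; continue }

    & reg.exe load "HKU\$tempKey" $hive | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Log "ERROR $sid $path (reg load failed)"; continue }

    try {
        $conn = "HKU:\$tempKey\Printers\Connections"
        if (Test-Path $conn) {
            # Subkey names look like ",,printserver,printername" for each mapped network printer.
            $names = Get-ChildItem $conn | ForEach-Object { $_.PSChildName }
            if ($names) { foreach ($n in $names) { Write-Log "FOUND $sid $path $n" } }
            else        { Write-Log "NONE  $sid $path" }
        } else {
            Write-Log "NONE  $sid $path"
        }
    } finally {
        # The registry provider keeps handles open; release them or reg unload reports "Access is denied".
        [GC]::Collect()
        [GC]::WaitForPendingFinalizers()
        & reg.exe unload "HKU\$tempKey" | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Log "ERROR $sid $path (reg unload failed, hive still mounted)" }
    }
}
```

The unload in the finally block is the important part: a hive left mounted under HKEY_USERS is exactly what stops the next logon for that user, which is the problem Roberto warns about.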

Sunday, October 12, 2008

Why does standby overrule shutdown?

Well, I’m a Microsoft kinda guy – but I do have a problem with one “feature” which has been part of the Windows OS for some time…

Normally I change the default behavior under Power Options so that Windows does NOT start a STANDBY process when I close the lid of my laptops, but I haven’t done it on all of my machines and under every user profile I have (and customers have the same issue).

So what happens is that you are done for the day, you start a SHUTDOWN process as usual, and then you close the laptop’s lid. A STANDBY process then starts. Doh!

That means the SHUTDOWN process is put into STANDBY mode, and the next time you boot your laptop the machine state resumes just to finalize the SHUTDOWN process… and then you have to boot your machine again to get started. Hmmm, I definitely don’t like it!

So what should happen? Well, when a SHUTDOWN process has started, a STANDBY process should NOT be able to “take over”; just let me close the laptop lid and continue the already started SHUTDOWN process, thanks :)

OK, I admit that it’s only a problem when I haven’t changed the default power settings, but I can’t be the only human being in this world with that particular problem!?!? Why would you EVER want a SHUTDOWN process to be put into STANDBY mode?

 

BTW, I have seen that Mac and Ubuntu people have the same issue on some versions. I don’t know if it has been fixed on those OSes; I have the problem on all the different Windows systems I run on laptops.
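For the machines where I have not clicked through Power Options yet, the same change can be scripted with powercfg on Vista and Windows 7 (the XP syntax is different). This is an added snippet, not something from the post; it uses the SUB_BUTTONS/LIDACTION aliases and the index values powercfg documents for the lid action (0 = do nothing, 1 = sleep, 2 = hibernate, 3 = shut down), and it has to run elevated.

```powershell
# Added example (not from the post): make "close lid" do nothing on both AC and battery for the
# active power scheme, so a running shutdown is never turned into standby. Vista/Windows 7 powercfg
# syntax; run elevated. LIDACTION index: 0 = Do nothing, 1 = Sleep, 2 = Hibernate, 3 = Shut down.
powercfg -setacvalueindex SCHEME_CURRENT SUB_BUTTONS LIDACTION 0
powercfg -setdcvalueindex SCHEME_CURRENT SUB_BUTTONS LIDACTION 0
powercfg -setactive SCHEME_CURRENT

# Verify: the "Current AC Power Setting Index" and DC index lines should both read 0x00000000.
powercfg -query SCHEME_CURRENT SUB_BUTTONS LIDACTION
```

Power schemes are per machine, so this only needs to be run once per laptop (or pushed out via a startup script), not once per user profile.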

Thursday, October 02, 2008

Microsoft: the IT-experts.dk online forum has now been updated

Quote:

Microsoft Denmark strongly believes in local Danish IT networks. We want to help Danish IT professionals make professional connections and have a forum for technical questions and answers where non-Microsoft employees contribute their perspectives.

IT-experts.dk is a free online forum for Danish IT professionals. The site has had great success with an open style, where all members can ask technical questions and share their knowledge with others. After a recent update of the site, a lot of new features have arrived, such as RSS feeds in countless variations, blogs, OpenID and much more. If you are not already registered as a user on the new platform, do it right now:
http://it-experts.dk/medlem.

The typical users are professional IT consultants, specialists, administrators, support staff and architects within messaging, security, infrastructure, virtualization, terminal services and the like. There is a predominant emphasis on the Microsoft platform, but there is certainly also room for a focus on other areas of the IT world.

Behind IT-experts.dk stands a group of skilled Danish IT consultants, MVPs and Microsoft TechNet Influencers who put in a great effort to keep the site running, answer questions, blog, write articles and the like, all on a voluntary basis.

We congratulate IT-experts.dk on the new platform and hereby encourage you to take part in the largest Danish Microsoft community for IT professionals:
www.it-experts.dk.

Source: http://blogs.technet.com/dkitpro

Sunday, July 06, 2008

Windows SteadyState 2.5 is out there!

This is great news. I've been writing a few articles on this baby, and now we have a brand new version available for download!!!


Go ahead and read some more:

Protect Public Computers with Windows SteadyState, Part 1

Protect Public Computers with Windows SteadyState, Part 2

Windows SteadyState 2.5 Technical FAQ

Windows SteadyState 2.5 Handbook

 

Download Windows SteadyState 2.5 right here!

 

Enjoy!


Tuesday, May 27, 2008

Great Vista hack... Somebody call Mr. BitLocker!

We've seen hacks like this before, no doubt about it - but it's a really nice trick which you gotta love (and hate) - check it out here!

So basically this hack requires PHYSICAL ACCESS to the hard drive. Using BackTrack (or some other boot utility capable of reading/writing NTFS), the file Utilman.exe in \Windows\System32 is replaced with a copy of Cmd.exe. After a reboot, at the logon screen, when Utilman is launched (by hitting Win+U) you get a nice command prompt running under SYSTEM credentials, which is pretty powerful... From there the only limit is your imagination!

Yes, BitLocker protects us from attacks like these (the offline attacker cannot write to an encrypted system volume), so somebody please call Mr. BitLocker!
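On machines without BitLocker you at least want to notice when this has been done. Here is an added check (mine, not from the linked post) that looks at the file on disk rather than at the running system: a swapped Utilman.exe is byte-for-byte identical to cmd.exe, its version resource says Cmd.Exe instead of UTILMAN.EXE, and it matches none of the original copies Windows keeps in the WinSxS component store. It also covers sethc.exe (Sticky Keys), which is abused with the exact same trick; that generalisation is mine, not the post’s, and the reliance on %windir%\winsxs holding a pristine copy is an assumption.

```powershell
# Added example (not from the post): detect the Utilman.exe / sethc.exe replaced-with-cmd.exe trick.
# Assumptions: elevated PowerShell on Vista/Windows 7; %windir%\winsxs still contains the original
# component copies so their hashes can be compared with the file in System32.
function Get-Sha256 ([string]$path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($path)
    try   { ([BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

function Test-AccessibilityBinary ([string]$name) {
    $target  = Join-Path $env:windir "System32\$name"
    $hash    = Get-Sha256 $target
    $cmdHash = Get-Sha256 (Join-Path $env:windir 'System32\cmd.exe')
    $ver     = (Get-Item $target).VersionInfo
    $base    = [System.IO.Path]::GetFileNameWithoutExtension($name)

    # Known-good copies live in the component store; if any of them matches, the file is untouched.
    $storeHashes = Get-ChildItem (Join-Path $env:windir 'winsxs') -Recurse -Filter $name -ErrorAction SilentlyContinue |
        ForEach-Object { Get-Sha256 $_.FullName }

    New-Object PSObject -Property @{
        File              = $target
        IsCopyOfCmd       = ($hash -eq $cmdHash)                 # the classic swap: identical bytes
        OriginalFilename  = $ver.OriginalFilename               # cmd.exe reports "Cmd.Exe" here
        NameMismatch      = ($ver.OriginalFilename -notlike "$base*")
        MatchesWinSxSCopy = ($storeHashes -contains $hash)       # $false = modified or unknown build
    }
}

'utilman.exe', 'sethc.exe' |
    ForEach-Object { Test-AccessibilityBinary $_ } |
    Format-Table File, IsCopyOfCmd, NameMismatch, MatchesWinSxSCopy, OriginalFilename -AutoSize
```

IsCopyOfCmd or NameMismatch being $true is a clear hit; MatchesWinSxSCopy being $false on its own only means the hash is unknown (for example a hotfixed binary not yet in the store), so treat it as a lead rather than proof. Run it from a scheduled task or your management agent, not from the logon screen the attacker is standing at.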


Tuesday, April 29, 2008

Group Policy Survival Guide

Yes, it's true - there's a new GP guide out there from Microsoft...

Check it out here - it's pretty cool!

 
