
Application Support

This is an excerpt from a section of the course that explains a new area of group policies called “Software Restriction Policies”. Basically it’s a list of programs that can and can’t run; you pick which ones run and which don’t.


Presentation Transcript


  1. Application Support This is an excerpt from a section of the course that explains a new area of group policies called “Software Restriction Policies”

  2. Software Restriction Policies • Basically it’s a list of programs that can and can’t run • You pick which ones run and which don’t • But there are thousands of EXEs etc. on your system, so you wouldn’t enjoy having to name every single EXE file that your system knows… • … and disabling every EXE would keep your system from booting!

  3. How You Control SW Policies • A program is either “disallowed” (you can’t run it) or “unrestricted” (you can run it, assuming that there’s nothing else stopping you) • One rule (“Security Levels”) specifies the default value for all programs – disallowed or unrestricted • Another rule (“Enforcement”) excludes administrators from SW restriction policies • Typically you set the default to “unrestricted” and then restrict particular programs

  4. How To Restrict Programs • Four kinds of rules: • Certificates: refer to a code-signing cert to allow (or, I suppose, disallow) an app • Hash: GPEDIT actually computes a “fingerprint” that identifies a particular program and then uses it to allow or disallow an app • Internet Zone: lets you control running apps directly from a URL • File and Directory Path: allow/disallow everything in a directory and its subdirectories, or a particular file or wildcard pattern • Examples coming!

  5. Getting Started • First, create a software policy and start from an all-open, “safe” point of view, then lock it down • Open gpedit.msc, look in Computer Configuration/Windows Settings/Security/Software Restriction Policies

  6. Initial SW Policy – No Objects

  7. Create A Basic Policy • Right-click SW Restrictions Policy, “create new policy” • Now a policy exists, but it basically does not stop anyone from doing anything that they couldn’t do before • First question: disallow all apps by default, or allow all apps by default? Set this in the Security Levels folder; apps are allowed by default

  8. Folders Created in SW Policy

  9. Now let’s disallow Solitaire • Again, there are four ways to identify an app – its Authenticode cert, its hash, its URL or its filename/location • Let’s disallow Solitaire; right-click the Additional Rules folder and choose “New Path Rule…” • Fill in path %windir%\system32\sol.exe • Choose “disallowed” rather than “allowed”

  10. Defining a Path

  11. Now turn the screws… I mean, let’s apply the rule • gpupdate /force typically isn’t enough • Restrictions seem to need a logoff/logon • Then try to start Solitaire • If it doesn’t work, then reboot; you’ll see

  12. But the users aren’t dumb… • So they copy sol.exe to another directory, run it, and they’re back to Solitaire • So let’s try for a better approach – zap sol.exe itself; create a new “Hash” rule • Point to sol.exe and the system will compute a “fingerprint” that will identify sol.exe no matter where it is • Result: Solitaire is dead
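The point of slides 9 through 12 is how the different rule types are matched against a program: a path rule only cares where the file sits, so a copy of sol.exe in another directory slips past it, while a hash rule fingerprints the file contents and catches it anywhere. The following is an added example, not code from the course or from Windows, that models that evaluation in Python so you can see the difference without touching gpedit. It implements only path and hash rules (certificate and Internet-zone rules are left out), uses SHA-256 as the fingerprint, and orders the checks the way Microsoft documents SRP precedence (hash rules beat path rules, the most specific matching path rule wins, and the Security Levels default applies only when nothing matches). The %windir% value, the file bytes standing in for sol.exe and the user paths are all constructed for the demo.

```python
import fnmatch
import hashlib
from dataclasses import dataclass, field

DISALLOWED = "Disallowed"
UNRESTRICTED = "Unrestricted"


@dataclass
class PathRule:
    pattern: str   # file, directory, or wildcard pattern; %var% expands from env
    level: str


@dataclass
class HashRule:
    sha256: str    # fingerprint of the file contents, independent of location
    level: str


@dataclass
class SrpPolicy:
    default_level: str = UNRESTRICTED          # the "Security Levels" default
    skip_administrators: bool = False          # the "Enforcement" exemption
    path_rules: list = field(default_factory=list)
    hash_rules: list = field(default_factory=list)


def file_hash(data: bytes) -> str:
    """Fingerprint a program by its bytes (SHA-256 stands in for the GPEDIT hash)."""
    return hashlib.sha256(data).hexdigest()


def _norm(p: str, env: dict) -> str:
    """Expand %var% references and normalise case/separators like Windows does."""
    for name, value in env.items():
        p = p.replace(f"%{name}%", value)
    return p.replace("/", "\\").lower()


def path_matches(pattern: str, path: str, env: dict) -> bool:
    pat, target = _norm(pattern, env), _norm(path, env)
    if "*" in pat or "?" in pat:
        return fnmatch.fnmatchcase(target, pat)       # wildcard pattern rule
    # A plain rule names one file, or a directory together with its subdirectories
    return target == pat or target.startswith(pat.rstrip("\\") + "\\")


def evaluate(policy: SrpPolicy, path: str, data: bytes, env: dict,
             is_admin: bool = False) -> tuple[str, str]:
    """Return (security level, reason) for launching the file at `path`."""
    if is_admin and policy.skip_administrators:
        return UNRESTRICTED, "enforcement: administrators are exempt"
    digest = file_hash(data)
    for rule in policy.hash_rules:                     # hash rules win first
        if rule.sha256 == digest:
            return rule.level, f"hash rule {digest[:12]}"
    hits = [r for r in policy.path_rules if path_matches(r.pattern, path, env)]
    if hits:                                           # most specific path wins
        best = max(hits, key=lambda r: len(_norm(r.pattern, env)))
        return best.level, f"path rule {best.pattern}"
    return policy.default_level, "default security level"


def solitaire_demo() -> tuple[str, str, str]:
    """Replay slides 9-12: path rule, the copy-elsewhere trick, then a hash rule."""
    env = {"windir": r"C:\Windows"}                    # constructed environment
    sol_exe = b"MZ constructed stand-in for sol.exe"  # constructed file contents
    policy = SrpPolicy(default_level=UNRESTRICTED)

    # Slide 9: path rule on %windir%\system32\sol.exe
    policy.path_rules.append(PathRule(r"%windir%\system32\sol.exe", DISALLOWED))
    original, _ = evaluate(policy, r"C:\Windows\System32\sol.exe", sol_exe, env)

    # Slide 12: the user copies sol.exe somewhere else and runs that copy
    copied, _ = evaluate(policy, r"C:\Users\bob\Desktop\sol.exe", sol_exe, env)

    # Slide 12, second half: a hash rule follows the bytes, not the path
    policy.hash_rules.append(HashRule(file_hash(sol_exe), DISALLOWED))
    copied_with_hash, _ = evaluate(policy, r"C:\Users\bob\Desktop\sol.exe", sol_exe, env)
    return original, copied, copied_with_hash


if __name__ == "__main__":
    print(solitaire_demo())   # ('Disallowed', 'Unrestricted', 'Disallowed')
```

The middle value is the whole story of slide 12: with only the path rule in place, the relocated copy runs under the default level, and only the hash rule brings it back to Disallowed. The same evaluator also shows the slide 3 knobs in action: flip `default_level` to `DISALLOWED` and add an unrestricted directory rule for `%windir%` to get the lock-down-then-allow posture, or set `skip_administrators=True` to see the Enforcement exemption short-circuit everything.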

  13. A Hash Rule

  14. We hope that looked useful… We cover that and a WHOLE lot more in the Powerpoint. If you’re interested, visit www.minasi.com/buyxpbook.htm to purchase the entire 279-slide book. Thanks for downloading and examining our sample!
