Software restriction Policies to Windows Home

Discussion in 'Tutorials & Guides' started by Windows_Security, Sep 18, 2016.

  1. Windows_Security

    Windows_Security Level 13
    Content Creator Trusted

    Mar 13, 2016
    616
    2,886
    Holland
    Windows 7
    Default-Deny
    #1 Windows_Security, Sep 18, 2016
    Last edited: Sep 18, 2016
    First create a restore point before applying any of the tweaks mentioned in this post

    Intro

    On the Wilders Security forum a well-known member with the nickname Lucy (alas, she is not active anymore; hope she is well) posted a registry file to use Software Restriction Policies on Windows Home versions also. The update should add SRP to both the 32- and 64-bit versions of Windows Home.

    What is SRP?

    SRP stands for Software Restriction Policies. As the name says, it can be used to restrict software on your PC. It basically has three modes: Disallowed, Basic User and Unrestricted.

    Why only Basic User?
    This SRP uses Basic User as the default level. This setup allows Administrators to overrule the execution restrictions enforced by Software Restriction Policies (SRP). Because all software which is already installed needs elevation to update itself, SRP Basic User allows Windows and your already installed programs in Program Files to update themselves from user space.

    What is the benefit of this SRP?
    This SRP blocks program executions which are not initiated by the user or by regular programs already installed. This covers 95% of all malware intrusions. This 5% risk is the price you pay for having Software Restriction Policies which still keep the Administrator at the steering wheel (being able to auto-update already installed programs and install new ones with right click 'Run as administrator'). I will provide two tips (which are free programs) to close the last 5 percent.

    Add Symantec tweak for MSI installs
    By default Explorer has an option to run any executable with elevated privileges by using "Run as Administrator". Strangely, Microsoft does not provide this option for MSI installers. Symantec came up with a registry tweak to also provide the option for running MSI files as Administrator (link).

    Save the text between --- (do not include --- lines) as Add_Run_MSI_Admin.reg and run it
    --- start
    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\Msi.Package\shell\runas\command]
    @=hex(2):22,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,\
    00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6d,00,\
    73,00,69,00,65,00,78,00,65,00,63,00,2e,00,65,00,78,00,65,00,22,00,20,00,2f,\
    00,69,00,20,00,22,00,25,00,31,00,22,00,20,00,25,00,2a,00,00,00

    --- end


    Add software restriction Policies
    This SRP is the simplest in its form: it runs the Windows and Program Files folders for both 32 and 64 bits as unrestricted, applies to all files (including the extras mentioned by @Av Gurus) and all users (except Administrator). I used the Windows variables %ProgramFiles%, %ProgramFiles(x86)% and %ProgramW6432% from this source and the GUIDs for ProgramFiles, ProgramFilesX86 and ProgramFilesX64 from this source.

    Save the text between --- (do not include --- lines) as Add_SRP_Basic_User.reg and run it
    --- start
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
    "DefaultLevel"=dword:00020000
    "TransparentEnabled"=dword:00000002
    "PolicyScope"=dword:00000001
    "ExecutableTypes"=hex(7):57,00,53,00,48,00,00,00,27,00,57,00,53,00,46,00,00,00,\
    57,00,53,00,46,00,00,00,57,00,53,00,43,00,00,00,57,00,53,00,00,00,56,00,42,\
    00,53,00,00,00,56,00,42,00,45,00,00,00,56,00,42,00,00,00,55,00,52,00,4c,00,\
    00,00,53,00,48,00,53,00,00,00,53,00,43,00,54,00,00,00,53,00,43,00,52,00,00,\
    00,52,00,45,00,47,00,00,00,50,00,53,00,31,00,00,00,50,00,49,00,46,00,00,00,\
    50,00,43,00,44,00,00,00,4f,00,43,00,58,00,00,00,4d,00,53,00,54,00,00,00,4d,\
    00,53,00,50,00,00,00,4d,00,53,00,49,00,00,00,4d,00,53,00,43,00,00,00,4d,00,\
    44,00,45,00,00,00,4d,00,44,00,42,00,00,00,4c,00,4e,00,4b,00,00,00,4a,00,53,\
    00,45,00,00,00,4a,00,53,00,00,00,4a,00,41,00,52,00,00,00,49,00,53,00,50,00,\
    00,00,49,00,4e,00,53,00,00,00,49,00,4e,00,46,00,00,00,48,00,54,00,41,00,00,\
    00,48,00,4c,00,50,00,00,00,45,00,58,00,45,00,00,00,43,00,52,00,54,00,00,00,\
    43,00,50,00,4c,00,00,00,43,00,4f,00,4d,00,00,00,43,00,4d,00,44,00,00,00,43,\
    00,48,00,4d,00,00,00,42,00,41,00,54,00,00,00,42,00,41,00,53,00,00,00,41,00,\
    44,00,50,00,00,00,41,00,44,00,45,00,00,00
    "AuthenticodeEnabled"=dword:00000000

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{6D809377-6AF0-444B-8957-A3773F02200E}]
    "LastModified"=hex(b):14,1f,bd,58,7c,11,d2,01
    "Description"="Program Files on 64 bits"
    "SaferFlags"=dword:00000000
    "ItemData"=hex(2):25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,57,00,36,00,\
    34,00,33,00,32,00,25,00,00,00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}]
    "LastModified"=hex(b):b2,19,7a,3d,7c,11,d2,01
    "Description"="Program Files (x86) on 64 bits"
    "SaferFlags"=dword:00000000
    "ItemData"=hex(2):25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,\
    6c,00,65,00,73,00,28,00,78,00,38,00,36,00,29,00,25,00,00,00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{905E63B6-C1BF-494E-B29C-65B732D3D21A}]
    "LastModified"=hex(b):62,e4,e4,4e,7c,11,d2,01
    "Description"="Program Files (default)"
    "SaferFlags"=dword:00000000
    "ItemData"=hex(2):25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,\
    6c,00,65,00,73,00,25,00,00,00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{F38BF404-1D43-42F2-9305-67DE0B28FC23}]
    "LastModified"=hex(b):28,e1,f9,62,79,11,d2,01
    "Description"="Windows"
    "SaferFlags"=dword:00000000
    "ItemData"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
    74,00,25,00,00,00

    --- end

    Restart Windows
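An added example (Python, not part of the post and not Lucy's file): a small parser for the .reg syntax used above that decodes the hex(2) (REG_EXPAND_SZ) and hex(7) (REG_MULTI_SZ) values, maps DefaultLevel and the rule subkey numbers to the SRP level names, and flags list entries that are not plain extensions, so the policy can be read before it is imported. The sample is a constructed excerpt of the Add_SRP_Basic_User.reg file above with a shortened ExecutableTypes list; the function names are the example's own.

```python
import re

# Constructed excerpt of Add_SRP_Basic_User.reg from the post (DefaultLevel, a shortened
# ExecutableTypes list and one path rule); continuation lines are kept as regedit writes them.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
"DefaultLevel"=dword:00020000
"ExecutableTypes"=hex(7):57,00,53,00,48,00,00,00,27,00,57,00,53,00,46,00,00,00,\
  57,00,53,00,46,00,00,00,45,00,58,00,45,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{6D809377-6AF0-444B-8957-A3773F02200E}]
"Description"="Program Files on 64 bits"
"ItemData"=hex(2):25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,57,00,36,00,\
  34,00,33,00,32,00,25,00,00,00
"""

SAFER = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
# SRP levels as stored in DefaultLevel and used as rule subkey names (0, 131072, 262144).
LEVEL_NAMES = {0x00000: "Disallowed", 0x20000: "Basic User", 0x40000: "Unrestricted"}


def join_continuations(text):
    """Join regedit continuation lines: a trailing backslash continues the value."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip() if buf else raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    return lines


def decode_value(rhs):
    """Decode the right-hand side of a .reg value line (dword, quoted string, hex(n))."""
    if rhs.startswith("dword:"):
        return int(rhs[6:], 16)
    if rhs.startswith('"') and rhs.endswith('"'):
        return rhs[1:-1]
    kind, _, hexpart = rhs.partition(":")
    data = bytes(int(b, 16) for b in hexpart.split(",") if b)
    if kind in ("hex(1)", "hex(2)"):       # REG_SZ / REG_EXPAND_SZ: UTF-16LE, NUL-terminated
        return data.decode("utf-16-le").rstrip("\0")
    if kind == "hex(7)":                    # REG_MULTI_SZ: NUL-separated, double NUL at end
        return [s for s in data.decode("utf-16-le").split("\0") if s]
    return data                             # hex: and other kinds are left as raw bytes


def parse_reg(text):
    """Return {key path: {value name: decoded value}} for a .reg file."""
    keys, current = {}, None
    for line in join_continuations(text):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, rhs = line.partition("=")
            keys[current]["(Default)" if name == "@" else name.strip('"')] = decode_value(rhs)
    return keys


def audit(keys):
    """Summarise the policy: default level, path rules, and extensions that can never match."""
    ci = keys.get(SAFER, {})
    bad = [e for e in ci.get("ExecutableTypes", []) if not e.isalnum()]
    rules = []
    for key, vals in keys.items():
        m = re.match(re.escape(SAFER) + r"\\(\d+)\\Paths\\\{", key)
        if m and "ItemData" in vals:
            rules.append((LEVEL_NAMES.get(int(m.group(1)), "?"), vals["ItemData"]))
    return {"default_level": LEVEL_NAMES.get(ci.get("DefaultLevel"), "unknown"),
            "path_rules": rules, "bad_extensions": bad}
```

Running audit(parse_reg(...)) on the full file from the post reports Basic User as default level, the four Unrestricted path rules, and the stray 'WSF entry that a later reply in this thread points out.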
     
  2. Windows_Security

    #2 Windows_Security, Sep 18, 2016
    Last edited: Sep 18, 2016
    These two free programs close the 5% risk you have when using UAC+SRP while logging in as Administrator.

    Closing AUTORUNS in user space risk (UAC does not warn)

    There are a few autorun locations which can be changed without triggering a UAC prompt, because those autorun entries are located in the Current User registry or in User folders. There is a freeware program which warns you when some program makes additions to these user space autoruns.

    Thanks Kyle for this small but useful freeware program: Startup Sentinel (download). Simply install it and this set-and-forget program will warn you when something tries to survive a reboot using user space autorun entries (okay when you install software, suspicious when it happens out of the blue).


    Closing 'command line' and 'run as administrator' risk (SRP allows this)
    Windows has some script interpreters and command shells which might be used to bypass Basic User SRP in a sneaky manner via poisoned documents. Also the user can still shoot her/himself in the foot by running some malware as administrator.

    Imagine you could combine the best of business-strength next-gen machine learning solutions like Invincea or Cylance with a herd of reliable antivirus engines to close these risks? Imagine this solution is free for home use; sounds too good to be true, does it not?

    There is a freeware program which uses machine learning/artificial intelligence to block zero day malware AND uses the most reliable engines of VirusTotal to block known malware AND is free for non-commercial home use: VoodooShield (just make sure you download the latest version 3.XX). Thanks Dan for this amazing program. Simply install VoodooShield and set it to AUTO-pilot mode, then you are done.

    You will be warned about risky command lines (okay when you install software, suspicious when it happens out of the blue), and it uses the best of next-gen machine learning (to block zero-days) and 57 traditional AV engines (to block known malware).

    Disclaimer
    I have tested it on 32 bits. Edit: Member Av Gurus was so kind to test this on 64, it seems to work also on 64 bits (Thank you).
     
  3. Windows_Security

    #3 Windows_Security, Sep 18, 2016
    Last edited: Sep 18, 2016
    Why use VS in AUTO-pilot mode?
    VS in Smart mode (smart anti-executable mode) will block everything from user space when you are connected to the internet. Because most people go online as soon as they startup their PC and a lot of programs update from the internet, VS in SMART mode (the default) could interfere with updates. Therefore we use VS in AUTO-pilot mode which mimics the behaviour of a traditional antivirus.

    VS in AUTO-pilot (AV) mode weaker than SMART (AE) mode?
    Anti-Executable (whitelist) is stronger than Anti-Virus (blacklist). Ironically VS is tested most not in whitelisting/anti-executable mode (SMART or ALWAYS ON), but in a mode mimicking an AntiVirus. Cruel Sister has tested VoodooShield in AUTO-pilot mode (link). Dan (owner/developer of VS) has tested VS against Cylance and Sophos in AUTO-pilot mode even with the VT blacklist scan disabled (link). So when VS is that good when using half of its capabilities (with the Anti-Executable smart lock off), why not use VS in this more relaxed (more user friendly) AUTO-pilot mode mimicking a SWAT squad of traditional antivirus solutions accompanied by an all seeing machine learning Zero day reconnaissance attack drone?

    Why use SRP as Anti-Executable?
    Any program updating to the Windows or Program Files folders needs to elevate, because UAC protects these folders. SRP Basic User will automatically allow all processes with elevated rights to run from user space. This means a 100% update guarantee for programs installed in UAC protected folders. On top of that SRP Basic User allows installing new programs from user space using right click 'Run as administrator'. So this intended Admin hole in SRP keeps the Admin in control.

    Preventing VS nag-screen

    Another benefit is that SRP will block unintended executions from user space before VS does. When VS saves your ass (blocks a threat), VS will throw a NAG-screen to you a couple of times (asking you to buy PRO). Putting SRP before VS will prevent that.
     
  4. Windows_Security

    #4 Windows_Security, Sep 18, 2016
    Last edited: Sep 18, 2016
    I have been asked: what if I don't dare to hack the registry.

    Answer: SUS and VS (on AUTO-pilot) with an outbound firewall and a browser with AppContainer (Edge or Chrome) will also keep you safe when practising safe hex.

    Nice thing with registry hacks is when you set a restore point before you apply it, it can be easily undone through windows restore.
     
  5. Av Gurus

    Av Gurus Level 28
    Trusted AV Tester

    Sep 22, 2014
    1,724
    10,664
    Testing security programs
    Earth
    Windows 10
    Do you think that Anvir can be used instead of SUS (Startup Sentinel) with these options enabled (picture)?

    Clipboard01.jpg
     
  6. Tony Cole

    Tony Cole Level 27

    May 11, 2014
    1,619
    3,430
    Emergency medicine ST3
    UK
    Windows 10
    Kaspersky
    I thought software restriction policies adopted by software like cryptoprevent were no longer effective?
     
  7. Andy Ful

    Andy Ful Level 22

    Dec 23, 2014
    1,114
    4,775
    business
    Poland
    Windows 10
    Microsoft
    #7 Andy Ful, Sep 18, 2016
    Last edited: Sep 18, 2016
    Windows_Security
    Great post:)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
    "DefaultLevel"=dword:00020000

    What is the meaning of 00020000 value? The standard values are 00000000 (default deny) and 00040000 (default allow).o_O
     
  8. Andy Ful

    #8 Andy Ful, Sep 18, 2016
    Last edited: Sep 18, 2016
    Cryptoprevent and similar programs do not adopt default deny restrictions. They allow programs to run from many places in the User Space, contrary to default deny SRP, which blocks programs from running in the User Space ("DefaultLevel"=dword:00000000). Default deny SRP can be ineffective mainly when you choose to install programs. For this reason SRP is kindly supported by VS.
     
  9. Windows_Security

    Yes, I have used that in the past also. Anvir vs SuS: Anvir has some overhead as an alternative task manager. In the past I noticed that Anvir seems to poll (does not prevent but detects changes); I don't know about the current Anvir protection mechanism. I would say when you already use Anvir or WinPatrol, keep using them, otherwise choose SuS.
     
  10. Windows_Security

    That is the Basic User value which combined with the Symantec MSI tweak, makes it so easy to use when running as Administrator.

    Behaviour of Basic User default value
    • Unelevated processes running Medium or lower Integrity level are blocked by SRP when you try to run them in user space.

    • Elevated processes are allowed to run. You can manually elevate a process by right clicking it and choosing Run as Administrator (e.g. when you want to install a new program). All programs in the Windows and Program Files folders need to elevate to be able to change UAC protected folders (hence all auto-updates will be allowed from programs in UAC protected folders).
     
  11. Windows_Security

    Dealing with flash updates

    Chrome sometimes updates Pepperflash to
    C:\Users\[YOUR USERNAME]\AppData\Local\Google\Chrome\User Data\PepperFlash\[VERSION OF FLASH]\

    Just cut all files from the folder with the name of the flash version and paste them to
    C:\Program Files\Google\Chrome\Application\[VERSION OF CHROME]\PepperFlash\

    Delete the flash version folder in AppData. Now Chrome will use the updated flash from Program Files.
     
  12. Windows_Security

    True, but with Cryptoprevent SRP default level is unrestricted (as explained by Andy Ful), this registry tweak sets default level to Basic User (which blocks all unelevated processes trying to run in user folders).
     
  13. LabZero

    LabZero Guest

    Good recommendation to create a restore point, because when you add/modify registry values it is nearly impossible to get back.
    If the registry is corrupted, Windows may not work correctly.
    The backup of the registry is already automatically included in the system restore points, but in case something goes wrong with the restore points it is useful (or more convenient) to perform a manual backup of the registry beforehand.

    https://support.microsoft.com/en-us/kb/322756
     
  14. Andy Ful

    #14 Andy Ful, Sep 19, 2016
    Last edited: Sep 19, 2016
    Windows_Security

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
    "DefaultLevel"=dword:00020000
    "DefaultLevel"=dword:00000000

    Both values are for default deny SRP. The only difference I noticed is when you remove the BAT, CMD, JS, JSE, VBS, VBE, WSH extensions from the SRP protected extensions list in:
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\ExecutableTypes

    If "DefaultLevel"=dword:00000000 then removed extensions are still protected by SRP, but at the later stage (when script interpreters try to find and run files).
    If "DefaultLevel"=dword:00020000, scripts are not protected after extensions removal. They are protected only if the script extensions are on the list.
    I found this out by accident while testing "Run As Smartscreen", because I use SRP with "DefaultLevel"=dword:00000000 and had to remove script extensions to make it work. :)

    I confirmed that now, in Windows 10 Pro, choosing Basic User gives "DefaultLevel"=dword:00020000 .
    I was confused because in Lucy's post and some technet articles "DefaultLevel"=dword:00000000 had been used.

    http://www.wilderssecurity.com/thre...p-under-lua-whatever-the-win7-version.262686/
    Using Software Restriction Policies to Protect Against Unauthorized Software
     
  15. Windows_Security

    #15 Windows_Security, Sep 19, 2016
    Last edited: Sep 19, 2016
    @Andy Ful;
    With PRO versions one can easily adopt SRP rules, so your SmartScreen alternative to VS is useful.

    On Home versions you don't have gpedit or secpol, so VS is a better solution because it blocks dangerous command lines (meaning minimal and static SRP rules), and when you drop an executable on the VS gadget/icon it checks that executable at VT (with 57 AV engines).
     
  16. Andy Ful

    #16 Andy Ful, Sep 19, 2016
    Last edited: Sep 19, 2016
    @Windows_Security

    I noticed something strange. In Windows 10 Pro I can set up SRP through secpol.msc and choose "BASIC USER", so indeed the value "DefaultLevel"=dword:00020000 is written to the Registry. It is OK. Yet, the behavior of SRP is different. I can run programs in the User Space that do not require elevation! Programs with elevation are blocked.
    If I choose in secpol "DISALLOWED" then the value of "DefaultLevel"=dword:00000000 is written to the Registry, and SRP works as default deny like in Your Windows Home setup.
    Is it possible to confirm this on one of your machines? If so, maybe it would be better to change the DefaultLevel value from 00020000 to 00000000 to avoid misconception.

    There is one little mistake in the list of SRP protected files:
    there is 'WSF, which should be WSF.

    I also tested Your SRP for Windows Home on my machine (Win 10 Pro 64Bit) and it works well:)
     
  17. Windows_Security

    #17 Windows_Security, Sep 19, 2016
    Last edited: Sep 19, 2016
    Basic User works similarly to default deny, with the exception that it allows MSI files to install and you don't need to remove the LNK.

    Forgot to tell: you also need to elevate to admin to perform administrative tasks, so go to Control Panel, Administrative Tools and choose Run as administrator to run Computer Management and Disk Manager, for example; see pic.

    upload_2016-9-19_21-43-56.png
     
  18. Andy Ful

    #18 Andy Ful, Dec 16, 2016
    Last edited: Dec 16, 2016
    If someone is interested in GUI to configure SRP in Windows Home, then can look here:
    Hard_Configurator - Windows Hardening Configurator
    It works for Windows 8+ (a minor bug actually prevents it from starting in previous versions).
    Soon a new version for Windows Vista+ with some additional options will be published.
     
  19. Andy Ful

    Some ideas from this thread were adopted in Hard_Configurator code. Thanks @Windows_Security. :)
     
  20. Windows_Security

    @Andy Ful compliments, great initiative, well done
     