Serious Discussion Why do you use obsolete security technologies such as SRP?

SpyNetGirl

Level 3
Thread author
Well-known
Jan 30, 2023
113
It's honestly very surprising to me that I see super old and totally obsolete technologies such as SRP or software restriction policies is being suggested and used by members in the forum. Thought I'd raise awareness by making this thread and presenting some facts about these technologies.

Here is the timeline of the application control solutions in Windows:

1. SRP (Introduced with Windows XP - before I was even born!)
2. AppLocker (Introduced with Windows 7)
3. WDAC (Application Control for Business) (Introduced with Windows 10)

As a home user, there is 0 reasons, I repeat, 0 reasons, to use #1 and #2.

You only use AppLocker nowadays in a very limited scope, to allow Intune as managed installer for WDAC policies. Since 9 years ago when Windows 10 was introduced, WDAC is the recommended method of Application Control solution.

As you can see even WDAC is not new and it's been with us for 9 years, but it is actively maintained.

All the documents, automations, solutions, tooling etc. to use WDAC for both enterprises and home users are available. All of these things are Free btw!

At the end of the day, it's your choice just like it's your choice to turn off your firewall and AVs. I just wanted this information to be put out there. I've helped multiple companies with implementation of WDAC and continue doing so, and I myself use it on my PC and family members. I've made tooling and documentations available for it and continue to do so.

The threat landscape has changed significantly since Windows XP, it even changes every ~2-3 years, the ever-changing TTPs (Tactics, techniques, and procedures) require us on the defense side to be very adaptive or risk falling behind and being defeated.

Hope everyone has a good time and stays secure!
 

SpyNetGirl

Level 3
Thread author
Well-known
Jan 30, 2023
113
Hi @SpyNetGirl , make a GUI for WDAC. I have an aversion to PowerShell.

Also, the WDAC Wizard is buggy. When you have a lot of rules, it can't delete old rules anymore. You have manually go in and remove the XML lines. Just a little motivation for you.

That's on the roadmap but my first priority is making the module feature complete, there are still a bunch of new features that are coming, the most imminent one is MDE Advanced Hunting.

GUI will inevitably come, in the meantime you can try get comfortable with the cmdlets or tell me what can be done to make using them easier for you. CLI experience currently offers GUI file picker whenever possible and tab completion to make the available parameters visually available to choose from. I also made it really hard for the user to do something wrong by putting lots of checks. With Windows 11 24H2, the checks will be even better since there will be more WDAC features available in the OS.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,223
SRP and AppLocker are super old but not obsolete.
SRP is a deprecated feature = it will not be actively developed by Microsoft.
SRP is still used on several Windows editions:
SRP and AppLocker work well on Windows 10 and Windows 11. Both can work well with WDAC and SAC.
AppLocker can apply restrictions per user (WDAC cannot).
SRP can restrict many file types (via ShellExecute function) - WDAC can restrict only a few file types.
AppLocker and SRP can be managed on Windows Home (both can be managed without GPO) - WDAC cannot (except when one uses WHHLight).
etc.

I know well SRP, AppLocker, and WDAC - I do not share your opinion about AppLocker and SRP (especially in the home environment).

It is true that in Enterprises, it is recommended to use WDAC.
 
Last edited:

SpyNetGirl

Level 3
Thread author
Well-known
Jan 30, 2023
113
SRP and AppLocker are super old but not obsolete.
SRP is a deprecated feature = it will not be actively developed by Microsoft.
SRP is still used on several Windows editions:
SRP and AppLocker work well on Windows 10 and Windows 11. Both can work well with WDAC and SAC.
AppLocker can apply restrictions per user (WDAC cannot).
SRP can restrict many file types (via ShellExecute function) - WDAC can restrict only a few file types.
AppLocker and SRP can be managed on Windows Home (both can be managed without GPO) - WDAC cannot (except when one uses WHHLight).
etc.

I know well SRP, AppLocker, and WDAC and I do not share your opinion about AppLocker and SRP (especially in the home environment).

Those are not my opinion, those are just facts, here are some more

Go here Deprecated features in the Windows client - What's new in Windows
and search for "Software Restriction Policies"

Also suggest reading this

Specially the part where it says: "SRP rules enforcement happens in the user-mode which is less secure."

It's a false sense of security you're trying to achieve and people shouldn't be using these stuff because gives them false sense of security, thinking they are immune but they are not because of using old and obsolete security features.

So unless you're using Windows XP or Windows Server 2008, stick to WDAC and build tooling for it.
 
  • +Reputation
Reactions: kylprq

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,223
Those are not my opinion, those are just facts,

You have misinterpreted those facts. The article is related to the Enterprise environment and not related to home users.
Also suggest reading this

Specially the part where it says: "SRP rules enforcement happens in the user-mode which is less secure."

It is true in the Enterprise environment and not at home. SRP is as secure as SAC. Both can be tampered from Userland.
As you know, SAC is recommended by Microsoft for home users.

It's a false sense of security you're trying to achieve and people shouldn't be using these stuff because gives them false sense of security, thinking they are immune but they are not because of using old and obsolete security features.

So unless you're using Windows XP or Windows Server 2008, stick to WDAC and build tooling for it.

Most home users cannot stick to WDAC, because it cannot be managed on Windows Home (except WHHLight).
Can anyone on MT insists that people are immune when using SRP? For example, did you read the Hard_Configurator manual where I explicitly mentioned the cons and pros of using SRP and some other policies?
 
  • Like
Reactions: cryogent

SpyNetGirl

Level 3
Thread author
Well-known
Jan 30, 2023
113
You have misinterpreted those facts. The article is related to the Enterprise environment and not related to home users.

It is true in the Enterprise environment and not at home. SRP is as secure as SAC. Both can be tampered from Userland.
As you know, SAC is recommended by Microsoft for home users.

Most home users cannot stick to WDAC, because it cannot be managed on Windows home.
Can anyone on MT insists that people are immune when using SRP? For example, did you read the Hard_Configurator manual where I explicitly mentioned the cons and pros of using SRP and some other policies?

That article is not for enterprise environments only, it applies to everyone and every edition of Windows.

"SRP is as secure as SAC" heh sure, believe what you want :)
 
  • +Reputation
Reactions: kylprq

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,223
That article is not for enterprise environments only, it applies to everyone and every edition of Windows.
It is not. Microsoft applies SRP via GPO and it cannot be done on Windows Home.

"SRP is as secure as SAC" heh sure, believe what you want :)
It is not a matter of beliefs. If I can easily tamper SAC from Userland, then most attackers can do it too.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top