Serious Discussion Why do you use obsolete security technologies such as SRP?

SpyNetGirl

SpyNetGirl

Level 3
Thread author
Well-known
Jan 30, 2023
113
It's honestly very surprising to me that I see super old and totally obsolete technologies such as SRP or software restriction policies is being suggested and used by members in the forum. Thought I'd raise awareness by making this thread and presenting some facts about these technologies.

Here is the timeline of the application control solutions in Windows:

1. SRP (Introduced with Windows XP - before I was even born!)
2. AppLocker (Introduced with Windows 7)
3. WDAC (Application Control for Business) (Introduced with Windows 10)

As a home user, there is 0 reasons, I repeat, 0 reasons, to use #1 and #2.

You only use AppLocker nowadays in a very limited scope, to allow Intune as managed installer for WDAC policies. Since 9 years ago when Windows 10 was introduced, WDAC is the recommended method of Application Control solution.

As you can see even WDAC is not new and it's been with us for 9 years, but it is actively maintained.

All the documents, automations, solutions, tooling etc. to use WDAC for both enterprises and home users are available. All of these things are Free btw!

At the end of the day, it's your choice just like it's your choice to turn off your firewall and AVs. I just wanted this information to be put out there. I've helped multiple companies with implementation of WDAC and continue doing so, and I myself use it on my PC and family members. I've made tooling and documentations available for it and continue to do so.

The threat landscape has changed significantly since Windows XP, it even changes every ~2-3 years, the ever-changing TTPs (Tactics, techniques, and procedures) require us on the defense side to be very adaptive or risk falling behind and being defeated.

Hope everyone has a good time and stays secure!
 
  • Like
  • Applause
  • Thanks
Reactions: Sunshine-boy, cryogent, Jonny Quest and 9 others
SpyNetGirl

SpyNetGirl

Level 3
Thread author
Well-known
Jan 30, 2023
113
Victor M said:
Hi @SpyNetGirl , make a GUI for WDAC. I have an aversion to PowerShell.

Also, the WDAC Wizard is buggy. When you have a lot of rules, it can't delete old rules anymore. You have manually go in and remove the XML lines. Just a little motivation for you.
Click to expand...

That's on the roadmap but my first priority is making the module feature complete, there are still a bunch of new features that are coming, the most imminent one is MDE Advanced Hunting.

GUI will inevitably come, in the meantime you can try get comfortable with the cmdlets or tell me what can be done to make using them easier for you. CLI experience currently offers GUI file picker whenever possible and tab completion to make the available parameters visually available to choose from. I also made it really hard for the user to do something wrong by putting lots of checks. With Windows 11 24H2, the checks will be even better since there will be more WDAC features available in the OS.
 
  • Like
  • Thanks
Reactions: Sunshine-boy, cryogent, Victor M and 1 other person
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,155
SRP and AppLocker are super old but not obsolete.
SRP is a deprecated feature = it will not be actively developed by Microsoft.
SRP is still used on several Windows editions:
learn.microsoft.com

Software Restriction Policies Technical Overview

Learn about software restriction policies, when and how to use the feature, and what changes have been implemented in past releases.
learn.microsoft.com
SRP and AppLocker work well on Windows 10 and Windows 11. Both can work well with WDAC and SAC.
AppLocker can apply restrictions per user (WDAC cannot).
SRP can restrict many file types (via ShellExecute function) - WDAC can restrict only a few file types.
AppLocker and SRP can be managed on Windows Home (both can be managed without GPO) - WDAC cannot (except when one uses WHHLight).
etc.

I know well SRP, AppLocker, and WDAC - I do not share your opinion about AppLocker and SRP (especially in the home environment).

It is true that in Enterprises, it is recommended to use WDAC.
 
Last edited:
  • Like
Reactions: cryogent and Freki123
SpyNetGirl

SpyNetGirl

Level 3
Thread author
Well-known
Jan 30, 2023
113
Andy Ful said:
SRP and AppLocker are super old but not obsolete.
SRP is a deprecated feature = it will not be actively developed by Microsoft.
SRP is still used on several Windows editions:
learn.microsoft.com

Software Restriction Policies Technical Overview

Learn about software restriction policies, when and how to use the feature, and what changes have been implemented in past releases.
learn.microsoft.com
SRP and AppLocker work well on Windows 10 and Windows 11. Both can work well with WDAC and SAC.
AppLocker can apply restrictions per user (WDAC cannot).
SRP can restrict many file types (via ShellExecute function) - WDAC can restrict only a few file types.
AppLocker and SRP can be managed on Windows Home (both can be managed without GPO) - WDAC cannot (except when one uses WHHLight).
etc.

I know well SRP, AppLocker, and WDAC and I do not share your opinion about AppLocker and SRP (especially in the home environment).
Click to expand...

Those are not my opinion, those are just facts, here are some more

Go here Deprecated features in the Windows client - What's new in Windows
and search for "Software Restriction Policies"

Also suggest reading this
learn.microsoft.com

Software Restriction Policies Technical Overview

Learn about software restriction policies, when and how to use the feature, and what changes have been implemented in past releases.
learn.microsoft.com

Specially the part where it says: "SRP rules enforcement happens in the user-mode which is less secure."

It's a false sense of security you're trying to achieve and people shouldn't be using these stuff because gives them false sense of security, thinking they are immune but they are not because of using old and obsolete security features.

So unless you're using Windows XP or Windows Server 2008, stick to WDAC and build tooling for it.
 
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,155
SpyNetGirl said:
Those are not my opinion, those are just facts,
Click to expand...

You have misinterpreted those facts. The article is related to the Enterprise environment and not related to home users.
SpyNetGirl said:
Also suggest reading this
learn.microsoft.com

Software Restriction Policies Technical Overview

Learn about software restriction policies, when and how to use the feature, and what changes have been implemented in past releases.
learn.microsoft.com

Specially the part where it says: "SRP rules enforcement happens in the user-mode which is less secure."
Click to expand...

It is true in the Enterprise environment and not at home. SRP is as secure as SAC. Both can be tampered from Userland.
As you know, SAC is recommended by Microsoft for home users.

SpyNetGirl said:
It's a false sense of security you're trying to achieve and people shouldn't be using these stuff because gives them false sense of security, thinking they are immune but they are not because of using old and obsolete security features.

So unless you're using Windows XP or Windows Server 2008, stick to WDAC and build tooling for it.
Click to expand...

Most home users cannot stick to WDAC, because it cannot be managed on Windows Home (except WHHLight).
Can anyone on MT insists that people are immune when using SRP? For example, did you read the Hard_Configurator manual where I explicitly mentioned the cons and pros of using SRP and some other policies?
 
  • Like
Reactions: cryogent
SpyNetGirl

SpyNetGirl

Level 3
Thread author
Well-known
Jan 30, 2023
113
Andy Ful said:
You have misinterpreted those facts. The article is related to the Enterprise environment and not related to home users.

It is true in the Enterprise environment and not at home. SRP is as secure as SAC. Both can be tampered from Userland.
As you know, SAC is recommended by Microsoft for home users.

Most home users cannot stick to WDAC, because it cannot be managed on Windows home.
Can anyone on MT insists that people are immune when using SRP? For example, did you read the Hard_Configurator manual where I explicitly mentioned the cons and pros of using SRP and some other policies?
Click to expand...

That article is not for enterprise environments only, it applies to everyone and every edition of Windows.

"SRP is as secure as SAC" heh sure, believe what you want :)
 
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,155
SpyNetGirl said:
That article is not for enterprise environments only, it applies to everyone and every edition of Windows.
Click to expand...
It is not. Microsoft applies SRP via GPO and it cannot be done on Windows Home.

SpyNetGirl said:
"SRP is as secure as SAC" heh sure, believe what you want :)
Click to expand...
It is not a matter of beliefs. If I can easily tamper SAC from Userland, then most attackers can do it too.
 
  • Like
Reactions: cryogent and Freki123

Similar threads

Andy Ful
    • Like
    • +Reputation
    • Thanks
  • Sticky
Serious Discussion WHHLight - simplified application control for Windows Home and Pro.
Replies
257
Views
17,752
Hard_Configurator Tools
Andy Ful
Andy Ful
Andy Ful
    • +Reputation
    • Like
    • Applause
New Update Testing Windows Hybrid Hardening (new hardening application).
Replies
253
Views
22,201
Hard_Configurator Tools
South Park
South Park
SpyNetGirl
    • Like
    • +Reputation
    • Hundred Points
WDACConfig module - WDAC Policy Deployment Simulation
Replies
0
Views
397
Other security for Windows, Mac, Linux
SpyNetGirl
SpyNetGirl

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top