Guide | How To Windows Home/Pro owner? Use Software Restriction Policies!

The associated guide may contain user-generated or external content.

Windows_Security

Level 24
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
LS,

For people owning a Pro/Business/Ultimate/Enterprise version of their Windows OS and not using the group policy editor to increase security with build in features, here is a simple 10 step tutorial to enable SRP (works for all Windows OS-ses with UAC, so Vista and higher).

SRP stands for Software Restriction Policies. As the name says it can be used to restrict software on your PC. It has basically three modes. This introduction describes how to use Basic User, because Basic User requires little tweaking and still allows to update/install software using Run as Administrator (make sure to create a restore point or have image as backup)

Run as administrator
With these "Basic User default" SRP rules, when you try to run a program in user folders, it will be blocked. You can still update/install software by using the "Run as Administrator" right click context menu in Windows Explorer. Microsoft Installer Packages don't run with elevated (admin) rights by default. Luckily Symantec has provided a registry tweak for that: download MSI "Run as administrator" Context Menu for Vista | Symantec Connect (MsiRunAsAdmin.zip)

Extract the zip file and double click it.

Enabling SRP using Basic User as default level
Click on Windows Start button and choose "Run". Enter secpol.msc and enter. Secpol.msc launches the Local Security Policy management console and follow the instructions on the picture below. Restart your computer when ready and your done.

upload_2016-8-1_8-25-39.png
 
Last edited:

Windows_Security

Level 24
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
Why use Basic User default level and why allow local Administrators?
All programs updating to Windows or Program Files folders must run elevated (UAC). When you apply these rules except for Admin, these SRP rules don't interfere with regular program and OS updates. It is set and forget.


Programs in user space are blocked.
See link explains with picures how to add block rules. This link (step 9) on how to add an allow rule (Unrestricted security level). This setup does not mimic an anti-executable default deny setup, just prevents shoot in the foot errors and sneaky drive by infections. You determine what survives reboot by using "Run As Administrator"

upload_2016-8-1_8-52-6.png


Defending user space autoruns
Windows allows a few autorun locations in user space. This little nifty freeware program warns you when software wants to survive reboot by using user space autoruns: KC Softwares Startup Sentinel (thx Kyle). A "run once" is often used to clear entries after deïnstalling a program, a "run" when you install software (so only allow when you have deinstalled/installed a program yourself through Windows add/remove programs or Run as administrator).
 
Last edited:

SHvFl

Level 35
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Nov 19, 2014
2,350
Last edited:

DardiM

Level 26
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
I need to master that tool,for my sake.Teaching users to benefit from this? Another issue,altogether...:rolleyes:
Just right click on the drive letter where you want to activate Bitlocker, and follow the instructions.
Very easy. Each time your PC start, BitLocked Drives are protected, no data seen / accessible.
You just have to right click on the BitLoked drive and choose "unlock", to access it.

Apart from my C: Drive, all my Drives are with BitLocker activated (D, E, F, G, H, I)
 
Last edited:

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
A right one to learn what is hardening mode is all about.

In such business landscape, limited user accounts is not enough but rather use the OS itself to configure for lockdown protection.

Very effective and less sacrifice on the resources; yes it needs technical analysis but the investment is good.
 

Av Gurus

Level 29
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Sep 22, 2014
1,767
Do we need remove LNK extension (This adjustment allows you to use your desktop shortcuts and Quick Launch icons, which are mostly the LNK filetype) or add some (like: JSE, JAR, PS1, VBS, JS, SCT, VBE, WS, WSF, WSH)?

Clipboard01.png
 

Windows_Security

Level 24
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 13, 2016
1,298
No not when you set default level to BASIC USER. You have to remove lnk when you set DISALLOWED as default level. Disadvantage of disallowed, is that the RUN as ADMIN registry tweak from Symanatec for MSI files does not work.

:) Thx @Av Gurus for this excellent suggestion to add some file extensions (I was forgotten to mention it, apologize). See picture, please repeat for file extension mentioned by Av gurus: JSE, JAR, PS1, VBS, JS, SCT, VBE, WS, WSF, WSH)

upload_2016-8-19_0-34-49.png
 
Last edited:

Nikos751

Level 20
Verified
Malware Tester
Feb 1, 2013
971
Great article!
Is Google Chrome update affected in any way (automatic or manual) after this configuration? Is an exception needed to be set? Chrome runs from the user folder in most home pc's and can be updated manually asking for admin priviledges (UAC) or automatically without asking anything.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top