Guide | How To Windows Home/Pro owner? Use Software Restriction Policies!

[509322]

@Windows_Security
I am not so sure about it, in many cases a drive by attack can gently ignore both UAC and Smartscreen. Both malware file and the shortcut can be dropped to the User Space (no copy alert) without 'Mark of the Web' (no Smartscreen check on the run), and executed without elevation (no UAC alert). Thanks to Microsoft, SRP will stop direct malware execution, but sadly, not indirect execution by the shortcut.
It is also interesting, that after copying the same shortcut to the System Space (for example C:\Windows) above trick does not work.
I would like the missing option in SRP to whitelist shortcuts by hash.
By the way, using SRP with something like Voodoo Shield may be a good idea.

@Av Gurus
My reply to your question was not correct, it should be:
Almost anywhere (except whitelisted folders).

A Smartscreen and UAC bypass can only happen if the malware is executed. The whole purpose of software restriction policies are to block the execution in the first place. For a file to execute the user launched it with either the SRPs disabled, the SRP configuration allows the launch, and\or there is a bug\vulnerability. The most common scenario are the first two - with the last one a rarity.

AppLocker if properly configured will block all high-risk file\process executions - even malicious *.lnk (shortcut) with arguments that download and drop files to writeable directories can be effectively handled. Simply create policies that block the launch of executable files from writeable directories susceptible to malicious *.lnk attacks. Using an understanding of Windows and malware behaviors you can bolster AppLocker's basic configuration.

 

[Andy Ful]

I was thinking that only Enterprise editions support AppLocker, but that is not so with Windows 10.

"You can use the AppLocker CSP to configure AppLocker policies on any edition of Windows 10. You can only manage AppLocker with Group Policy on devices running Windows 10 Enterprise and Windows Server 2016."

Requirements to use AppLocker (Windows 10)

It is very interesting. Thanks for the info.

 

[509322]

I was thinking that only Enterprise editions support AppLocker, but that is not so with Windows 10.

"You can use the AppLocker CSP to configure AppLocker policies on any edition of Windows 10. You can only manage AppLocker with Group Policy on devices running Windows 10 Enterprise and Windows Server 2016."

Requirements to use AppLocker (Windows 10)

It is very interesting. Thanks for the info.

AppLocker CSP is for mobile device management.

AppLocker is only available on Windows 10 Education and Enterprise versions.

 

[Andy Ful]

Are you sure? I found this info:
https://msdn.microsoft.com/en-en/library/windows/hardware/dn920025.aspx

Yes, this may be an old information. From another source I read, that Microsoft planned to remove Applocker from Win 10 Pro with the Anniversary Update.

 

[Windows_Security]

@Windows_Security
I am not so sure about it, in many cases a drive by attack can gently ignore both UAC and Smartscreen. Both malware file and the shortcut can be dropped to the User Space (no copy alert) without 'Mark of the Web' (no Smartscreen check on the run), and executed without elevation (no UAC alert). Thanks to Microsoft, SRP will stop direct malware execution, but sadly, not indirect execution by the shortcut.
It is also interesting, that after copying the same shortcut to the System Space (for example C:\Windows) above trick does not work.

The shortcut can't run programs in user space, so executable should be moved into UAC protected folders to be succesfull (which would trigger an UAC alert). Windows 10 has closed down 'user writeable subfolders in Windows. So SRP should protect you.

Also I don't think secure browsers like Chrome and Edge would allow you to download files without setting the 'internet flag'. Do you have examples of websites succesfully bypassing Chrome or Edge setting the ADS Internet flag?

 

[Andy Ful]

@Windows_Security
You wrote "The shortcut can't run programs in user space", so I think that we are talking about different SRP configurations. Definitely, in my setup shortcuts can run programs in User Space.
Please do the simple test on your computer:
1. Create new folder in User Space.
2. Make sure that this folder is not (indirectly) whitelisted by SRP path rule.
3. Copy EXE file to this folder and make the shortcut of EXE file (in the same folder).
4. Run EXE - blocked in my case
5. Run the shortcut - EXE file not blocked.

If you whitelisted the folder with shortcuts ('Desktop' for example) , the shortcut from this folder cannot run the EXE file located in User Space.

 

[Windows_Security]

See post 1 for SRP settings. I run SRP with default level set to basic user. No additional rules, just the MSI tweak.

Same result when I add a new folder in TEMP

No ACL restrictions on (sub)folder TEMP (toestaan = allow)

 

[Windows_Security]

I added a deny "traverse folder/execute file" for Everyone in all users folders (except in Temp, because I use this to install programs from with right cluck run as Admin). ACL does (like SRP) blocks the execution also (ACL access deny messsage in Dutch)

Inherited ACL deny execute file/traverse folder for Everyone on newly created folder elesewhere (weigeren = deny)

Because I use default level Basic User with an acception for Administrator, the Temp folder is the only folder where it is possible to use right "Run as Administrator". When I click on an executable it is blocked by SRP. In UAC I have removed the Windows Installer reconition (to prevent elevation) and set UAC to block elevation of unsigned executables (so it sort of mimics the AppGuard blocking behaviour in default mode in user folders).

Messing with ACL's (Access Control List) are an easy way to brick your system, so handle with care (make a backup of ACL's first). When you don't know how to backup and restore ACL's don't mess with them!

 

[Andy Ful]

It is interesting. Your system is somewhat more restricted than mine for LNK or EXE files.
I figured out how to minimize LNK execution problem in my setup. Here are all path rules in my SRP configuration:

DISALLOWED
*.lnk

UNRESTRICTED
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)%
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%
%LOCALAPPDATA%\Microsoft\Windows\WinX\Group1\*.lnk
%LOCALAPPDATA%\Microsoft\Windows\WinX\Group2\*.lnk
%LOCALAPPDATA%\Microsoft\Windows\WinX\Group3\*.lnk
%USERPROFILE%\Desktop\*.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\*.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\*.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\*\*.lnk

I simply disallowed LNK files globally, and then whitelisted them in some folders for using 'Power Menu', 'Desktop', and 'Start Menu' shortcuts. Yet, whitelisting LNK locations has the side effect, that now I can run all scripts (BAT, CMD, JS, JSE, PS1, VBS, VBE, WSF, HTA), and configuration files (CPL, MSC, REG) in the User Space, by the shortcut in whitelisted location. This loophole can be made smaller if CMD, WSH, and PowerShell scripts are blocked by the reg tweak.
Above tweaks works in the same way on my 2 computers - Win 10 Pro (SRP configured by Secpol) and Win 7 Home (configured by reg hack).
I am curious how the LNK problem looks like on other computers.

 

[shmu26]

If Your portable programs do not update frequently the best way is to whitelist them by hash. Also, many portable applications work well in "Program Files" or "Program Files (x86)" - sometimes You need to change the folder where the application saves its settings etc. , because in above folders the Administrative Rights are needed.
Some programs are wrapped and have to use TEMP folder in the User Space to execute (most frequently it is ...\AppData\Local\Temp). Execution in the TEMP folder will be blocked by SRP, so the unwrapped file should be whitelisted by hash too. Usually, such files are quickly deleted, so utilities similar to "Moo0 FileMonitor" or Excubits MZWriteScanner may be needed to detect which files were temporary dropped to TEMP folder.

Does Moo0 work on Windows 10, and if not, is there a freeware alternative?

 

[Andy Ful]

Does Moo0 work on Windows 10, and if not, is there a freeware alternative?

I use Moo0 File Monitor 1.11 portable: http://www.moo0.com/software/FileMonitor/download/free2/
It works without problems in Windows 10. It is free and simple, but there are also many alternatives:
10 Tools to Monitor Files and Folders for Changes in Real Time • Raymond.CC

 

[509322]

Most users quickly abandon managing files by hash. I would bet the number of users that do it is something on the order of less than 0.0001 %.

 

[jAcos]

Thanks great post I will print this for my guide!

 

[shmu26]

Most users quickly abandon managing files by hash. I would bet the number of users that do it is something on the order of less than 0.0001 %.

Hard_Configurator with SRP allows also for whitelisting by file path, and supports wildcards.

 

[Pearl96]

Glad I have the Education Edition!

I use the Education edition too

 

[Andy Ful]

Most users quickly abandon managing files by hash. I would bet the number of users that do it is something on the order of less than 0.0001 %.

That is true. Whitelisting by hash, can be useful only for security paranoid (home) users or in the case of programs that update itself very rarely. In well updated system, whitelisting by path should be OK.

 

[509322]

@Andy Ful

Unless I am not paying attention and missed something in your prior post(s)...

You have DISALLOWED *.lnk, but made UNRESTRICTED:

%USERPROFILE%\Desktop\*.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\*.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\*.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\*\*.lnk

You disallowed *.lnk globally, but what you've whitelisted are all the entry points for malicious shortcut files - so malicious shortcuts will not be blocked.

The primary entry point is: %USERPROFILE%\Desktop\*.lnk

Malicious shortcuts are a problem much more effectively solved by disabling or restricting the processes that malicious shortcuts abuse and the directories to which those abused processes write. Whether you block writes or executions - it's one half dozen and six in the other.

 

[Andy Ful]

@Andy Ful

Unless I am not paying attention and missed something in your prior post(s)...

You have DISALLOWED *.lnk, but made UNRESTRICTED:

%USERPROFILE%\Desktop\*.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\*.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\*.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\*\*.lnk

You disallowed *.lnk globally, but what you've whitelisted are all the entry points for malicious shortcut files - so malicious shortcuts will not be blocked.

The primary entry point is: %USERPROFILE%\Desktop\*.lnk

Malicious shortcuts are a problem much more effectively solved by disabling or restricting the processes that malicious shortcuts abuse and the directories to which those abused processes write. Whether you block writes or executions - it's one half dozen and six in the other.

That's right. And, that is the price, that have to be paid in Windows, when one prefers usability over security.
As I wrote in my previous post:
"Yet, whitelisting LNK locations have the side effects, that now I can run all scripts (BAT, CMD, JS, JSE, PS1, VBS, VBE, WSF, HTA), and configuration files (CPL, MSC, REG) in the User Space, by the shortcut in whitelisted location. This loophole can be made smaller if CMD, WSH, and PowerShell scripts are blocked by the reg tweak."
The LNK solution + blocked scripts is appropriate only for home users. It assumes that the system and software are hard to exploit by malware in the wild (updated Windows 8+), and no one bothers to make a targeted attack. In practice, it works exceptionally well, because SRP can also mitigate many exploits.
Of course, more security paranoid home user should listen to your advice, and put sponsors (cmd.exe, wscript.exe, cscript.exe, mmc.exe, mshta.exe, powershell.exe, powershell_ise.exe, regedit.exe, and many others) to SRP Black List. This is the solution known in Bouncer, NVT ERP, and other ani-exe porograms. I think about introducing such option in Hard_Configurator. But, that is a solution for users that prefer security over usability.
Windows built-in SRP assumes also, that the system can protect users against fileless exploits - which is partially true in Windows 8+ , and even more true in Windows 10.
Finally, when the home user needs the enterprise protection, then he/she can go for AppGuard.

 

[Andy Ful]

Windows built-in security (with SRP and hardening) is:
* good in Windows Vista;
* pretty good in Windows 7;
* very good in Windows 8 and 8.1;
* exceptionally good (but still not bullet proof) in Windows 10.

In Windows Vista and Windows 7, the users need to use additional antivirus/antimalware.
Windows with any usable security, is vulnerable to targeted attacks.

 

[509322]

The LNK solution + blocked scripts is appropriate only for home users.

It's appropriate for an Enterprise workstation user too as the typical worker doesn't use nor need to use them. Admins might use them - but that varies mostly with the Admin. Some use them, others don't.