Professional Windows Server 1002003 Security A Technical Reference [Electronic resources] نسخه متنی

اینجــــا یک کتابخانه دیجیتالی است

با بیش از 100000 منبع الکترونیکی رایگان به زبان فارسی ، عربی و انگلیسی

جستجو بر اساس ... همه عنوان پدیدآور موضوع یادداشت تمام متن
اصطلاحنامه مجموعه ها مرورالفبایی لغت نامه دهخدا
جستجو در لغت نامه
بیشتر
کتابخانه شخصی پرسش از کتابدار ارسال منبع

Professional Windows Server 1002003 Security A Technical Reference [Electronic resources] - نسخه متنی

Roberta Bragg

| نمايش فراداده ، افزودن یک نقد و بررسی
افزودن به کتابخانه شخصی
میخواهم بخوانم
درحال خواندن
خوانده شده
ارسال به دوستان

آدرس پست الکترونیک گیرنده :

آدرس پست الکترونیک فرستنده :

نام و نام خانوارگی فرستنده :

پیغام برای گیرنده ( حداکثر 250 حرف ) :

کد امنیتی را وارد نمایید

ارسال
جستجو در متن کتاب
بیشتر
تنظیمات قلم

فونت

اندازه قلم

+ - پیش فرض

حالت نمایش

روز نیمروز شب
جستجو در لغت نامه
بیشتر
لیست موضوعات

Windows Server 2003 Security: A Technical Reference

By Table of Contents | Index

If you''''re a working Windows administrator, security is your #1 challenge. Now there''''s a single-source reference you can rely on for authoritative, independent help with every Windows Server security feature, tool, and option: Windows Server 2003 SecurityRenowned Windows security expert Roberta Bragg has brought together information that was formerly scattered through dozens of books and hundreds of online sources. She goes beyond facts and procedures, sharing powerful insights drawn from decades in IT administration and security. You''''ll find expert implementation tips and realistic best practices for every Windows environment, from workgroup servers to global domain architectures. Learn how to: Reflect the core principles of information security throughout your plans and processes Establish effective authentication and passwords Restrict access to servers, application software, and data Make the most of the Encrypting File System (EFS) Use Active Directory''''s security features and secure Active Directory itself Develop, implement, and troubleshoot group policies Deploy a secure Public Key Infrastructure (PKI) Secure remote access using VPNs via IPSec, SSL, SMB signing, LDAP signing, and more Audit and monitor your systems, detect intrusions, and respond appropriately Maintain security and protect business continuity on an ongoing basis"Once again, Roberta Bragg proves why she is a leading authority in the security field! It''''s clear that Roberta has had a great deal of experience in real-world security design and implementation. I''''m grateful that this book provides clarity on what is often a baffling subject!"James I. Conrad, MCSE 2003, Server+, Certified Ethical Hacker James@accusource.net"Full of relevant and insightful information. Certain to be a staple reference book for anyone dealing with Windows Server 2003 security. Roberta Bragg''''s Windows Server 2003 Security is a MUST read for anyone administering Windows Server 2003."Philip Cox, Consultant, SystemExperts Corporation phil.cox@systemexperts.com"Few people in the security world understand and appreciate every aspect of network security like Roberta Bragg. She is as formidable a security mind as I have ever met, and this is augmented by her ability to communicate the concepts clearly, concisely, and with a rapier wit. I have enjoyed working with Roberta more than I have on any of the other 20 some odd books to which I have contributed. She is a giant in the field of network security."Bob Reinsch bob.reinsch@fosstraining.com"Windows Server 2003 Security explains why you should do things and then tells you how to do it! It is a comprehensive guide to Windows security that provides the information you need to secure your systems. Read it and apply the information."Richard Siddaway, MCSE rsiddaw@hotmail.com"Ms. Bragg''''s latest book is both easy to read and technically accurate. It will be a valuable resource for network administrators and anyone else dealing with Windows Server 2003 security."Michael VonTungeln, MCSE, CTT mvontung@yahoo.com"I subscribe to a number of newsletters that Roberta Bragg writes and I have ''''always'''' found her writing to be perfectly focused on issues I ''''need'''' to know in my workplace when dealing with my users. Her concise writing style and simple solutions bring me back to her columns time after time. When I heard she had written a guide on Windows 2003 security, I ''''had'''' to have it.Following her guidance on deployment, her advice on avoiding common pitfalls, and her easy to follow guidelines on how to lock down my network and user environments (those darned users!) has me (and my clients) much more comfortable with our Win2k3 Server deployments. From AD to GPO''''s to EFS, this book covers it all."Robert Laposta, MCP, MCSA, MCSE, Io Network Services, Sierra Vista AZrob.laposta@cox.net"Roberta Bragg has developed a ''''must have'''' manual for administrators who manage Microsoft Windows 2003 servers in their organizations. The best practices for strengthening security controls are well organized with practical examples shared throughout the book. If you work with Windows 2003, you need this great resource."Harry L. Waldron, CPCU, CCP, AAI, Microsoft MVP - Windows Security Information Technology Consultant harrywaldronmvp@yahoo.com"Roberta Bragg''''s Windows Server 2003 Security offers more than just lucid coverage of how things work, but also offers sound advice on how to make them work better."Chris Quirk; MVP Windows shell/user cquirke@mvps.org"This book is an invaluable resource for anyone concerned about the security of Windows Server 2003. Despite the amount and complexity of the material presented, Roberta delivers very readable and clear coverage on most of the security-related aspects of Microsoft''''s flagship operative system. Highly recommended reading!"Valery Pryamikov, Security MVP, Harper Security Consulting valery.pryamikov@harper.no"As long as you have something to do with Windows 2003, I have four words for you: ''''Order your copy now.''''"Bernard Cheah, Microsoft IIS MVP, Infra Architect, Intel Corp. bernard@mvps.org"Roberta Bragg has developed a ''''must have'''' manual for administrators who manage Microsoft Windows 2003 servers in their organizations. The best practices for strengthening security controls are well organized, with practical examples shared throughout the book. If you work with Windows 2003, you need this great resource."Harry L. Waldron CPCU, CCP, AAI Microsoft MVPWindows Security Information Technology Consultant
توضیحات
افزودن یادداشت جدید







Software Restriction Policies


Imagine if you could prevent a new virus from running on your systems even before your anti-virus vendor had prepared and made public a signature. Imagine if you could prevent well-known but forbidden software such as games or administrative tools from being run by anyone on your system. Imagine if you could prevent as-yet-unknown malicious software from running at all. Would you buy the product that allowed you to do so?

You don't have to. If you have Windows Server 2003 or Windows XP Professional, you already have such a product. Software Restriction Policies is a component that was introduced with Windows XP Professional for the management of a single computer. You can use Windows Server 2003 to write group policies that impact a single server or desktop or thousands of XP Professional and Windows Server 2003 computers. Here's how.

Software Restriction Policy Limitations


If you do not fully understand Software Restriction Policy scopethat is, what it can and cannot do to various thingsyou may either configure it incorrectly or rely on it for a level of security that it cannot provide. In either case, policies may not work the way you think they do, or worse, you may develop a false sense of securityyou may believe you have protected computers from malicious software or prevented anything but authorized programs from running only to find out that this is not so. Properly designed Software Restriction Policies can provide improved security if you understand and work with Software Restriction Policy limitations. The following limitations should be understood.

Software Restriction Policies Have No Effect in Safe Mode

When a computer is booted in Safe Mode, Software Restriction Policies have no effect.

WARNING: Safe Mode

Software Restriction Policies have no effect in Safe Mode. If the user can boot to Safe Mode, she can get around any Software Restriction Policies.

Local Security Policy Affects Every User of the Computer

Software Restriction Policy created in the Local Security Policy will only affect that computer. Because it is a computer-wide policy, it affects every user unless its properties are set to exclude members of the Administrators group. If, however, you use a Group Policy-based Software Restriction Policy, you can create Software Restriction Policies in either the Computer or User Security settings of the GPO. You can determine whom the policy will impact by only applying it to OUs within which specific user or computer accounts lie, or you can filter the GPO's application by removing the Apply Group Policy permission for the desired user groups.

Some Software Is Not Affected by Software Restriction Policies

Software Restriction Policies do not apply to the following:

Drivers or other kernel mode software

Programs run by the SYSTEM account

Macros in Microsoft Office 2000 or Office XP documents (manage macros in Office with the Office Macro security settings)

Programs written for the common language runtime (these programs use Code Access Security Policy)


There Are Ways to Get Around Rules

Software restriction policies include individual rules that prohibit or allow the use of specific software. However, there are limitations to the effectiveness of each rule. This does not mean that you cannot create effective rules that prohibit use of software; it just means that you must understand each rule's limitations and use it appropriately. Examples of rule limitations are as follows:

If the code of an application changes, a hash rule no longer applies.

If the path of an application changes, a path rule no longer applies.

Internet zone rules apply only to applications created with the Windows Installer.

Certificate rules rely on the trust you place in the certificate.


For information about these rules, see the section "Creating and Using Software Restriction Policies."

Software Restriction Policy Basics


Restricting access to software doesn't seem like a difficult task. All you have to do is not install it and not allow others to do so either. The problem is that you may lack the ability to control exactly what software should be installed, to control who can install it, and to control who can run software that is already installed on the computer. Some Windows default rights assignments help. A user needs administrative rights to install software that installs a service. But many applications do not do this and therefore do not require administrative rights to be installed. If a user has the right to copy a file to the disk, that simple process may be all the application requires to be installed. Finally, many applications such as Administrative Tools must be present on systems, yet we should deny ordinary users the right to use them. Access to these programs is controlled by user rights assignments and permissions and those you impose. Ordinary users, for example, cannot create or edit Group Policy Objects (GPOs). Other system applications and their associated registry values are protected by default from some types of users. Group Policy, object ACLs, careful control over user rightsall these things can be used to control access to objects. However, because of poorly coded applications, you may have had to give users administrative rights on their computers.

If you limit user access to resources such as files and registry settings, you may be able to mitigate the harm that might be done by running unauthorized applications. If you provide users awareness training and strictly enforce security policies, you may also prevent applications from being installed. However, none of these techniques will totally prevent the installation and use of rogue or malicious software.

NOTE: Software Restriction Policy Design

An excellent paper that includes information on designing software restriction policies is "Using Software Restriction Policies to Protect Against Unauthorized Software," available at http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx. The paper includes design scenarios for Terminal services, line-of-business PC, and the use of different policies for different users.

When you use Software Restriction policies, however, you supplement default settings and hardening steps and provide a solution for controlling things that defaults and other operations cannot control. With Software Restriction Policies, you can do the following:

Prevent any software from running and then authorize each piece of necessary software individually.

Allow all software to run and then restrict specific software from running.


These basic security levels determine initially whether software will run or not. After a security level has been chosen, software restriction policies can identify software via hash, path, URL, or code signing certificate and prevent or allow the software to run based on its identification. The software does not have to exist on the system before a policy can be written to prevent or allow its use.

WARNING: Automatic Path Rules

Automatic path rules are created as a protection against locking all users out of the system. These path rules are always visible in the Additional Rules folder and are as follows:


%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\SystemRoot%
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\SystemRoot%\*.exe
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\SystemRoot%\System32\*.exe
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current
Version\ProgramFilesDir%

As a general rule, you should not modify these rules unless you are very knowledgeable about the registry and the access that the System requires to itself.

Creating and Using Software Restriction Policies


To establish a Software Restriction Policy, you must first create the basic policy and then write rules. To establish the policy follow these steps:


1.

Create a Software Restriction Policy.

2.

Set the security level.

3.

Determine enforcement.

4.

Establish file types that define what an executable file is.


Create a Software Restriction Policy

A Software Restriction Policy is created in the Software Restriction Policy container of a local policy or Group Policy Object (GPO) in the Active Directory. Local policies only affect the machine that they are developed on, while Active Directory-based policies can be linked to domains and organizational units and can impact a multitude of systems and users in a uniform manner. Deciding where to link a GPO requires much thought and will depend on your Active Directory design. More details are available in Chapter 7. Regardless of where a policy is created, you should test its implementation on a single test computer that is configured in the manner typical for its use. If the policy is to be deployed on many machines in a domain, careful testing in a test domain or OU is required. Remember: Software Restriction Policies are powerful. It is possible to develop a policy that prohibits the use of software on a computer. Imagine what that would do if introduced into thousands of computers in your organization. As usual, deployment issues are the most complicated ones of this task; creating a policy for a single machine is simple. To create a Software Restriction Policy in the Local policy:


1.

Click Start, Run, and in the Run box, type secpol.msc

OR

Click Start, Programs, Administrative Tools, Local Security Policy.

2.

Select the Software Restriction Policies container.

3.

If no policy exists, as shown in Figure 4-20, right-click the Software Restrictions Policy container and select New Software Restriction Policy.

Figure 4-20. By default, no Software Restriction Policy exists.

[View full size image]

4.

The default containers and objects will be created, as shown in Figure 4-21.

Figure 4-21. Creating a policy populates the node.


Set the Security Level

The security level determines whether all software is allowed to run unfettered (in which case some software will be identified as not allowed) or no software is allowed to run (in which case some software will be identified as allowed). Sounds simple, doesn't it? It will take a bit of work, regardless of your decision. The interface may also be a bit confusing.

To allow all software to run and restrict some, the security level is "Unrestricted." Not "allowed," or "ok," or "let all software run unless otherwise identified"nope, the security level you must choose (it happens to be the default, so we're okay at first) is "Unrestricted." Well, you might say, perhaps that makes sense; after all, the policies are called "Software Restriction Policies," so we want to indicate that unless software is restricted, it's unrestricted. However, the alternative security level is not "restricted," it's "disallowed." If all software is restricted, then it's "disallowed."

You'll find this funkiness repeated when you build the rules. Each rule has its own security levelit's either disallowed or unrestricted. We'll talk more about this use when we discuss each rule type; just keep this official naming convention straight at the policy level so you don't freeze thousands of user machines, okay? Remember: Unrestricted means anything can run unless you somehow restrict it. Disallowed means nothing can run unless it's allowed. A good rule of thumb is that you should set the security level to "disallow" only if you know all of the applications that must be run. Otherwise, set the security level to "unrestricted" (the default). Paradoxically, setting the level to "disallow" and then only unrestricting the software that is allowed to run can create the more secure environment. This, however, is more difficult than it might sound at first.

To set the security level for the policy, do the following:


1.

Expand the Software Restriction Policy.

2.

Double-click on the Security Levels Folder.

3.

The detail pane shows both possibilities. The current default is marked with a check. If this is not what you want, double-click on the security level you desire: either Disallowed or Unrestricted.

4.

Use the Set as Default button to set your choice to the default security level, as shown in Figure 4-22.

Figure 4-22. The security level can be changed.

[View full size image]

5.

Click OK.


Determine Enforcement

Local Software Restriction Policies are computer-based, while Group Policy-based Software Restriction Policies can be computer- or user-based. You can prevent administrators from being affected by policies by using the All users except local administrators enforcement rule. Alternatively, select All users to make sure the policy applies to all usersincluding members of the Administrators group. If users must be members of the local Administrators group on their own machine, be sure not to set enforcement for All users except local administrators.

A second enforcement choice determines if software libraries are restricted. Software libraries are code files that are not executable but are used by executable files. In most cases, this means a file type of DLL. Set either All software files except libraries (such as DLLs) or All software files. Choosing All software files except libraries simplifies policy writing and prevents performance degradation. It assumes that if you want to allow software to execute, you want its libraries to be accessible. It also assumes that if you want to disallow software, its DLLs won't be executed. It doesn't manage the libraries. However, you may want or need tighter control. Remember, however, that DLL checking can reduce performance. Each program the user runs causes a software policy evaluation. If I run 10 programs, 10 checks are done. If each program uses 15 DLLs, and I am enforcing DLL checking, there are 160 checks done. Libraries contain code that could be accessed by other applications that we may not be managing. If harm, either accidental or malicious, might be possible using these libraries, you may want to control them by changing enforcement to All software files.

WARNING: The All Software Selection Means Extra Work Identifying DLLs and Writing Rules

Be aware that if you chose the software security level of "disallowed" and an enforcement level of "All software," then to allow a specific software application to run, you must explicitly identify all of its libraries and give them the level of "unrestricted." This could prove to be an onerous task.

To configure enforcement, do the following:


1.

Select and expand the Software Restriction Policy.

2.

Double-click on the Enforcement object in the detail pane to open its properties, as shown in Figure 4-23.

Figure 4-23. Set enforcement rules for the policy.

3.

Select the software enforcement level.

4.

Select the user enforcement level.

5.

Click OK to close the enforcement object.


Establish Designated File Types

What constitutes an executable? What types of files will be restricted if you set the Security Level to "disallowed?" These questions can be answered by viewing the properties of the Designated File Types object within the policy, as shown in Figure 4-24.

Figure 4-24. Designated file types define "software" to the policy.

On this page, you review, add, or remove the file types that you want to designate as software for purposes of this policy. By doing so, you can keep policies updated if new software introduces new executable file types. You should guard access to this configuration page, because a malicious user might get around software restriction policies by removing a file extension from the list.

To inspect or modify designated file types, follow these steps:


1.

Select the Software Restriction Policies container.

2.

Double-click the File Types object in the details pane of the Software Restriction Policy container.

3.

Scroll through the window, as shown in Figure 4-24, to see which file types are identified as being software.

4.

To remove a file type, select it and click the Delete button. Click OK to dismiss the warning.

5.

To add a file type, enter its extension in the Extension box and click the Add button.

6.

Click OK to close the window.


Set Trusted Publishers Options

Trusted publishers are those organizations that you trust to publish safe code. This option affects only ActiveX controls and other signed content. Trusted applications are identified to the system by their certificate, and they use their private key to sign code that they produce. By selecting approved, trusted publishers, you can control whether or not signed software can execute on the computer. Add trusted publishers by importing their certificate into the Trusted Publishers container of the computer certificate store.

You can use the Trusted Publisher options, as shown in Figure 4-25, to manage who can accept publisher certificates and what things should be checked before a certificate is considered valid.

Figure 4-25. Trusted Publisher options allow you to determine who can accept the publishers that will be trusted.

You can select End users, Local administrators, or Enterprise administrators as authorized Trusted Publisher selectors. By default, only domain and enterprise administrators can determine Trusted Publishers for entire domains or groups of computers. However, local users and administrators can accept offered certificates as trusted certificates on local systems if policy is not controlled at a higher level. The value of restricting certificate acceptance to administrators is that users cannot simply click OK when offered a certificate while downloading or installing software. By setting this level, you prevent them, for example, from making decisions about trusting ActiveX controls that they may download from the Internet or receive as attachments in email. After all, no one has to pass an ethics test to purchase or obtain a code-signing certificate. The only thing the certificate can do is to authenticate the signer in some fashion. You can further extend the concept of using certificates to control software by writing certificate rules.

You can require that Publisher, Timestamp, or both characteristics be used to determine the validity of a certificate. Selecting Publisher requires that the certificate be checked for revocation. Checking the Timestamp requires that the certificate be checked for expiration.

Creating Software Restriction Policy Rules

Software restriction policy rules are applied to specific software (using hash rules, certificate rules, computer path, and URL rules), to its location (using path rules and URL rules), and by referring to a registry path that controls it. Each type of rule has its own advantages and disadvantages. Path rules, for example, can unrestrict or disallow a large group of software in one simple rule. However, if a user can copy the file(s) to another path, she can execute the code. Hash rules can be applied only to a single executable per rule but will prevent a user from running that software, no matter its source, path, or name. However, if the software changes (the virus mutates or a new version of the game is produced), then you must write another rule. The best approach is not to rely on one type of rule, and especially not to set rules and then believe you will never have to set them again. The best approach even includes using file ACLs to further control a user's access to the executable objects.


Software Restriction Example


At a company I worked with, Sally was used to controlling her own computer. She downloaded cool tools and drivers from the Internet, brought software from home, and whiled away the hours playing Solitaire and FreeCell. She'd even convinced the powers that be that she needed to have local administrator group membership on her Windows XP Professional system. Then her organization implemented Software Restriction Policies. The first thing Sally noticed was that she couldn't play Solitaire. She'd double-click on the sol.exe shortcut on her desktop and get the warning message in Figure 4-26. So she copied the sol.exe program to another folder to play it. Next, that stopped working, too. Sally was getting mad. She found that many of her other pastimes were disappearing. She could no longer download just any software, and she no longer seemed to have full administrative privileges on her computer. She was losing control. Finally, frustrated and unable to find a way around the restrictions, Sally discovered that the reason for her troubles was the new administrator who'd convinced management to use Software Restriction Policies. Sally tried to sabotage the policies and the new administrator. She began to delete the program files of applications she was supposed to run and moved the location of others to paths that were restricted. When her programs would not run, she reported this and any error message she was able to trigger about policies.

Figure 4-26. When a user attempts to execute restricted software, a warning message is displayed.

[View full size image]

The new administrator almost lost his job, and Software Restriction Policies were blamed for the trouble. Fortunately, the administrator was able to turn on auditing for Sally's computer and figure out what she was doing. With this proof, it was Sally who had to leave.

Since then, all Software Restriction Policies have been backed up by appropriate file ACLs, which prevent harmful action, support the restriction (deny execute), and track user attempts at access and possible attacks.

Four types of rules can be created:

Hash rules

Certificate rules

Path rules, including file path rules and registry path rules

Internet zone rules


To complete your Software Restriction Policy, you must create rules. To begin, determine which software must run and which must not. Next, determine the type of rule to use, and finally, write the rules. The task of determining which software should run and which shouldn't is not easy. You will need to review your security policy and the jobs held by users of the computers, and you will need to consult with management. The suggestions in Table 4-3 may help you decide which type of rule to use.

Table 4-3. Best Practices for Selecting Rule Types

Rule

Purpose

Hash

Allow or disallow a specific version of a program

Zone

Allow software to be installed from Trusted Internet zone sites

Path

Allow or disallow a program that is always installed to the same location

Certificate

Identify a set of scripts that can be run

Registry path

Allow or disallow a program whose path is stored in the registry

Path using UNC format share (\\SERVER\share)

Allow or disallow a set of scripts located on a server

Two path rules *.vbs set to disallowed, and \\LOGIN-XRV\share\*.vbs set to unrestricted

Disallow all VBS files except those in a login scriptuse two path rules

An flcss.exe path rule set to disallowed

Disallow a new virus that is always named flcss.exe

When multiple rules affect the same software file, the precedence rule determines which rule will win by examining the rules against the precedence order. The order of precedence from top to bottom is as follows:

Hash

Certificate

Path

Internet zone


For example, if the security level of the policy is unrestricted, and a path rule disallows (prevents from running) the software, but a hash rule allows it, the hash rule wins, and the software can run. In the case of multiple path rules, the most restrictive rule will take precedence. For example, if a path rule is set on the C:\mysoftware folder that prevents software from running (the security level of the path rule is "disallowed"), but another path rule names the C:\mysoftware\approved folder and sets the security level to "unrestricted," then software in the C:\mysoftware\approved folder can run.

NOTE: Virus Rules

Software Restriction Policies are not meant to take the place of anti-virus products. Remember that hash rules don't work when files change (and viruses often mutate). Recall that virus names also can change. Anti-virus programs work to recognize patterns or signatures that the viruses have and are more effective in preventing infection. However, a software restriction policy could be written that could add some protection when a new virus is identified but a signature pattern is not yet available from your anti-virus product vendor.

You should test each rule on test systems before putting them on production systems. After configuring rules but before testing, reboot the system to ensure the rule is in effect.

Hash Rules

Hash rules work by creating a hash of the executable file. A hash can take a variable amount of information and reduce it to a unique digest of a standard size. Ideally, no two software files hashed by the same algorithm will ever produce the same hash. Signed and unsigned programs can be restricted with hash rules. The signed program may have a hash produced by either the MD5 or SHA-1 algorithm. When a hash rule is created, it will use whichever hash is present. If a file is not signed, the MD5 hashing algorithm will be used. The hash rule contains the hash, the file length, and an ID that identifies the hash algorithm.

NOTE: Always Choose Collision-Resistant Hashing Algorithms

While the possibility of collision (the production of the same hash from different data) is always present, it is unlikely to occur. When choosing hashing algorithms, developers should choose those currently considered to be less prone to collision. When considering choices between applications, administrators also should consider this. For more information, read http://www.rsasecurity.com/rsalabs/node.asp?id=2738, in which the 2004 results of research on collisions in MD5 are examined.

When a user attempts to run a program and there is a policy in place, a new hash is made and compared with the hash available in the hash rules. If there is a match, and the related hash rule specifies "disallowed," then the software will not run, no matter where the attempt to execute it is made. For example, if a hash rule is made for the sol.exe program, then it will apply to the program, no matter where the executable is stored or run from, even if it has been renamed. Users cannot get around the rule by copying the file to another folder. However, if the executable file changes, the hash made at attempted execution will not match any stored in the rules, and the software will run. To create a hash rule, follow these steps:


1.

Open the Software Restriction Policy.

2.

Right-click on the Additional Rules folder and select Create New hash rule.

3.

In the New Hash Rule dialog box, click Browse.

4.

Browse to and select the file you want to create a hash rule for.

5.

Click Open to confirm this file and return to the dialog box.

6.

The file hash is created and placed in the hash text box, and the information windows are automatically filled, as shown in Figure 4-27.

Figure 4-27. After you browse to a file, the hash is copied from the digital signature of the file or is created for you.

7.

Select "disallowed" or "unrestricted." If the Security Level is unrestricted, to disallow this particular program, select "disallowed." If the Security Level is disallowed, then select "unrestricted" to allow the program to run. Remember: "Disallowed" will prevent the program from running, and "unrestricted" will permit the program to run.

8.

Enter a description for the rule.

9.

Click the OK button to finish the rule and return to the policy.


NOTE: If the Executable Changes, the Hash Rule Is No Longer Valid

Remember: If the executable changes, the hash rule is no longer valid. It does not matter how significant the change is, and there are simple, freely available tools that can be used to make minor modifications. Reshack.exe is such a tool. It is often used to modify the resources (such as the icon) in a Windows executable file. A determined user may easily discover this tool and learn how to use it. This points out the need for security awareness education, not to teach users how to do such a modification, but rather for administrators to recognize that it is possible and to develop alternatives to technical controls. It also makes a better case for establishing the use of "disallow all" and then only allowing approved executables.

Certificate Rules

Certificate rules can restrict or allow software based on the digital signature applied to the file. A certificate rule specifies a code-signing software publisher certificate. The rule uses the signed hashes from the signature of the signed file to match files. The location of the file does not matter. If the software is signed by one of the certificates identified in a certificate rule, then the security level specified will be applied to the file. This type of rule might be used if a company's policy is to require that all ActiveX scripts are signed by a specific digital signature.

Certificate rules apply only to the file types identified in the Designated Files types folder. To write a certificate rule, you must have a copy of the certificate associated with the signed files. The use of certificate rules must also be enabled using Group Policy. For example, to use a certificate rule to allow only those VB scripts that are signed by your organization's code-signing certificate, you must do the following:

Enable Certificate Rules in Group Policy.

Sign your VB scripts.

Extract a copy of the certificate to an accessible file location.

Add a path rule that disallows all scripts of this type, such as *.VBS.

Create a certificate rule that identifies your certificate and set the security policy to "unrestricted."


To enable the use of certificates rules, do this:


1.

Open the Group Policy that affects this machine (Group Policy Object in Active Directory or Local Security Policy).

2.

Navigate to Local Security Policy, Security Options.

3.

Double-click on the option System Settings: Use certificate rules on Windows executables for Software Restriction Policies.

4.

Select Enabled.

5.

Click OK to close and assign the new security settings.


Figure 4-28. To enable certificate rules, you must enable a Security Option.

To create a certificate rule, follow these steps:


1.

Open the Software Restriction Policy.

2.

Right-click on the Additional Rules folder and select Create New certificate rule.

3.

Browse to select a certificate.

4.

Select a security level.

5.

Click OK to complete the rule.


Internet Zone Rules

Internet zone rules only apply to applications that use the Windows Installer packages to install. Internet zone rules determine if an application from a site in that zone can be installed. All zones can be selected, including Local Computer, Internet, Local Intranet, Restricted Sites, and Trusted Sites.

To create an Internet zone rule, do the following:


1.

Open the Software Restriction Policy.

2.

Right-click on the Additional Rules folder and select Create New Internet Zone rule.

3.

Select the zone to control.

4.

Select a security level for the rule, as shown in Figure 4-29.

Figure 4-29. Zone rules determine if software can be installed from sites in these zones.

5.

Click OK to complete the rule.


Path Rules and Registry Path Rules

Path rules set restriction policies for software that is stored in or below that path. There are file path rules and registry path rules. You may use wildcards, such as * and ?, and environmental variables, such as %program files% or %system root%, in defining your file system path. If the location in the file system may vary from computer to computer and you know the registry path that specifies its location, then write a registry path rule. Registry paths must be enclosed in percent "%" signs and must be of a REG_SZ or REG_EXPAND_SZ value. You may not use abbreviations such as HKLM or HKLU.

If you have programs that must run at startup and you use the Run registry key to make it happen, create a registry rule for the path HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ Run and set it to "unrestricted."

Alternatively, if you do not want to have programs run at startup by using this path, you should create a registry rule for the path and set it to "disallowed."

To create a path rule follow these steps:


1.

Open the Software Restriction Policy.

2.

Right-click the Additional Rules container and select Create a new path rule or Create a new registry path rule.

3.

Enter the path, as shown in Figure 4-30.

Figure 4-30. Registry and file paths define locations where software is disallowed or unrestricted.

4.

Click OK to close the windows and create the policy.



Hacking Software Restriction Policy Security Levels


As administrators, we are often gently suckered into reliance on the visible administrative controls presented in the GUI and in public documentation for command-line tools and registry modification. We often forget that acres of code lie underneath the public presentation provided to us, acres of code that might be used just as much for good as for evil. Don't let my use of the word "hacking" in the title here make you think of illegal activities or wanton disregard for proper testing and planning. Instead, think of it as a warning. I am not suggesting that you attempt to illegally obtain Windows source code or reverse engineer Windows to secure it. Like any good hack, this suggestion is not for use by every Windows administrator or in all circumstances, and it requires extensive testing in your environment to determine if it's suitable. Be forewarned: This hack may break applications. I suggest you thoroughly read documentation http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure11152004.asp and continued at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure01182005.asp. The documentation discusses other ways to reduce user rights without using a separate user identity and includes the warning that this technology may change in future versions of Windows.

The hack consists of modifying the registry so that three new security levels are available in Software Restriction policies. The new levels are as follows:

Normal User (or Basic User)
User does not have Administrator or Power user rights.

Constrained (Restricted User)
HKEY_CURRENT_USER is read-only. %USRPROFILE% is inaccessible. Some crypto operations such as SSL negotiation do not work.

Untrusted
Further constraints beyond Constrained but not documented.


Each level allows the execution of software identified as unrestricted but restricts what the user can do by successively reducing the privileges the user has. This is important because users may need some rights for some applications but may be able to run others successfully without them. It is always considered a good security practice to run any application with the least amount of privileges. For example, running Internet Explorer as an administrator while browsing the Internet is not a good idea. Use Software Restriction Policies and the Normal User Security level to restrict use of IE.

To make the new Basic User Security level available in Software Restriction Policies, you must edit the registry. Open the Registry Editor and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WIndows\Safer\ CodeIdentifiers. Then add a DWORD value named Levels and set it to 0x20000.

Troubleshooting Software Restriction Policies


Many problems with Software Restriction Policies are the result of administrators or users not understanding how and why policies are created. A number of common issues may occur, such as these:

Users complain they received the message Windows cannot open this program because it has been prevented by a software restriction policy. This may be the expected result, because they are not supposed to run the program. Before changing the policy, ask the question, "Why is there a software restriction policy in place?" If the user should be able to run the application, look for possible conflicts between policies (inspect the precedence rule) and identify whether the policy is being applied to the correct Organizational Unit or domain in Active Directory or to the correct computer if Local Security Policy is being used.

A user complains that he cannot run an application that he has permission to run, and has correct. There are numerous software restriction policies in the domain that may affect the user. You can find the policy that is the problem by inspecting the GUID assigned to the policy rule that is causing the problem. Each software restriction rule is assigned a unique GUID. An event in the user's log will contain the GUID. Running gpresult, a Windows resource kit tool, or Resultant Set of Policy (RSOP) identifies the GPO policy that contains this GUID, and thus this rule. Inspecting the Software Inspection Policy may reveal a mistake, which can then be corrected.

Administrators complain that when running a utility from the command line, they get the message, "The system cannot execute the specified program." This may be a software restriction policy, because this is the message given if a policy prevents a program from running, and it is executed from the command line. Determine the administrator's right to run the utility, and look for possible conflicts. If the administrator should be able to run the program, but users should not, you may be able to set enforcement on that machine to "All users but Administrators."

A Local Security Policy Software Restriction Policy is not taking effect. Software Restriction Policies created in Active Directory will take precedence over those created locally. Check to see if a policy exists in the AD.

A Local Security Policy is taking effect, even though a domain policy exists. Check to ensure that the AD policy has refreshed. Check to ensure that the local computer is downloading the policy from the domain controller.

A change to Software Restriction Policies is now preventing anyone from logging on at the computer. It is possible to create a rule that prevents some software necessary for successful boot, including logon. You can recover by booting in Safe Mode, logging on as the local administrator, and fixing the policy. Software Restriction Policies do not take effect in Safe Mode.

A rule created to restrict a specific application is not taking effect. It is possible that the file type for the application is not included in the Designated File Types container for Software Restriction Policies. You can add the file type to this list.


You will often be able to determine why a Software Restriction Policy is having a problem by exercising common sense, reviewing settings, and referring to the common problems listed previously. However, when these options do not help, enabling advanced logging will allow you to record every software restriction policy evaluation. Advanced logging is enabled by doing the following:


1.

Create the registry key:

HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\ Codeidentifiers

2.

Add the string value LogFileName.

3.

Give the string value the path to a log file.


To disable logging, delete the key.

Best Practices for Software Restriction Policies


When developing Software Restriction Policies, you will want to ensure that you get the best result. These policies can be a powerful agent in controlling what software can run on a computer, or they can hinder productivity and prevent work from getting done. Microsoft recommends the following best practices for software restriction policies.

If used in a domain, never set software restriction policies in the domain policy. Always create a separate GPO for software restriction policies. Because no software restriction policies are set by default, you have the option of recovering from an incorrect software restriction policy by removing or disabling a created software restriction policy and allowing the domain policy to be reapplied.

Never link to a software restriction policy in another domain, because it will result in poor performance.

Use WMI filtering. You can create a filter that restricts the application of a GPO to, say, computers with a specific service pack. WMI filters are set in the property pages of the GPO.

Use Security Filtering. You can filter which groups of users the policy will apply to. This is done by adding the group to the Security tab of the GPO property pages and (if you want the group to be exempt from the Software Policy) making sure they do not have the "apply group policy" permissions. You can also improve performance by making sure they do not have the read policy permission. If they do not have the read policy policy permission, the GPO will not be downloaded to their computer.

If you have problems with software restriction policies, reboot into Safe Mode. Software restriction policies have no effect in Safe Mode, so you can log on as administrator, change the policy, refresh the policy using gpupdate, and reboot.

If you are going to change the default security level setting to "disallowed," change the Enforcement setting to "All users except administrators" at least until you can troubleshoot the system. Setting the security level setting to "disallowed" will mean you must write a policy to allow each bit of software to run.

Use access controls (file and registry access control lists) in concert with software restriction policies. Users will attempt to go around policies by moving files, overwriting files, or adding other copies to other locations. You can deny them the ability to do so.

Before implementing policies, test them in a test network. If policies are to be used in a domain, test them in a test domain.

Do not guess about the effects of setting restrictions on files. Disallowing some files to run can prevent the system from running or can make it unstable.

Filter software restriction policy application when applied in a domain policy by denying read and apply policy permissions on the GPO.

Manage the designate file types container. This defines what file types besides EXE and DLL are considered to be programs. If you use "disallow" rules, which disallow all programs, and the file type is not defined here, the software will run. Path rules are also affected by this policy.

Change the default on the trusted publishers from "user" to local computer administrators for standalone servers and either the local administrator or enterprise administrators if the server is in a domain.

Ensure that users must periodically log off and log back on to systems. (When a new software restriction policy is implemented or there are changes to an existing software restriction policy, the user must log off and log back on again before the policy will take effect.)

If users are members of the local administrator group on their computer, change enforcement settings so that the policy applies to administrators.

Write a path rule for the attachment folder of email programs (the folder where attachments are temporarily placed and from which they can be run). If the path is disallowed, attachments cannot accidentally be run, and perhaps you will avoid the next attachment virus. If the attachment is a program that is okay and desired by the recipient, he must save it to another folder, one from which software is allowed to run.



/ 194