STOPPING TROJAN HORSE PROGRAMS AND EXPLOIT PAYLOADS THROUGH SOFTWARE RESTRICTION POLICY OR PARENTAL CONTROLS
Anyone with a computer knows that vulnerability is inevitable when using a network. Software Restriction Policy is a clear-cut concept that is comprehensible even to the least tech-savvy. When you use a computer, you risk exposing your files to a potential attacker, and you may even be revealing more about yourself than you want to let on.
Windows Vista, 7 and 8 have built-in features that help protect your identity and activities on the internet, starting with the standard user account. You can improve your security further by setting up a Software Restriction Policy or Parental Controls.
These features provide a general layer of protection from malicious attacks on the system. They differ from antivirus software in that they do not need updates, they barely slow the computer down, and they cost nothing, while still adding another layer to your defense against attacks.
Unlike antivirus software, Software Restriction Policy works by stopping software from running automatically. It lists dangerous file types such as .exe, and files of those types run only if they are located in an approved location, such as the C:\Windows and C:\Program Files directories.
User accounts that are not administrators cannot add new files to these folders. There are exceptions, which are discussed later, and you can also override this function when you have to.
Parental Controls, another simple method, creates a whitelist of the .exe files installed in the standard locations on the system. You have full control over what software runs for a specified user, and you can add to the whitelist whenever you need to.
Working with Software Restriction Policy:
- Firstly, you need to create a Software Restriction Policy. To do this, type gpedit.msc in the Run or Search bar. When it appears, right-click on it and choose Run As Administrator. This opens the Local Group Policy Editor.
- In the editor's tree, expand Computer Configuration, then Windows Settings, then click Security Settings and select Software Restriction Policies.
- Double-click Enforcement in the Object Type list that appears. In the Enforcement dialogue box, choose “All software files” and “All users except local administrators,” then click OK.
You can choose to apply Software Restriction Policies to administrators as well, but at the cost of processing speed: you may experience random hang-ups when removing or installing software, and there is a significant lag when the policy also applies to local administrators.
Enforcing SRP on all files may cause web browsers to stop responding because of Adobe Flash Player. You can work around this by enforcing SRP on all files except libraries (such as DLLs), until that Flash version is obsolete or Adobe fixes it.
- Double-click Designated File Types in the right panel. In the dialogue box that opens, scroll through the list to find LNK, select it and press the Delete button. Removing LNK lets you keep using shortcut files such as Quick Launch icons and Desktop shortcuts.
- In the left-hand panel, choose the Security Levels folder. Right-click Disallowed and choose “Set as default.” This makes the policy effective; a prompt will appear, just press OK.
*If you want to turn SRP off, right-click Unrestricted and choose “Set as default” instead.
- 64-bit versions of Windows have an extra directory in Program Files, named C:\Program Files (x86). Choose Additional Rules, right-click the empty space in the right panel and select New Path Rule. Create a rule that makes that directory Unrestricted; software installed in it will then be allowed to run.
On Windows 8, an additional Path Rule should also be created: mark C:\Program Files\WindowsApps as Unrestricted. This solves the problem of apps from the Windows Store failing to launch.
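A way to confirm that the steps above took effect, added here as an example and not part of the original post: this PowerShell script reads the Software Restriction Policy settings back from the registry key Windows stores them under and reports whether each one matches the configuration described above.

```powershell
# Added example, not from the original post: read the SRP settings back from the
# registry and compare them with what the steps above configure. The key and
# value names are the ones Windows uses to store Software Restriction Policies.
$cid = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
if (-not (Test-Path $cid)) { throw 'No Software Restriction Policy is defined on this machine.' }
$p = Get-ItemProperty -Path $cid

# Meaning of the DWORD values (hex in parentheses as regedit shows them).
$levelNames = @{ 0 = 'Disallowed'; 131072 = 'Basic User (0x20000)'; 262144 = 'Unrestricted (0x40000)' }
$scopeNames = @{ 0 = 'All users'; 1 = 'All users except local administrators' }
$enforce    = @{ 1 = 'All software files except libraries (such as DLLs)'; 2 = 'All software files' }

function Get-PathRules([int]$level) {
    # Path rules live under <level>\Paths\{GUID}, with the path in the ItemData value.
    Get-ChildItem "$cid\$level\Paths" -ErrorAction SilentlyContinue |
        ForEach-Object { (Get-ItemProperty $_.PSPath).ItemData }
}
$unrestricted = @(Get-PathRules 262144)

# One row per setting: its current value and whether it matches the post's setup.
$checks = @(
    [pscustomobject]@{ Setting = 'Default security level'
                       Value   = $levelNames[[int]$p.DefaultLevel]
                       OK      = ($p.DefaultLevel -eq 0) }
    [pscustomobject]@{ Setting = 'Apply to'
                       Value   = $scopeNames[[int]$p.PolicyScope]
                       OK      = ($p.PolicyScope -eq 1) }
    [pscustomobject]@{ Setting = 'Enforcement (2 is the post''s choice, 1 is the Flash workaround)'
                       Value   = $enforce[[int]$p.TransparentEnabled]
                       OK      = ($p.TransparentEnabled -ge 1) }
    [pscustomobject]@{ Setting = 'LNK removed from Designated File Types'
                       Value   = ($p.ExecutableTypes -join ',')
                       OK      = ($p.ExecutableTypes -notcontains 'LNK') }
    [pscustomobject]@{ Setting = 'Unrestricted rule for Program Files (x86)'
                       Value   = ($unrestricted -join '; ')
                       OK      = [bool]($unrestricted -like '*Program Files (x86)*') }
    [pscustomobject]@{ Setting = 'Unrestricted rule for WindowsApps (Windows 8)'
                       Value   = ($unrestricted -join '; ')
                       OK      = [bool]($unrestricted -like '*WindowsApps*') }
)
$checks | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell; any row with OK set to False points to a step that has not been applied yet.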
- SRP relies on Write permissions being denied to users other than Administrators (and to anything that exploits those users). However, Windows installations contain loopholes: folders under the approved paths that ordinary users can write to. You can close them with Disallowed path rules for those folders.
Download AccessChk, extract the .exe file from the zip archive and save it to C:\Windows\System32. Run accesschk -w -s -q -u group path once for each Unrestricted path, with group set to a non-Administrator group. Add the necessary Disallowed path rules as the check turns up writable folders.
Be careful when setting Disallowed paths: a Disallowed rule on a folder covers all of its subfolders too. Applying a Disallowed rule to the C:\Windows\System32\spool folder, for example, will block printing. To make sure this does not happen, create the path rules one by one.
*Checking your SRP after installing new software or printers is essential for continuous protection, because they can open new loopholes. You may also encounter programs that need to be Disallowed; the Run As Administrator option should do the trick whenever you need to run such files.
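The writable-folder check described above, added here as an example and not part of the original post: instead of AccessChk, this script uses the built-in Get-Acl cmdlet as a simplified stand-in for accesschk -w -s, walks every Unrestricted path rule found in the registry, and lists the subfolders a non-administrator could write to.

```powershell
# Added example, not from the original post: find folders under the SRP
# "Unrestricted" path rules that non-administrators can write to, which are the
# candidates for Disallowed rules. Get-Acl stands in for "accesschk -w -s" here;
# it is a simplified check that ignores deny-ACE precedence and nested group
# membership. Run from an elevated PowerShell after SRP has been configured.
$saferRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Unrestricted = 262144   # 0x40000; the Disallowed level is 0

# Identities that cover "everyone who is not an administrator".
$nonAdmins = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
               'NT AUTHORITY\INTERACTIVE', 'Everyone')
# Rights that let a user drop a new file or folder; Modify and FullControl include them.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories'

function Resolve-SaferPath([string]$item) {
    # The default rules are stored as registry references, for example
    # %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%
    if ($item -match '^%HKEY_LOCAL_MACHINE\\(.+)\\([^\\]+)%(.*)$') {
        $key = "HKLM:\$($Matches[1])"; $name = $Matches[2]; $tail = $Matches[3]
        $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).$name
        if ($value) { return "$value$tail" } else { return $null }
    }
    # Rules typed in by hand are plain paths, possibly using %SystemRoot%-style variables.
    return [Environment]::ExpandEnvironmentVariables($item)
}

function Test-UserWritable([string]$dir) {
    try { $acl = Get-Acl -LiteralPath $dir -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $nonAdmins -contains $ace.IdentityReference.Value -and
            (([int]$ace.FileSystemRights) -band $writeMask) -ne 0) { return $true }
    }
    return $false
}

$rules = Get-ChildItem "$saferRoot\$Unrestricted\Paths" -ErrorAction SilentlyContinue |
         ForEach-Object { (Get-ItemProperty $_.PSPath).ItemData }

foreach ($rule in $rules) {
    $root = Resolve-SaferPath $rule
    if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }
    # Each hit is a folder where a non-admin can place a file that SRP would allow to run.
    # Decide per folder whether a Disallowed rule is safe (a rule on spool breaks printing).
    Get-ChildItem -LiteralPath $root -Directory -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { Test-UserWritable $_.FullName } |
        ForEach-Object { [pscustomobject]@{ Rule = $rule; WritableFolder = $_.FullName } }
}
```

Re-run it after installing new software or printers, since those are the events the note above singles out as opening new loopholes.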
- Overriding SRP is necessary when installing software from a disc. To do so, either right-click the setup file and choose Run As Administrator, or copy the setup file to an Unrestricted folder such as C:\Program Files.
There are instances when you need to make SRP exemptions for a program. If you want to install a Remote Assistance app, you have to exempt the web browser temporarily so it can run the file. To do this, start the web browser by right-clicking it and choosing Run As Administrator. Running as admin lifts the restrictions on the browser until you close it.
If you need to disable SRP because of a misconfiguration, right-click Local Computer Policy and select Properties. In the dialogue box that appears, check the option that disables the Computer Configuration settings. You can then set the default security level, found in the Security Levels folder, back to Unrestricted.
- Confirm that the SRP you set is up and working: copy a .exe file to your desktop and try to run it. A prompt should appear like this: