Malware attack hardening using Software Restriction Policies

Presentation on theme: "Malware attack hardening using Software Restriction Policies"— Presentation transcript:

1 Malware attack hardening using Software Restriction Policies
Kamin Miller Warrington College of Business University of Florida

2 What are Software Restriction Policies?
- Software Restriction Policies are GPO-enabled rules that indicate whether an application is allowed to run or is blocked from running
- Rules can be applied to any folder on the system
- A malformed rule could accidentally block parts of the Windows system from running
- Security levels are Unrestricted (default), Disallowed, and Basic User
- Unrestricted is the default level: software runs with the user's own access rights, e.g. as an administrator if UAC allows running the program elevated
- Basic User: force all programs that match the rule to run in the limited user context
- Disallowed: force all programs that match the rule to be unable to execute
- Each rule is assigned a security level when it is created
- Rules can match by path pattern, file hash, Internet zone, or publisher certificate

3 How do they help with security?
- All users, regardless of administrative permissions, have full access to their home directories
- Most applications use the user's AppData folder for temporary storage during installs and updates
- Malware also tends to use the user's local temp folder as the place to start modifying the system
- By whitelisting only approved apps to run from these folders, we cut down the ability of malware to enter the system
- Rules apply to all users, regardless of administrative permission

4 What Software Restriction Policies do not replace
- Antivirus/antimalware policies
- Limited user accounts
- User education about malware risks
- Common sense

5 Whitelisting vs Blacklisting
Whitelisting
- By default all apps are blocked
- Apps that need to run from these folders are explicitly allowed
Blacklisting
- By default all apps are allowed to run
- Identified malware is explicitly denied execution
Whitelisting is less overhead for IT to maintain

6 Warrington College of Business Policy Configuration
In Group Policy Management Editor: Computer Configuration > Policies > Windows Settings > Security Settings > Software Restriction Policies

7 Warrington College of Business Policy Configuration
Software Restriction Policies > Enforcement
- Apply software restriction policies to all software files except libraries
- Apply software restriction policies to all users
- When applying software restriction policies, enforce certificate rules

8 Warrington College of Business Policy Configuration
Software Restriction Policies > Designated file types
- Lists what the computer will consider an executable to be evaluated
- Extensions: ADE, ADP, BAS, BAT, CHM, CMD, COM, CPL, CRT, EXE, HLP, HTA, INF, INS, ISP, JS, LNK, MDB, MDE, MSC, MSI, MSP, MST, OCX, PCD, PIF, REG, SCR, SHS, URL, VB, WSC
- The list is modifiable by the GPO administrator

9 Warrington College of Business Policy Configuration
Software Restriction Policies > Additional Rules
Path rules to be evaluated:
- %AppData%\*.exe – Disallowed: blocks all executables at the user's AppData root level from running
- %AppData%\*\*.exe – Disallowed: blocks executables in the AppData subfolders from running
- %LocalAppData%\*.exe – Disallowed
- %LocalAppData%\*\*.exe – Disallowed

10 Warrington College of Business Policy Configuration
Software Restriction Policies > Additional Rules (continued)
Path rules to be evaluated:
- %Temp%\*.zip\*.exe – Disallowed: blocks all executables inside zip archives from being run without being extracted
- %Temp%\7z*\*.exe – Disallowed: blocks executables inside 7-Zip archives from being run without being extracted
- %Temp%\Rar*\*.exe – Disallowed: blocks executables inside WinRAR archives from being run without being extracted
- %Temp%\wz*\*.exe – Disallowed: blocks executables inside WinZip archives from being run without being extracted

11 Warrington College of Business Policy Configuration
Software Restriction Policies > Additional Rules (continued)
Certificate rules to be evaluated:
- Google Inc. – Unrestricted: allowed to run from any user home directory subfolder
- Mozilla Corporation – Unrestricted
- Other digitally signed software as needed
- Certificate verification adds CPU cycles, which may slow down execution of an application
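As an added illustration, not part of the presentation, the following Python simulates how the path rules from slides 9 and 10 and the certificate rules from slide 11 are evaluated for a given file: the designated-type check from slide 8 runs first, a matching certificate rule takes precedence over path rules (as SRP precedence orders them; hash rules rank higher still but the slides define none), `*` and `?` match within one path component, which is what the separate root-level and subfolder rules imply, and the most specific path rule wins on conflict. The environment values, the signer passed in as a plain string, and the sample paths are constructed for the example.

```python
import ntpath
import re

# Constructed environment for the simulation (not from the presentation).
ENV = {"APPDATA": r"C:\Users\alice\AppData\Roaming",
       "LOCALAPPDATA": r"C:\Users\alice\AppData\Local",
       "TEMP": r"C:\Users\alice\AppData\Local\Temp"}

# Subset of the designated file types from slide 8; anything else is never evaluated.
DESIGNATED = {"exe", "com", "bat", "cmd", "js", "lnk", "msi", "scr", "pif", "vb", "hta"}

# Path rules from slides 9 and 10 and certificate rules from slide 11.
PATH_RULES = [(r"%AppData%\*.exe", "Disallowed"), (r"%AppData%\*\*.exe", "Disallowed"),
              (r"%LocalAppData%\*.exe", "Disallowed"), (r"%LocalAppData%\*\*.exe", "Disallowed"),
              (r"%Temp%\*.zip\*.exe", "Disallowed"), (r"%Temp%\7z*\*.exe", "Disallowed"),
              (r"%Temp%\Rar*\*.exe", "Disallowed"), (r"%Temp%\wz*\*.exe", "Disallowed")]
CERT_RULES = {"google inc.": "Unrestricted", "mozilla corporation": "Unrestricted"}
DEFAULT_LEVEL = "Unrestricted"  # the slides keep the default security level

def expand(rule: str) -> str:
    """Expand %Var% tokens from the constructed ENV, case-insensitively."""
    return re.sub(r"%(\w+)%", lambda m: ENV[m.group(1).upper()], rule)

def path_rule_regex(rule: str) -> re.Pattern:
    """'*' and '?' match within a single path component, so '%AppData%\\*.exe'
    covers the root level only and '%AppData%\\*\\*.exe' the immediate subfolders."""
    parts = re.split(r"([*?])", expand(rule))
    body = "".join({"*": r"[^\\]*", "?": r"[^\\]"}.get(p, re.escape(p)) for p in parts)
    return re.compile(body, re.IGNORECASE)

def evaluate(file_path: str, signer: str = "") -> str:
    """Return the effective security level for file_path.
    Precedence: certificate rule, then the most specific matching path rule, then default."""
    ext = ntpath.splitext(file_path)[1].lstrip(".").lower()
    if ext not in DESIGNATED:
        return "Not evaluated"            # not an executable type, so SRP ignores it
    if signer and signer.lower() in CERT_RULES:
        return CERT_RULES[signer.lower()]  # slide 7 turns on certificate-rule enforcement
    matches = [(len(expand(r)), lvl) for r, lvl in PATH_RULES
               if path_rule_regex(r).fullmatch(file_path)]
    if matches:
        return max(matches)[1]            # longest (most specific) rule wins on conflict
    return DEFAULT_LEVEL

if __name__ == "__main__":
    for p in (r"C:\Users\alice\AppData\Roaming\Evil\payload.exe",
              r"C:\Users\alice\AppData\Local\Temp\Rar$EX00.123\invoice.exe",
              r"C:\Users\alice\AppData\Roaming\a\b\deep.exe"):
        print(p, "->", evaluate(p))
```

Under these semantics a file two folders deep under %AppData% falls through to the default level, which is why the slides pair a root-level rule with a subfolder rule; check how deep your own deployment's rules reach before relying on them.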

12 Alternative to Software Restriction Policies
- AppLocker is similar to Software Restriction Policies, but has more granular support for rules and users, allowing blocking by user group rather than the all-or-nothing scope of Software Restriction Policies
- Audit mode can be used to test the impact before deploying
- PowerShell support for creating and modifying rules

13 AppLocker vs Software Restriction Policies comparison
| Feature | Software Restriction Policies | AppLocker |
|---|---|---|
| Rule scope | All users | Specific user or group |
| Rule conditions provided | File hash, path, certificate, registry path, and Internet zone rules | File hash, path, and publisher rules |
| Rule types provided | Allow and deny | Allow and deny |
| Default rule action | Allow or deny | Deny |
| Audit-only mode | No | Yes |
| Wizard to create multiple rules at one time | No | Yes |
| Policy import or export | No | Yes |
| Rule collection | No | Yes |
| PowerShell support | No | Yes |
| Custom error messages | No | Yes |

14 Takeaways
- Anything that enhances security and minimizes user downtime is a win for IT
- A demo GPO object with these settings, called “w-Computers-Security-ExeRestrictions-Demo”, can be read by anyone with the “PS_UF_N_ALL_IT_WORKERS_AutoGS” role, for reference
- Since its implementation, the Warrington College of Business has had 0 ransomware infections, and a low number of malware UFIRT tickets from UF Security on domain-joined machines
- It is possible to apply these settings locally to a non-domain-joined machine

15 Contact and References
Kamin Miller
References:
- UF Security provided bulletin that linked a set of reference Software Restriction Policy rules: information#prevent
- Microsoft TechNet on Software Restriction Policies
- Microsoft TechNet on AppLocker
